Deploying STIR/SHAKEN with Kamailio
Martini Security
Version 1.1
© Copyright 2023
This work is licensed under the Creative
Commons Attribution-NoDerivatives 4.0
International License.
Background
This document outlines various methods for implementing STIR/SHAKEN using Kamailio, in
conjunction with services provided by Martini Security.
Starting from version 5.6, Kamailio natively supports two modules for STIR/SHAKEN
implementation. This guide will provide instructions on deploying these modules, along with Olive,
an ACME client developed by Martini Security that facilitates ordering and auto-renewal of
STIR/SHAKEN signing certificates.
The recommended approach involves using Vermouth, an application that operates as a separate
service alongside Kamailio. Vermouth provides a REST API for signing and verifying SIP calls within
Kamailio and includes its own lightweight ACME client for automatic certificate renewal.
Sample Configuration Notes
The information provided in this document has been tested on Ubuntu Server 22 LTS, using the
latest packages available as of April 4, 2023. While not guaranteed, it is assumed that other
Debian-based distributions or RHEL/Fedora systems may also be compatible.
Configuration snippets were validated using Kamailio 5.6 configured with MySQL 8. Tests were
conducted with both static Debian packages and binaries compiled from the source. Alternative
database engines can be used in place of MySQL, as Kamailio supports several options. However, a
database engine is necessary for this setup.
The source code was cloned using:
git clone --branch 5.6 https://github.com/kamailio/kamailio.git
To install static libraries, add the following lines to the /etc/apt/sources.list file:
deb http://deb.kamailio.org/kamailio56 jammy main
deb-src http://deb.kamailio.org/kamailio56 jammy main
This guide assumes that the reader possesses a strong understanding of Kamailio, its ecosystem,
and SIP. Familiarity with the ATIS STIR/SHAKEN specifications is also beneficial.
Getting Started
Before deploying, you must first create an account with Martini Security and obtain an API key. This
process involves four steps:
1. Register for an account with Martini Security and acquire an API key.
2. Submit your FCC 499 filer ID.
3. Select a subscription plan and complete payment.
4. Have the registered 499 filer approve the request to represent their organization.
Account creation typically takes only a few minutes.
After registering, creating ACME credentials can be done in just a few steps.
1. Click ACME Clients on the left navigation bar.
2. Click + to add a new client.
3. Give it a label meaningful to you.
• Ex: “signing-node-1”
4. Locate the sections labeled “Key ID” and “API Key” and copy these somewhere. You will need
them soon regardless of which mechanism you will use to implement STIR/SHAKEN.
For more information, watch this video: https://www.youtube.com/watch?v=CXvR-jyJVx4&t=1s
Additionally, you will need your STI-PA API credentials and OCN, which can be found in the
credentials you created at iconectiv’s STIR/SHAKEN provider portal.
General Kamailio + STIR/SHAKEN Guidance
All STIR/SHAKEN implementations require the following information:
• X5U
  • Public STIR/SHAKEN certificate HTTP URL
• Attestation Level
  • A, B, or C as defined by ATIS
• OrigTN
  • Calling party
• DestTN
  • Called party
• OrigID
  • Call identifier specified by signer (unspecified OrigIDs cause most signing engines to
    generate and use a UUID)
• Private Key Path
  • Signing key used to sign calls
Kamailio offers numerous built-in pseudo variables. In the examples provided, from user ($fU) and
to user ($tU) are used for signing requests. Note that for US-based calling and called parties, signing
requests must use the 11-digit format, i.e., “1NXXNXXXXXX”.
Testing was conducted with SIP To and From User data formatted as “+1NXXNXXXXXX”, so string
manipulation was performed to remove the “+”. Keep in mind that the sources of origTN and
destTN are specific to your VoIP environment.
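As an added illustration (not code from this guide, Kamailio, or Martini Security), the Python sketch below checks the signing inputs listed above, including the “+” removal and 11-digit format, and assembles the unsigned PASSporT header and claims as laid out in RFC 8225 and RFC 8588. The function names, sample URL and sample numbers are assumptions; the ES256 signature made with the private key is left to the signing engine.

```python
import base64
import json
import re
import time
import uuid
from urllib.parse import urlparse

# "1NXXNXXXXXX": country code 1, then NXX-NXX-XXXX with N = 2-9 (NANP notation).
NANP_11 = re.compile(r"1[2-9][0-9]{2}[2-9][0-9]{6}")


def normalize_tn(sip_user):
    """Map a SIP user part such as '+12025550123' to the 11-digit form."""
    tn = sip_user.strip()
    if tn.startswith("+"):
        tn = tn[1:]
    if not NANP_11.fullmatch(tn):
        # Fail closed: never sign or compare a number that is not in the expected form.
        raise ValueError(f"not an 11-digit NANP number: {sip_user!r}")
    return tn


def b64url(obj):
    """Compact JSON with sorted keys, base64url-encoded without padding."""
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_passport(x5u, attest, from_user, to_user, orig_id=None, iat=None):
    """Return (header, payload, signing_input) for a SHAKEN PASSporT."""
    if attest not in ("A", "B", "C"):
        raise ValueError(f"attestation level must be A, B or C, got {attest!r}")
    url = urlparse(x5u)
    if url.scheme not in ("http", "https") or not url.netloc:
        raise ValueError(f"x5u must be an HTTP(S) URL, got {x5u!r}")
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    payload = {
        "attest": attest,
        "dest": {"tn": [normalize_tn(to_user)]},
        "iat": int(time.time()) if iat is None else iat,
        "orig": {"tn": normalize_tn(from_user)},
        # Like most signing engines, generate a UUID when no OrigID is given.
        "origid": orig_id or str(uuid.uuid4()),
    }
    return header, payload, b64url(header) + "." + b64url(payload)


if __name__ == "__main__":
    # Constructed sample values; the URL and numbers are placeholders.
    _, claims, signing_input = build_passport(
        "https://certs.example.com/sti.pem", "A", "+12025550123", "+13035550147")
    print(claims, signing_input, sep="\n")
```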
The request to add the identity header should be made just before sending the INVITE to an external
peer. The request to verify the identity should be made as soon as a SIP INVITE is received from an
external SIP peer. These practices apply consistently across all STIR/SHAKEN deployments.
Using Vermouth
About
Vermouth is a system service that listens on a configured IP and port for signing and verification
requests, providing appropriate responses. It offers various services, including ACME operations for
requesting and renewing signing certificates.
Installation
Vermouth can be installed from a package or built from the source. After downloading the current
release (or manually building the package), install it using dpkg -i vermouth-X.X.X.deb. By default,
/etc/vermouth is the YAML master configuration file that must be modified before starting
Vermouth.
Vermouth Configuration
First, open /etc/vermouth in your preferred text editor. Most of the default fields already contain the
recommended values and can be left unchanged. However, the following lines need to be modified: