Available in Flexisip 2.2 and later

Overview

This page contains some keys about the configuration of the b2bua server and how to set the proxy to communicate with it. If you don't know what the b2bua server is useful for, you should visit the feature page concerning the b2bua server before going further.

Launching the b2bua server

Using SystemD

Simply use the following command to start the service:

systemctl start flexisip-b2bua

Don't forget to enable the service if you want it to start on system boot:

systemctl enable flexisip-b2bua

Invoking Flexisip directly

/opt/belledonne-communications/bin/flexisip --server b2bua

Configuration

The b2bua server configuration is divided in subsections for each specific application. The global configuration resides in the b2bua-server section

[b2bua-server]
# Select address and port to listen on
transports=sip:127.0.0.1:6067;transport=tcp

# The b2bua server needs a writable directory to store data
data-directory=/var/opt/belledonne-communications/flexisip/b2b

# The Flexisip proxy URI to which the b2bua server should send all its outgoing SIP requests.
# This must match the internal-transport configuration in the cluster section of the proxy configuration
# Note: This is only used in trenscrypter mode. The sip-bridge mode has finer-grained configuration options.
outbound-proxy=sip:127.0.0.1:5060;transport=tcp

# The sub-module to load. This will define how the b2bua bridges calls. See below for details.
application=trenscrypter

Trenscrypter application

Leg A media encryption mode is selected by the endpoint placing the outgoing call (leg A), b2bua accepts any of: unencrypted call, SDES, DTLS-SRTP, ZRTP.

The configuration of the encryption bridge is found in a dedicated subsection: b2bua-server::trenscrypter, it allows to select the media encryption mode on the leg B call based on the recipient sip:URI (or GRUU is the call recipient is a GRUU) or the SRTP crypto suite if SDES mode is selected.

Leg B media encryption modes

Valid encryption modes are:

  • zrtp
  • dtls-srtp
  • sdes
  • none.

This configuration is a formatted list of :
mode1 regex1 mode2 regex2 ... moden regexn
regex use POSIX syntax, any invalid one is skipped with its associated mode

Each regex is applied, in the given order, on the call recipient sip:URI(including parameters if any, so it can be a GRUU). The first match found determines the encryption mode.

If no regex matches the recipient sip:URI, the leg A media encryption mode is used.
 

[b2bua-server::trenscrypter]

outgoing-enc-regex=zrtp .*@sip\.secure-example\.org dtls-srtp .*dtls@sip\.example\.org zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org

In the above example, the recipient sip:URI is matched in order with

  • .*@sip\.secure-example\.org so any call directed to an address on domain sip.secure-example-org uses zrtp encryption mode
  • .*dtls@sip\.example\.org any call on sip.example.org to a username ending with dtls uses dtls-srtp encryption mode
  • .*zrtp@sip\.example\.org any call on sip.example.org to a username ending with zrtp uses zrtp encryption mode

If the recipient address includes parameters, the previous regex will not match as the parameters are concatenated after the domain. Ex: alice@sip.secure-example.org;;gr=urn:uuid:f81d4fae

In order to completely ignore sip:URI pamaters, use (;.*)? at the end of the regex. Example:

[b2bua-server::trenscrypter]

outgoing-enc-regex=zrtp .*@sip\.secure-example\.org(;.*)?

SRTP crypto suite selection when leg B media encryption mode is SDES

When the selected media encryption mode is SDES, it is also possible to select an ordered the list of SRTP crypto suite  proposed in the outgoing SDP INVITE.

Available SRTP crypto suites are:

  • AES_CM_128_HMAC_SHA1_80
  • AES_CM_128_HMAC_SHA1_32
  • AES_256_CM_HMAC_SHA1_80
  • AES_256_CM_HMAC_SHA1_32

The configuration is a formatted list of:
cryptoSuiteList1 regex1 cryptoSuiteList2 regex2 ... crytoSuiteListn regexn
with cryptoSuiteList being a ; separated list of SRTP crypto suites.

Each regex is applied, in the given order, on the call recipient sip:URI(including parameters if any, so it can be a GRUU). The first match found determines the crypto suite list used.

If no regex matches, default to AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32

[b2bua-server::trenscrypter]

outgoing-srtp-regex=AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org

In the above example, the recipient sip:URI is matched in order with:

  • .*@sip\.secure-example\.org so any call directed to an address on domain sip.secure-example-org uses AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 suites (in that order)
  • .*@sip\.example\.org any call directed to an address on domain sip.example.org use AES_CM_128_HMAC_SHA1_80 suite

As described in the previous section, you may want to add (;.*)? at the end of the regex to ignore sip:URI parameters

Configure the proxy server to route calls to a b2bua server

# Any call related requests (INVITE, ACK, etc.) that enters
# this module will be redirected to the B2BUA server.
# Use the 'filter' parameter if you need to prevent some 
# requests to be redirected to the B2BUA.
[module::B2bua]
enable=true
filter=

Sip-bridge application

This section has been split into a dedicated page.

Tags: