Back-to-back User Agent (b2bua)
Overview
This page covers the main configuration keys of the b2bua server and how to set up the proxy to communicate with it. If you don't know what the b2bua server is for, visit the feature page on the b2bua server before going further.
Launching the b2bua server
Using SystemD
Simply use the following command to start the service:
Don't forget to enable the service if you want it to start on system boot:
Invoking Flexisip directly
Configuration
The b2bua server configuration is divided into subsections, one for each specific application. The global configuration resides in the b2bua-server section.
# Select address and port to listen on
transports=sip:127.0.0.1:6067;transport=tcp
# The b2bua server needs a writable directory to store data
data-directory=/var/opt/belledonne-communications/flexisip/b2b
# The Flexisip proxy URI to which the b2bua server should send all its outgoing SIP requests.
# This must match the internal-transport configuration in the cluster section of the proxy configuration
# Note: This is only used in trenscrypter mode. The sip-bridge mode has finer-grained configuration options.
outbound-proxy=sip:127.0.0.1:5060;transport=tcp
# The sub-module to load. This will define how the b2bua bridges calls. See below for details.
application=trenscrypter
Trenscrypter application
Leg A media encryption mode is selected by the endpoint placing the outgoing call (leg A); the b2bua accepts any of: unencrypted call, SDES, DTLS-SRTP, ZRTP.
The configuration of the encryption bridge is found in a dedicated subsection, b2bua-server::trenscrypter. It allows you to select, based on the recipient sip:URI (or GRUU if the call recipient is a GRUU), the media encryption mode on the leg B call, and the SRTP crypto suite if SDES mode is selected.
Leg B media encryption modes
Valid encryption modes are:
- zrtp
- dtls-srtp
- sdes
- none
This configuration is a formatted list of:
mode1 regex1 mode2 regex2 ... moden regexn
Regexes use POSIX syntax; any invalid regex is skipped along with its associated mode.
Each regex is applied, in the given order, to the call recipient sip:URI (including parameters if any, so it can be a GRUU). The first match found determines the encryption mode.
If no regex matches the recipient sip:URI, the leg A media encryption mode is used.
outgoing-enc-regex=zrtp .*@sip\.secure-example\.org dtls-srtp .*dtls@sip\.example\.org zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org
In the above example, the recipient sip:URI is matched in order with
- .*@sip\.secure-example\.org so any call directed to an address on domain sip.secure-example.org uses zrtp encryption mode
- .*dtls@sip\.example\.org any call on sip.example.org to a username ending with dtls uses dtls-srtp encryption mode
- .*zrtp@sip\.example\.org any call on sip.example.org to a username ending with zrtp uses zrtp encryption mode
If the recipient address includes parameters, the previous regexes will not match, as the parameters are concatenated after the domain. Ex: alice@sip.secure-example.org;gr=urn:uuid:f81d4fae
In order to completely ignore sip:URI parameters, use (;.*)? at the end of the regex. Example:
outgoing-enc-regex=zrtp .*@sip\.secure-example\.org(;.*)?
SRTP crypto suite selection when leg B media encryption mode is SDES
When the selected media encryption mode is SDES, it is also possible to select an ordered list of SRTP crypto suites proposed in the outgoing SDP INVITE.
Available SRTP crypto suites are:
- AES_CM_128_HMAC_SHA1_80
- AES_CM_128_HMAC_SHA1_32
- AES_256_CM_HMAC_SHA1_80
- AES_256_CM_HMAC_SHA1_32
The configuration is a formatted list of:
cryptoSuiteList1 regex1 cryptoSuiteList2 regex2 ... cryptoSuiteListn regexn
with cryptoSuiteList being a ;-separated list of SRTP crypto suites.
Each regex is applied, in the given order, to the call recipient sip:URI (including parameters if any, so it can be a GRUU). The first match found determines the crypto suite list used.
If no regex matches, default to AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32
outgoing-srtp-regex=AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org
In the above example, the recipient sip:URI is matched in order with:
- .*@sip\.secure-example\.org so any call directed to an address on domain sip.secure-example.org uses the AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 suites (in that order)
- .*@sip\.example\.org any call directed to an address on domain sip.example.org uses the AES_CM_128_HMAC_SHA1_80 suite
As described in the previous section, you may want to add (;.*)? at the end of the regex to ignore sip:URI parameters.
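The first-match and fallback rules described above for outgoing-enc-regex and outgoing-srtp-regex can be checked offline before deploying a rule list. The following is an added example, not Flexisip code: parse_rules, resolve and demo are hypothetical helpers, the recipient URIs are constructed, Python's re module stands in for POSIX regex, and whole-URI matching is an assumption drawn from the page's statement that trailing parameters prevent a match.

```python
import re

# Rule lists copied from the page's examples.
ENC_CFG = r"zrtp .*@sip\.secure-example\.org dtls-srtp .*dtls@sip\.example\.org zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org"
SRTP_CFG = r"AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org"
DEFAULT_SUITES = ("AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;"
                  "AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32")

def parse_rules(value):
    """Split 'value1 regex1 value2 regex2 ...' into ordered (value, regex) rules.

    A pair whose regex does not compile is skipped together with its value,
    as the page describes; skipped pairs are returned so they can be reviewed.
    """
    tokens = value.split()
    rules, skipped = [], []
    for val, pattern in zip(tokens[0::2], tokens[1::2]):
        try:
            rules.append((val, re.compile(pattern)))
        except re.error:
            skipped.append((val, pattern))
    return rules, skipped

def resolve(rules, recipient, fallback):
    """Return the value of the first rule matching the recipient, else fallback."""
    for val, rx in rules:
        if rx.fullmatch(recipient):  # assumption: the whole URI must match
            return val
    return fallback

def demo(leg_a_mode="none"):
    """Resolve constructed recipients against the page's example rules."""
    enc, _ = parse_rules(ENC_CFG)
    hardened, _ = parse_rules(r"zrtp .*@sip\.secure-example\.org(;.*)?")
    srtp, _ = parse_rules(SRTP_CFG)
    gruu = "sip:alice@sip.secure-example.org;gr=urn:uuid:f81d4fae"  # constructed
    return {
        "plain": resolve(enc, "sip:alice@sip.secure-example.org", leg_a_mode),
        "dtls_user": resolve(enc, "sip:bob-dtls@sip.example.org", leg_a_mode),
        "gruu_page_rules": resolve(enc, gruu, leg_a_mode),  # no rule matches
        "gruu_hardened": resolve(hardened, gruu, leg_a_mode),
        "suites": resolve(srtp, "sip:carol@sip.example.org", DEFAULT_SUITES).split(";"),
        "suites_default": resolve(srtp, "sip:dave@other.test", DEFAULT_SUITES).split(";"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With an unencrypted leg A, the GRUU recipient on the secure domain resolves to none under the first rule list and to zrtp once (;.*)? is appended, which is the case to test for when a domain is meant to always get an encrypted leg B.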
Configure the proxy server to route calls to a b2bua server
# this module will be redirected to the B2BUA server.
# Use the 'filter' parameter if you need to prevent some
# requests to be redirected to the B2BUA.
[module::B2bua]
enable=true
filter=
Sip-bridge application
This section has been split into a dedicated page.