You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>ENUM</strong> <strong>Best</strong> <strong>Practices</strong><br />
<br />
Ing. Lukáš Macura<br />
<br />
<br />
<br />
<br />
CESNET<br />
Obchodně podnikatelská fakulta v Karviné<br />
CESNET VoIP team
Contents<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Theory<br />
Setting DNS records<br />
Using <strong>ENUM</strong> trees<br />
Implementation in Asterisk<br />
Implementation in Kamailio<br />
Common problems<br />
Security<br />
Monitoring<br />
Conclusions
Theory<br />
<br />
<br />
<br />
<br />
<br />
<strong>ENUM</strong> is defined in RFC3761<br />
It ”maps” E.164 numbers into DNS<br />
NAPTR records<br />
More trees should be used (in theory, one is<br />
enaugh)<br />
Can be implemented on phone or PBX
Theory<br />
<br />
<br />
<br />
<br />
<br />
<br />
...<br />
<strong>ENUM</strong> is not VoIP<br />
<strong>ENUM</strong> can hold any mapping<br />
Can be used for number portability (Jan Rudinsky)<br />
PhNUM -- an <strong>ENUM</strong>-based service (Carsten Schiefner)<br />
E2MD – <strong>ENUM</strong> to metadata (Bernie Hoeneisen)
Theory<br />
<br />
<br />
<br />
<br />
Which point of view?<br />
User<br />
Company<br />
Operators
Theory<br />
<br />
Scenario - e164.arpa.
Theory<br />
<br />
<br />
<br />
<br />
We want to map number (+420 123451 XXX)<br />
into (SIP) uri sip:xxxxxxxxx@firma1.cz<br />
We want to map number (+420 123452 XXX)<br />
into (SIP) uri sip:xxxxxxxxx@firma2.cz<br />
We want to map number (+420 123453 XXX)<br />
into (SIP) uri sip:xxxxxxxxx@firma3.cz<br />
Anybody can use our records to call us.
Setting DNS Records<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
We should use SRV records<br />
Anybody wants to call directly sip:xxx@firma1.cz<br />
Nobody knows our infrastructure.<br />
Where is UDP SIP server for @firma1.cz?<br />
_sip._udp IN SRV 20 0 5060 asterisk1.firma1.cz.<br />
_sip._udp IN SRV 20 0 5060 asterisk2.firma1.cz.<br />
Where is TLS SIPS server for @firma1.cz?<br />
_sips._tcp IN SRV 10 0 5061 kamailio.firma1.cz.<br />
<br />
We prefer sips uri, due to lower order (10)<br />
<br />
We want to loadbalance SIP server over two asterisks (same<br />
priority and weight)
Setting DNS Records<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Now let us setup NAPTR to make mapping<br />
Anybody wants to call +420 123451 XXX<br />
Without <strong>ENUM</strong>, user has to use PSTN and pay for call<br />
We have delegated 5.4.3.2.1.0.2.4.e164.arpa:<br />
5.4.3.2.1.0.2.4 IN NS ns.firma1.cz.<br />
So zone data are in our DNS server<br />
Entire mapping is in our zone<br />
We do not need anybody to change it<br />
It is decentralized structure, any company taking care of its<br />
records<br />
Very flexible instead of old style PSTN routing
Setting DNS Records<br />
<br />
Our zone for firma1.cz:<br />
$ORIGIN firma1.cz.<br />
_sip._udp IN SRV 20 0 5060 asterisk1.firma1.cz.<br />
_sip._udp IN SRV 20 0 5060 asterisk2.firma1.cz.<br />
_sips._tcp IN SRV 10 0 5061 kamailio.firma1.cz.<br />
Asterisk1 IN A 192.168.1.1 ; Yes, this is bad ;)<br />
Asterisk2 IN A 192.168.1.2 ; Yes, this is bad ;)<br />
Kamailio IN A 192.168.2.1; Yes, this is bad ;)<br />
Kamailio IN AAAA .... ; For ipv6 ready systems
Setting DNS Records<br />
<br />
<br />
<br />
<br />
<br />
Our zone for <strong>ENUM</strong> queries:<br />
All numbers will be stripped to national format (9 numbers) and<br />
forwarded to our SIP server.<br />
+420 123451 110 is echo test<br />
+420 123451 111 is switchboard<br />
We use '*' records, it is easier for us<br />
$ORIGIN 1.5.4.3.2.1.0.2.4.e164.arpa.<br />
* IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420(.*)$!sip:\\1@firma1.cz!" .<br />
*.1 IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420(.*)$!sip:\\1@firma1.cz!" .<br />
*.1.1. IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420(.*)$!sip:\\1@firma1.cz!" .<br />
0.1.1 IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420123451110$!sip:echo@firma1.cz!" .<br />
1.1.1 IN NAPTR 100 10 "u" "E2U+sip" "!^\\+420123451111$!sip:switchboard@firma1.cz!" .
Using <strong>ENUM</strong> trees<br />
<br />
<br />
<br />
<br />
<br />
It is needed to use more trees<br />
First, internal query<br />
Second, e164.arpa.<br />
Third, nrenum.net.<br />
Optionaly, e164.org.<br />
<br />
<br />
Hint: It can take some time to ask all servers<br />
Use local caching dns server
Using <strong>ENUM</strong> trees<br />
<br />
<br />
<br />
<br />
<br />
<br />
Internal query<br />
It is highly recomended for large institutions<br />
Especialy for organizations with decentralized<br />
management<br />
Like CESNET (autonomous subjects has their<br />
numbers and systems)<br />
Hard to maintain ”central” table of routes.<br />
Better to use decentralized tree with delegated<br />
DNS servers.
Using <strong>ENUM</strong> trees<br />
<br />
<br />
<br />
<br />
<br />
<br />
Internal infrastructure – group of companies<br />
e164.companies.cz.<br />
All companies will use this zone first<br />
Each zone is delegated to DNS server of<br />
particular company<br />
Very flexible<br />
Looks like central routing, but in fact, delegated<br />
and decentralistic
Implementation in Asterisk<br />
sip.conf<br />
<br />
<br />
<br />
<br />
<br />
<br />
[general]<br />
context=guest<br />
allowguest=yes<br />
realm=firma1.cz<br />
srvlookup=yes<br />
domain=firma1.cz
Implementation in Asterisk<br />
RFC Compliant <strong>ENUM</strong> macro:<br />
http://www.voip-info.org/wiki/view/RFC+Compliant+<strong>ENUM</strong>+Macro<br />
•<br />
It should handle all common uris<br />
•<br />
Asterisk knows more protocols than SIP<br />
•<br />
It handles all of protocols known to Asterisk<br />
<br />
<br />
<br />
Callable via dialplan:<br />
Macro(routeenum,${EXTEN})<br />
Expects international number with '+'
Implementation in Kamailio<br />
Entire config is out of scope of this document<br />
loadmodule ”enum.so”<br />
modparam("enum", "domain_suffix", "e164.arpa.")<br />
; Somewhere in routing block:<br />
if (enum_query(”e164.companies.cz.”) { ; Internal query<br />
}<br />
route(RELAY);<br />
if (enum_query(”e164.arpa.”) { ; e164.arpa. query<br />
}<br />
route(RELAY);<br />
if (enum_query(”nrenum.net.”) { ; nrenum.net. query<br />
}<br />
route(RELAY);<br />
;Normal routing<br />
}
Implementation in Kamailio<br />
Hints:<br />
•<br />
Do not forget to prefix '+' to called number (function prefix())<br />
•<br />
You can use any zone as parameter of enum_query<br />
•<br />
enum_query(”nrenum.net”)<br />
•<br />
Put it on right place to right routing block<br />
•<br />
enum_query will rewrite uri so it is enaught to relay message,<br />
no next modifications are needed
Implementation in Kamailio<br />
<br />
Kam3cfg<br />
<br />
./kam3cfg.php --global-prefix '+420' \<br />
--local-domains<br />
'opf.slu.cz^sip.opf.slu.cz^fpf.slu.cz' \<br />
--with-enum \<br />
--enum-suffixes<br />
'e164.arpa.^nrenum.net^e164.org' \<br />
--subscribers \<br />
'123456789@opf.slu.cz/pass/authid
Implementation in Kamailio<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Kam3cfg<br />
”highly” configurable<br />
”easy” to use<br />
Result is config file<br />
Can be edited after it<br />
Supports LDAP, SQL, <strong>ENUM</strong>, …<br />
Uses smarty as template engine<br />
Can be theoreticaly used for opensips<br />
<br />
It is beta release, no warranty ;)
Common problems<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Take care of DNS zone config<br />
Do not forget to normalize number to<br />
international form with '+'<br />
Use right versions of software (Bugs in Asterisk<br />
even Kamailio)<br />
Small change to DNS can break many clents<br />
Better to use ”less complicated' DNS records<br />
Decentralized means we trust all subnodes<br />
Advantages can becomes disadvantages
Common Problems<br />
<br />
Revalidation of zones<br />
<br />
<br />
No registry to ask<br />
Users forgets it<br />
<br />
<br />
No technical solution now<br />
Dead zones<br />
<br />
<br />
CESNET has <strong>ENUM</strong> zones monitoring tool<br />
Helps to find:<br />
<br />
<br />
<br />
Which zones are expired<br />
Which zones will expire in short future<br />
Common mistakes in zone config
Security<br />
<br />
<br />
<br />
<br />
We are trusting DNS system<br />
It is possible to fake response<br />
We need DNSSEC infrastructure<br />
More problems to solve<br />
<br />
<br />
<br />
Not all trees are signed<br />
We have to use DNSSEC resolvers<br />
Not supported in many applications
Conclusions<br />
<br />
Use <strong>ENUM</strong>! ;)<br />
<br />
But don't trust anybody<br />
<br />
<br />
Ing. Lukas Macura<br />
CESNET