Proxychain Experimental Source Code

Description

Proxychain [1] is an efficient, scalable and robust authentication protocol for the Session Initiation Protocol (SIP). Like a number of cellular and VoIP providers, Proxychain is built around a single centralized authentication service working with proxy nodes distributed across a wide geographic area. Proxychain reduces the impact of the latency and load associated with this architecture through the use of a modified hash chain construction. In addition to providing an efficient mechanism for mutual authentication, Proxychain also provides vastly improved scalability through the use of secure caching of temporary authentication credentials at the SIP proxies.

To evaluate its performance and scalability, Proxychain was implemented in an experimental testbed based on open source components. The test bed consisted of: a database (MySQL), several SIP proxies (OpenSIPS) and user agents generating traffic load (SIPp). The proxies and the user agents were modified to support Proxychain. In the database server, a separate a concurrent-process server application was implemented to handle the Proxychain queries from the proxies. The modifications to OpenSIPS and SIPp are available below in the form of software patches, as well as the source code for the database server module. The instructions on how to apply and use our experimental code are also provided, including example configuration files.

It is important to notice that this is experimental code and it is not intended for production environments. The code has been tested with the versions of OpenSIPS and SIPp described below. It may not work with newer versions of these components. Please contact me if you have problems or questions regarding Proxychain.

Compiling OpenSIPS 1.5.2 with Proxychain support

In OpenSIPS, only modifications to the auth_db module were required. To compile OpenSIPS (SIP proxy) with Proxychain support use the following steps:

  1. Download OpenSIPS v1.5.2 (no-TLS) source code: [opensips-1.5.2-notls_src.tar.gz]

  2. Untar the OpenSIPS source code. Then, download the Proxychain header file proxychain.h and copy it to [local_dir]/opensips-1.5.2-notls/modules/auth_db

  3. Download the patch file: [proxychain_opensips-1.5.2.patch]. Apply the patch from the directory where the OpenSIPS source directory is located:

    patch -p0 -i proxychain_opensips-1.5.2.patch

  4. Compile and install OpenSIPS with all its modules (see OpenSIPS installation options instructions for more details [OpenSIPs install instructions]):

    make include_modules="db_mysql" all

    make prefix=[installation path] install

Configuring OpenSIPS to use Proxychain

After compiling OpenSIPS with Proxychain support, new functions and parameters are available in the auth_db module. The parameters can be used in the OpenSIPS configuration file using the modparam operator (i.e., modparam("auth_db", "hc_enable", 1)). The new functions and parameters added are:

  • proxy_authorize_pc(realm, table): This function verifies credentials using Proxychain (equivalent to proxy_authorize())
  • proxy_challenge_pc(realm, 0): This function challenges the user client using Proxychain (equivalent to proxy_challenge()). The qop value is not required in Proxychain.
  • pc_enable: This parameter enables (1) or disables (0) the use of Proxychain.
  • max_users: This parameter defines the maximum number of users whose credentials are going to be stored in proxy's memory.
  • dbclient_addr: This parameter tells the proxy the IP address of the Proxychain's DB client module (the IP address of the database server).
  • dbclient_port: This parameter tells the proxy the port number (TCP) where the Proxychain's DB client module is listening for requests.
  • cache_warmup: This parameter determines if the proxy should load credentials in memory from a local file (credentials created in advance). If the value is set to 1, the proxy will read the credentials from a file at boot time. If set to 0, no credentials are loaded at boot time.
  • cache_warmup_size: This parameter tells the proxy the number of credentials to read from a local file at boot time.
  • cache_warmup_file: This parameter defines the path to the local file containing the offline credentials.
  • offset: This parameter indicates to the proxy if a offset value should be added to the user ID. This is useful when the proxies have to store a continuous subset of the total number of users.
  • prefetching: This parameter tells the proxy if the prefetching process should be started at boot time. The prefetching process queries the database for users credentials when a user has not credentials in the proxy or her credentials have expired, without requiring user action. Use 1 to start the process, 0 to disable it.
  • prefetch_delay: This parameter determines the period in seconds that the prefetching process will use to scan the users' credentials in memory to see if they are present or expired. The default value is 1 second.

An example of an OpenSIPS configuration file using Proxychain authentication for INVITE messages, preloading the credentials at boot time and no prefetching, can be downloaded here: [opensips.cfg]. An example of a file with offline credentials (200,000 users) can be downloaded here: [rand_credentials.dat].

Compiling SIPp 3.1 with support for Proxychain

    To add Proxychain support to SIPp, use the following steps:

  1. Download SIPp v3.1 source code: [sipp.3.1.src.tar.gz]

  2. Untar the SIPp source code file.

  3. Download the patch file: [proxychain_sipp-3.1.patch]. Copy it to the root of the SIPp source code directory.

  4. Apply the patch from the directory where the SIPp source directory is located:

    patch -p0 -i proxychain_sipp-3.1.patch

  5. Compile and install SIPp (see SIPp documentation for more installation details [sipp_installation]):

    make ossl

Configuring SIPp to use Proxychain

The use of Proxychain in SIPp is transparent to the user. SIPp will decide to use Proxychain based on the information in the challenge from the proxy (Proxy-Authenticate header). Specifically, when a SIPp instance receives a Proxy-Authenticate header starting with the value "PC" (instead of MD5), the SIPp instance will use Proxychain authentication instead of Digest authentication.

An example of an SIPp scenario file (-sf option) with INVITE authentication can be downloaded here: [uac_INVITE_auth.xml]. Also, a similar scenario but including BYE authentication: [uac_INVITE_BYE_auth.xml]. Finally, an example caller injection file (-inf option) can be found here: [callers.inf]

Compiling Proxychain Database Module

The DB client module is an independent process that runs in database server. To compile it, use the following steps:

  1. Download DBclient source code:[proxychain_DBclient.tgz]

  2. Untar DBclient source code and compile it: make

Configuring the Proxychain Database Module

The DBclient module has the following command options:

  • -n The length of the hash chains to be used in the users' credentials.
  • -p The TCP port number where the DBclient process will be listening for queries from the proxies.
  • -h The IP address of the database to be used by the proxies to send their queries.
  • -d The name of the MySQL database where the user information is stored.
  • -u The username to connect to the database.
  • -P The password to connect to the database.

The DBclient process should be executed as a background process. At boot time, each proxy process will establish a TCP connection with the DBclient module. The DBclient process will spawn children processes, one per proxy process. Each children DBclient process will serve the corresponding proxy process until the TCP connection expires. This is an example of how to execute the DBclient module:

./DBclient -n 10 -p 1976 -h 192.168.0.32 -d opensips -u root -P mypasswd &

Reference

  1. Italo Dacosta and Patrick Traynor, Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale VoIP Networks, The College of Computing at Georgia Tech, Atlanta, USA, Tech. Rep. GT-CS-10-03, 2010.