<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-IE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Nope, I’m not calling a registered user. Actually, there are no registered users. The function of the Kamailio service in this case is to relay WebRTC calls to a conferencing bridge. The problem is that whoever set it up did so without considering the security implications. And, in fact, it was malevolent SIP traffic hitting the bridge that led me to look more closely at the Kamailio solution.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>There appears to be some custom configuration around routing. I’m not sure if route(RELAY) on its own is meant to challenge for authorisation.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>#!ifdef WITH_CONFERENCEBRIDGE<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     if(is_method("INVITE") && (!route(FROMBRIDGE))) {<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           # if new call from out there - <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           # - non-INVITE requests are routed 
directly by Kamailio<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           # - traffic from is routed also directly by Kamailio<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           route(TOBRIDGE);<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           exit;<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     }<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>#!endif<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>#!ifdef WITH_CONFERENCEBRIDGE<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'># Send to bridge<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>route[TOBRIDGE] {<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     $du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"<o:p></o:p></span></p><p class=MsoNormal 
style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>                + $sel(cfg_get.bridge.bindport);<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     route(RELAY);<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     exit;<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>}<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>#!endif<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>As a short-term solution to filter unwanted traffic, I’ve updated the configuration to only relay calls using a definitive DDI.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>#!ifdef WITH_CONFERENCEBRIDGE<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'># Send to bridge<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier 
New";mso-fareast-language:EN-US'>route[TOBRIDGE] {<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     if($rU != "8835100xxxxx")<o:p></o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>           return -1;<o:p></o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     $du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>                + $sel(cfg_get.bridge.bindport);<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     route(RELAY);<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>     exit;<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>}<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Courier New";mso-fareast-language:EN-US'>#!endif<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Thanks guys for your help.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> sr-users [mailto:sr-users-bounces@lists.kamailio.org] <b>On Behalf Of </b>David Villasmil<br><b>Sent:</b> Saturday, January 20, 2018 1:06 AM<br><b>To:</b> Kamailio (SER) - Users Mailing List &lt;sr-users@lists.kamailio.org&gt;<br><b>Subject:</b> Re: [SR-Users] sip invite proxy-authorization<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p>Again, are you calling a local registered user?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, Jan 19, 2018, 17:28 Dave & Hazel &lt;<a href="mailto:dogbark@indigo.ie">dogbark@indigo.ie</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>Cheers Alex for your insight.<br><br>My problem still remains in that my invites are not being challenged even though AUTH is defined.<br><br>On 19 Jan 2018, at 15:57, Alex Balashov &lt;<a href="mailto:abalashov@evaristesys.com" target="_blank">abalashov@evaristesys.com</a>&gt; wrote:<br><br>Hi,<br><br>> On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave & Hazel wrote:<br>><br>> performing a SIP INVITE without first registering with the Kamailio<br>> service (SJ-Phone speak). 
I am dialling in remotely via NAT and my<br>> call is being relayed successfully.<br><br>Although many people are led to believe that there is some intrinsic<br>connection between registration and outbound calling by the way phone<br>UIs present these concepts, there is in fact no such connection<br>whatsoever.<br><br>Registration is an inbound concept, not an outbound concept. You can<br>make calls without being registered. You can make outbound calls using<br>different AAA mechanisms. Being registered in no way implies being able<br>to make outbound calls. They're just completely unrelated.<br><br>There is a common authentication mechanism used in both scenarios:<br>digest challenge authentication. As a practical matter, Kamailio sends a<br>407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and<br>a 401 Unauthorized challenge for requests of which it is the logical<br>destination (e.g. REGISTER), and both draw on the same set of<br>authentication credentials and otherwise work the same way. 
The AUTH<br>route covers both of these cases.<br><br>-- Alex<br><br>--<br>Alex Balashov | Principal | Evariste Systems LLC<br><br>Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)<br>Web: <a href="http://www.evaristesys.com/" target="_blank">http://www.evaristesys.com/</a>, <a href="http://www.csrpswitch.com/" target="_blank">http://www.csrpswitch.com/</a><br><br>_______________________________________________<br>Kamailio (SER) - Users Mailing List<br><a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br><br><br>_______________________________________________<br>Kamailio (SER) - Users Mailing List<br><a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><o:p></o:p></p></blockquote></div></div></body></html>