18 Jan
2018
18 Jan
'18
5:34 p.m.
Hello,
Sorry, I'm not that familiar with Kamailio. I am trying to figure out how to
configure proxy-authorization for incoming sip invites.
I've defined WITH_AUTH in the configuration file but I think this only applies to sip
register transactions.
Any insight is most appreciated.
Dave
18 Jan
18 Jan
5:37 p.m.
Hi,
No, that's not true. The same credentials should be used for authenticating invites,
and other initial requests (if applicable).
On January 18, 2018 11:34:44 AM EST, Dave & Hazel <dogbark(a)indigo.ie> wrote:
Hello,
Sorry, I'm not that familiar with Kamailio. I am trying to figure out
how to configure proxy-authorization for incoming sip invites.
I've defined WITH_AUTH in the configuration file but I think this only
applies to sip register transactions.
Any insight is most appreciated.
Dave
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Alex
--
Sent via mobile, please forgive typos and brevity.
19 Jan
19 Jan
12:59 p.m.
Hi Alex,
Thanks very much for the response. I am glad to hear that's it’s capable of
authenticating invites. Unfortunately, It isn’t working for me.
#!define WITH_MYSQL
#!define WITH_AUTH
MYSQL is enabled and the subscriber table is populated but I can dial in directly without
being prompted for authentication. The clue may well be in the kamailio.cfg I've
inherited.
Thanks again for your input,
Dave
-----Original Message-----
From: sr-users [mailto:sr-users-bounces@lists.kamailio.org] On Behalf Of Alex Balashov
Sent: Thursday, January 18, 2018 4:38 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: Re: [SR-Users] sip invite proxy-authorization
Hi,
No, that's not true. The same credentials should be used for authenticating invites,
and other initial requests (if applicable).
On January 18, 2018 11:34:44 AM EST, Dave & Hazel <dogbark(a)indigo.ie> wrote:
Hello,
Sorry, I'm not that familiar with Kamailio. I am trying to figure out
how to configure proxy-authorization for incoming sip invites.
I've defined WITH_AUTH in the configuration file but I think this only
applies to sip register transactions.
Any insight is most appreciated.
Dave
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Alex
--
Sent via mobile, please forgive typos and brevity.
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
2:56 p.m.
On Fri, Jan 19, 2018 at 11:59:52AM -0000, Dave & Hazel wrote:
MYSQL is enabled and the subscriber table is populated
but I can dial
in directly without being prompted for authentication. The clue may
well be in the kamailio.cfg I've inherited.
This is a near default config, the AUTH route should work. There is a
authentication IP whitelist in the address table, are you sending the
INVITE from a whitelisted adress?
But "dial in directly" means that you can call a local extension? If so,
that is allowed explicitly:
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
4:38 p.m.
Thanks Daniel for your support.
Maybe my choice of language could have been better. By "dial in directly", I
meant preforming a SIP INVITE without first registering with the Kamailio service
(SJ-Phone speak). I am dialling in remotely via NAT and my call is being relayed
successfully. I checked the address table but it's empty.
(I've modified the logging level in Kamailio.cfg and it's taken effect so I'm
am working on the correct configuration file)
-----Original Message-----
From: sr-users [mailto:sr-users-bounces@lists.kamailio.org] On Behalf Of Daniel Tryba
Sent: Friday, January 19, 2018 1:56 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: Re: [SR-Users] sip invite proxy-authorization
On Fri, Jan 19, 2018 at 11:59:52AM -0000, Dave & Hazel wrote:
MYSQL is enabled and the subscriber table is populated
but I can dial
in directly without being prompted for authentication. The clue may
well be in the kamailio.cfg I've inherited.
This is a near default config, the AUTH route should work. There is a authentication IP
whitelist in the address table, are you sending the INVITE from a whitelisted adress?
But "dial in directly" means that you can call a local extension? If so, that is
allowed explicitly:
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
4:57 p.m.
Hi,
On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave & Hazel wrote:
preforming a SIP INVITE without first registering with
the Kamailio
service (SJ-Phone speak). I am dialling in remotely via NAT and my
call is being relayed successfully.
Although many people are led to believe that there is some intrinsic
connection between registration and outbound calling by the way phone
UIs present these concepts, there is in fact no such connection
whatsoever.
Registration is an inbound concept, not an outbound concept. You can
make calls without being registered. You can make outbound calls using
different AAA mechanisms. Being registered in no way implies being able
to make outbound calls. They're just completely unrelated.
There is a common authentication mechanism used in both scenarios:
digest challenge authentication. As a practical matter, Kamailio sends a
407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and
a 401 Unauthorized challenge for requests of which it is the logical
destination (e.g. REGISTER), and both draw on the same set of
authentication credentials and otherwise work the same way. The AUTH
route covers both of these cases.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
5:27 p.m.
Cheers Alex for your insight.
My problem still remains in that my invites are not being challenged even though AUTH is
defined.
On 19 Jan 2018, at 15:57, Alex Balashov <abalashov(a)evaristesys.com> wrote:
Hi,
On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave &
Hazel wrote:
preforming a SIP INVITE without first registering with the Kamailio
service (SJ-Phone speak). I am dialling in remotely via NAT and my
call is being relayed successfully.
Although many people are led to believe that there is some intrinsic
connection between registration and outbound calling by the way phone
UIs present these concepts, there is in fact no such connection
whatsoever.
Registration is an inbound concept, not an outbound concept. You can
make calls without being registered. You can make outbound calls using
different AAA mechanisms. Being registered in no way implies being able
to make outbound calls. They're just completely unrelated.
There is a common authentication mechanism used in both scenarios:
digest challenge authentication. As a practical matter, Kamailio sends a
407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and
a 401 Unauthorized challenge for requests of which it is the logical
destination (e.g. REGISTER), and both draw on the same set of
authentication credentials and otherwise work the same way. The AUTH
route covers both of these cases.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
20 Jan
20 Jan
2:06 a.m.
Again, are you calling a local registeted user?
On Fri, Jan 19, 2018, 17:28 Dave & Hazel <dogbark(a)indigo.ie> wrote:
Cheers Alex for your insight.
My problem still remains in that my invites are not being challenged even
though AUTH is defined.
On 19 Jan 2018, at 15:57, Alex Balashov <abalashov(a)evaristesys.com> wrote:
Hi,
On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave
& Hazel wrote:
preforming a SIP INVITE without first registering with the Kamailio
service (SJ-Phone speak). I am dialling in remotely via NAT and my
call is being relayed successfully.
Although many people are led to believe that there is some intrinsic
connection between registration and outbound calling by the way phone
UIs present these concepts, there is in fact no such connection
whatsoever.
Registration is an inbound concept, not an outbound concept. You can
make calls without being registered. You can make outbound calls using
different AAA mechanisms. Being registered in no way implies being able
to make outbound calls. They're just completely unrelated.
There is a common authentication mechanism used in both scenarios:
digest challenge authentication. As a practical matter, Kamailio sends a
407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and
a 401 Unauthorized challenge for requests of which it is the logical
destination (e.g. REGISTER), and both draw on the same set of
authentication credentials and otherwise work the same way. The AUTH
route covers both of these cases.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
3:12 p.m.
Nope, I’m not calling a registered user. Actually, there are no registered users. The
function of the Kamailio service in this case is to relay WebRTC calls to a conferencing
bridge. The problem is that whoever set it up did so without considering the security
implications. And, in fact, it was malevolent SIP traffic hitting the bridge that lead me
to looking more closely at the Kamailio solution.
There appears to be some custom configuration around routing. I’m not sure if route(RELAY)
on its own is meant to challenge for authorisation.
#!ifdef WITH_CONFERENCEBRIDGE
if(is_method("INVITE") && (!route(FROMBRIDGE))) {
# if new call from out there -
# - non-INVITE request are routed directly by Kamailio
# - traffic from is routed also directy by Kamailio
route(TOBRIDGE);
exit;
}
#!endif
#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge
route[TOBRIDGE] {
$du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
+ $sel(cfg_get.bridge.bindport);
route(RELAY);
exit;
}
#!endif
As I short term solution to filter unwanted traffic, I’ve updated the configuration to
only relay calls using a definitive DDI.
#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge
route[TOBRIDGE] {
if($rU != "8835100xxxxx")
return -1;
$du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
+ $sel(cfg_get.bridge.bindport);
route(RELAY);
exit;
}
#!endif
Thanks guys for your help.
From: sr-users [mailto:sr-users-bounces@lists.kamailio.org] On Behalf Of David Villasmil
Sent: Saturday, January 20, 2018 1:06 AM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: Re: [SR-Users] sip invite proxy-authorization
Again, are you calling a local registeted user?
On Fri, Jan 19, 2018, 17:28 Dave & Hazel <dogbark(a)indigo.ie
<mailto:dogbark@indigo.ie> > wrote:
Cheers Alex for your insight.
My problem still remains in that my invites are not being challenged even though AUTH is
defined.
On 19 Jan 2018, at 15:57, Alex Balashov <abalashov(a)evaristesys.com
<mailto:abalashov@evaristesys.com> > wrote:
Hi,
On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave &
Hazel wrote:
preforming a SIP INVITE without first registering with the Kamailio
service (SJ-Phone speak). I am dialling in remotely via NAT and my
call is being relayed successfully.
Although many people are led to believe that there is some intrinsic
connection between registration and outbound calling by the way phone
UIs present these concepts, there is in fact no such connection
whatsoever.
Registration is an inbound concept, not an outbound concept. You can
make calls without being registered. You can make outbound calls using
different AAA mechanisms. Being registered in no way implies being able
to make outbound calls. They're just completely unrelated.
There is a common authentication mechanism used in both scenarios:
digest challenge authentication. As a practical matter, Kamailio sends a
407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and
a 401 Unauthorized challenge for requests of which it is the logical
destination (e.g. REGISTER), and both draw on the same set of
authentication credentials and otherwise work the same way. The AUTH
route covers both of these cases.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
21 Jan
21 Jan
11:45 p.m.
I doubt the relay does any authentication.
Any invite seems to be straight to that "tobridge" route which sets the
destination and relays it... there's no auth there whatsoever... you might
want to do ip auth before sending it to the "tobridge" route?
On Sat, Jan 20, 2018, 15:14 Dave & Hazel <dogbark(a)indigo.ie> wrote:
Nope, I’m not calling a registered user. Actually,
there are no registered
users. The function of the Kamailio service in this case is to relay WebRTC
calls to a conferencing bridge. The problem is that whoever set it up did
so without considering the security implications. And, in fact, it was
malevolent SIP traffic hitting the bridge that lead me to looking more
closely at the Kamailio solution.
There appears to be some custom configuration around routing. I’m not sure
if route(RELAY) on its own is meant to challenge for authorisation.
#!ifdef WITH_CONFERENCEBRIDGE
if(is_method("INVITE") && (!route(FROMBRIDGE))) {
# if new call from out there -
# - non-INVITE request are routed directly by Kamailio
# - traffic from is routed also directy by Kamailio
route(TOBRIDGE);
exit;
}
#!endif
#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge
route[TOBRIDGE] {
$du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
+ $sel(cfg_get.bridge.bindport);
route(RELAY);
exit;
}
#!endif
As I short term solution to filter unwanted traffic, I’ve updated the
configuration to only relay calls using a definitive DDI.
#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge
route[TOBRIDGE] {
* if($rU != "8835100xxxxx")*
* return -1;*
$du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
+ $sel(cfg_get.bridge.bindport);
route(RELAY);
exit;
}
#!endif
Thanks guys for your help.
*From:* sr-users [mailto:sr-users-bounces@lists.kamailio.org] *On Behalf
Of *David Villasmil
*Sent:* Saturday, January 20, 2018 1:06 AM
*To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
*Subject:* Re: [SR-Users] sip invite proxy-authorization
Again, are you calling a local registeted user?
On Fri, Jan 19, 2018, 17:28 Dave & Hazel <dogbark(a)indigo.ie> wrote:
Cheers Alex for your insight.
My problem still remains in that my invites are not being challenged even
though AUTH is defined.
On 19 Jan 2018, at 15:57, Alex Balashov <abalashov(a)evaristesys.com> wrote:
Hi,
On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave
& Hazel wrote:
preforming a SIP INVITE without first registering with the Kamailio
service (SJ-Phone speak). I am dialling in remotely via NAT and my
call is being relayed successfully.
Although many people are led to believe that there is some intrinsic
connection between registration and outbound calling by the way phone
UIs present these concepts, there is in fact no such connection
whatsoever.
Registration is an inbound concept, not an outbound concept. You can
make calls without being registered. You can make outbound calls using
different AAA mechanisms. Being registered in no way implies being able
to make outbound calls. They're just completely unrelated.
There is a common authentication mechanism used in both scenarios:
digest challenge authentication. As a practical matter, Kamailio sends a
407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and
a 401 Unauthorized challenge for requests of which it is the logical
destination (e.g. REGISTER), and both draw on the same set of
authentication credentials and otherwise work the same way. The AUTH
route covers both of these cases.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
2301
days inactive
2304
days old
9 comments
4 participants
participants (4)
-
Alex Balashov -
Daniel Tryba -
Dave & Hazel -
David Villasmil