Been struggling with this for a while now.
So far I am finding it rather difficult to come up with a way to authenticate SIP trunks taking into account all possible scenarios. My setup is Kamailio combined with Asterisk realtime. Everything is in a MySQL database. All authentication is done by Kamailio. Kamailio handles SIP extension (user) authentication quite well but seems poorly equipped for SIP trunk (peer) authentication. The biggest problem I have run into so far is that SIP trunks typically use DNS names and Kamailio is not at all designed to use DNS names. Also SIP trunks do not use named "realms", whereas that is a key part of Kamailio authentication.
For IP authentication about the only solution I have found is to DNS lookup and save all returned IP addresses in the ip_addr mysql table.
Then I do:
#!ifdef WITH_IPAUTH
    if((!is_method("REGISTER")) && allow_source_address() && $au == "") {
        # source IP allowed
        return;
    }
#!endif
I can run a cron job every hour to DNS lookup and update the ip_addr table as needed so I think this is a satisfactory solution for IP authentication.
SIP trunk user/pass authentication is the one I am now struggling with. This standard Kamailio authentication section does not work for SIP trunks.
if (is_method("REGISTER|INVITE") || from_uri==myself) {
    # authenticate requests
    #if (!auth_check("$fd", "subscriber", "1")) {
    if (!auth_check("$fd", "subscriber", "0")) {
        auth_challenge("$fd", "0");
        exit;
    }
    # user authenticated - remove auth header
    if(!is_method("REGISTER|PUBLISH"))
        consume_credentials();
}
This is a multidomain setup and therefore:
modparam("auth_db", "use_domain", 1)
So the authentication section will try to authenticate the realm of the trunk, which will always be an IP address. However the SIP trunk realm will usually be saved in the "subscriber" database as the FQDN. There is no mechanism for auth_check() to directly or indirectly check against the FQDN. The other problem is that even if I used the ip_addr table somehow it will only try to use the user/pass of the first instance of a matching IP address. For SIP trunks it is possible I could have multiple subaccounts and therefore multiple instances of the same IP with different user/pass. So auth_check() is not designed for being used this way as far as I can tell.
Seems to me like there should almost be a special Kamailio module just for SIP trunks. I had a look at the carrierroute module; it's not designed for this either.
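As an added illustration, not taken from the thread, of why the realm matters in the problem described above: a small RFC 2617 digest verifier with constructed credentials. It accepts the trunk's Authorization header when the trunk echoes the FQDN realm the subscriber row was stored under, and rejects it when the trunk substitutes the proxy IP as the realm. The username, password, hostname, IP address and nonce are all made up for the example.

```python
import hashlib
import re

# Constructed sample values for this example; none of them come from the thread.
TRUNK_USER = "trunk1001"
TRUNK_PASSWORD = "example-secret"
TRUNK_FQDN = "sip.trunk-provider.example"  # realm the subscriber row is stored under
PROXY_IP = "203.0.113.10"                  # realm a trunk echoes back instead
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
REQ_URI = "sip:15551234567@203.0.113.10"

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 HA1 bakes the realm into the secret, so a row stored under the
    # FQDN realm can never verify a response the peer computed with the IP realm.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")

def parse_authorization(header: str) -> dict:
    """Split a Digest Authorization header into its quoted/unquoted parameters."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

def verify(header: str, method: str, stored_ha1: str, stored_realm: str) -> str:
    """What the proxy side does with a pre-computed HA1 row for the trunk."""
    p = parse_authorization(header)
    if p.get("realm") != stored_realm:
        return "realm-mismatch"  # the lookup would hit the wrong domain row
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"])
    return "ok" if expected == p["response"] else "bad-response"

def trunk_reply(realm: str) -> str:
    """The Authorization header a trunk sends back; the realm string is its choice."""
    resp = digest_response(ha1(TRUNK_USER, realm, TRUNK_PASSWORD), "INVITE", REQ_URI, NONCE)
    return (f'Digest username="{TRUNK_USER}", realm="{realm}", nonce="{NONCE}", '
            f'uri="{REQ_URI}", response="{resp}"')

STORED_HA1 = ha1(TRUNK_USER, TRUNK_FQDN, TRUNK_PASSWORD)

if __name__ == "__main__":
    print(verify(trunk_reply(TRUNK_FQDN), "INVITE", STORED_HA1, TRUNK_FQDN))  # ok
    print(verify(trunk_reply(PROXY_IP), "INVITE", STORED_HA1, TRUNK_FQDN))    # realm-mismatch
```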
On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
I can run a cron job every hour to DNS lookup and update the ip_addr table as needed so I think this is a satisfactory solution for IP authentication.
Is there a mechanism to identify all originating servers for a hostname/domain? If the answer is no (and AFAIK it is) then this solution doesn't work.
I used this in the past: a subscriber has a userpref with an ip/port combo. But this isn't an answer for subaccounts on trunks (unless you can get the sender to actually use different ports). 3 is the whitelist for IP addresses on record. I abandoned this due to too many problems with trunks; they just have to authenticate or go elsewhere.
BTW only for TCP since UDP sources can be spoofed. I guess the best way is to use TLS with certificate verification (good luck getting the trunks to implement this :)
route[AUTHENTICATE] {
    if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp") {
        # source ip/port is in whitelist group 3; map it back to a username
        if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$td' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1")) {
            xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
            sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
            exit;
        }
        $avp(au)=$avp(i:1);
    } else {
        # everybody else has to do digest authentication against the subscriber table
        if (!www_authenticate("$td", "subscriber")) {
            xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP: $si:$sp)\n");
            www_challenge("$td", "1");
            exit;
        }
        $avp(au)=$au;
        consume_credentials();
    }
}
It looks like auth_check() will work. It seems intelligent enough to scan all instances of the same domain as long as the username is unique so that should get things working.
The problem here is that there is a fundamental difference between Asterisk and Kamailio authentication. Asterisk authentication works with FQDN or IP. However, Kamailio is not designed to authenticate anything with FQDN unless it is also a realm and identified as such by the UA. I believe that is the main issue here. SIP trunks typically do not use or care about realm. So after the initial invite response from Kamailio the SIP trunk provider typically responds with the IP address as the realm.
It does almost seem like there should be a special module to deal with this sort of thing. None of the existing modules seem to be the right fit.
On 19 Mar 2015, at 18:38, canuck15 canuck15@hotmail.com wrote:
It looks like auth_check() will work. It seems intelligent enough to scan all instances of the same domain as long as the username is unique so that should get things working.
The problem here is that there is a fundamental difference between Asterisk and Kamailio authentication. Asterisk authentication works with FQDN or IP. However, Kamailio is not designed to authenticate anything with FQDN unless it is also a realm and identified as such by the UA. I believe that is the main issue here. SIP trunks typically do not use or care about realm. So after the initial invite response from Kamailio the SIP trunk provider typically responds with the IP address as the realm.
Asterisk authentication is kind of broken - it disregards the domain and is based on the user name, or only uses IP/port. Many years ago I worked on adding multiple domain support in Asterisk - part of the code is still there. Then the project leader added a huge patch for single-domain TLS and I gave up that work.
Kamailio is much more flexible. While the auth module only handles realm, you can easily connect the account to a set of specific From: SIP URIs and do a full authentication and authorization scheme that works as you want. You can build it in a number of ways - which makes it very much more SIP-compliant and flexible.
It does almost seem like there should be a special module to deal with this sort of thing. None of the existing modules seem to be the right fit.
Kamailio is a toolkit. Don't take a single module as the only solution. It's like Linux: you combine a set of small functions and build solutions. Very different from Asterisk.
I don't think we need a new module. You can already build stuff like this by combining functionality in different modules.
/O
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
I suggest you use TLS common names to identify servers behind your trunks.
-- juha
Please keep in mind that I have no control over SIP trunk providers.
The vast majority do not allow me to do any of these things as far as I know. This is something that needs to be solved in Kamailio with standard user/pass/realm authentication. TLS is not an option for me.
canuck15 writes:
The vast majority do not allow me to do any of these things as far as I know. This is something that needs to be solved in Kamailio with standard user/pass/realm authentication. TLS is not an option for me.
then the vast majority don't care a bit about security, which is very bad for your customers.
-- juha