[Serusers] Access control on PSTN gateways

Jiri Kuthan jiri at iptel.org
Wed Jan 15 15:42:07 CET 2003


<sorry>for delay, I'm travelling</sorry>

At 09:59 PM 1/14/2003, Michael Graff wrote:
>Jiri Kuthan <jiri at iptel.org> writes:
>
>> - rewriting From at a quite high risk of interoperability problems
>
>If this is only used between this specific PSTN gateway (a Cisco box)
>and SER (we require it to be in the loop for this PSTN path) this may
>be the fastest way.  It is a 1:1 translation anyway, so we could
>really say "from source SER s/graff at isc.org/65077970xx at isc.org/ and
>reverse the translation on the other way (or just let it talk directly
>to us, since that's not the problem direction.)
>
>Yes, I know it's a hack, and not a long-term fix.  I think the NAI
>thing seems like the fix we'd want.
>
>When is SIP 3.x coming out that fixes all the NAT, proxy, and other
>protocol issues?  Sorry, I'm being cynical.  :)

Well, I am not happy either about the IETF's pace and ignorance of issues related
to SIP operation -- vendors and marketeers are there simply ahead of operators.

I'm trying to think out how your hack would be implementable. We would have
to enforce record-routing so that subsequent transactions can be rewritten
too.  A SAT module (SIP Address Translation :)) would rewrite URI in From
of both initial requests, and their replies. 

It would take transaction processing as long as some transactions may be
rewritten, some not and one needs to 'remember' replies of which transactions
shall be rewritten. 

We then still need to be able to rewrite transactions originated by the
called party, i.e., if called gateways send a BYE with "650" in To, it needs
to be rewritten back to "mike". The caller would otherwise very likely
not recognize the BYE as a part of an ongoing transaction. A hack to achieve
that might be the use of a new record-routing parameter. The parameter would tell
"this belongs to a translated dialog and needs to be translated too".
The parameter could include the original address as well as the rewritten
one -- that would save an additional database lookup. It could look like
    ;satin=mike at foo.bar;satout=650 at foo.bar.
If a request from caller (satin=from) hits the proxy, it now knows how to rewrite
From: without database lookup. If a request from callee arrives (satout=to), the
server knows too and rewrites To header field reversely.

Does it sound reasonable?

-Jiri 
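
The satin/satout idea from the message above, sketched as an added example (not part of the original message and not SER code). It covers in-dialog requests only, not the reply rewriting that needs transaction state. The function names, the sample addresses, and the %40 escaping of "@" inside the parameter value are assumptions.

```python
import re
from urllib.parse import unquote

# ;satin= / ;satout= are the parameter names proposed in the message above.
SAT_PARAM = re.compile(r";(satin|satout)=([^;>\s]+)")
SIP_ADDR = re.compile(r"sip:([^;>\s]+)")

def parse_sat(route):
    """Return (satin, satout) from a Route value, or None if the dialog is untranslated."""
    # Assumption: "@" is escaped as %40, since it is not a legal bare URI-parameter character.
    params = {k: unquote(v) for k, v in SAT_PARAM.findall(route)}
    if "satin" in params and "satout" in params:
        return params["satin"], params["satout"]
    return None

def addr_of(header):
    """Extract user@host from a From/To header value, or None."""
    m = SIP_ADDR.search(header or "")
    return m.group(1) if m else None

def translate(headers):
    """Rewrite From (caller side) or To (callee side) using only the Route parameter."""
    out = dict(headers)
    sat = parse_sat(headers.get("Route", ""))
    if sat is None:
        return out                      # no parameter: leave the request alone
    satin, satout = sat
    if addr_of(headers.get("From")) == satin:
        # Request from the caller: From goes satin -> satout, no database lookup.
        out["From"] = headers["From"].replace("sip:" + satin, "sip:" + satout, 1)
    elif addr_of(headers.get("To")) == satout:
        # Request from the callee (e.g. a gateway BYE): To goes satout -> satin.
        out["To"] = headers["To"].replace("sip:" + satout, "sip:" + satin, 1)
    return out

# Constructed sample messages (header subset only).
ROUTE = "<sip:proxy.foo.bar;lr;satin=mike%40foo.bar;satout=650%40foo.bar>"
CALLER_REQ = {"Route": ROUTE, "From": "<sip:mike@foo.bar>;tag=a1",
              "To": "<sip:gw@pstn.foo.bar>;tag=b2"}
CALLEE_BYE = {"Route": ROUTE, "From": "<sip:gw@pstn.foo.bar>;tag=b2",
              "To": "<sip:650@foo.bar>;tag=a1"}

if __name__ == "__main__":
    for msg in (CALLER_REQ, CALLEE_BYE):
        print(translate(msg))
```

The parameter is echoed back by the endpoints in Route, so the proxy receives it as endpoint-supplied input rather than as its own state.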



