[Serusers] avpops and ip based auth

Iqbal iqbal at gigo.co.uk
Thu Jun 23 14:57:51 CEST 2005


Hi

I am using trusted mainly for inbound routes from my gateway to ser for 
inbound calling via pstn numbers mapped to IP phones. (I do think that 
trusted module/patch bound to gateways listed in lcr could be a good idea).

Now what I am looking for is to take several devices/gateways and have 
them hit ser but ignore all auth, i.e. no user/pass combos, but just 
detect IPs. I think I can get them to all have external IP adds, which 
would remove the problems of private IPs being used by other devices.

My main problem is resource usage in all the scenarios, minimum DB hits 
is obviously best, let's assume the gateway will initiate 10000 calls 
(just to have a large number :-)), and let's say all these calls are of 10 
secs each, if I had to auth each call every time that would be a pain, 
however if I could auth once, and from there on in, just let all calls 
pass, and re-check the auth every so often (let's say once per hour) then 
that's fine.

In terms of billing it would be per gateway, but I would need to break 
down per call, which shouldn't be hard since they would all have diff 
destinations I guess.

Trying to find the best scenario for a one time auth system with minimal 
db lookups in it.

iqbal

Greger V. Teigre wrote:

> I would say that as allow_trusted uses a cached (and I believe hashed) 
> list of IP addresses to match against, it is better suited for non-(or 
> low) dynamic data like trusted peers etc. avpops is better suited for 
> subscriber specific operations (as avpops will do the DB every time) 
> and thus larger number of IPs and dynamic data.
>    Are you thinking about storing the IPs with avp_db_store for each 
> register and then just allow any IP you have stored?  This would save 
> you some DB cycles probably (and some SIP messages) as you only do one 
> lookup and no digest challenge for INVITEs.  You would then allow 
> anybody behind a given NAT and again IP-based auth on UDP is not 
> really secure.
>    And of course, you would probably need a way to expire the IPs?!
>
> Or have I misunderstood completely? What are you trying to achieve?
> g-)
>
> Iqbal wrote:
>
>> allow_trusted I already use, just wanted to know which is better, or
>> is it just personal preference here. If either is used and looking by
>> the acc table billing could still be pulled even though no
>> username/password..any inputs here.
>>
>> Iqbal
>>
>> On 6/23/2005, "Greger V. Teigre" <greger at teigre.com> wrote:
>>
>>> Have you looked at allow_trusted() in (I believe) the domain module.
>>> In fact, when I come to think of it, maybe the functions are
>>> undocumented. I'm on GPRS right now, but I'll check when I get back
>>> over the weekend. You populate the trusted table and use
>>> allow_trusted() before auth of INVITEs (and probably assume that
>>> you don't get REGISTERs). There is also a FIFO command to reload the
>>> trusted table. I guess it's feasible to use REGISTER to store a new
>>> IP after a successful auth and then use IP for INVITEs.
>>>    Ref. an earlier discussion, using IP for UDP is not really good
>>> security-wise, you should use TCP.
>>> g-)
>>>
>>> Iqbal wrote:
>>>
>>>> Hi
>>>>
>>>> If I use avpops for IP based auth, and drop the normal
>>>> username/password combo, aside from spoofing what is the downside if
>>>> any. Also if I do IP based auth, can I auth once, and be done with
>>>> it, or is it auth once per call? I guess it's once per call, if so is
>>>> there any way to bypass auth completely for a particular IP address,
>>>> again I am assuming no, since the IP will still need to be checked
>>>> for each request.
>>>> Iqbal
>>>>
>>>> _______________________________________________
>>>> Serusers mailing list
>>>> serusers at lists.iptel.org
>>>> http://lists.iptel.org/mailman/listinfo/serusers 
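A ser.cfg fragment, added here as an example and not taken from any poster in this thread, showing the ordering Greger describes: allow_trusted() is evaluated before digest auth on INVITEs, so gateways listed in the trusted table are matched against the in-memory list and never cost a per-call DB lookup, while everything else is still challenged. Module paths, the realm, the db_url and the accounting flag number are placeholders/assumptions.

```ser
# Added example config (not from the thread). Paths, realm, db_url and
# flag numbers below are assumptions; adjust to your installation.
loadmodule "/usr/lib/ser/modules/sl.so"
loadmodule "/usr/lib/ser/modules/permissions.so"
loadmodule "/usr/lib/ser/modules/auth.so"
loadmodule "/usr/lib/ser/modules/auth_db.so"
loadmodule "/usr/lib/ser/modules/acc.so"

# permissions loads the trusted table into memory at startup and on the
# FIFO reload command, so allow_trusted() itself does no DB query per call.
modparam("permissions", "db_url", "mysql://ser:PASSWORD_PLACEHOLDER@localhost/ser")
modparam("auth_db", "db_url", "mysql://ser:PASSWORD_PLACEHOLDER@localhost/ser")

# Flag 1 marks a transaction for accounting (assumed flag number).
modparam("acc", "log_flag", 1)

route {
    if (method == "INVITE") {
        # Gateways in the trusted table skip digest auth entirely: one
        # memory lookup, no 407 challenge, no subscriber table hit.
        # Caveat from the thread: this matches on source IP only, so over
        # UDP it is spoofable; carry trusted peers over TCP where possible.
        if (!allow_trusted()) {
            # Everyone else must present valid digest credentials.
            if (!proxy_authorize("example.com", "subscriber")) {
                proxy_challenge("example.com", "0");
                break;
            };
            consume_credentials();
        };
        # Accounting is flagged regardless of how the call was authorised,
        # so per-call billing records exist for IP-trusted gateways too.
        setflag(1);
    };
    # ... normal routing (lookup, record_route, t_relay) follows here
}
```

Refreshing the trusted list after editing the table is the FIFO reload Greger mentions; the hourly "re-check" Iqbal asks about then becomes a matter of when that reload is issued, not a per-call DB query.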
