[Serusers] Advice needed

Greger V. Teigre greger at teigre.com
Sun May 22 08:57:36 CEST 2005


See inline.

Michael Ulitskiy wrote:
> On Saturday 21 May 2005 02:31 am, you wrote:
>> I would say SER is what you need, except that you struggle with the
>> authentication.  You have the following scenarios:
>> 1. PSTN termination with IP-based access control (easiest)
>> 2. PSTN termination with authentication of all INVITEs (yes, that's
>> the UAC module. You should contact the maintainer,  Ramona-Elena
>> Modroiu about the status. I thought it was reported to work, but
>> haven't tried myself)
>> 3. PSTN termination with registration and authentication of REGISTER
>> (but not INVITEs).  Use sipsak to generate a REGISTER for your box.
>>
>> #2 requires that all INVITEs are sent twice and is not a very good
>> option. I would seek out PSTN providers who will give you #1.
>> g-)
>
> UAC module doesn't work and I think won't work unless ser is made
> call-stateful, 'cause it needs to adjust cseq within dialog. I
> posted my findings to this list several days ago (UAC module
> (backport to 0.9.0)). Nobody replied so I guess nobody knows the
> way to make it work.

I saw your post on serusers, yes, but not on serdev. Because you cannot make 
a module work doesn't mean it doesn't work for all, so as I said, if you 
have found a bug, post it to serdev (preferably) or directly to the 
maintainer. That's the way open source software works...

> As for ip auth I guess it's just not good enough. UDP invites don't
> require any handshake; it's not hard at all to spoof an ip address. I
> believe sending 2 invites is worth the security it actually adds.

Yes, but you can also do TCP.

> Also I don't understand what you mean by #3. Taking ip address from
> authenticated REGISTER and then doing IP auth on that?

No, using sipsak to actually do a REGISTER on behalf of your ser. No IP 
auth, basically it makes your ser a registered client of the GW.  Of course, 
if INVITEs still must be authenticated, you are back to the UAC module 
problem.

g-)


> Thanks,
>
> Michael
>
>> Michael Ulitskiy wrote:
>>> Hello,
>>>
>>> I'd like to ask for advice on what is in your opinion the best solution
>>> in the following scenario.
>>> I have a bunch of sip servers (asterisk boxes as my users need pbx
>>> functionality) that can make sip calls to each other and my PSTN
>>> gateway. Now I want to purchase PSTN termination in several
>>> different markets (and probably more in the future). All those
>>> terminations will require authentication.
>>> I want all my boxes when they see non-local call to send it to a
>>> central routing server that would determine where this call should
>>> be sent and authenticate to the appropriate provider so that I don't
>>> have to configure all credentials on all asterisk boxes. Also I want
>>> it not to deal with the media at all. All media streams should go
>>> directly from asterisk box to the PSTN termination provider.
>>> So basically it should be central SIP router that is able to
>>> authenticate calls if necessary.
>>> I thought I could do it with SER and its UAC module, but it appears
>>> UAC module doesn't work and probably won't work (see my previous
>>> post in this list about UAC backport to 0.9.0).
>>> Also I don't want to use asterisk in this place as asterisk always
>>> wants to stay in media path and I'd really like to avoid getting
>>> into the hassle with re-invites.
>>> So the question is what are my options and what you would advise
>>> as a solution. Is there any software out there that can do it
>>> (preferably open-source, of course) or what else you could suggest
>>> to do to get desired results.
>>> Thanks a lot,
>>
>>
>
> --
> See you later,
>                    Michael
>
>
> ------------------------------------------------------- 
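
The thread's points that scenario #2 sends every INVITE twice and that the relay has to adjust CSeq can be seen in the sketch below, which is an added example and not code from this thread, from SER or from its UAC module. It computes the RFC 2617 MD5 digest that SIP reuses and builds the second INVITE from a provider's 407 challenge; the host names, user, password and nonce are constructed for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest; SIP applies it to the SIP method and Request-URI."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def retry_invite(first_invite, challenge, user, password):
    """Build the second INVITE: same Call-ID, CSeq + 1, credentials added."""
    head, _, body = first_invite.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    ch = dict(re.findall(r'(\w+)="([^"]*)"', challenge))  # realm, nonce
    resp = digest_response(user, ch["realm"], password, method, uri, ch["nonce"])
    out = []
    for line in lines:
        if line.lower().startswith("cseq:"):
            num, meth = line.split(":", 1)[1].split()
            line = f"CSeq: {int(num) + 1} {meth}"  # the adjustment the relay must track
        out.append(line)
    out.append(f'Proxy-Authorization: Digest username="{user}", '
               f'realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
               f'uri="{uri}", response="{resp}"')
    return "\r\n".join(out) + "\r\n\r\n" + body

# Constructed sample: trimmed first INVITE (Via, Contact and SDP omitted) and
# the Proxy-Authenticate value from the provider's 407 reply. All hosts, the
# nonce and the credentials are made up for illustration.
FIRST_INVITE = ("INVITE sip:15551230000@gw.example.net SIP/2.0\r\n"
                "From: <sip:router@example.org>;tag=constructed\r\n"
                "To: <sip:15551230000@gw.example.net>\r\n"
                "Call-ID: constructed-call-1@router.example.org\r\n"
                "CSeq: 1 INVITE\r\n\r\n")
CHALLENGE = 'Digest realm="gw.example.net", nonce="constructed0nonce"'

if __name__ == "__main__":
    print(retry_invite(FIRST_INVITE, CHALLENGE, "router", "constructed-secret"))
```

Because the provider now sees CSeq 2 while the originating box is still at CSeq 1, every later in-dialog request has to be renumbered in both directions, which is the per-call state the quoted message refers to.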



