[Serusers] Advice needed

Michael Ulitskiy mdu113 at acedsl.com
Mon May 23 18:19:30 CEST 2005


On Sunday 22 May 2005 02:57 am, you wrote:
> See inline.
> 
> Michael Ulitskiy wrote:
> > On Saturday 21 May 2005 02:31 am, you wrote:
> >> I would say SER is what you need, except that you struggle with the
> >> authentication.  You have the following scenarios:
> >> 1. PSTN termination with IP-based access control (easiest)
> >> 2. PSTN termination with authentication of all INVITEs (yes, that's
> >> the UAC module. You should contact the maintainer,  Ramona-Elena
> >> Modroiu about the status. I thought it was reported to work, but
> >> haven't tried myself)
> >> 3. PSTN termination with registration and authentication of REGISTER
> >> (but not INVITEs).  Use sipsak to generate a REGISTER for your box.
> >>
> >> #2 requires that all INVITEs are sent twice and is not a very good
> >> option. I would seek out PSTN providers who will give you #1.
> >> g-)
> >
> > UAC module doesn't work and I think won't work unless ser is made
> > call-stateful, 'cause it needs to adjust cseq within dialog. I
> > posted my findings to this list several days ago (UAC module
> > (backport to 0.9.0)). Nobody replied so I guess nobody knows the
> > way to make it work.
> 
> I saw your post on serusers, yes, but not on serdev. Because you cannot make 
> a module work, doesn't mean it doesn't work for all, so as I said, if you 
> have found a bug, post it to serdev (preferably) or directly to the 
> maintainer. That's the way open source software works...

Will do. Just wanted to get some feedback, 'cause it's always possible that I overlooked
something :)
 
> > As for IP auth I guess it's just not good enough. UDP INVITEs don't
> > require any handshake; it's not hard at all to spoof an IP address. I
> > believe sending 2 INVITEs is worth the security it actually adds.
> 
> Yes, but you can also do TCP.

Yes, it's possible if the provider supports it. I'm not sure that it's better in terms
of performance than sending 2 UDP INVITEs and I'd still prefer to authenticate,
but it's a possibility. Thanks.

> > Also I don't understand what you mean by #3. Taking ip address from
> > authenticated REGISTER and then doing IP auth on that?
> 
> No, using sipsak to actually do a REGISTER on behalf of your ser. No IP 
> auth, basically it makes your ser a registered client of the GW.  Of course, 
> if INVITEs still must be authenticated, you are back to the UAC module 
> problem.

Sorry, Greger, I still don't understand how registering would add any INVITE security
if INVITEs are not authenticated. Anyone can still send an INVITE putting the IP address of
my server as the source of the IP packet.

> g-)
> 
> 
> > Thanks,
> >
> > Michael
> >
> >> Michael Ulitskiy wrote:
> >>> Hello,
> >>>
> >>> I'd like to ask for advice on what is in your opinion the best solution
> >>> in the following scenario.
> >>> I have a bunch of SIP servers (asterisk boxes as my users need PBX
> >>> functionality) that can make SIP calls to each other and my PSTN
> >>> gateway. Now I want to purchase PSTN termination in several
> >>> different markets (and probably more in the future). All those
> >>> terminations will require authentication.
> >>> I want all my boxes, when they see a non-local call, to send it to a
> >>> central routing server that would determine where this call should
> >>> be sent and authenticate to the appropriate provider so that I don't
> >>> have to configure all credentials on all asterisk boxes. Also I want
> >>> it not to deal with the media at all. All media streams should go
> >>> directly from the asterisk box to the PSTN termination provider.
> >>> So basically it should be a central SIP router that is able to
> >>> authenticate calls if necessary.
> >>> I thought I could do it with SER and its UAC module, but it appears
> >>> the UAC module doesn't work and probably won't work (see my previous
> >>> post in this list about UAC backport to 0.9.0).
> >>> Also I don't want to use asterisk in this place as asterisk always
> >>> wants to stay in the media path and I'd really like to avoid getting
> >>> into the hassle with re-invites.
> >>> So the question is what are my options and what you would advise
> >>> as a solution. Is there any software out there that can do it
> >>> (preferably open-source, of course) or what else you could suggest
> >>> to do to get the desired results.
> >>> Thanks a lot,
> >>
> >>
> >
> > --
> > See you later,
> >                    Michael
> >
> >
> 
> 
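
The exchange discussed in this thread, as an added example that is not part of the original messages and is not SER or UAC-module code: a constructed model of a provider edge that compares the IP-based check (scenario 1) with an RFC 2617 digest challenge (scenario 2), where the INVITE goes out twice and the retry carries CSeq + 1. The `Gateway` class, `place_call`, the 407 status choice, the realm, credentials and addresses are all hypothetical.

```python
import hashlib, hmac, secrets

def _h(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc=None, cnonce=None):
    """RFC 2617 digest response; qop=auth form when nc and cnonce are given."""
    ha1, ha2 = _h(f"{user}:{realm}:{password}"), _h(f"{method}:{uri}")
    if cnonce is None:
        return _h(f"{ha1}:{nonce}:{ha2}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Gateway:
    """Constructed model of a provider's SIP edge (hypothetical, not SER code)."""
    def __init__(self, realm, users, allowed_ips):
        self.realm, self.users, self.allowed_ips = realm, users, allowed_ips
        self.nonces = set()  # challenges issued and not yet answered

    def accept_by_ip(self, src_ip):
        # Scenario 1: a UDP source address is whatever the sender wrote; no handshake confirms it.
        return src_ip in self.allowed_ips

    def accept_by_digest(self, invite):  # Scenario 2: returns (status, challenge or None)
        auth = invite.get("auth")
        if auth is None or auth["nonce"] not in self.nonces:
            nonce = secrets.token_hex(16)
            self.nonces.add(nonce)
            return 407, {"realm": self.realm, "nonce": nonce}
        self.nonces.discard(auth["nonce"])  # single-use nonce: an old response is challenged again
        password = self.users.get(auth["user"])
        if password is None:
            return 403, None
        want = digest_response(auth["user"], self.realm, password, "INVITE", invite["uri"], auth["nonce"])
        return (200 if hmac.compare_digest(want, auth["response"]) else 403), None

def place_call(gw, uri, user, password):
    """Client side: the INVITE goes out twice, the retry with CSeq + 1."""
    status, chal = gw.accept_by_digest({"uri": uri, "cseq": 1})
    trace = [(1, status)]
    if status == 407:
        resp = digest_response(user, chal["realm"], password, "INVITE", uri, chal["nonce"])
        auth = {"user": user, "nonce": chal["nonce"], "response": resp}
        status, _ = gw.accept_by_digest({"uri": uri, "cseq": 2, "auth": auth})
        trace.append((2, status))
    return trace

if __name__ == "__main__":
    gw = Gateway("pstn.example", {"router": "s3cret"}, {"192.0.2.10"})
    print(place_call(gw, "sip:+15550100@pstn.example", "router", "s3cret"))
```

The IP check returns the same answer for any packet that claims an allowed source address, while the digest path accepts only a sender that can answer a fresh nonce with the shared secret.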



