[Serusers] difference between callsetup asterisk & ser and related security risks

Klaus Darilion klaus.mailinglists at pernau.at
Wed Nov 16 15:54:28 CET 2005


Arne Van Theemsche wrote:
> Hi,
> 
> I've been spending days on tcpdumping callsetups with ser OR asterisk as 
> registrar. This is my conclusion, can somebody confirm this?
> 
> On asterisk:
> -asterisk maintains 2 independent SIP sessions between 2 clients, where 
> asterisk stays the contact in the SIP headers.
> After picking up the call, asterisk sends a re-invite in the sip-body 
> (address), and remains the contact for SIP messages.
> If someone hangs up, asterisk sends a re-invite to the other party, for 
> redirecting stream back to asterisk, and then sending the bye to the other 
> client (the one who didn't hang up).

I never saw a reINVITE if one party hangs up, just a BYE. Maybe this 
depends on your extensions.cfg or sip.cfg settings.
> 
> on ser:
> ser receives the invite, looking up the address of the callee, and sending 
> the invite through to the callee, the contact header always stays the 
> caller's uri, but ser puts a record-route in the SIP message, so that the 
> bye first is sent to the ser machine, and then to the other party.
> 
> Am I seeing things correctly here?
yes

> 
> What are the pro/contra's of both procedures?

asterisk: it acts as a B2B-UA, thus asterisk has full control over the call.

ser: it just relays messages. The whole is an end2end service.

Eg. if you transfer a call, the whole transfer is done by the phones 
when using ser. When using asterisk, the transferer initiates the 
transfer, but the other party does not have a SIP signaling indication 
that the call will be transferred.

> Imo gives the asterisk way a lot more overhead, but is more secure (2 

depends on what you mean with secure. secure for the client or secure 
for the ITSP?

> clients keep communicating with asterisk, and are unable to fake things 
yes
> (or less easily), there were a non-compliant client can bypass the 
> record-route of ser, and so avoiding accounting.

yes. If you have IP-IP calls and you do not charge them, there is no 
reason why the phone should bypass the proxy (e.g. NAT traversal will 
work better when using record-route).
If it is an IP-PSTN call, the GW should produce the accounting data.

klaus

> 
> Again, am I correct here?
> 
> thx
> Arne
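The accounting gap discussed in this thread can be checked for on the proxy side. The following is an added example, not code from the thread or from ser: it parses SIP messages captured at the proxy and lists calls that were answered with a Record-Route header but whose BYE never crossed the proxy. The function names, Call-IDs and sample messages are constructed, and it assumes the capture was taken after all calls had ended.

```python
"""Flag record-routed dialogs whose BYE never crossed the proxy."""

def parse(msg):
    """Return (start_line, headers) for one SIP message; header names lowercased."""
    lines = msg.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers, an SDP body may follow
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def unaccounted_dialogs(messages):
    """Call-IDs answered via the proxy with Record-Route but with no BYE seen there."""
    answered, ended = set(), set()
    for msg in messages:
        start, h = parse(msg)
        call_id = h.get("call-id", [""])[0]
        cseq_method = (h.get("cseq", [""])[0].split() or [""])[-1]
        if (start.startswith("SIP/2.0 200") and cseq_method == "INVITE"
                and "record-route" in h):
            answered.add(call_id)   # call was set up through the proxy
        elif start.startswith("BYE "):
            ended.add(call_id)      # teardown followed the recorded route
    return sorted(answered - ended)

# Constructed sample capture at the proxy (hypothetical hosts and Call-IDs).
RR = "Record-Route: <sip:proxy.example.com;lr>\r\n"
SAMPLE = [
    "INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: call-a\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 200 OK\r\n" + RR + "Call-ID: call-a\r\nCSeq: 1 INVITE\r\n\r\n",
    "BYE sip:bob@192.0.2.10 SIP/2.0\r\nRoute: <sip:proxy.example.com;lr>\r\n"
    "Call-ID: call-a\r\nCSeq: 2 BYE\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: call-a\r\nCSeq: 2 BYE\r\n\r\n",
    "INVITE sip:carol@example.com SIP/2.0\r\nCall-ID: call-b\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 200 OK\r\n" + RR + "Call-ID: call-b\r\nCSeq: 1 INVITE\r\n\r\n",
    # no BYE for call-b ever reaches the proxy
]

if __name__ == "__main__":
    print(unaccounted_dialogs(SAMPLE))
```

On a live system a call still in progress would also be listed, so the result is only meaningful against a timeout or the gateway's own accounting records.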