[Serusers] trusting peers

Dmitry Isakbayev isakdim at gmail.com
Thu Oct 13 15:51:46 CEST 2005


Hi Klaus,

There is another option. A UAC can present an authorization token issued by 
a trusted Open Settlement Protocol server.  If the UAS successfully validates 
the token, it can presume that the client is trusted.  The trusted OSP 
server can use different policies for authenticating the UAC.

OSP is an open standard defined by ETSI - the European Telecommunications 
Standards Institute. It has been widely deployed by VoIP carriers to enforce 
secure access control for peer-to-peer inter-domain VoIP routing and Call 
Detail Record (CDR) collection.  The 'osp' module 
(http://osp-module.berlios.de or 
http://developer.berlios.de/projects/osp-module) adds support for OSP to 
(Open)SER.

We are in the process of moving the project to (Open) SER's CVS.

Regards,

Dmitry


> -----Original Message-----
> From: serusers-bounces at lists.iptel.org
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Klaus Darilion
> Sent: Tuesday, October 11, 2005 8:56 AM
> To: ser users; users openser.org
> Subject: [Serusers] trusting peers
>
> Hi all!
>
> I want to distinguish between _incoming_ SIP requests from trusted
> peers and from untrusted ones (for different call routing). I came
> to the following solutions. All of them have some
> disadvantages, and I would like to know which you would prefer:
>
> 1. src_ip: incoming requests are authenticated using the
> src_ip (only useful in TCP mode)
> +:  easy to implement
> +:  easy to distinguish authenticated from unauthenticated incoming calls
> -:  lots of configuration (IP addresses may change). This
> can be implemented using if src_ip==... blocks in
> openser.cfg, which would require changing the script
> every time the IP addresses are changed. Also requires a restart
> of the proxy.
>
> Also from_gw() from lcr module can be used. But this would
> interfere with the already used lcr tasks and IP addresses.
> Maybe copy/paste the code into a new function called from_peer().
>
> 2. IPsec: makes it hard to distinguish trusted from untrusted
> incoming requests in the application. Again, verification of
> the src_ip would be necessary.
> -: requires sharing secrets with each peer
> +: works also with TCP and TLS unaware proxies
>
> 3. TLS with certificates signed by me. Then, if my SIP proxy
> only uses my root CA, all authenticated TLS connection must
> be from my trusted peers.
> +: simple, as long as there is only 1 peering-club to authenticate
> +: works with current (open)ser
> -: can't use public CA roots
> -: requires signing of the public key of the peer
>
> 4. TLS with public signed certificates. (open)ser would
> validate the TLS certificate. But after that, I need some
> function like
> tls_is_from_trusted() which checks the Subject of the
> certificate against a list of trusted peers.
> +: can use public signed CA roots
> +: allows to use TLS for incoming trusted and incoming untrusted peers
> -: need some more tls specific functions in (open)ser
> -: certificate costs $$$
>
> 5. Digest Auth between proxies
> -: uac module is not standards-conformant (CSeq problem)
> -: requires sharing secrets with each peer
>
> If I have forgotten some possibilities or made some mistakes
> please correct me.
>
> regards
> klaus
>
>
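The tls_is_from_trusted() check described in option 4 above, as an added Python example that is not part of this thread or of (Open)SER: it takes the peer certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns for an already-validated certificate (the sample certificate and the peer list are constructed), and answers only the question the TLS layer leaves open, whether the validated identity is one of the trusted peers.

```python
# Constructed example of the dict that ssl.SSLSocket.getpeercert() returns
# for a peer certificate the TLS layer has already validated against a CA.
# This is not a real carrier's certificate.
PEER_CERT = {
    "subject": ((("countryName", "AT"),),
                (("organizationName", "Example Peer GmbH"),),
                (("commonName", "sip.peer-a.example"),)),
    "subjectAltName": (("DNS", "sip.peer-a.example"),
                       ("DNS", "sip2.peer-a.example")),
    "notAfter": "Oct 11 08:56:00 2006 GMT",
}

# Allowlist of peer identities. In a deployment this would be loaded from a
# file or database, so peers can change without editing the proxy script.
TRUSTED_PEERS = {"sip.peer-a.example", "sip.peer-b.example"}


def cert_identities(cert):
    """Return the DNS names a validated certificate asserts: every DNS
    subjectAltName entry plus the subject commonName, lower-cased."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def tls_is_from_trusted(cert, trusted_peers):
    """Option 4 from the thread: chain validation is the TLS layer's job;
    this decides whether the validated *identity* is a trusted peer.
    Only exact name matches count, and a wildcard certificate is rejected
    because any public CA customer could hold one for an unrelated domain."""
    if not cert:
        # getpeercert() gives None when no certificate was presented and
        # {} when the certificate was not validated; trust neither.
        return False
    identities = cert_identities(cert)
    if any(name.startswith("*") for name in identities):
        return False
    return any(name in trusted_peers for name in identities)
```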