[Serusers] trusting peers

Klaus Darilion klaus.mailinglists at pernau.at
Fri Oct 14 12:56:50 CEST 2005


Dmitry Isakbayev wrote:
> Hi Klaus,

Hi Dmitry!

I'm aware of OSP and, yes, it is also a solution to this problem.
Sorry for forgetting to mention it.

regards
klaus

> 
> There is another option. A UAC can present an authorization token issued 
> by a trusted Open Settlement Protocol server.  If UAS successfully 
> validates the token, it can presume that the client is trusted.  The 
> trusted OSP server can use different policies for authenticating the UAC.
> 
> OSP is an open standard defined by ETSI - the European 
> Telecommunications Standards Institute. It has been widely deployed by 
> VoIP carriers to enforce secure access control for peer to peer 
> inter-domain VoIP routing and Call Detail Record (CDR) collection.  The 
> 'osp' module (http://osp-module.berlios.de or 
> http://developer.berlios.de/projects/osp-module) adds support for the 
> OSP to (Open) SER.
> 
> We are in the process of moving the project to (Open) SER's CVS.
> 
> Regards,
> 
> Dmitry
> 
> 
>> -----Original Message-----
>> From: serusers-bounces at lists.iptel.org
>> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Klaus Darilion
>> Sent: Tuesday, October 11, 2005 8:56 AM
>> To: ser users; users openser.org
>> Subject: [Serusers] trusting peers
>>
>> Hi all!
>>
>> I want to differ between _incoming_ SIP requests from trusted
>> peers and from untrusted (for different call routing). I came
>> to the following solutions. All of them have some
>> disadvantages, and I would like to know which you would prefer:
>>
>> 1. src_ip: incoming requests are authenticated using the
>> src_ip (only in TCP mode useful)
>> +:  easy to implement
>> +:  easy to differ authenticated from unauthenticated incoming calls
>> -:  lots of configuration (IP addresses may change). This
>> can be implemented using if src_ip==... blocks in
>> openser.cfg, which would require changing the script
>> every time the IP addresses are changed. Also requires restart
>> of the proxy.
>>
>> Also from_gw() from lcr module can be used. But this would
>> interfere with the already used lcr tasks and IP addresses.
>> Maybe copy/paste the code into a new function called from_peer().
>>
>> 2. IPsec: makes it hard to differ trusted from untrusted
>> incoming requests in the application. Again verification of
>> the src_ip would be necessary.
>> -: requires sharing secrets with each peer
>> +: works also with TCP and TLS unaware proxies
>>
>> 3. TLS with certificates signed by me. Then, if my SIP proxy
>> only uses my root CA, all authenticated TLS connection must
>> be from my trusted peers.
>> +: simple, as long as there is only 1 peering-club to authenticate
>> +: works with current (open)ser
>> -: can't use public CA roots
>> -: requires signing of the public key of the peer
>>
>> 4. TLS with public signed certificates. (open)ser would
>> validate the TLS certificate. But after that, I need some
>> function like
>> tls_is_from_trusted() which checks the Subject of the
>> certificate against a list of trusted peers.
>> +: can use public signed CA roots
>> +: allows to use TLS for incoming trusted and incoming untrusted peers
>> -: need some more tls specific functions in (open)ser
>> -: certificate costs $$$
>>
>> 5. Digest Auth between proxies
>> -: uac module is not standard-conformant (CSeq problem)
>> -: requires sharing secrets with each peer
>>
>> If I have forgotten some possibilities or made some mistakes
>> please correct me.
>>
>> regards
>> klaus
>>
>> _______________________________________________
>> Serusers mailing list
>> serusers at lists.iptel.org
>> http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
> 
> 
> 

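The trust decision behind options 1 and 4 of Klaus's list, as an added example that is not part of this thread or of the (Open)SER / osp module code: a Python sketch that keeps the trusted-peer list as data (so an address or certificate name can change without editing and restarting the proxy script), matches the source address against peer networks for connection-oriented transports, and, for TLS, matches the already chain-validated certificate's names against the list. The peer table, the function names and the sample certificate dictionaries are constructed assumptions; the certificate dictionary follows the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the hook through which a proxy would call such a check is hypothetical.

```python
"""Added example (not from the mailing-list thread): classify an incoming SIP
request as coming from a trusted or an untrusted peer, combining option 1
(src_ip / network match) and option 4 (TLS certificate names matched against a
trusted-peer list) from the original post.

Assumptions: the peer table format, the function names and the sample
certificate dicts are constructed for this example.  The certificate dict
mimics the structure ssl.SSLSocket.getpeercert() returns after a successful
chain validation; the proxy-side hook that would call this is hypothetical.
"""
import ipaddress

# Trusted-peer table kept as data rather than as if src_ip==... blocks in the
# routing script, so a peer's address or certificate name can change without
# editing and restarting the proxy configuration.  Constructed sample values.
TRUSTED_PEERS = {
    "peer-a": {"networks": ["192.0.2.0/24"], "cert_names": ["sip.peer-a.example"]},
    "peer-b": {"networks": ["198.51.100.7/32"], "cert_names": ["sip.peer-b.example"]},
}


def _cert_names(peercert):
    """Collect commonName entries and DNS subjectAltNames of a peer certificate."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def peer_by_src_ip(src_ip, peers=TRUSTED_PEERS):
    """Option 1: match the transport-layer source address against peer networks.
    Returns the peer id or None.  Only meaningful for TCP/TLS, where the
    source address belongs to an established connection."""
    addr = ipaddress.ip_address(src_ip)
    for peer_id, entry in peers.items():
        if any(addr in ipaddress.ip_network(n, strict=False) for n in entry["networks"]):
            return peer_id
    return None


def peer_by_tls_cert(peercert, chain_validated, peers=TRUSTED_PEERS):
    """Option 4: after the TLS layer validated the chain against a public CA
    root, check the presented names against the trusted list.  A validated
    chain only proves that some CA vouched for the name; the name must
    additionally be one we chose to trust."""
    if not chain_validated or not peercert:
        return None
    names = _cert_names(peercert)
    for peer_id, entry in peers.items():
        if names & {n.lower() for n in entry["cert_names"]}:
            return peer_id
    return None


def classify_request(src_ip, transport, peercert=None, chain_validated=False):
    """Return (label, peer_id).  The TLS identity is used on TLS connections;
    src_ip is accepted only on TCP; UDP requests are never treated as trusted
    because the source address alone is no evidence of identity there."""
    if transport == "tls":
        peer = peer_by_tls_cert(peercert, chain_validated)
        return ("trusted", peer) if peer else ("untrusted", None)
    if transport == "tcp":
        peer = peer_by_src_ip(src_ip)
        return ("trusted", peer) if peer else ("untrusted", None)
    return ("untrusted", None)


if __name__ == "__main__":
    # Constructed sample inputs.
    cert = {"subject": ((("commonName", "sip.peer-a.example"),),),
            "subjectAltName": (("DNS", "sip.peer-a.example"),)}
    print(classify_request("203.0.113.5", "tls", cert, chain_validated=True))
    print(classify_request("192.0.2.10", "tcp"))
    print(classify_request("192.0.2.10", "udp"))
```

The split into two lookups mirrors Klaus's point that chain validation and "is this one of my peers" are separate steps: a proxy that only validates the chain against public roots would accept any party holding a CA-signed certificate, so the name check is what actually distinguishes trusted from untrusted TLS peers.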