[OpenSER-Users] Multidomain and in-dialog REFER auth issue

Klaus Darilion klaus.mailinglists at pernau.at
Tue Oct 16 11:33:47 CEST 2007


Iñaki Baz Castillo wrote:
> On Monday 15 October 2007 22:35:34 Klaus Darilion wrote:
>> Iñaki Baz Castillo wrote:
>>> On Monday 15 October 2007 12:12:44 Klaus Darilion wrote:
>>>> What exactly do you want to achieve? Do you want to allow REFER only
>>>> intradomain?
>>> Exactly.
>>> - Imagine you admin an OpenSer that gives service to 2 independent
>>> companies (domain_A and domain_B).
>>> - Imagine a user_A of domain_A calls a user_B of domain_B.
>>> - During the call user_A does REFER.
>>> - OpenSer requires auth for REFER, so user_A sends auth (it can since
>>> it's a local user).
>>> - So finally user_B is transferred by an external user. Of course this is
>>> not tolerable.
>>>
>>> So I need to allow a REFER just if the caller and called are in the same
>>> domain, but REFER is in-dialog so there is no domain name in the URI.
>> just an idea: check if $fd of REFER is identical to domain in REFER to
>> header - if not -> reject it.
> 
> It's a great idea!
> Of course I need to test it. For example:
> What about if the "Refer-to" header just contains "sip:001234234234" with no 
> @domain? maybe there are "broken" SIP devices which auto-complete this URI 
> with their domain?
> 
> 
> 
> 
>> Further, if B's phone sends out the new INVITE, if $rd != $fd then do not
>> send the call to the gateway.
> 
> Humm, it can't be, because in case of a forwarding (implemented in OpenSer) I 
> do allow calls from other domains to PSTN gateway.

Usually, if a client wants to dial a phone number, the client will add 
its own domain as RURI domain. E.g.

sip:client@mydomain.com calls PSTN 12345: RURI=sip:12345@mydomain.com -> 
forward to PSTN gateway

sip:client@mydomain.com calls sip:12345@otherdomain.com --> forward 
request to otherdomain. Regardless if otherdomain.com is hosted in the 
same openser or any other SIP proxy, at otherdomain.com this is an 
incoming SIP call from an external SIP client which MUST NOT be routed 
to the PSTN.

Thus, I would add both checks.

regards
klaus
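
The two checks discussed in this thread, modelled in Python as an added example that is not part of the original message and is not OpenSER routing script. The function names, the simplified URI parser and the sample header values are assumptions constructed for illustration; it also shows how a Refer-To of "sip:001234234234" is handled, since without an "@" the whole string is the host part.

```python
import re

def uri_host(value):
    """Return the lower-cased host of a SIP URI or name-addr value, else None.
    Simplified parser for illustration; not a full RFC 3261 implementation."""
    m = re.search(r"<([^>]*)>", value)               # name-addr: "A" <sip:...>;tag=1
    uri = (m.group(1) if m else value.split(";")[0]).strip()
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        return None                                  # tel: or malformed: no domain
    rest = re.split(r"[;?]", rest, maxsplit=1)[0]    # drop URI params and headers
    hostport = rest.rsplit("@", 1)[-1]               # no '@': everything is the host
    if hostport.startswith("["):                     # IPv6 reference
        host = hostport[: hostport.find("]") + 1]
    else:
        host = hostport.split(":", 1)[0]             # drop the port
    return host.lower() or None

def refer_allowed(from_hdr, refer_to_hdr):
    """Check 1: accept a REFER only if $fd equals the Refer-To domain."""
    fd, target = uri_host(from_hdr), uri_host(refer_to_hdr)
    return fd is not None and fd == target           # unparsable values fail closed

def pstn_allowed(from_hdr, ruri):
    """Check 2: send an INVITE to the PSTN gateway only if $rd equals $fd."""
    fd, rd = uri_host(from_hdr), uri_host(ruri)
    return fd is not None and fd == rd

# Constructed sample values (not taken from real traffic).
FROM_A = '"user_A" <sip:user_a@domain-a.example>;tag=1'
REFER_TO_SAMPLES = [
    "<sip:user_c@domain-a.example>",                      # same domain
    "<sip:user_b@domain-b.example>",                      # other hosted domain
    "sip:001234234234",                                   # no @domain
    "<sip:user_c@DOMAIN-A.example:5060;transport=udp>",   # case, port, params
]

if __name__ == "__main__":
    for refer_to in REFER_TO_SAMPLES:
        verdict = "allow" if refer_allowed(FROM_A, refer_to) else "reject"
        print(f"{verdict:6}  Refer-To: {refer_to}")
    for ruri in ("sip:12345@mydomain.com", "sip:12345@otherdomain.com"):
        ok = pstn_allowed("<sip:client@mydomain.com>", ruri)
        print("gateway" if ok else "no PSTN", " RURI:", ruri)
```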



