[SR-Users] Authenticate if receiving 401

Eric Hiller mrraptor98 at hotmail.com
Sat May 7 01:03:11 CEST 2011


In follow-up and closing to this thread and my loose_routing security thread, this is how my project ended up:

This setup was designed to:
  - Whitelist my gateway IPs.
  - Any initial INVITEs from non-gateway IPs will be authorized and the dialog will be added to a simple htable based on Call-ID.
  - Any in-dialog request will do a lookup on the htable so that authorization isn't required on BYE and the like.

This was all successfully accomplished EXCEPT for the fact that while I could authorize Asterisk, Asterisk then INSISTED upon authorizing Kamailio as well (it would send Kamailio a 401 Unauthorized for any INVITE sent to Asterisk). So then I started working on using UAC to authorize to Asterisk in response to the 401. Kamailio appends a new branch, but Asterisk does not work with branches; instead it only saw that the CSeq for the 2nd INVITE with the authorize header had not incremented, and it therefore ignores the 2nd INVITE and instead sends another 401. I then tried playing with a system to hackishly manually increment the CSeq, but this would have to be done ONLY for messages destined to Asterisk; the other side of the call would have to be -1 CSeq. This became a major issue because it is quite difficult to tell WHAT IP you are sending the packet to. Instead I abandoned this craziness in favor of a much, much simpler whitelisted-gateways-in-htable approach. The only downside is that adding a new gateway now involves editing the config file and reloading Kamailio. At some point I could put this in SQL and just update the gateways daily, i.e. DASH.

Thanks for all the help, everyone. If it looks like I missed something, please let me know, as I would have preferred doing as above, but what I have now is functional.

-Eric

> CC: sr-users at lists.sip-router.org
> From: abalashov at evaristesys.com
> Date: Sun, 17 Apr 2011 19:25:31 -0400
> To: sr-users at lists.sip-router.org
> Subject: Re: [SR-Users] Authenticate if receiving 401
> 
> You can use the UAC module for that, and it might work, but basically that's not something a proxy should be doing.  The sending UA should respond to the challenge.
> 
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
> 
> On Apr 17, 2011, at 6:29 PM, Eric Hiller <mrraptor98 at hotmail.com> wrote:
> 
> > I want Kamailio to authenticate itself to a host if it is sent a 401, just as that host is expected to authenticate if Kamailio sends it one. I am not finding much online, probably because I am not searching for the right terms. Does anyone have any experience in this?
> > 
> > Thanks!
> > -Eric
> > _______________________________________________
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users at lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> 
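The design listed in the message above (gateway whitelist, authenticated initial INVITE, Call-ID htable for in-dialog requests), written out as an added Kamailio configuration example; it is not the poster's own config. The table names `gw` and `dlg`, the gateway address 192.0.2.10, the DB URL and the `subscriber` table are assumptions.

```kamailio
# Added example. Assumed: tables "gw"/"dlg", gateway 192.0.2.10, placeholder DB URL.
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "htable.so"
loadmodule "db_mysql.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "db_url", "mysql://USER:PASSWORD@localhost/kamailio")
modparam("htable", "htable", "gw=>size=4;")
# Authorized dialogs expire after 2 hours even if no BYE is ever seen.
modparam("htable", "htable", "dlg=>size=10;autoexpire=7200;")

event_route[htable:mod-init] {
    $sht(gw=>192.0.2.10) = 1;    # one line per whitelisted gateway IP
}

request_route {
    if (is_method("CANCEL")) {   # CANCEL only matches an existing transaction
        if (t_check_trans()) t_relay();
        exit;
    }
    if ($sht(gw=>$si) == $null) {            # source IP is not a gateway
        if (has_totag()) {                   # in-dialog: Call-ID must be known
            if ($sht(dlg=>$ci) == $null) {
                sl_send_reply("403", "Unknown dialog");
                exit;
            }
        } else if (is_method("INVITE")) {    # initial INVITE: digest auth
            if (!auth_check("$fd", "subscriber", "1")) {
                auth_challenge("$fd", "0");
                exit;
            }
            consume_credentials();
            $sht(dlg=>$ci) = 1;              # remember the authorized dialog
        } else {                             # other initial requests: refuse
            sl_send_reply("403", "Forbidden");
            exit;
        }
    }
    if (has_totag()) {
        loose_route();
        if (is_method("BYE")) $sht(dlg=>$ci) = $null;   # dialog is over
    } else {
        record_route();
    }
    if (!t_relay()) sl_reply_error();
}
```

The lookup keys on Call-ID alone, as the message describes, so any sender that presents a recorded Call-ID passes the in-dialog check until the entry is deleted or expires.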