[SR-Users] Authentication on loose_route();

Daniel-Constantin Mierla miconda at gmail.com
Sat Mar 24 10:11:22 CET 2012


From experience with past cases, it can indeed be problematic with 
some clients. But it can be done as Alex said.

I just wanted to add a bit about how I preferred to do it when I had to. 
I always try to auth only the caller, as was done for the initial INVITE. 
The way to do it is to append the From tag to the Record-Route and detect 
direction. If it is from the caller and the From header matches the local 
domain, then the call can be authenticated.

Authenticating the callee is more complex, since with hardphones, the To 
header very likely always has the local domain (even when going to PSTN 
or other networks, which are routed by some prefix in the R-URI username). 
You would need to look up in the database to see if it is a local user. Then 
if you have short dialing, aliases, DIDs, then you would practically 
need to do all kinds of translations to get to the user id to check if it 
is a local user or not.

An alternative would be using the dialog module with some flags to know whether 
to auth caller/callee for within-dialog requests, setting these flags 
at call setup.

Cheers,
Daniel

On 3/23/12 11:34 PM, Alex Balashov wrote:
> Clearly, you can only authenticate sequential requests corresponding 
> to calls whose initial requests were subject to authentication. If the 
> initial request was not authenticated, there is no reason to believe 
> that the endpoint would support authentication of sequential requests.
>
> As to whether you should do this, that is a controversial matter. I 
> suppose that the security-maximising approach would be to challenge 
> all requests, but it invites problems with many endpoints.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 235 E Ponce de Leon Ave
> Suite 106
> Atlanta, GA 30030
> Tel: +1-678-954-0671
> Web: http://www.evaristesys.com/, http://www.alexbalashov.com
>
> David <kamailio.org at spam.lublink.net> wrote:
>
> Hello,
>
> Should I be requiring users to authenticate before letting them into 
> loose_route(); ? What about anonymous calls from E164, how do I 
> authenticate these calls after they have started?
>
> Thanks,
>
> David

-- 
Daniel-Constantin Mierla
Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
http://www.asipto.com/index.php/kamailio-advanced-training/
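
The caller-only approach described in the message above, sketched as a Kamailio routing-script fragment. This is an added example, not configuration posted in the thread; it assumes the rr, auth and auth_db modules are loaded, that auth_db already points at a `subscriber` table, and that a `route[RELAY]` block exists as in the stock configuration. The route names are illustrative.

```kamailio
# Added example (not from the thread). Fragment of kamailio.cfg.

# rr: store the caller's From tag as ;ftag= in the Record-Route URI of the
# initial request, so direction can be detected on in-dialog requests.
modparam("rr", "append_fromtag", 1)

route[WITHINDLG] {
    # Only in-dialog requests (those carrying a To tag) are handled here.
    if (!has_totag()) return;

    if (loose_route()) {
        # ACK cannot be challenged: no response is ever sent to it.
        if (!is_method("ACK")) {
            route(AUTH_CALLER);
        }
        route(RELAY);   # assumed to exist elsewhere in the config
        exit;
    }

    # In-dialog request without a matching Route set: refuse it.
    sl_send_reply("404", "Not here");
    exit;
}

route[AUTH_CALLER] {
    # is_direction() compares this request's From tag with the ftag
    # parameter in the Route header; it is only valid after loose_route().
    # "downstream" means the request travels caller -> callee.
    if (!is_direction("downstream")) return;

    # Callee-originated requests were skipped above. For caller-originated
    # ones, challenge only if the From URI is in a domain served locally.
    if (!(from_uri == myself)) return;

    # Flag "1": the From URI user must match the authentication username.
    if (!auth_check("$fd", "subscriber", "1")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # Do not forward the credentials to the next hop.
    consume_credentials();
}
```

Requests in the upstream direction pass unauthenticated in this fragment, which matches the caller-only scope of the message; covering the callee needs the database lookups or dialog flags mentioned there.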
