[SR-Users] What is the best SIP trunk authentication strategy

canuck15 canuck15 at hotmail.com
Wed Mar 18 16:32:10 CET 2015


Been struggling with this for a while now.

So far I am finding it rather difficult to come up with a way to 
authenticate SIP trunks taking into account all possible scenarios.   My 
setup is Kamailio combined with Asterisk realtime. Everything is in a 
MySQL database.  All authentication is done by Kamailio.  Kamailio 
handles SIP extension (user) authentication quite well but seems poorly 
equipped for SIP trunk (peer) authentication.  The biggest problem I 
have run into so far is that SIP trunks typically use DNS names and 
Kamailio is not at all designed to use DNS names.  Also SIP trunks do 
not use named "realms" whereas that is a key part of Kamailio 
authentication.

For IP authentication about the only solution I have found is to DNS 
lookup and save all returned IP addresses in the ip_addr mysql table.

Then I do:

#!ifdef WITH_IPAUTH
     # non-REGISTER request from an address listed in the ip_addr table,
     # carrying no credentials ($au empty): accept it on source IP alone
     if((!is_method("REGISTER")) && allow_source_address() && $au == "") {
         # source IP allowed
         return;
     }
#!endif

I can run a cron job every hour to DNS lookup and update the ip_addr 
table as needed so I think this is a satisfactory solution for IP 
authentication.

SIP trunk user/pass authentication is the one I am now struggling with.  
This standard Kamailio authentication section does not work for SIP trunks.

if (is_method("REGISTER|INVITE") || from_uri==myself)
     {
         # authenticate requests
         #if (!auth_check("$fd", "subscriber", "1")) {
         if (!auth_check("$fd", "subscriber", "0")) {
             auth_challenge("$fd", "0");
             exit;
         }
         # user authenticated - remove auth header
         if(!is_method("REGISTER|PUBLISH"))
             consume_credentials();
     }

This is a multidomain setup and therefore:

modparam("auth_db", "use_domain", 1)

So the authentication section will try to authenticate the realm of the 
trunk which will always be an IP address.  However the SIP trunk realm 
will usually be saved in the "subscriber" database as the FQDN.  There 
is no mechanism for auth_check() to directly or indirectly check against 
FQDN.  The other problem is that even if I used the ip_addr table 
somehow it will only try to use the user/pass of the first instance of a 
matching IP address.  For SIP trunks it is possible I could have 
multiple subaccounts and therefore multiple instances of the same IP 
with different user/pass.  So auth_check() is not designed for being 
used this way as far as I can tell.

Seems to me like there should almost be a special kamailio module just 
for SIP trunks.  I had a look at the carrierroute module; it's not 
designed for this either.
