[SR-Users] What is the best SIP trunk authentication strategy

Daniel Tryba d.tryba at pocos.nl
Wed Mar 18 17:03:54 CET 2015


On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
> I can run a cron job every hour to DNS lookup and update the ip_addr 
> table as needed so I think this is a satisfactory solution for IP 
> authentication.

Is there a mechanism to identify all originating servers for a 
hostname/domain? If the answer is no (and AFAIK it is) then this solution 
doesn't work.

I used this in the past, a subscriber has a userpref with ip/port combo. But 
this isn't an answer for subaccounts on trunks (unless you can get the sender 
to actually use different ports). 3 is the whitelist for ip addresses on 
record. I abandoned this due to too many problems with trunks, they just have 
to authenticate or go elsewhere.

BTW only for tcp since udp sources can be spoofed. I guess the best way is to  
use tls with certificate verification (good luck getting the trunks to 
implement this :)

route[AUTHENTICATE]
{
        # IP authentication: non-REGISTER requests over TCP from an address
        # in whitelist group 3.
        if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp")
        {
                # Find the subscriber tied to this source ip:port.
                # $td comes from the request, so it is escaped before use in SQL.
                if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
                {
                        xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
                        sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
                        exit;
                }

                # The first column of the query result is stored in $avp(i:1).
                $avp(au)=$avp(i:1);
        }
        else
        {
                # Everything else (REGISTER, UDP, unlisted sources) uses digest auth.
                if (!www_authenticate("$td", "subscriber")) {
                        xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
                        www_challenge("$td", "1");
                        exit;
                }

                $avp(au)=$au;

                consume_credentials();
        }
}
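
The decision flow of the route above, modelled offline as an added example that is not part of the original post. Assumptions: SQLite stands in for the Kamailio database, the group 3 whitelist is reduced to a set of IPs (allow_address also checks the port), and all addresses, domains and usernames are constructed.

```python
import sqlite3

# Constructed sample data: group-3 whitelist and one usr_preferences row.
WHITELIST_GROUP_3 = {"192.0.2.10", "192.0.2.20"}
PREFS = [
    ("trunk-a", "example.test", "ip_authentication", "192.0.2.10:5060"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table usr_preferences "
               "(username text, domain text, attribute text, value text)")
    db.executemany("insert into usr_preferences values (?,?,?,?)", PREFS)
    return db

def ip_auth_user(db, to_domain, src_ip, src_port):
    """Same lookup as the route's query, but with bound parameters, so the
    To domain cannot change the SQL. The LIKE branch matches any stored
    port for this source IP."""
    row = db.execute(
        "select username from usr_preferences "
        "where attribute='ip_authentication' and domain=? "
        "and (value=? or value like ?) "
        "order by length(value) limit 1",
        (to_domain, f"{src_ip}:{src_port}", f"{src_ip}:%"),
    ).fetchone()
    return row[0] if row else None

def authenticate(db, method, proto, src_ip, src_port, to_domain):
    """Return ('ip', user), ('reject', 403) or ('digest', None)."""
    if method != "REGISTER" and proto == "tcp" and src_ip in WHITELIST_GROUP_3:
        user = ip_auth_user(db, to_domain, src_ip, src_port)
        return ("ip", user) if user else ("reject", 403)
    # REGISTER, UDP, or a non-whitelisted source: fall back to digest auth.
    return ("digest", None)

if __name__ == "__main__":
    db = open_db()
    for args in [("INVITE", "tcp", "192.0.2.10", 5060, "example.test"),
                 ("INVITE", "udp", "192.0.2.10", 5060, "example.test"),
                 ("INVITE", "tcp", "192.0.2.20", 5060, "example.test")]:
        print(args, "->", authenticate(db, *args))
```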



