[SR-Users] What is the best SIP trunk authentication strategy

canuck15 canuck15 at hotmail.com
Thu Mar 19 18:38:20 CET 2015


It looks like auth_check() will work. It seems intelligent enough to 
scan all instances of the same domain as long as the username is unique 
so that should get things working.

The problem here is that there is a fundamental difference between 
Asterisk and Kamailio authentication.  Asterisk authentication works 
with FQDN or IP.  However, Kamailio is not designed to authenticate 
anything with FQDN unless it is also a realm and identified as such by 
the UA.  I believe that is the main issue here.  SIP trunks typically do 
not use or care about realm.  So after the initial invite response from 
Kamailio the SIP trunk provider typically responds with the IP address 
as the realm.

It does almost seem like there should be a special module to deal with 
this sort of thing.  None of the existing modules seem to be the right fit.


On 3/18/2015 9:03 AM, Daniel Tryba wrote:
> On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
>> I can run a cron job every hour to DNS lookup and update the ip_addr
>> table as needed so I think this is a satisfactory solution for IP
>> authentication.
> Is there a mechanism to identify all originating servers for a
> hostname/domain? If the answer is no (and AFAIK it is) then this solution
> doesn't work.
>
> I used this in the past, a subscriber has a userpref with ip/port combo. But
> this isn't an answer for subaccounts on trunks (unless you can get the sender
> to actually use different ports). 3 is the whitelist for ip addresses on
> record. I abandoned this due to too many problems with trunks, they just have
> to authenticate or go elsewhere.
>
> BTW only for tcp since udp sources can be spoofed. I guess the best way is to
> use tls with certificate verification (good luck getting the trunks to
> implement this :)
>
> route[AUTHENTICATE]
> {
>     # IP/port ACL (permissions group 3) only for TCP, since UDP sources can be spoofed
>     if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp")
>     {
>         # map the source ip:port (or ip:* entry) to a username via usr_preferences
>         if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$td' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
>         {
>             xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
>             sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
>             exit;
>         }
>
>         $avp(au)=$avp(i:1);
>     }
>     else
>     {
>         # digest authentication against the subscriber table; the
>         # function is called once and its return code checked directly
>         if (!www_authenticate("$td", "subscriber")) {
>             xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
>             www_challenge("$td", "1");
>             exit;
>         }
>
>         $avp(au)=$au;
>
>         consume_credentials();
>     }
> }
>

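Added example, not code from this thread or from Kamailio: a SIP Digest (RFC 3261, qop=auth) computation on both sides, with the server bound to one expected realm in the way the post describes Kamailio behaving. The account, password, domain, nonce and the 192.0.2.10 proxy address are constructed sample values; the point it shows is why a trunk that answers the challenge with the proxy IP as its realm is re-challenged even though its password is correct.

```python
# Added example (not from the mailing-list post or Kamailio): SIP Digest with
# qop=auth computed and verified under two realms. All names and values are
# constructed sample data.
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # the realm is baked into HA1
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(creds, expected_realm, subscribers, method, nonce):
    """Server side, bound to one realm as the post describes for Kamailio:
    credentials carrying another realm count as absent ("challenge"); a
    realm match is then checked against the stored password ("ok"/"reject")."""
    if creds["realm"] != expected_realm:
        return "challenge"
    password = subscribers.get(creds["username"])
    if password is None:
        return "reject"
    expected = digest_response(creds["username"], expected_realm, password,
                               method, creds["uri"], nonce, creds["cnonce"], creds["nc"])
    return "ok" if hmac.compare_digest(expected, creds["response"]) else "reject"


def trunk_scenario():
    """Constructed sample: one trunk account, same password, two realms."""
    subscribers = {"trunk01": "s3cret-trunk-pw"}                 # constructed
    domain_realm, proxy_ip = "sip.example.net", "192.0.2.10"     # constructed
    nonce, method = "5d41402abc4b2a76", "INVITE"
    uri = "sip:+15551230000@sip.example.net"
    results = {}
    for realm in (domain_realm, proxy_ip):
        creds = {"username": "trunk01", "realm": realm, "uri": uri,
                 "cnonce": "0a1b2c3d", "nc": "00000001",
                 "response": digest_response("trunk01", realm, subscribers["trunk01"],
                                             method, uri, nonce, "0a1b2c3d")}
        results[realm] = verify(creds, domain_realm, subscribers, method, nonce)
    return results   # {'sip.example.net': 'ok', '192.0.2.10': 'challenge'}


if __name__ == "__main__":
    print(trunk_scenario())
```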