[SR-Users] What is the best SIP trunk authentication strategy

Olle E. Johansson oej at edvina.net
Mon Mar 23 09:55:33 CET 2015


On 19 Mar 2015, at 18:38, canuck15 <canuck15 at hotmail.com> wrote:

> It looks like auth_check() will work. It seems intelligent enough to scan all instances of the same domain as long as the username is unique so that should get things working.
> 
> The problem here is that there is a fundamental difference between Asterisk and Kamailio authentication.  Asterisk authentication works with FQDN or IP.  However, Kamailio is not designed to authenticate anything with FQDN unless it is also a realm and identified as such by the UA.  I believe that is the main issue here.  SIP trunks typically do not use or care about realm.  So after the initial invite response from Kamailio the SIP trunk provider typically responds with the IP address as the realm.
Asterisk authentication is kind of broken - it disregards the domain and is based on the user name, or only uses IP/port. Many years ago I worked on adding
multiple domain support in Asterisk - part of the code is still there. Then the project leader added a huge patch for single-domain TLS and I gave up that
work.

Kamailio is much more flexible. While the auth module only handles realm, you can easily connect the account to a set of specific From: SIP URIs and do a full authentication
and authorization scheme that works as you want. You can build it in a number of ways - which makes it very much more SIP-compliant and flexible.


> 
> It does almost seem like there should be a special module to deal with this sort of thing.  None of the existing modules seem to be the right fit.
Kamailio is a toolkit. Don't take a single module as the only solution. It's like Linux: you combine a set of small functions and build solutions.
Very different from Asterisk.

I don't think we need a new module. You can already build stuff like this by combining functionality in different modules.

/O


> 
> 
> On 3/18/2015 9:03 AM, Daniel Tryba wrote:
>> On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
>>> I can run a cron job every hour to DNS lookup and update the ip_addr
>>> table as needed so I think this is a satisfactory solution for IP
>>> authentication.
>> Is there a mechanism to identify all originating servers for a
>> hostname/domain? If the answer is no (and AFAIK it is) then this solution
>> doesn't work.
>> 
>> I used this in the past, a subscriber has a userpref with ip/port combo. But
>> this isn't an answer for subaccounts on trunks (unless you can get the sender
>> to actually use different ports). 3 is the whitelist for ip addresses on
>> record. I abandoned this due to too many problems with trunks, they just have
>> to authenticate or go elsewhere.
>> 
>> BTW only for tcp since udp sources can be spoofed. I guess the best way is to
>> use tls with certificate verification (good luck getting the trunks to
>> implement this :)
>> 
>> route[AUTHENTICATE]
>> {
>>         # Source-address trust only over TCP, since UDP sources can be spoofed.
>>         # Address group 3 (permissions module) is the whitelist of IPs on record.
>>         if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp")
>>         {
>>                 # Map the source ip:port (or ip with any port) to the subscriber that
>>                 # registered it as a userpref; the most specific match wins.
>>                 if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$td' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
>>                 {
>>                         xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
>>                         sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
>>                         exit;
>>                 }
>> 
>>                 # avp_db_query() without a result list puts the first column in $avp(i:1)
>>                 $avp(au)=$avp(i:1);
>>         }
>>         else
>>         {
>>                 # Everyone else must present digest credentials for the To: domain realm
>>                 if (!www_authenticate("$td", "subscriber")) {
>>                         xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
>>                         www_challenge("$td", "1");
>>                         exit;
>>                 }
>> 
>>                 $avp(au)=$au;
>> 
>>                 # Strip the credentials before relaying so they are not leaked downstream
>>                 consume_credentials();
>>         }
>> }
> 
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
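The following route is an added example, not configuration posted by anyone in this thread, showing one way to combine the building blocks Olle and Daniel refer to: a source-address whitelist that is only trusted on connection-oriented transports, a digest challenge whose realm is the To: domain, and an authorization step that binds the authenticated account to the From: URI. It assumes the sl, auth, auth_db and permissions modules are loaded, that trunk accounts live in the "subscriber" table, and that address group 3 of the permissions module is the whitelist; the xlog messages and the 403 reason text are made up for the example. It goes beyond Daniel's route in that it uses proxy (407) challenges for non-REGISTER requests and checks the From: URI against the credentials.

```kamailio
# Added example (not code from the thread). Assumes modules sl, auth, auth_db
# and permissions are loaded, trunk accounts are in the "subscriber" table,
# and address group 3 holds the whitelisted trunk IPs (all assumptions).
route[AUTHENTICATE] {
    # Source-address trust only for connection-oriented transports: a UDP
    # source address can be forged, so a UDP whitelist is not authentication.
    if (!is_method("REGISTER") && ($proto == "tcp" || $proto == "tls")
            && allow_address("3", "$si", "$sp")) {
        xlog("L_INFO", "AUTH: $rm from $si:$sp accepted by address whitelist\n");
        return;
    }

    # Everybody else must present digest credentials. The realm is the To:
    # domain, so a trunk that answers with the IP address as realm (the
    # behaviour described in the thread) does not pass here.
    if (is_method("REGISTER")) {
        if (!www_authenticate("$td", "subscriber")) {
            www_challenge("$td", "1");
            exit;
        }
    } else {
        if (!proxy_authenticate("$td", "subscriber")) {
            proxy_challenge("$td", "1");
            exit;
        }
    }

    # Authorization: the authenticated account ($au@$ar) must own the From:
    # URI it sends on behalf of. Digest authentication alone does not check
    # this; it is the "bind the account to specific From: URIs" step.
    if ($au != $fU || $ar != $fd) {
        xlog("L_ALERT", "AUTH: $au@$ar tried to send as $fu from $si:$sp\n");
        sl_send_reply("403", "From URI not owned by authenticated account");
        exit;
    }

    # Do not relay the trunk's credentials to the next hop.
    consume_credentials();
}
```

Call it with `route(AUTHENTICATE);` from the request route before any relaying. The From: binding is strict (user and domain must both match the credentials); where one trunk account is allowed to send on behalf of several From: URIs, that check is the place to replace the comparison with a lookup of the permitted URIs for $au.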