[Users] trusting peers

Klaus Darilion klaus.mailinglists at pernau.at
Tue Oct 11 14:55:42 CEST 2005


Hi all!

I want to distinguish between _incoming_ SIP requests from trusted peers and 
from untrusted ones (for different call routing). I came to the following 
solutions. All of them have some disadvantages, and I would like to know 
which you would prefer:

1. src_ip: incoming requests are authenticated using the src_ip (only 
useful in TCP mode)
+:  easy to implement
+:  easy to differentiate authenticated from unauthenticated incoming calls
-:  lots of configuration (IP addresses may change, ...)
This can be implemented using if src_ip==... blocks in openser.cfg, 
which would require changing the script every time the IP addresses are 
changed. It also requires a restart of the proxy.

Also from_gw() from the lcr module can be used. But this would interfere 
with the already used lcr tasks and IP addresses. Maybe copy/paste the 
code into a new function called from_peer().

2. IPsec: makes it hard to differentiate trusted from untrusted incoming 
requests in the application. Again, verification of the src_ip would be 
necessary.
-: requires sharing secrets with each peer
+: works also with TCP and TLS unaware proxies

3. TLS with certificates signed by me. Then, if my SIP proxy only uses 
my root CA, all authenticated TLS connections must be from my trusted peers.
+: simple, as long as there is only 1 peering club to authenticate
+: works with current (open)ser
-: can't use public CA roots
-: requires signing of the public key of the peer

4. TLS with public signed certificates. (open)ser would validate the TLS 
certificate. But after that, I need some function like 
tls_is_from_trusted() which checks the Subject of the certificate 
against a list of trusted peers.
+: can use public signed CA roots
+: allows using TLS for incoming trusted and incoming untrusted peers
-: need some more tls specific functions in (open)ser
-: certificate costs $$$

5. Digest Auth between proxies
-: uac module is not standards-conformant (CSeq problem)
-: requires sharing secrets with each peer

If I have forgotten some possibilities or made some mistakes please 
correct me.

regards
klaus
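As an added illustration (not Klaus's code and not part of OpenSER), the
following Python models two of the options above: a source-address table
kept outside the routing script (option 1, the from_peer() idea, with the
table loadable from a file so address changes need no script edit or proxy
restart) and a subject check on an already validated TLS certificate
(option 4, the tls_is_from_trusted() idea). The peer table, the addresses
and the certificate subjects are constructed sample data; the function
names are hypothetical and mirror the ones proposed in the mail.

```python
"""Classify an incoming SIP request as trusted-peer or untrusted.

Added example, not Klaus's code and not OpenSER's own. It models
option 1 (source-address table, from_peer()) and option 4 (TLS subject
check, tls_is_from_trusted()) from the mail. All peer data and sample
requests below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed peer table. In a real deployment this text would come from a
# file or database that the proxy can reload, instead of being hard-coded
# as if src_ip==... blocks inside openser.cfg.
PEER_TABLE_TEXT = """
# network          name     tls_subject_cn
192.0.2.0/24       peer-a   sip.peer-a.example
198.51.100.7/32    peer-b   sip.peer-b.example
2001:db8::/32      peer-c   sip.peer-c.example
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Peer:
    name: str
    network: Network
    tls_cn: str


def load_peer_table(text: str) -> list:
    """Parse the three-column table; '#' starts a comment, blanks are skipped."""
    peers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, name, cn = line.split()
        # strict=True rejects entries with host bits set, a common typo
        peers.append(Peer(name, ipaddress.ip_network(net, strict=True), cn))
    return peers


def from_peer(src_ip: str, transport: str, peers: list) -> Optional[str]:
    """Option 1: match the source address against the peer table.

    As the mail notes, this is only meaningful on a connection-oriented
    transport: over UDP nothing has confirmed the source address, so the
    check is not applied there (returns None, i.e. untrusted).
    """
    if transport.upper() not in ("TCP", "TLS"):
        return None
    addr = ipaddress.ip_address(src_ip)
    for p in peers:
        if addr in p.network:
            return p.name
    return None


def tls_is_from_trusted(cert_subject_cn: str, peers: list) -> Optional[str]:
    """Option 4: the TLS layer has already validated the certificate chain;
    here the Subject CN is compared with the trusted-peer list. Exact,
    case-insensitive match on the whole name; no wildcard handling."""
    cn = cert_subject_cn.strip().lower()
    for p in peers:
        if cn == p.tls_cn.lower():
            return p.name
    return None


def classify(src_ip: str, transport: str, peers: list,
             cert_subject_cn: Optional[str] = None,
             cert_valid: bool = False) -> tuple:
    """Return ("trusted", peer_name) or ("untrusted", None).

    A validated certificate whose subject is in the table is preferred,
    since it still works when a peer's address changes; otherwise fall
    back to the address table on TCP/TLS. An unvalidated certificate is
    ignored entirely, never partially trusted.
    """
    if cert_subject_cn is not None and cert_valid:
        name = tls_is_from_trusted(cert_subject_cn, peers)
        if name:
            return ("trusted", name)
    name = from_peer(src_ip, transport, peers)
    if name:
        return ("trusted", name)
    return ("untrusted", None)


if __name__ == "__main__":
    table = load_peer_table(PEER_TABLE_TEXT)
    # constructed incoming requests: (src_ip, transport, cert CN, cert valid)
    for req in [("192.0.2.10", "tcp", None, False),
                ("192.0.2.10", "udp", None, False),
                ("203.0.113.9", "tls", "sip.peer-b.example", True),
                ("203.0.113.9", "tls", "sip.peer-b.example", False)]:
        print(req[:2], "->", classify(req[0], req[1], table, req[2], req[3]))
```

The routing decision then branches on the returned tuple, which is the
same shape of decision an if src_ip==... block in openser.cfg makes, but
with the peer data separated from the script.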