[Users] Trying to find a solution to a sticky problem here.

Douglas Garstang dgarstang at oneeighty.com
Fri Mar 17 17:56:48 CET 2006


> -----Original Message-----
> From: Arek Bekiersz [mailto:arek at perceval.net]
> Sent: Friday, March 17, 2006 9:21 AM
> To: Douglas Garstang
> Cc: openser
> Subject: Re: [Users] Trying to find a solution to a sticky problem here.
> 
> 
> Hi,
> 
> 
> Just a first impression, after quickly reading the mail.
> May be useful. Or may be noise:
> 
> I do it IP based. I use a few Asterisk boxes, not exactly the way you
> do, but I also need to talk between SERs and Asterisks without
> problems. I just put one or more SERs as trusted peers at all
> Asterisks. Then at SER I disable authentication of requests, coming
> for specified Asterisk addresses.
> 
> When it comes to your REFER problem (or similar), I just put
> record-route to all requests flying thru SER. Then all UAs are obliged
> to send subsequent requests in a dialog thru proxy. This is what
> record-route is for.
Whoa! I didn't realise I could do that. Just exactly where would I put the record_route()? I tried putting it after the logic that tests for an INVITE... but it didn't seem to work.

> 
> If this is not enough, because you are outside of a dialog or have a
> particularly stupid UA - my SIP routing is based on domains. So UAs are
> always configured to use proxy and proxy is in textual format of a
> realm (FQDN). Thus, they will never send any dialog initiating request
> omitting proxy. Or they are very stupid UAs :-)
> 
> Conclusion: trusted peers on (*) and IP-based policy on SER works well
> for me.
> 
> -- 
> Regards,
> Arek Bekiersz
> 
> 
> 
> 
> Douglas Garstang wrote:
> > Trying to find a solution to a sticky problem here.
> > 
> > We have 3 OpenSER systems. Phones register with the OpenSER systems,
> > and after they authenticate the user, pass the registration info
> > using OpenSER's send() command to all Asterisk boxes sitting behind
> > them. Each asterisk system then knows about every phone.
> > 
> > For this to work, I had to turn off authentication in Asterisk for
> > both registrations and invites. If it's on, asterisk sends a 407
> > Proxy Auth required to the phone in addition to OpenSER. This
> > confuses the phone, as it's now receiving two 407 proxy auth
> > requests, and it basically just drops the second request on the
> > floor.
> > 
> > This is obviously a big security problem and it can't stay this way.
> > I thought maybe if authentication was on in Asterisk, that
> > considering by the time it receives the authenticated register or
> > invite from OpenSER, the MD5 password was already contained in the
> > packet, that Asterisk wouldn't ask again. It does. :(
> > 
> > We could use IP tables to only allow connections from the OpenSER
> > systems, but that doesn't always work. When a caller transfers a
> > call, the phones will send a REFER message directly to Asterisk, so
> > all the phones would have to also be in the ip tables allow list.
> > Not an elegant solution.
> > 
> > We could run mediaproxy on OpenSER and force all RTP streams back
> > through it. Might work, but it might also break other stuff. We
> > could then configure ip tables to only allow RTP streams from the
> > OpenSER systems.
> > 
> > It might be possible to configure OpenSER to perform the logic
> > necessary to make it talk to Asterisk properly, but it's beyond my
> > abilities and time.
> > 
> > Anyone ever done this? Anyone got any ideas?
> > 
> > Doug
> 
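
A routing-block layout for the record_route() placement question and the IP-based policy discussed in this message. This is an added example, not configuration posted by either author. It assumes OpenSER 1.0.x syntax and the modules named in its first comment; the two 192.0.2.x addresses are constructed placeholders for the Asterisk boxes.

```cfg
# Added example. Assumes maxfwd, sl, tm, rr, auth, auth_db, usrloc and
# registrar are loaded and a "subscriber" table exists.
# 192.0.2.10 / 192.0.2.11 are constructed placeholder Asterisk addresses.
route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    };

    # Run for every non-REGISTER request, near the top of the route block
    # and before any t_relay(), not only inside an INVITE-specific branch.
    if (!method=="REGISTER")
        record_route();

    # In-dialog requests (re-INVITE, REFER, BYE) carry the Route set built
    # from Record-Route, so they arrive here; this example relays them
    # without a fresh challenge.
    if (loose_route()) {
        route(1);
    };

    # IP-based policy: only the Asterisk boxes skip digest authentication.
    # Source-address trust over UDP is only as strong as the anti-spoofing
    # filtering between the phones and this proxy.
    if (!(src_ip==192.0.2.10 || src_ip==192.0.2.11)) {
        if (method=="REGISTER") {
            if (!www_authorize("", "subscriber")) {
                www_challenge("", "0");
                exit;
            };
        } else if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        };
    };

    if (method=="REGISTER") {
        save("location");   # replication to Asterisk via send() not shown
        exit;
    };
    consume_credentials();  # do not forward the phone's digest response
    route(1);
}

route[1] {
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
```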



