In follow-up and closing to this thread and my loose_routing security thread, 
this is how my project ended up:

This setup was designed to:
  - Whitelist my gateway IPs.
  - Any initial INVITEs from non-gateway IPs will be authorized and the dialog 
    will be added to a simple htable based on Call-ID.
  - Any in-dialog request will do a lookup on the htable so that authorization 
    isn't required on BYE and the like.

This was all successfully accomplished EXCEPT for the fact that while I could 
authorize Asterisk, Asterisk then INSISTED upon authorizing Kamailio as well 
(it would send Kamailio a 401 Unauthorized for any INVITE sent to Asterisk). So 
then I started working on using UAC to authorize to Asterisk in response to the 
401. Kamailio appends a new branch but Asterisk does not work with branches; 
instead it only saw that the CSeq for the 2nd INVITE with the authorize header 
had not incremented, and it therefore ignored the 2nd INVITE and instead sent 
another 401. I then tried playing with a system to hackishly manually increment 
the CSeq, but this would have to be done ONLY for messages destined to 
Asterisk; the other side of the call would have to be -1 CSeq. This became a 
major issue because it is quite difficult to tell WHAT IP you are sending the 
packet to. Instead I abandoned this craziness in favor of a much, much simpler 
whitelisted-gateways-in-htable approach. The only downside is that adding a new 
gateway now involves editing the config file and reloading Kamailio. At some 
point I could put this in SQL and just update the gateways daily, i.e. DASH.

Thanks for all the help, everyone. If it looks like I missed something please 
let me know, as I would have preferred doing as above, but what I have now is 
functional.

-Eric

> CC: sr-users@lists.sip-router.org
> From: abalas...@evaristesys.com
> Date: Sun, 17 Apr 2011 19:25:31 -0400
> To: sr-users@lists.sip-router.org
> Subject: Re: [SR-Users] Authenticate if receiving 401
> 
> You can use the UAC module for that, and it might work, but basically that's 
> not something a proxy should be doing.  The sending UA should respond to the 
> challenge.
> 
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
> 
> On Apr 17, 2011, at 6:29 PM, Eric Hiller <mrrapto...@hotmail.com> wrote:
> 
> > I want Kamailio to authenticate itself to a host if it is sent a 401, just 
> > as that host is expected to authenticate if Kamailio sends it one. I am not 
> > finding much online, probably because I am not searching for the 
> > right terms. Does anyone have any experience in this?
> > 
> > Thanks!
> > -Eric
> > _______________________________________________
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users@lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> 
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
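
The three rules listed at the top of the message (gateway whitelist, authenticated initial INVITE recorded by Call-ID, table lookup for in-dialog requests), modelled in Python as an added example; it is not the poster's Kamailio config. The addresses, the 7200-second expiry, the `creds_ok` flag standing in for the digest check, and the treatment of non-INVITE initial requests are assumptions.

```python
import time

GATEWAYS = {"192.0.2.10", "192.0.2.11"}        # constructed addresses
COMPACT = {"i": "call-id", "t": "to"}          # RFC 3261 compact header names


def parse(raw):
    """Extract method, Call-ID and To-tag presence from a raw SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        hdrs[COMPACT.get(name, name)] = value.strip()
    return {"method": lines[0].split(" ", 1)[0],
            "callid": hdrs.get("call-id", ""),
            "totag": ";tag=" in hdrs.get("to", "").lower()}


class Policy:
    def __init__(self, gateways, ttl=7200):     # ttl: assumed expiry, seconds
        self.gateways, self.ttl = set(gateways), ttl
        self.dialogs = {}                       # Call-ID -> expiry time

    def decide(self, src_ip, raw, creds_ok=False, now=None):
        """Return 'relay', 'challenge' or 'reject' for one request."""
        now = time.time() if now is None else now
        req = parse(raw)
        if src_ip in self.gateways:             # rule 1: whitelisted gateway
            return "relay"
        if not req["callid"]:                   # malformed: nothing to key on
            return "reject"
        if req["totag"]:                        # rule 3: in-dialog lookup
            if self.dialogs.get(req["callid"], 0) > now:
                return "relay"
            self.dialogs.pop(req["callid"], None)   # expired or never seen
            return "reject"
        if not creds_ok:                        # rule 2: authenticate first
            return "challenge"
        if req["method"] == "INVITE":           # only INVITE opens a dialog
            self.dialogs[req["callid"]] = now + self.ttl
        return "relay"


def msg(method, callid, totag=False):
    """Build a constructed sample request."""
    to = "<sip:bob@example.com>" + (";tag=8f2c" if totag else "")
    return (f"{method} sip:bob@example.com SIP/2.0\r\nTo: {to}\r\n"
            f"Call-ID: {callid}\r\nCSeq: 1 {method}\r\n\r\n")
```

An in-dialog request from a non-gateway address is relayed only while its Call-ID is in the table, so a BYE carrying an unknown or expired Call-ID is refused rather than passed through unauthenticated.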
