On 19 Mar 2015, at 18:38, canuck15 <canuc...@hotmail.com> wrote:

> It looks like auth_check() will work. It seems intelligent enough to scan all
> instances of the same domain as long as the username is unique so that should
> get things working.
>
> The problem here is that there is a fundamental difference between Asterisk
> and Kamailio authentication. Asterisk authentication works with FQDN or IP.
> However, Kamailio is not designed to authenticate anything with FQDN unless
> it is also a realm and identified as such by the UA. I believe that is the
> main issue here. SIP trunks typically do not use or care about realm. So
> after the initial invite response from Kamailio the SIP trunk provider
> typically responds with the IP address as the realm.

Asterisk authentication is kind of broken - it disregards the domain and is based on the user name, or only uses IP/port. Many years ago I worked on adding multiple domain support in Asterisk - part of the code is still there. Then the project leader added a huge patch for single-domain TLS and I gave up that work.
Kamailio is much more flexible. While the auth module only handles realm, you can easily connect the account to a set of specific From: SIP URIs and do a full authentication and authorization scheme that works as you want. You can build it in a number of ways - which makes it very much more SIP-compliant and flexible.

> It does almost seem like there should be a special module to deal with this
> sort of thing. None of the existing modules seem to be the right fit.

Kamailio is a toolkit. Don't take a single module as the only solution. It's like Linux: you combine a set of small functions and build solutions. Very different from Asterisk. I don't think we need a new module. You can already build stuff like this by combining functionality in different modules.

/O

>
> On 3/18/2015 9:03 AM, Daniel Tryba wrote:
>> On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
>>> I can run a cron job every hour to DNS lookup and update the ip_addr
>>> table as needed so I think this is a satisfactory solution for IP
>>> authentication.
>> Is there a mechanism to identify all originating servers for a
>> hostname/domain? If the answer is no (and AFAIK it is) then this solution
>> doesn't work.
>>
>> I used this in the past, a subscriber has a userpref with ip/port combo. But
>> this isn't an answer for subaccounts on trunks (unless you can get the sender
>> to actually use different ports). 3 is the whitelist for ip addresses on
>> record. I abandoned this due to too many problems with trunks, they just have
>> to authenticate or go elsewhere.
>>
>> BTW only for tcp since udp sources can be spoofed.
>> I guess the best way is to
>> use tls with certificate verification (good luck getting the trunks to
>> implement this :)
>>
>> route[AUTHENTICATE]
>> {
>>     # IP/port ACL only for non-REGISTER over TCP (UDP sources can be spoofed)
>>     if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") &&
>>        $proto=="tcp")
>>     {
>>         if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$td' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
>>         {
>>             xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
>>             sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
>>             exit;
>>         }
>>
>>         # with no destination list, avp_db_query stores the first column in $avp(i:1)
>>         $avp(au)=$avp(i:1);
>>     }
>>     else
>>     {
>>         # everyone else must pass digest authentication against the subscriber table
>>         if (!www_authenticate("$td", "subscriber")) {
>>             xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP: $si:$sp)\n");
>>             www_challenge("$td", "1");
>>             exit;
>>         }
>>
>>         $avp(au)=$au;
>>
>>         consume_credentials();
>>     }
>> }
>>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
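As an added example that is not code from this thread or from the Kamailio project, here is one way to combine the pieces Olle describes: digest authentication from auth_db for subscribers, an address-table ACL from the permissions module for trunk peers, and a separate authorization step that binds the authenticated account to the From URI (or, for REGISTER, to the To URI). It assumes the auth_db, permissions, tls, sl and xlog modules are loaded, the standard subscriber and address tables, address group 3 as in Daniel's snippet, that each trunk row's tag column holds the account name and is exported by permissions through modparam("permissions", "peer_tag_avp", "$avp(peer_tag)"), and that TLS trunk peers present a client certificate whose CN equals that account name. The $tls_peer_verified and $tls_peer_subject_cn pseudo-variables are the tls module's; their use here is the example's assumption, not something the thread shows.

```kamailio
# Constructed example route, not the thread's code.
# Assumes: auth_db, permissions, tls, sl, xlog loaded; address group 3 lists
# trunk peers with tag = account name, exported via peer_tag_avp into
# $avp(peer_tag); TLS trunk certificates carry the account name as CN.
route[AUTHENTICATE] {

    # 1. Trunk peers: source-address ACL, but only on transports where a
    #    spoofed source cannot complete the exchange (TCP/TLS), never UDP.
    if (!is_method("REGISTER") && ($proto == "tcp" || $proto == "tls")
            && allow_address("3", "$si", "$sp")) {

        # On TLS additionally require a verified client certificate whose
        # CN matches the account on record (assumption: CN == account name).
        if ($proto == "tls"
                && ($tls_peer_verified != 1
                    || $tls_peer_subject_cn != $avp(peer_tag))) {
            xlog("L_ALERT", "ACL: TLS peer $si:$sp certificate does not match account $avp(peer_tag)\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }

        # Account name comes from the address table, not from the request.
        $avp(au) = $avp(peer_tag);
        return;
    }

    # 2. Everyone else (including trunks arriving over UDP): digest against
    #    the subscriber table, realm taken from the To domain.
    if (!www_authenticate("$td", "subscriber")) {
        xlog("L_ALERT", "AUTH: challenge $rm from $fu to $tu (IP: $si:$sp)\n");
        www_challenge("$td", "1");
        exit;
    }

    # 3. Authorization: a valid digest only proves possession of the
    #    credentials; it does not prove the caller may use this identity.
    #    Bind the authenticated user@realm to the From URI so one subscriber
    #    cannot place calls claiming another subscriber's From.
    if (!is_method("REGISTER") && ($au != $fU || $ar != $fd)) {
        xlog("L_ALERT", "AUTH: $au@$ar sending as $fu from $si:$sp\n");
        sl_send_reply("403", "From does not match credentials");
        exit;
    }

    # For REGISTER the To URI is the address of record being bound.
    if (is_method("REGISTER") && ($au != $tU || $ar != $td)) {
        xlog("L_ALERT", "AUTH: $au@$ar registering $tu from $si:$sp\n");
        sl_send_reply("403", "To does not match credentials");
        exit;
    }

    $avp(au) = $au;
    consume_credentials();
}
```

Call it as route(AUTHENTICATE) before any routing decision. The From/To binding in step 3 is the part auth_db's auth_check() can do for you with its flags; spelling it out with www_authenticate(), $au, $ar, $fU and $fd shows that it is an authorization rule separate from the credential check, which is what lets the same route accept a trunk by address, a TLS peer by certificate, and a subscriber by digest while still refusing any of them an identity they do not own.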