Re: [Project Clearwater] [Clearwater] AS Configuration and untrusted sources

Tue, 25 Jul 2017 04:00:20 -0700 

Hi Michele,

Thank you for the extra diagnostics.

To help understand why Bono is rejecting the SUBSCRIBE to the Application 
Server it will help to know what kind of security checks Bono applies to 
incoming messages. When you successfully register a subscriber Bono stores the 
following details about the device used to register the subscriber:


·         IP address

·         Transport (i.e. TCP or UDP)

·         The port that the requests were sent from

Then if Bono receives an INVITE for a call from a registered subscriber whose 
device matches Bono’s record of the above three details then the call is 
allowed to proceed through to the IMS Core.

What appears to be happening here from looking at this line:

24-07-2017 10:38:25.417 UTC Debug bono.cpp:1166: Message received on 
non-trusted port 5060

is that the port which the SUBSRIBE message is being sent from does not match 
with the port that the device used to register the subscriber and hence Bono 
regards it as an untrusted port.

Exactly why different ports are being used for REGISTERS and SUBSCRIBES will 
depend on your SIP client. If do not know how to modify these I may be able to 
help if you give me details of your SIP client and a log file from Bono 
collected at a time when your made a registration.

Thanks,

Andrew

From: Clearwater [mailto:[email protected]] On 
Behalf Of Michele Furlanetto
Sent: Monday, July 24, 2017 3:08 PM
To: [email protected]
Subject: Re: [Project Clearwater] [Clearwater] AS Configuration and untrusted 
sources

Hi Andrew,
Thanks for your response.

In attachment you can find what you asked me.
It’s about 15 minutes of logs, beginning with the service start.
An example of message being rejected can be found at line 72104, while the 
rejection is at 72399.

I had to censor part of contents and some headers of the messages, so there may 
be some inconsistencies.


Thanks,
Michele


Il giorno 24 lug 2017, alle ore 11:53, Andrew Edmonds 
<[email protected]<mailto:[email protected]>> ha 
scritto:

Hi Michele,

Thank you for your question.

It may be the case that you need to update your firewall rules to allow traffic 
from your SIP client to reach the Application Server. However in order to 
verify this I will need the Bono logs from the time which you attempted to 
contact the AS. Could you please provide these logs?

Thanks,

Andrew

From: Clearwater [mailto:[email protected]] On 
Behalf Of Michele Furlanetto
Sent: Tuesday, July 18, 2017 12:58 PM
To: 
[email protected]<mailto:[email protected]>
Subject: [Project Clearwater] [Clearwater] AS Configuration and untrusted 
sources

Hi all,
I’ve got a problem while configuring an AIO image.

In my scenario, there are is an AS, say 
as1.service.example.com<http://as1.service.example.com/>, which should get the 
third-party registration as well as being able to be addressed directly from 
the Sip client.

While third-party registration works, I’m unable to contact the AS directly.
Looking at Bono logs, I get Info bono.cpp:1356: Rejecting request from 
untrusted source.

Here is the content of 
/usr/share/clearwater/ellis/web-content/js/app-servers.json, indented to be 
more readable
{
“SERVICE”:"
<InitialFilterCriteria>
            <Priority>0</Priority>
            <TriggerPoint>
                        <ConditionTypeCNF>0</ConditionTypeCNF>
                        <SPT>
                                    <ConditionNegated>0</ConditionNegated>
                                    <Group>0</Group>
                                    <Method>REGISTER</Method>
                                    <Extension>
                                                
<RegistrationType>0</RegistrationType>
                                                
<RegistrationType>1</RegistrationType>
                                                
<RegistrationType>2</RegistrationType>
                                    </Extension>
                        </SPT>
                        <SPT>
                                    <ConditionNegated>0</ConditionNegated>
                                    <Group>1</Group>
                                    
<RequestURI>sip:as1.service.example.com<http://service.example.com/></RequestURI>
                        </SPT>
            </TriggerPoint>
            <ApplicationServer>
                        
<ServerName>sip:as1.service.example.com<http://service.example.com/>:5071;transport=UDP</ServerName>
                        <DefaultHandling>0</DefaultHandling>
                        <Extension>
                                    <IncludeRegisterRequest/>
                        </Extension>
            </ApplicationServer>
</InitialFilterCriteria>"
}

Some other details:
- SERVICE is checked in Ellis for test users;
- as1.service.example.com<http://as1.service.example.com/> is resolved using 
/etc/hosts.


Any hint on the error(s)?
Thanks,
Michele
_______________________________________________
Clearwater mailing list
[email protected]<mailto:[email protected]>
http://lists.projectclearwater.org/mailman/listinfo/clearwater_lists.projectclearwater.org


_______________________________________________
Clearwater mailing list
[email protected]
http://lists.projectclearwater.org/mailman/listinfo/clearwater_lists.projectclearwater.org

Reply via email to