Re: [SR-Users] What is the best SIP trunk authentication strategy

2015-03-23 Thread Olle E. Johansson

On 19 Mar 2015, at 18:38, canuck15 canuc...@hotmail.com wrote:

> It looks like auth_check() will work. It seems intelligent enough to scan all 
> instances of the same domain as long as the username is unique so that should 
> get things working.
> 
> The problem here is that there is a fundamental difference between Asterisk 
> and Kamailio authentication.  Asterisk authentication works with FQDN or IP.  
> However, Kamailio is not designed to authenticate anything with FQDN unless 
> it is also a realm and identified as such by the UA.  I believe that is the 
> main issue here.  SIP trunks typically do not use or care about realm.  So 
> after the initial invite response from Kamailio the SIP trunk provider 
> typically responds with the IP address as the realm.
Asterisk authentication is kind of broken - it disregards the domain and is 
based on the user name, or only uses IP/port. Many years ago I worked on adding
multiple domain support in asterisk - part of the code is still there. Then the 
project leader added a huge patch for single-domain TLS and I gave up that
work. 

Kamailio is much more flexible. While the auth module only handles realm, you 
can easily connect the account to a set of specific From: SIP URI's and do a 
full authentication and authorization scheme that works as you want. You can 
build it in a number of ways - which makes it very much more SIP-compliant and 
flexible.


 
> It does almost seem like there should be a special module to deal with this 
> sort of thing.  None of the existing modules seem to be the right fit.
Kamailio is a toolkit. Don't take a single module as the only solution. It's 
like linux, you combine a set of small functions and build solutions.
Very different from Asterisk. 

I don't think we need a new module. You can already build stuff like this by 
combining functionality in different modules.

/O


 
 
> On 3/18/2015 9:03 AM, Daniel Tryba wrote:
>> On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
>>> I can run a cron job every hour to DNS lookup and update the ip_addr
>>> table as needed so I think this is a satisfactory solution for IP
>>> authentication.
>> Is there a mechanism to identify all originating servers for a
>> hostname/domain? If the answer is no (and AFAIK it is) then this solution
>> doesn't work.
>> 
>> I used this in the past, a subscriber has a userpref with ip/port combo. But
>> this isn't an answer for subaccounts on trunks (unless you can get the sender
>> to actually use different ports). 3 is the whitelist for ip addresses on
>> record. I abandoned this due to too many problems with trunks, they just have
>> to authenticate or go elsewhere.
>> 
>> BTW only for tcp since udp sources can be spoofed. I guess the best way is to
>> use tls with certificate verification (good luck getting the trunks to
>> implement this :)
>> 
>> route[AUTHENTICATE]
>> {
>> 	# trusted source over TCP only: a UDP source address can be spoofed
>> 	if(!is_method("REGISTER") && allow_address(3, "$si", "$sp") && $proto=="tcp")
>> 	{
>> 		# most specific entry wins (ip:port before ip:%); $td comes from the
>> 		# request's To header, so escape it before interpolating into SQL
>> 		if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) desc limit 1"))
>> 		{
>> 			xlog("L_ALERT", "ACL: $rm from $fu (IP:$si:$sp)\n");
>> 			sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
>> 			exit;
>> 		}
>> 
>> 		# username of the matched account
>> 		$avp(au)=$avp(i:1);
>> 	}
>> 	else
>> 	{
>> 		$var(authenticated)=www_authenticate("$td", "subscriber");
>> 
>> 		# www_authenticate() returns a negative code on failure
>> 		if ($var(authenticated) < 0) {
>> 			xlog("L_ALERT", "AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
>> 			www_challenge("$td", "1");
>> 			exit;
>> 		}
>> 
>> 		$avp(au)=$au;
>> 
>> 		consume_credentials();
>> 	}
>> }
>> 
>> 
>> 
>> ___
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users




[SR-Users] What is the best SIP trunk authentication strategy

2015-03-19 Thread Juha Heinanen
i suggest you use tls common names to identify servers behind your
trunks,

-- juha



Re: [SR-Users] What is the best SIP trunk authentication strategy

2015-03-19 Thread canuck15

Please keep in mind that I have no control over SIP trunk providers.

The vast majority do not allow me to do any of these things as far as I 
know.  This is something that needs to be solved in Kamailio with 
standard user/pass/realm authentication.  TLS is not an option for me.


On 3/18/2015 11:36 PM, Juha Heinanen wrote:

> i suggest you use tls common names to identify servers behind your
> trunks,
> 
> -- juha






Re: [SR-Users] What is the best SIP trunk authentication strategy

2015-03-19 Thread Juha Heinanen
canuck15 writes:

> The vast majority do not allow me to do any of these things as far as I 
> know.  This is something that needs to be solved in Kamailio with 
> standard user/pass/realm authentication.  TLS is not an option for me.

then the vast majority don't care a bit about security, which is very
bad for your customers.

-- juha



Re: [SR-Users] What is the best SIP trunk authentication strategy

2015-03-19 Thread canuck15
It looks like auth_check() will work. It seems intelligent enough to 
scan all instances of the same domain as long as the username is unique 
so that should get things working.


The problem here is that there is a fundamental difference between 
Asterisk and Kamailio authentication.  Asterisk authentication works 
with FQDN or IP.  However, Kamailio is not designed to authenticate 
anything with FQDN unless it is also a realm and identified as such by 
the UA.  I believe that is the main issue here.  SIP trunks typically do 
not use or care about realm.  So after the initial invite response from 
Kamailio the SIP trunk provider typically responds with the IP address 
as the realm.


It does almost seem like there should be a special module to deal with 
this sort of thing.  None of the existing modules seem to be the right fit.



On 3/18/2015 9:03 AM, Daniel Tryba wrote:

> On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
> 
>> I can run a cron job every hour to DNS lookup and update the ip_addr
>> table as needed so I think this is a satisfactory solution for IP
>> authentication.
> 
> Is there a mechanism to identify all originating servers for a
> hostname/domain? If the answer is no (and AFAIK it is) then this solution
> doesn't work.
> 
> I used this in the past, a subscriber has a userpref with ip/port combo. But
> this isn't an answer for subaccounts on trunks (unless you can get the sender
> to actually use different ports). 3 is the whitelist for ip addresses on
> record. I abandoned this due to too many problems with trunks, they just have
> to authenticate or go elsewhere.
> 
> BTW only for tcp since udp sources can be spoofed. I guess the best way is to
> use tls with certificate verification (good luck getting the trunks to
> implement this :)
> 
> route[AUTHENTICATE]
> {
> 	# trusted source over TCP only: a UDP source address can be spoofed
> 	if(!is_method("REGISTER") && allow_address(3, "$si", "$sp") && $proto=="tcp")
> 	{
> 		# most specific entry wins (ip:port before ip:%); $td comes from the
> 		# request's To header, so escape it before interpolating into SQL
> 		if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) desc limit 1"))
> 		{
> 			xlog("L_ALERT", "ACL: $rm from $fu (IP:$si:$sp)\n");
> 			sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
> 			exit;
> 		}
> 
> 		# username of the matched account
> 		$avp(au)=$avp(i:1);
> 	}
> 	else
> 	{
> 		$var(authenticated)=www_authenticate("$td", "subscriber");
> 
> 		# www_authenticate() returns a negative code on failure
> 		if ($var(authenticated) < 0) {
> 			xlog("L_ALERT", "AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
> 			www_challenge("$td", "1");
> 			exit;
> 		}
> 
> 		$avp(au)=$au;
> 
> 		consume_credentials();
> 	}
> }






[SR-Users] What is the best SIP trunk authentication strategy

2015-03-18 Thread canuck15

Been struggling with this for a while now.

So far I am finding it rather difficult to come up with a way to 
authenticate SIP trunks taking into account all possible scenarios.   My 
setup is Kamailio combined with Asterisk realtime. Everything is in a 
MySQL database.  All authentication is done by Kamailio.  Kamailio 
handles SIP extension (user) authentication quite well but seems poorly 
equipped for SIP trunk (peer) authentication.  The biggest problem I 
have run into so far is that SIP trunks typically use DNS names and 
Kamailio is not at all designed to use DNS names.  Also SIP trunks do 
not use named realms whereas that is a key part of Kamailio 
authentication.


For IP authentication about the only solution I have found is to DNS 
lookup and save all returned IP addresses in the ip_addr mysql table.


Then I do:

#!ifdef WITH_IPAUTH
	# trusted source address and no credentials offered: let the request through
	if((!is_method("REGISTER")) && allow_source_address() && $au == "") {
		# source IP allowed
		return;
	}
#!endif

I can run a cron job every hour to DNS lookup and update the ip_addr 
table as needed so I think this is a satisfactory solution for IP 
authentication.


SIP trunk user/pass authentication is the one I am now struggling with.  
This standard Kamailio authentication section does not work for SIP trunks.


if (is_method("REGISTER|INVITE") || from_uri==myself)
{
	# authenticate requests
	#if (!auth_check("$fd", "subscriber", "1")) {
	if (!auth_check("$fd", "subscriber", "0")) {
		auth_challenge("$fd", "0");
		exit;
	}
	# user authenticated - remove auth header
	if(!is_method("REGISTER|PUBLISH"))
		consume_credentials();
}

This is a multidomain setup and therefore:

modparam(auth_db, use_domain, 1)

So the authentication section will try to authenticate the realm of the 
trunk which will always be an IP address.  However the SIP trunk realm 
will usually be saved in the subscriber database as the FQDN.  There 
is no mechanism for auth_check() to directly or indirectly check against 
FQDN.  The other problem is that even if I used the ip_addr table 
somehow it will only try to use the user/pass of the first instance of a 
matching IP address.  For SIP trunks it is possible I could have 
multiple subaccounts and therefore multiple instances of the same IP 
with different user/pass.  So auth_check() is not designed for being 
used this way as far as I can tell.


Seems to me like there should almost be a special kamailio module just 
for SIP trunks.  I had a look at the carrierroute module; it's not designed 
for this either.




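The two trunk-authentication paths argued over in this thread (Daniel Tryba's TCP-only address ACL with Digest as the fallback, and the original post's problem that the subscriber row stores the trunk's FQDN while the trunk answers the challenge with the proxy IP as realm), as an added Python model. It is not code from the thread and not Kamailio's own implementation: the subscriber and usr_preferences rows, the proxy address 198.51.100.5, the trunk domain sip.trunk.example and the nonce are all constructed, and the use_domain and stored_ha1 switches are this model's reading of auth_db's use_domain and calculate_ha1=0 (a lookup keyed on username plus realm, and an HA1 precomputed over the stored domain), so check the module documentation for the exact behaviour of your version.

```python
"""Model of trunk authentication as discussed on sr-users: a source-address
ACL trusted over TCP only, and SIP Digest (RFC 2617, MD5, qop=auth) otherwise,
against a subscriber table whose domain column holds the trunk's FQDN.

Added example, not Kamailio code. Every row, address and nonce below is
constructed; use_domain / stored_ha1 mimic auth_db's use_domain and
calculate_ha1=0 as this model understands them.
"""
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


PROXY_IP = "198.51.100.5"          # constructed: the Kamailio address the trunk sees
TRUNK_FQDN = "sip.trunk.example"   # constructed: what subscriber.domain holds

# constructed subscriber rows: (username, domain, plaintext password)
SUBSCRIBERS = [
    ("trunk-main", TRUNK_FQDN, "s3cret-main"),
    ("trunk-sub1", TRUNK_FQDN, "s3cret-sub1"),
]
# constructed usr_preferences rows, attribute=ip_authentication:
# (username, domain, "ip:port" or "ip:%")
IP_AUTH = [
    ("trunk-main", TRUNK_FQDN, "203.0.113.10:%"),
    ("trunk-sub1", TRUNK_FQDN, "203.0.113.10:5061"),
]


def lookup_by_address(src_ip, src_port, proto, domain):
    """ACL branch: map a TCP source to a sub-account. UDP is never trusted
    because its source address can be spoofed. The most specific value wins,
    so an ip:port row for a sub-account beats the trunk's ip:% row."""
    if proto != "tcp":
        return None
    wanted = (f"{src_ip}:{src_port}", f"{src_ip}:%")
    hits = [(u, v) for u, d, v in IP_AUTH if d == domain and v in wanted]
    return max(hits, key=lambda h: len(h[1]))[0] if hits else None


def digest_response(user, realm, password, method, uri, nonce, cnonce, nc):
    """RFC 2617 response with qop=auth. HA1 is bound to the realm the client
    put in its Authorization header, not to any domain stored server-side."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def trunk_answers_challenge(user, password, method, uri, nonce, realm=PROXY_IP):
    """What a typical trunk sends back: it echoes the realm it was challenged
    with, which in the poster's multidomain setup is the proxy IP."""
    cnonce, nc = "0a4f113b", "00000001"
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "cnonce": cnonce, "nc": nc,
            "response": digest_response(user, realm, password, method, uri,
                                        nonce, cnonce, nc)}


def digest_check(creds, method, server_nonce, use_domain, stored_ha1=False):
    """Model of auth_check() over the subscriber table; returns "ok" or the
    failure reason. With use_domain the row must match (username, realm), so
    a realm of 198.51.100.5 never finds a row whose domain is the FQDN. With
    stored_ha1 the row holds MD5(user:FQDN:password) precomputed, which cannot
    verify a response the trunk computed over the IP realm."""
    if creds["nonce"] != server_nonce:
        return "stale nonce"
    rows = [r for r in SUBSCRIBERS if r[0] == creds["username"]
            and (not use_domain or r[1] == creds["realm"])]
    if not rows:
        return "no such user"
    user, domain, password = rows[0]
    ha1_realm = domain if stored_ha1 else creds["realm"]
    expected = digest_response(user, ha1_realm, password, method, creds["uri"],
                               creds["nonce"], creds["cnonce"], creds["nc"])
    return "ok" if expected == creds["response"] else "bad password"


def authenticate(req, server_nonce="constructed-nonce-1", use_domain=True,
                 stored_ha1=False):
    """route[AUTHENTICATE] as a function: ACL over TCP first, Digest otherwise.
    Simplification: a source with no matching preference row falls through to
    Digest here, whereas the posted route answers 403."""
    if req["method"] != "REGISTER":
        user = lookup_by_address(req["src_ip"], req["src_port"], req["proto"],
                                 req["to_domain"])
        if user:
            return "ip-auth", user
    if "auth" not in req:
        return "challenge", None          # 401 with WWW-Authenticate
    verdict = digest_check(req["auth"], req["method"], server_nonce,
                           use_domain, stored_ha1)
    if verdict == "ok":
        return "digest-auth", req["auth"]["username"]
    return "reject:" + verdict, None
```

Two things the thread states fall out of the model: a sub-account sharing the trunk's IP is only separable by port on the ACL path (and only over TCP), and on the Digest path a unique username is what makes the lookup work once the realm is no longer required to equal the stored domain, provided the server can recompute HA1 over whatever realm the trunk used, which a precomputed FQDN-bound HA1 cannot do.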