On Sat, Sep 6, 2008 at 8:44 AM, Scott Lawrence <[EMAIL PROTECTED]> wrote: > With this checkin, the authorization behavior of sipXproxy changes in an > important way. > > Previously, the proxy only challenged an INVITE if the target required > some permission - for example, if the call was going to some gateway in > the default dial plans. A call from one extension to another was not > challenged because in the default dial plans that does not require any > permission. > > Starting with 3.11.5-013330, the proxy will _also_ challenge any > unauthenticated INVITE whose From address identity is that of a user > (that is, the [EMAIL PROTECTED] part appears as an identity in the credentials > database). When the INVITE is authenticated, the proxy adds a > P-Asserted-Identity header to it as it is forwarded. This > authentication can be used by any other sipXecs component in the cluster > (it is signed), and may be used by ITSPs in SIP trunk configurations.
If a user is authorized to use a particular SIP trunk which is associated with a particular ITSP and the INVITE comes to sipxbridge bound for that ITSP, can this header be used by sipxbridge to verify that the request is valid and originating from the sipx proxy server? ITSPs are not using the P-Asserted-Identity in that fashion. Here is at least what ONE particular ITSP (AT&T) expects: When you hide the identity of the caller for the inbound INVITE using an [EMAIL PROTECTED] address in the From header, you must place the caller ID specified by the ITSP in the P-Asserted-Identity header. The caller-ID has been provided by the ITSP a-priori and the ITSP also accepts inbound INVITES only from provisioned IP addresses ( case in point would be AT&T). XECS-1426 does not solve this problem but perhaps XECS-1426 can be used to solve the problem of authenticated INVITEs which are verifiably valid requests originating from the SIPX Proxy server. Thanks > >> Subject: sipXecs 13330 xmlscott: [XECS-1426] RFC 3325 >> (P-Asserted-Identity) support for sipXproxy >> Date: Fri, 5 Sep 2008 20:58:51 -0400 >> >> Project >> sipXecs >> New Revision >> 13330 >> Committer >> xmlscott (Scott Lawrence) >> Date >> 2008-09-05 20:58:51 -0400 (Fri, 05 >> Sep 2008) >> Log >> >> [XECS-1426] RFC 3325 (P-Asserted-Identity) support for sipXproxy >> contributed by Huijun Yang >> >> >> >> Modified: >> * main/sipXproxy/include/SipRouter.h >> * main/sipXproxy/lib/authplugins/test/EnforceAuthRulesTest.cpp >> * main/sipXproxy/src/SipRouter.cpp >> * main/sipXtackLib/include/net/SipXauthIdentity.h >> * main/sipXtackLib/src/net/SipXauthIdentity.cpp >> main/sipXtackLib/src/test/net/SipXauthIdentityTest.cpp.in > > _______________________________________________ > sipx-dev mailing list > [email protected] > List Archive: http://list.sipfoundry.org/archive/sipx-dev > Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev > -- M. Ranganathan _______________________________________________ sipx-dev mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-dev Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
