Nope, I’m not calling a registered user. Actually, there are no registered
users. The function of the Kamailio service in this case is to relay WebRTC
calls to a conferencing bridge. The problem is that whoever set it up did so
without considering the security implications. And, in fact, it was malevolent
SIP traffic hitting the bridge that led me to look more closely at the
Kamailio solution.
There appears to be some custom configuration around routing. I’m not sure if
route(RELAY) on its own is meant to challenge for authorisation.
#!ifdef WITH_CONFERENCEBRIDGE
    if(is_method("INVITE") && (!route(FROMBRIDGE))) {
        # if new call from out there -
        # - non-INVITE requests are routed directly by Kamailio
        # - traffic from is routed also directly by Kamailio
        route(TOBRIDGE);
        exit;
    }
#!endif

#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge
route[TOBRIDGE] {
    $du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
        + $sel(cfg_get.bridge.bindport);
    route(RELAY);
    exit;
}
#!endif
As a short-term solution to filter unwanted traffic, I’ve updated the
configuration to only relay calls using a definitive DDI.
#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge
route[TOBRIDGE] {
    if($rU != "8835100xxxxx")
        return -1;
    $du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
        + $sel(cfg_get.bridge.bindport);
    route(RELAY);
    exit;
}
#!endif
Thanks guys for your help.
From: sr-users [mailto:[email protected]] On Behalf Of David
Villasmil
Sent: Saturday, January 20, 2018 1:06 AM
To: Kamailio (SER) - Users Mailing List <[email protected]>
Subject: Re: [SR-Users] sip invite proxy-authorization
Again, are you calling a local registered user?
On Fri, Jan 19, 2018, 17:28 Dave & Hazel <[email protected]> wrote:
Cheers Alex for your insight.
My problem still remains in that my invites are not being challenged even
though AUTH is defined.
On 19 Jan 2018, at 15:57, Alex Balashov <[email protected]> wrote:
Hi,
> On Fri, Jan 19, 2018 at 03:38:24PM -0000, Dave & Hazel wrote:
>
> performing a SIP INVITE without first registering with the Kamailio
> service (SJ-Phone speak). I am dialling in remotely via NAT and my
> call is being relayed successfully.
Although many people are led to believe that there is some intrinsic
connection between registration and outbound calling by the way phone
UIs present these concepts, there is in fact no such connection
whatsoever.
Registration is an inbound concept, not an outbound concept. You can
make calls without being registered. You can make outbound calls using
different AAA mechanisms. Being registered in no way implies being able
to make outbound calls. They're just completely unrelated.
There is a common authentication mechanism used in both scenarios:
digest challenge authentication. As a practical matter, Kamailio sends a
407 proxy challenge for requests it is meant to relay (e.g. INVITEs) and
a 401 Unauthorized challenge for requests of which it is the logical
destination (e.g. REGISTER), and both draw on the same set of
authentication credentials and otherwise work the same way. The AUTH
route covers both of these cases.
-- Alex
--
Alex Balashov | Principal | Evariste Systems LLC
Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected] <mailto:[email protected]>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
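
Added example (not part of the thread and not any poster's own configuration): one way to combine the DDI filter from the first message with the 407 digest challenge Alex describes, so that every INVITE relayed to the bridge is authenticated whatever its From domain. It assumes the auth, auth_db, sl and xlog modules are loaded and that a subscriber table holds credentials for the permitted callers; the DDI is the placeholder shown in the thread.

```kamailio
#!ifdef WITH_CONFERENCEBRIDGE
# Send to bridge, but only for the conference number and only after
# the caller has answered a digest challenge.
route[TOBRIDGE] {
    # 1. Allowlist the request-URI user (placeholder DDI as in the thread).
    #    Log the source so rejected traffic shows up in the proxy log.
    if ($rU != "8835100xxxxx") {
        xlog("L_WARN", "TOBRIDGE: rejected INVITE to $rU from $si:$sp\n");
        sl_send_reply("404", "Not Found");
        exit;
    }

    # 2. Challenge unconditionally. auth_check() fails when credentials
    #    are missing or wrong; auth_challenge() then replies 407 for a
    #    relayed request such as INVITE (401 is used only for REGISTER).
    #    Assumption: realm is the From domain and the table is named
    #    "subscriber", as in the stock kamailio.cfg.
    if (!auth_check("$fd", "subscriber", "1")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # 3. Strip the Proxy-Authorization header so the caller's digest
    #    response is not forwarded to the bridge.
    consume_credentials();

    $du = "sip:" + $sel(cfg_get.bridge.bindip) + ":"
        + $sel(cfg_get.bridge.bindport);
    route(RELAY);
    exit;
}
#!endif
```

With this in place, an INVITE sent without credentials should receive a 407 with a Proxy-Authenticate header instead of being relayed.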