Been struggling with this for a while now.

So far I am finding it rather difficult to come up with a way to authenticate SIP trunks taking into account all possible scenarios. My setup is Kamailio combined with Asterisk realtime. Everything is in a MySQL database. All authentication is done by Kamailio. Kamailio handles SIP extension (user) authentication quite well but seems poorly equipped for SIP trunk (peer) authentication. The biggest problem I have run into so far is that SIP trunks typically use DNS names and Kamailio is not at all designed to use DNS names. Also, SIP trunks do not use named "realms", whereas that is a key part of Kamailio authentication.

For IP authentication about the only solution I have found is to do a DNS lookup and save all returned IP addresses in the ip_addr MySQL table.

Then I do:

#!ifdef WITH_IPAUTH
    # non-REGISTER request from a listed source address and no
    # credentials offered: accept on source IP alone
    if((!is_method("REGISTER")) && allow_source_address() && $au == "") {
        # source IP allowed
        return;
    }
#!endif

I can run a cron job every hour to do a DNS lookup and update the ip_addr table as needed, so I think this is a satisfactory solution for IP authentication.

SIP trunk user/pass authentication is the one I am now struggling with. This standard Kamailio authentication section does not work for SIP trunks.

if (is_method("REGISTER|INVITE") || from_uri==myself)
    {
        # authenticate requests
        #if (!auth_check("$fd", "subscriber", "1")) {
        if (!auth_check("$fd", "subscriber", "0")) {
            # no valid credentials: challenge with the From domain as realm
            auth_challenge("$fd", "0");
            exit;
        }
        # user authenticated - remove auth header
        if(!is_method("REGISTER|PUBLISH"))
            consume_credentials();
    }

This is a multidomain setup and therefore:

modparam("auth_db", "use_domain", 1)

So the authentication section will try to authenticate the realm of the trunk, which will always be an IP address. However, the SIP trunk realm will usually be saved in the "subscriber" database as the FQDN. There is no mechanism for auth_check() to directly or indirectly check against the FQDN. The other problem is that even if I used the ip_addr table somehow, it will only try to use the user/pass of the first instance of a matching IP address. For SIP trunks it is possible I could have multiple subaccounts and therefore multiple instances of the same IP with different user/pass. So auth_check() is not designed for being used this way, as far as I can tell.

Seems to me like there should almost be a special Kamailio module just for SIP trunks. I had a look at the carrierroute module; it's not designed for this either.



_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

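The hourly cron job the post describes, as an added example (not code from the post or from the Kamailio project): it resolves every A/AAAA record of each trunk FQDN, diffs the result against what the table currently holds, and emits parameterised INSERT/DELETE statements. It assumes that allow_source_address() reads the permissions module's `address` table with columns (grp, ip_addr, mask, port, tag) and that the trunk group number is 1; the trunk names, tags, DNS answers and current table contents are constructed so the script runs offline.

```python
"""Sync Kamailio's permissions `address` table from SIP trunk FQDNs.

Added example, not code from the post above or from the Kamailio project.
Assumptions: allow_source_address() reads the permissions module's
`address` table with columns (grp, ip_addr, mask, port, tag); the trunk
names, tags and DNS answers below are constructed for the example.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Set, Tuple

# One allowed source address, in `address` column order.
Row = Tuple[int, str, int, int, str]  # (grp, ip_addr, mask, port, tag)

TRUNK_GROUP = 1           # grp checked by the IP-auth branch (assumption)
TAG_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def resolve_live(host: str) -> List[str]:
    """Production resolver: every A and AAAA record of host, deduplicated."""
    addrs = set()
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(host, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return sorted(addrs)


def desired_rows(trunks: Dict[str, str],
                 resolve: Callable[[str], List[str]]) -> Set[Row]:
    """Resolve each trunk FQDN into the rows the table should hold.

    `trunks` maps FQDN -> tag; the tag column is what lets kamailio.cfg
    tell one trunk from another when several share an address.
    """
    rows: Set[Row] = set()
    for host, tag in trunks.items():
        if not TAG_RE.match(tag):
            raise ValueError(f"bad tag for {host}: {tag!r}")
        for addr in resolve(host):
            ip = ipaddress.ip_address(addr)        # rejects non-IP garbage
            if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
                continue                           # never whitelist these
            mask = 32 if ip.version == 4 else 128  # exact host only
            rows.add((TRUNK_GROUP, str(ip), mask, 0, tag))
    return rows


def plan_changes(current: Set[Row],
                 desired: Set[Row]) -> Tuple[Set[Row], Set[Row]]:
    """Return (rows to INSERT, rows to DELETE) so that the trunk group in
    `current` becomes `desired`. Rows in other groups are left alone."""
    ours = {r for r in current if r[0] == TRUNK_GROUP}
    return desired - ours, ours - desired


def to_statements(inserts: Set[Row],
                  deletes: Set[Row]) -> List[Tuple[str, Row]]:
    """Parameterised (sql, params) pairs for a DB-API cursor.execute()."""
    stmts: List[Tuple[str, Row]] = []
    for row in sorted(deletes):
        stmts.append(("DELETE FROM address WHERE grp=%s AND ip_addr=%s "
                      "AND mask=%s AND port=%s AND tag=%s", row))
    for row in sorted(inserts):
        stmts.append(("INSERT INTO address (grp, ip_addr, mask, port, tag) "
                      "VALUES (%s, %s, %s, %s, %s)", row))
    return stmts


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "sip.carrier-a.example": ["198.51.100.10", "198.51.100.11"],
    "sip.carrier-b.example": ["203.0.113.5", "2001:db8::5"],
}
TRUNKS = {"sip.carrier-a.example": "carrier_a",
          "sip.carrier-b.example": "carrier_b"}
# Constructed current table: one stale trunk address and an unrelated group.
CURRENT = {(1, "198.51.100.10", 32, 0, "carrier_a"),
           (1, "198.51.100.99", 32, 0, "carrier_a"),
           (2, "10.0.0.1", 32, 0, "internal")}


def demo() -> List[Tuple[str, Row]]:
    """Plan the sync against the constructed data; swap in resolve_live
    and real table contents for production use."""
    desired = desired_rows(TRUNKS, lambda h: FAKE_DNS[h])
    inserts, deletes = plan_changes(CURRENT, desired)
    return to_statements(inserts, deletes)


if __name__ == "__main__":
    for sql, params in demo():
        print(sql, params)
```

In production, replace the lambda with resolve_live, read the current rows with a SELECT on the same connection, run the returned statements through cursor.execute(sql, params), and then reload the in-memory copy with `kamcmd permissions.addressReload`, since the permissions module caches the table rather than querying it per request. Two caveats: a whitelist built from DNS is only as trustworthy as the resolver that answered, so resolve from a trusted (ideally DNSSEC-validating) resolver rather than whatever the box's stub resolver hands back; and this only covers the IP-auth branch, it does not address the several-subaccounts-per-IP problem with auth_check() raised at the end of the post.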