From experience with past cases, it can indeed be problematic with
some clients. But it can be done as Alex said.
I just wanted to add a bit about how I preferred to do it when I had to.
I always try to auth only the caller, as it was for the initial INVITE. The
way to do it is to append the From tag to Record-Route and detect direction.
If it is from the caller and the From header matches the local domain, then
the call can be authenticated.
Authenticating the callee is more complex, since with hardphones, the To
header very likely always has the local domain (even when going to PSTN
or other networks, which are routed by some prefix in the R-URI username).
You would need to look up in the database to see if it is a local user. Then
if you have short dialing, aliases, DIDs, then you would practically
need to do all kinds of translations to get to the user id to check if it
is a local user or not.
An alternative would be using the dialog module with some flags to know
whether to auth caller/callee for within-dialog requests, setting these flags
at call setup.
Cheers,
Daniel
On 3/23/12 11:34 PM, Alex Balashov wrote:
Clearly, you can only authenticate sequential requests corresponding
to calls whose initial requests were subject to authentication. If the
initial request was not authenticated, there is no reason to believe
that the endpoint would support authentication of sequential requests.
As to whether you should do this, that is a controversial matter. I
suppose that the security-maximising approach would be to challenge
all requests, but it invites problems with many endpoints.
--
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Atlanta, GA 30030
Tel: +1-678-954-0671
Web: http://www.evaristesys.com/, http://www.alexbalashov.com
David <kamailio.org(a)spam.lublink.net> wrote:
Hello,
Should I be requiring users to authenticate before letting them into
loose_route(); ? What about anonymous calls from E164, how do I
authenticate these calls after they have started?
Thanks,
David
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
http://www.asipto.com/index.php/kamailio-advanced-training/
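
The caller-only approach described in the reply above, sketched as a Kamailio routing fragment. This is an added example, not configuration posted by anyone in the thread; it assumes the rr, siputils, textops, auth, auth_db, sl and tm modules are loaded and that local users live in a `subscriber` table.

```kamailio
# Added example: challenge in-dialog requests only when they come from the
# caller of the initial INVITE and the From URI is in a local domain.

# Record-Route carries ;ftag=<From tag of the initial request>, which is
# what is_direction() compares against later.
modparam("rr", "append_fromtag", 1)

request_route {
    if (has_totag()) {
        route(WITHINDLG);
        exit;
    }
    # ... initial request handling goes here: authenticate the initial
    # INVITE, call record_route(), then relay ...
}

route[WITHINDLG] {
    # is_direction() is only valid after loose_route() has processed Route
    if (!loose_route()) {
        sl_send_reply("404", "Not here");
        exit;
    }

    # ACK cannot be challenged, so it is relayed as-is
    if (!is_method("ACK")) {
        # "downstream" = the From tag equals ftag, i.e. sent by the caller
        if (is_direction("downstream") && from_uri == myself) {
            # flag "1": auth username must match the From username
            if (!auth_check("$fd", "subscriber", "1")) {
                auth_challenge("$fd", "0");
                exit;
            }
            consume_credentials();
        }
        # Upstream requests (from the callee) are not challenged here;
        # deciding whether the callee is a local user needs the lookups
        # described in the message above.
    }

    t_relay();
}
```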