Just an idea:
does any PSTN provider support TLS? If some do, you have your auth
problem solved with the TLS support from SER.
Samuel
Unclassified.
>> "Greger V. Teigre" <greger(a)teigre.com> 05/22/05 08:57AM >>>
See inline.
Michael Ulitskiy wrote:
On Saturday 21 May 2005 02:31 am, you wrote:
> I would say SER is what you need, except that you struggle with the
> authentication. You have the following scenarios:
> 1. PSTN termination with IP-based access control (easiest)
> 2. PSTN termination with authentication of all INVITEs (yes, that's
> the UAC module. You should contact the maintainer, Ramona-Elena
> Modroiu about the status. I thought it was reported to work, but
> haven't tried myself)
> 3. PSTN termination with registration and authentication of REGISTER
> (but not INVITEs). Use sipsak to generate a REGISTER for your box.
> #2 requires that all INVITEs are sent twice and is not a very good
> option. I would seek out PSTN providers who will give you #1.
> g-)
UAC module doesn't work and I think won't work unless ser is made
call-stateful, 'cause it needs to adjust cseq within dialog. I
posted my findings to this list several days ago (UAC module
(backport to 0.9.0)). Nobody replied so I guess nobody knows the way
to make it work.
I saw your post on serusers, yes, but not on serdev. Because you cannot
make a module work, doesn't mean it doesn't work for all, so as I said,
if you have found a bug, post it to serdev (preferably) or directly to
the maintainer. That's the way open source software works...
As for ip auth I guess it's just not good enough. UDP invites don't
require any handshake; it's not hard at all to spoof an ip address. I
believe sending 2 invites is worth the security it actually adds.
Yes, but you can also do TCP.
Also I don't understand what you mean by #3. Taking ip address from
authenticated REGISTER and then doing IP auth on that?
No, using sipsak to actually do a REGISTER on behalf of your ser. No IP
auth, basically it makes your ser a registered client of the GW. Of
course, if INVITEs still must be authenticated, you are back to the UAC
module problem.
g-)
Thanks,
Michael
> Michael Ulitskiy wrote:
>> Hello,
>>
>> I'd like to ask for advice on what is in your opinion the best
>> solution in the following scenario.
>> I have a bunch of sip servers (asterisk boxes as my users need pbx
>> functionality) that can make sip calls to each other and my PSTN
>> gateway. Now I want to purchase PSTN termination in several
>> different markets (and probably more in the future). All those
>> terminations will require authentication.
>> I want all my boxes when they see non-local call to send it to a
>> central routing server that would determine where this call should
>> be sent and authenticate to the appropriate provider so that I don't
>> have to configure all credentials on all asterisk boxes. Also I want
>> it not to deal with the media at all. All media streams should go
>> directly from asterisk box to the PSTN termination provider.
>> So basically it should be central SIP router that is able to
>> authenticate calls if necessary.
>> I thought I could do it with SER and its UAC module, but it appears
>> UAC module doesn't work and probably won't work (see my previous
>> post in this list about UAC backport to 0.9.0).
>> Also I don't want to use asterisk in this place as asterisk always
>> wants to stay in media path and I'd really like to avoid getting
>> into hassle with re-invites.
>> So the question is what are my options and what you would advise
>> as a solution. Is there any software out there that can do it
>> (preferably open-source, of course) or what else you could suggest
>> to do to get desired results.
>> Thanks a lot,
>> --
>> See you later,
>> Michael
-------------------------------------------------------
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
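
Added example, not part of the original thread and not SER or UAC module code: a sketch of scenario #2, where a challenged INVITE is resent with RFC 2617 digest credentials and, per RFC 3261 section 22.2, an incremented CSeq. The function names, the provider `pstn.example.net`, the user `router1` and the secret are constructed for illustration.

```python
import hashlib
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(value):
    """Parse a Proxy-Authenticate / WWW-Authenticate Digest header value."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are handled")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def offers_auth(chal):
    return "auth" in [q.strip() for q in chal.get("qop", "").split(",")]

def digest_response(user, password, method, uri, chal, cnonce=None, nc=1):
    """RFC 2617 response: qop=auth form when offered, else the legacy form."""
    ha1 = _md5(f"{user}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if offers_auth(chal):
        if not cnonce:
            raise ValueError("qop=auth needs a client nonce")
        return _md5(f"{ha1}:{chal['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{chal['nonce']}:{ha2}")

def resend_invite(first_cseq, uri, challenge, user, password, cnonce=None):
    """Return the CSeq and Proxy-Authorization for the second INVITE."""
    chal = parse_challenge(challenge)
    resp = digest_response(user, password, "INVITE", uri, chal, cnonce)
    auth = (f'Digest username="{user}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{uri}", response="{resp}"')
    if offers_auth(chal):
        auth += f', qop=auth, nc=00000001, cnonce="{cnonce}"'
    # The resubmitted request carries an incremented CSeq, so whatever
    # adds the credentials has to track the sequence number it rewrote.
    return {"CSeq": f"{first_cseq + 1} INVITE", "Proxy-Authorization": auth}

# Constructed challenge from a hypothetical provider (not from the thread)
CHALLENGE = 'Digest realm="pstn.example.net", nonce="4a7d1ed414474e40"'

if __name__ == "__main__":
    print(resend_invite(1, "sip:12125550100@pstn.example.net", CHALLENGE,
                        "router1", "constructed-secret"))
```

The response is bound to the server's nonce, so the credentials cannot be produced before the first INVITE has been challenged.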