On Sunday 22 May 2005 02:57 am, you wrote:
See inline.
Michael Ulitskiy wrote:
On Saturday 21 May 2005 02:31 am, you wrote:
I would say SER is what you need, except that you struggle with the
authentication. You have the following scenarios:
1. PSTN termination with IP-based access control (easiest)
2. PSTN termination with authentication of all INVITEs (yes, that's
the UAC module. You should contact the maintainer, Ramona-Elena
Modroiu about the status. I thought it was reported to work, but
haven't tried myself)
3. PSTN termination with registration and authentication of REGISTER
(but not INVITEs). Use sipsak to generate a REGISTER for your box.
#2 requires that all INVITEs are sent twice and is not a very good
option. I would seek out PSTN providers who will give you #1.
g-)
UAC module doesn't work and I think won't work unless ser is made
call-stateful, 'cause it needs to adjust cseq within dialog. I
posted my findings to this list several days ago (UAC module
(backport to 0.9.0)). Nobody replied so I guess nobody knows the way
to make it work.
I saw your post on serusers, yes, but not on serdev. Because you cannot make
a module work, doesn't mean it doesn't work for all, so as I said, if you
have found a bug, post it to serdev (preferably) or directly to the
maintainer. That's the way open source software works...
Will do. Just wanted to get some feedback, 'cause it's always possible that I
overlooked something :)
As for IP auth, I guess it's just not good enough. UDP INVITEs don't
require any handshake, so it's not hard at all to spoof an IP address. I
believe sending 2 INVITEs is worth the security it actually adds.
Yes, but you can also do TCP.
Yes, it's possible if the provider supports it. I'm not sure that it's better in
terms of performance than sending 2 UDP INVITEs and I'd still prefer to
authenticate, but it's a possibility. Thanks.
Also I don't understand what you mean by #3. Taking IP address from
authenticated REGISTER and then doing IP auth on that?
No, using sipsak to actually do a REGISTER on behalf of your ser. No IP
auth, basically it makes your ser a registered client of the GW. Of course,
if INVITEs still must be authenticated, you are back to the UAC module
problem.
Sorry, Greger, I still don't understand how registering would add any
INVITE security if INVITEs are not authenticated. Anyone can still send an
INVITE, putting the IP address of my server as the source of the IP packet.
g-)
Thanks,
Michael
Michael Ulitskiy wrote:
Hello,
I'd like to ask for advice on what is in your opinion the best solution
in the following scenario.
I have a bunch of SIP servers (asterisk boxes as my users need PBX
functionality) that can make SIP calls to each other and my PSTN
gateway. Now I want to purchase PSTN termination in several
different markets (and probably more in the future). All those
terminations will require authentication.
I want all my boxes when they see non-local call to send it to a
central routing server that would determine where this call should
be sent and authenticate to the appropriate provider so that I don't
have to configure all credentials on all asterisk boxes. Also I want
it not to deal with the media at all. All media streams should go
directly from asterisk box to the PSTN termination provider.
So basically it should be a central SIP router that is able to
authenticate calls if necessary.
I thought I could do it with SER and its UAC module, but it appears
UAC module doesn't work and probably won't work (see my previous
post in this list about UAC backport to 0.9.0).
Also I don't want to use asterisk in this place as asterisk always
wants to stay in the media path and I'd really like to avoid getting
into the hassle with re-INVITEs.
So the question is what are my options and what you would advise
as a solution. Is there any software out there that can do it
(preferably open-source, of course) or what else you could suggest
to do to get the desired results.
Thanks a lot,
--
See you later,
Michael
-------------------------------------------------------
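Added example, not part of the original thread and not SER or UAC module code: a small Python model of scenario #2, where the gateway challenges every INVITE with RFC 2617 digest authentication (no qop), so the INVITE is sent twice and the resent one carries an incremented CSeq, as RFC 3261 requires. The `Gateway` class, `place_call`, the realm, the URI and the credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Gateway:
    """Constructed stand-in for a PSTN provider that authenticates every INVITE."""
    def __init__(self, realm, users):
        self.realm, self.users, self.nonces = realm, users, set()

    def handle_invite(self, uri, auth=None):
        if auth is None:
            # No credentials: challenge. The source IP plays no part here.
            nonce = secrets.token_hex(16)
            self.nonces.add(nonce)
            return 407, {"realm": self.realm, "nonce": nonce}
        password = self.users.get(auth["username"])
        if password is None or auth["nonce"] not in self.nonces:
            return 403, {}
        self.nonces.discard(auth["nonce"])  # single use: a captured response cannot be replayed
        expected = digest_response(auth["username"], self.realm, password,
                                   "INVITE", uri, auth["nonce"])
        ok = hmac.compare_digest(expected, auth["response"])
        return (200 if ok else 403), {}

def place_call(gw, user, password, uri, cseq=1):
    """Send INVITE, answer the 407 challenge; return (status, CSeq values sent)."""
    sent = [cseq]
    status, chal = gw.handle_invite(uri)
    if status == 407:
        cseq += 1  # RFC 3261 22.2: the request resent with credentials gets a new CSeq
        sent.append(cseq)
        auth = {"username": user, "nonce": chal["nonce"],
                "response": digest_response(user, chal["realm"], password,
                                            "INVITE", uri, chal["nonce"])}
        status, _ = gw.handle_invite(uri, auth)
    return status, sent

if __name__ == "__main__":
    gw = Gateway("gw.example", {"ser": "s3cret"})  # constructed credentials
    print(place_call(gw, "ser", "s3cret", "sip:15551230000@gw.example"))
```
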