Hello again,
Still getting familiar with kamailio, and I'm wondering about the AUTH route in the example configuration file. Here's a reducted-simplified version of it for reference (from git master, without IP AUTH and comments):
______________________________________________ route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "1")) { auth_challenge("$fd", "0"); exit; } if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; } return; } ______________________________________________
So the way I see it, what happens is the following:
* All REGISTERs will be challenged * All SIP messages with kamailio's aliases in the "From" header URI will be challenged * All SIP messages with no reference to kamailio's aliases in both R-URI and "From" header URI will be dropped
The question is, what about messages that do not enter either of the two conditionals? For example, I expect the following to be very common:
* Method: INVITE * R-URI: myself * From: username@"UAC's local IP address" (not myself) * To: myself
So in the example above, the auth route will return without either having challenged or dropped the request, am I correct? This is because:
* For the challenge: Method is not REGISTER and "From URI" is not one of kamailio host's aliases (cumulatively) * For dropping after sending 403: "From URI" is not one of kamailio's host's aliases (which calculates to true) but R-URI is "myself"
So I'm guessing we're expecting the challenge to come from elsewhere in cases like the example above? Or is there something else I'm missing here? Thanks!
BR, George
Hi George,
If you are asking about this part:
if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; }
Then this mean that we do not want to deal with sip requests which not send to us or not by us. So any request which is not related to us we will not serve.
Keep in mind that "to" header by sip RFC can contain anything and we don't care in most cases what is there.
https://tools.ietf.org/html/rfc3261#page-36
With kind regards,
Jurijs
On Wed, Aug 2, 2017 at 4:01 PM, George Diamantopoulos georgediam@gmail.com wrote:
Hello again,
Still getting familiar with kamailio, and I'm wondering about the AUTH route in the example configuration file. Here's a reducted-simplified version of it for reference (from git master, without IP AUTH and comments):
route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "1")) { auth_challenge("$fd", "0"); exit; } if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; } return; } ______________________________________________
So the way I see it, what happens is the following:
- All REGISTERs will be challenged
- All SIP messages with kamailio's aliases in the "From" header URI will
be challenged
- All SIP messages with no reference to kamailio's aliases in both R-URI
and "From" header URI will be dropped
The question is, what about messages that do not enter either of the two conditionals? For example, I expect the following to be very common:
- Method: INVITE
- R-URI: myself
- From: username@"UAC's local IP address" (not myself)
- To: myself
So in the example above, the auth route will return without either having challenged or dropped the request, am I correct? This is because:
- For the challenge: Method is not REGISTER and "From URI" is not one of
kamailio host's aliases (cumulatively)
- For dropping after sending 403: "From URI" is not one of kamailio's
host's aliases (which calculates to true) but R-URI is "myself"
So I'm guessing we're expecting the challenge to come from elsewhere in cases like the example above? Or is there something else I'm missing here? Thanks!
BR, George
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hey,
Thanks for the reply! Actually it's the entire logic that baffles me.
It is not uncommon for a UAC (say at 192.168.1.1) to send out an INVITE which is formed like this: * R-URI: kamailio's URI * From: username@192.168.1.1 * To: irrelevant
What I'm saying is that this SIP message will fail all conditional checks of the AUTH route, and will return to the main routing block. In other words, this INVITE will be processed without having been challenged.
Am I wrong in thinking that in any way?
On 2 August 2017 at 21:41, Jurijs Ivolga jurijs.ivolga@gmail.com wrote:
Hi George,
If you are asking about this part:
if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; }
Then this mean that we do not want to deal with sip requests which not send to us or not by us. So any request which is not related to us we will not serve.
Keep in mind that "to" header by sip RFC can contain anything and we don't care in most cases what is there.
https://tools.ietf.org/html/rfc3261#page-36
With kind regards,
Jurijs
On Wed, Aug 2, 2017 at 4:01 PM, George Diamantopoulos < georgediam@gmail.com> wrote:
Hello again,
Still getting familiar with kamailio, and I'm wondering about the AUTH route in the example configuration file. Here's a reducted-simplified version of it for reference (from git master, without IP AUTH and comments):
route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "1")) { auth_challenge("$fd", "0"); exit; } if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; } return; } ______________________________________________
So the way I see it, what happens is the following:
- All REGISTERs will be challenged
- All SIP messages with kamailio's aliases in the "From" header URI will
be challenged
- All SIP messages with no reference to kamailio's aliases in both R-URI
and "From" header URI will be dropped
The question is, what about messages that do not enter either of the two conditionals? For example, I expect the following to be very common:
- Method: INVITE
- R-URI: myself
- From: username@"UAC's local IP address" (not myself)
- To: myself
So in the example above, the auth route will return without either having challenged or dropped the request, am I correct? This is because:
- For the challenge: Method is not REGISTER and "From URI" is not one of
kamailio host's aliases (cumulatively)
- For dropping after sending 403: "From URI" is not one of kamailio's
host's aliases (which calculates to true) but R-URI is "myself"
So I'm guessing we're expecting the challenge to come from elsewhere in cases like the example above? Or is there something else I'm missing here? Thanks!
BR, George
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi George,
I misread your email, sorry.
In your case scenario is when somebody from outside tries to call user registered in kamailio, by default it is allowed. We do not need to challenge such request, because it is user from outside, not our subscriber and by default kamailio allows such calls and in this case such call will finish in location route and eventually will reach user.
I hope I understood you and I didn't messed anything again. :)
With kind regards,
Jurijs
On Wed, Aug 2, 2017 at 4:01 PM, George Diamantopoulos georgediam@gmail.com wrote:
Hello again,
Still getting familiar with kamailio, and I'm wondering about the AUTH route in the example configuration file. Here's a reducted-simplified version of it for reference (from git master, without IP AUTH and comments):
route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "1")) { auth_challenge("$fd", "0"); exit; } if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; } return; } ______________________________________________
So the way I see it, what happens is the following:
- All REGISTERs will be challenged
- All SIP messages with kamailio's aliases in the "From" header URI will
be challenged
- All SIP messages with no reference to kamailio's aliases in both R-URI
and "From" header URI will be dropped
The question is, what about messages that do not enter either of the two conditionals? For example, I expect the following to be very common:
- Method: INVITE
- R-URI: myself
- From: username@"UAC's local IP address" (not myself)
- To: myself
So in the example above, the auth route will return without either having challenged or dropped the request, am I correct? This is because:
- For the challenge: Method is not REGISTER and "From URI" is not one of
kamailio host's aliases (cumulatively)
- For dropping after sending 403: "From URI" is not one of kamailio's
host's aliases (which calculates to true) but R-URI is "myself"
So I'm guessing we're expecting the challenge to come from elsewhere in cases like the example above? Or is there something else I'm missing here? Thanks!
BR, George
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Sorry, I replied before I could read your second post.
Ah, I can see now where this is going, although it's completely unfit for the use of kamailio I'm investigating. Thanks!
On 2 August 2017 at 22:11, Jurijs Ivolga jurijs.ivolga@gmail.com wrote:
Hi George,
I misread your email, sorry.
In your case scenario is when somebody from outside tries to call user registered in kamailio, by default it is allowed. We do not need to challenge such request, because it is user from outside, not our subscriber and by default kamailio allows such calls and in this case such call will finish in location route and eventually will reach user.
I hope I understood you and I didn't messed anything again. :)
With kind regards,
Jurijs
On Wed, Aug 2, 2017 at 4:01 PM, George Diamantopoulos < georgediam@gmail.com> wrote:
Hello again,
Still getting familiar with kamailio, and I'm wondering about the AUTH route in the example configuration file. Here's a reducted-simplified version of it for reference (from git master, without IP AUTH and comments):
route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "1")) { auth_challenge("$fd", "0"); exit; } if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; } return; } ______________________________________________
So the way I see it, what happens is the following:
- All REGISTERs will be challenged
- All SIP messages with kamailio's aliases in the "From" header URI will
be challenged
- All SIP messages with no reference to kamailio's aliases in both R-URI
and "From" header URI will be dropped
The question is, what about messages that do not enter either of the two conditionals? For example, I expect the following to be very common:
- Method: INVITE
- R-URI: myself
- From: username@"UAC's local IP address" (not myself)
- To: myself
So in the example above, the auth route will return without either having challenged or dropped the request, am I correct? This is because:
- For the challenge: Method is not REGISTER and "From URI" is not one of
kamailio host's aliases (cumulatively)
- For dropping after sending 403: "From URI" is not one of kamailio's
host's aliases (which calculates to true) but R-URI is "myself"
So I'm guessing we're expecting the challenge to come from elsewhere in cases like the example above? Or is there something else I'm missing here? Thanks!
BR, George
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi George,
Kamailio is very flexible application and don't be afraid to change default config file. ;)
So if default config file do not fit you, just update accordingly.
With kind regards,
Jurijs
On Wed, Aug 2, 2017 at 10:17 PM, George Diamantopoulos <georgediam@gmail.com
wrote:
Sorry, I replied before I could read your second post.
Ah, I can see now where this is going, although it's completely unfit for the use of kamailio I'm investigating. Thanks!
On 2 August 2017 at 22:11, Jurijs Ivolga jurijs.ivolga@gmail.com wrote:
Hi George,
I misread your email, sorry.
In your case scenario is when somebody from outside tries to call user registered in kamailio, by default it is allowed. We do not need to challenge such request, because it is user from outside, not our subscriber and by default kamailio allows such calls and in this case such call will finish in location route and eventually will reach user.
I hope I understood you and I didn't messed anything again. :)
With kind regards,
Jurijs
On Wed, Aug 2, 2017 at 4:01 PM, George Diamantopoulos < georgediam@gmail.com> wrote:
Hello again,
Still getting familiar with kamailio, and I'm wondering about the AUTH route in the example configuration file. Here's a reducted-simplified version of it for reference (from git master, without IP AUTH and comments):
route[AUTH] { if (is_method("REGISTER") || from_uri==myself) { if (!auth_check("$fd", "subscriber", "1")) { auth_challenge("$fd", "0"); exit; } if(!is_method("REGISTER|PUBLISH")) consume_credentials(); } if (from_uri!=myself && uri!=myself) { sl_send_reply("403","Not relaying"); exit; } return; } ______________________________________________
So the way I see it, what happens is the following:
- All REGISTERs will be challenged
- All SIP messages with kamailio's aliases in the "From" header URI will
be challenged
- All SIP messages with no reference to kamailio's aliases in both R-URI
and "From" header URI will be dropped
The question is, what about messages that do not enter either of the two conditionals? For example, I expect the following to be very common:
- Method: INVITE
- R-URI: myself
- From: username@"UAC's local IP address" (not myself)
- To: myself
So in the example above, the auth route will return without either having challenged or dropped the request, am I correct? This is because:
- For the challenge: Method is not REGISTER and "From URI" is not one of
kamailio host's aliases (cumulatively)
- For dropping after sending 403: "From URI" is not one of kamailio's
host's aliases (which calculates to true) but R-URI is "myself"
So I'm guessing we're expecting the challenge to come from elsewhere in cases like the example above? Or is there something else I'm missing here? Thanks!
BR, George
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-
George Diamantopoulos -
Jurijs Ivolga