-----Original Message-----
From: Douglas Garstang
Sent: Friday, March 17, 2006 9:57 AM
To: arek@perceval.net
Cc: openser
Subject: RE: [Users] Trying to find a solution to a sticky problem here.

-----Original Message-----
From: Arek Bekiersz [mailto:arek@perceval.net]
Sent: Friday, March 17, 2006 9:21 AM
To: Douglas Garstang
Cc: openser
Subject: Re: [Users] Trying to find a solution to a sticky problem here.
Hi,
Just a first impression, after quickly reading the mail. May be useful. Or may be noise:
I do it IP based. I use a few Asterisk boxes, not exactly the way you do, but I also need to talk between SERs and Asterisks without problems. I just put one or more SERs as trusted peers at all Asterisks. Then at SER I disable authentication of requests, coming for specified Asterisk addresses.
When it comes to your REFER problem (or similar), I just put record-route to all requests flying thru SER. Then all UAs are obliged to send subsequent requests in a dialog thru proxy. This is what record-route is for.
Whoa! I didn't realise I could do that. Just exactly where would I put the record_route()? I tried putting it after the logic that tests for an INVITE... but it didn't seem to work.
Hmmm. Then I tried putting a record_route() right at the beginning of the route {} block. Actually I watched the packets with ngrep and I can see a Record-Route: header with OpenSER's IP address, but refers are still being sent directly from the phone to Asterisk. Any ideas?
If this is not enough, because you are outside of a dialog or have a particularly stupid UA - my SIP routing is based on domains. So UAs are always configured to use proxy and proxy is in textual format of a realm (FQDN). Thus, they will never send any dialog initiating request omitting proxy. Or they are very stupid UAs :-)
Conclusion: trusted peers on (*) and IP-based policy on SER works well for me.
-- Regards, Arek Bekiersz
Douglas Garstang wrote:
Trying to find a solution to a sticky problem here.
We have 3 OpenSER systems. Phones register with the OpenSER systems, and after they authenticate the user, pass the registration info using OpenSER's send() command to all Asterisk boxes sitting behind them. Each asterisk system then knows about every phone.
For this to work, I had to turn off authentication in Asterisk for both registrations and invites. If it's on, asterisk sends a 407 Proxy Auth required to the phone in addition to OpenSER. This confuses the phone, as it's now receiving two 407 proxy auth requests, and it basically just drops the second request on the floor.
This is obviously a big security problem and it can't stay this way. I thought maybe if authentication was on in Asterisk, that considering by the time it receives the authenticated register or invite from OpenSER, the MD5 password was already contained in the packet, that Asterisk wouldn't ask again. It does. :(
We could use IP tables to only allow connections from the OpenSER systems, but that doesn't always work. When a caller transfers a call, the phones will send a REFER message directly to Asterisk, so all the phones would have to also be in the ip tables allow list. Not an elegant solution.
We could run mediaproxy on OpenSER and force all RTP streams back through it. Might work, but it might also break other stuff. We could then configure ip tables to only allow RTP streams from the OpenSER systems.
It might be possible to configure OpenSER to perform the logic necessary to make it talk to Asterisk properly, but it's beyond my abilities and time.
Anyone ever done this? Anyone got any ideas?
Doug
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hi,
Douglas Garstang wrote:
Hmmm. Then I tried putting a record_route() right at the beginning of the route {} block. Actually I watched the packets with ngrep and I can see a Record-Route: header with OpenSER's IP address, but refers are still being sent directly from the phone to Asterisk. Any ideas?
IMHO this is a UA problem. Try to upgrade UA, otherwise put pressure on vendor to change that. Sometimes you shall be able to persuade vendor to make such adjustments.
My UAs always send requests thru proxy, including REFER. I have over 10 different vendors. I can send trace logs on priv email to prove that fact, if vendor is reluctant to admit he's got a bug.
Generally I'm fed up with SIP vendors and SIP operators doing what they want. Every UA vendor understands SIP differently. Like my last vendor whose device behind NAT puts public IPs everywhere. Or one of old providers, that always send OK, whether the call to PSTN was successful or not :-) He was one of the biggest intl carriers. Great :)
One more thing - do you put record_route on all requests? I have call to record_route() at the very beginning of the script. It ensures that all requests will be record routed.
Check if last request received by UA contains record-route. It may happen that for example ACK does not contain record-route. Then UA will assume you do not want record route anymore and will send new REFER straight to remote UA.
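The trace check discussed in this thread (is Record-Route present, and does the later REFER actually go through the proxy), as an added example that is not part of the original messages. The capture is constructed, the addresses are documentation placeholders (192.0.2.10 for the proxy, 192.0.2.20 for Asterisk), and the sketch assumes full header names and IPv4 hosts in the URIs.

```python
import re

# Constructed capture: (destination IP the packet was sent to, raw SIP message).
OK_200 = ("198.51.100.5", "SIP/2.0 200 OK\r\n"
          "Record-Route: <sip:192.0.2.10;lr>\r\n"
          "Contact: <sip:100@192.0.2.20>\r\n"
          "CSeq: 1 INVITE\r\n\r\n")
REFER_DIRECT = ("192.0.2.20", "REFER sip:100@192.0.2.20 SIP/2.0\r\n"
                "CSeq: 2 REFER\r\n\r\n")
REFER_VIA_PROXY = ("192.0.2.10", "REFER sip:100@192.0.2.20 SIP/2.0\r\n"
                   "Route: <sip:192.0.2.10;lr>\r\n"
                   "CSeq: 2 REFER\r\n\r\n")

def header_uris(msg, name):
    """Return every <uri> found in all occurrences of header `name`, in order."""
    uris = []
    for line in msg.split("\r\n")[1:]:      # skip the request/status line
        if not line:                        # blank line ends the headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            uris += re.findall(r"<([^>]+)>", value)
    return uris

def uri_host(uri):
    """Host part of a sip: URI, ignoring user, port and parameters."""
    m = re.match(r"sips?:(?:[^@;]*@)?([^;:>]+)", uri)
    return m.group(1) if m else None

def caller_route_set(ok_200):
    """Caller's route set: Record-Route of the 2xx to INVITE, reversed (RFC 3261 12.1.2)."""
    return list(reversed(header_uris(ok_200, "Record-Route")))

def audit_in_dialog(packet, route_set):
    """Return a list of findings for one in-dialog request sent by the caller."""
    dst, msg = packet
    if not route_set:
        return ["no Record-Route in 200 OK: the proxy did not stay in the path"]
    findings = []
    if header_uris(msg, "Route") != route_set:
        findings.append("Route header does not match the dialog route set")
    if dst != uri_host(route_set[0]):
        findings.append("sent to %s, not to proxy %s" % (dst, uri_host(route_set[0])))
    return findings
```

An empty result for a REFER means it followed the recorded route; findings on a phone's REFER, with Record-Route present in the 200 OK it received, point at the UA rather than at the proxy script.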