Is anyone using any of the Ovislink PSTN gateways (eLive 400/800) with SER?
The product specs state support for H.323 and SIP. Like many products it means that the unit supports only H.323, and you need to download new firmware which replaces H.323 with SIP. I'm new to SIP in general, and haven't got a working configuration yet.
How is PSTN gateway security supposed to work? I see in the manual there is an example using SER to protect a "simple" gateway. Ovislink definitely fits into that category. I guess that means that I need to put ACLs on the router to make sure that all SIP traffic to the gateway is blocked except from the SER server. How do better gateways implement security?
Any nice PSTN gateways around that anyone can recommend for use? I'm looking at Cisco, which seems like a lot of people use. I've looked at Patton and Vegastream too. Neither of these companies has an 8-port POTS PSTN gateway though.
Tom
Tom wrote:
> Is anyone using any of the Ovislink PSTN gateways (eLive 400/800) with SER?
> The product specs state support for H.323 and SIP. Like many products it means that the unit supports only H.323, and you need to download new firmware which replaces H.323 with SIP. I'm new to SIP in general, and haven't got a working configuration yet.
> How is PSTN gateway security supposed to work? I see in the manual there is an example using SER to protect a "simple" gateway. Ovislink definitely fits into that category. I guess that means that I need to put ACLs on the router to make sure that all SIP traffic to the gateway is blocked except from the SER server. How do better gateways implement security?

The gateway should only accept requests from the IP address of your proxy and only TCP requests (UDP can be spoofed).
klaus

> Any nice PSTN gateways around that anyone can recommend for use? I'm looking at Cisco, which seems like a lot of people use. I've looked at Patton and Vegastream too. Neither of these companies has an 8-port POTS PSTN gateway though.
> Tom
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
On Wed, 24 Mar 2004, Klaus Darilion wrote:
...
> The gateway should only accept requests from the IP address of your proxy and only TCP requests (UDP can be spoofed).

Some gateways (Vegastream, Patton) say they support DIGEST SIP security. How does this work? Is SER expected to add an authentication password to the SIP request before routing it to the PSTN gateway?

> klaus

Tom
--On 24 March 2004 10:27 -0800 Tom tom@sdf.com wrote:
> DIGEST SIP security. How does this work?

Short answer: almost identically to HTTP authentication. I.e. a SIP request is sent, server replies with "authentication required" plus a number (the challenge), the UA responds with a response containing a DIGEST calculation of the number, and the password. The SIP server then compares the digest response with its calculated digest based on the number plus the password. If they are equal, it grants access.
Long answer: read the RFCs
Alex
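
The challenge/response exchange described in the message above, as an added example that is not part of the original thread: it computes the MD5 Digest `response` as defined in RFC 2617 (the HTTP scheme SIP reuses) and performs the server-side comparison. The realm, user name, password and URI are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Compute the Digest 'response' value (MD5 algorithm, RFC 2617)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")  # depends on the shared secret
    ha2 = _md5_hex(f"{method}:{uri}")                 # binds the method and URI
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")           # form without qop


def server_check(stored_password, creds, method):
    """Server side: recompute from the stored password and compare."""
    expected = digest_response(creds["username"], creds["realm"], stored_password,
                               method, creds["uri"], creds["nonce"],
                               creds.get("qop"), creds.get("nc"), creds.get("cnonce"))
    return hmac.compare_digest(expected, creds["response"])


def demo():
    # Constructed sample values, not taken from the thread.
    realm, user, password = "example.invalid", "alice", "s3cret"
    nonce = secrets.token_hex(16)              # 1. challenge sent with the 401/407
    creds = {"username": user, "realm": realm, "uri": "sip:example.invalid",
             "nonce": nonce, "qop": "auth", "nc": "00000001",
             "cnonce": secrets.token_hex(8)}
    # 2. UA answers the challenge; the password itself is never sent.
    creds["response"] = digest_response(user, realm, password, "REGISTER",
                                        creds["uri"], nonce, "auth",
                                        creds["nc"], creds["cnonce"])
    ok = server_check(password, creds, "REGISTER")           # 3. server verifies
    wrong_password = server_check("guess", creds, "REGISTER")
    other_method = server_check(password, creds, "INVITE")   # bound to the method
    return ok, wrong_password, other_method


if __name__ == "__main__":
    print(demo())
```
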
On Wed, 24 Mar 2004, Alex Bligh wrote:
> --On 24 March 2004 10:27 -0800 Tom tom@sdf.com wrote:
>> DIGEST SIP security. How does this work?
> Short answer: almost identically to HTTP authentication. I.e. a SIP request is sent, server replies with "authentication required" plus a number (the challenge), the UA responds with a response containing a DIGEST calculation of the number, and the password. The SIP server then compares the digest response with its calculated digest based on the number plus the password. If they are equal, it grants access.
> Long answer: read the RFCs
> Alex

I think UA auth is well understood due to its similarity to HTTP auth. But how does a SIP server auth itself to a PSTN gateway? Other than host-based security, how does a PSTN gateway know that it is speaking to a trusted SIP server?
RFC3072, which covers a number of auth issues, really deals with the proxy auth, not UA and gateway. RFC3329 deals with security between the UA and the first hop SIP entity.
Tom
The problem is that SIP authentication only supports:
caller - callee
caller - proxy
but it does not support proxy - callee, which would be necessary for authentication against a gateway. This can be solved using TLS between proxy and gateway and trusting every request which comes along the TLS connection.
Klaus