On 19 Mar 2015, at 18:38, canuck15 <canuck15(a)hotmail.com> wrote:
It looks like auth_check() will work. It seems intelligent enough to scan all instances of the same domain as long as the username is unique, so that should get things working.
The problem here is that there is a fundamental difference between Asterisk and Kamailio authentication. Asterisk authentication works with FQDN or IP. However, Kamailio is not designed to authenticate anything with FQDN unless it is also a realm and identified as such by the UA. I believe that is the main issue here. SIP trunks typically do not use or care about realm. So after the initial invite response from Kamailio the SIP trunk provider typically responds with the IP address as the realm.
Asterisk authentication is kind of broken - it disregards the domain and is based on the user name, or only uses IP/port. Many years ago I worked on adding multiple domain support in Asterisk - part of the code is still there. Then the project leader added a huge patch for single-domain TLS and I gave up that work.
Kamailio is much more flexible. While the auth module only handles realm, you can easily connect the account to a set of specific From: SIP URIs and do a full authentication and authorization scheme that works as you want. You can build it in a number of ways - which makes it very much more SIP-compliant and flexible.
It does almost seem like there should be a special module to deal with this sort of thing. None of the existing modules seem to be the right fit.
Kamailio is a toolkit. Don't take a single module as the only solution. It's like Linux: you combine a set of small functions and build solutions. Very different from Asterisk.

I don't think we need a new module. You can already build stuff like this by combining functionality in different modules.
/O
On 3/18/2015 9:03 AM, Daniel Tryba wrote:
On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
I can run a cron job every hour to DNS lookup and update the ip_addr table as needed, so I think this is a satisfactory solution for IP authentication.
Is there a mechanism to identify all originating servers for a hostname/domain? If the answer is no (and AFAIK it is) then this solution doesn't work.
I used this in the past: a subscriber has a userpref with an ip/port combo. But this isn't an answer for subaccounts on trunks (unless you can get the sender to actually use different ports). 3 is the whitelist for IP addresses on record. I abandoned this due to too many problems with trunks; they just have to authenticate or go elsewhere.
BTW only for tcp since udp sources can be spoofed. I guess the best way is to use tls with certificate verification (good luck getting the trunks to implement this :)
route[AUTHENTICATE]
{
    # IP/port based authentication, only over TCP (UDP source addresses can be spoofed)
    if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp")
    {
        # look up the account bound to this source ip:port (or ip:* fallback)
        if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$td' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
        {
            xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
            sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
            exit;
        }
        # first column of the first row returned by avp_db_query
        $avp(au)=$avp(i:1);
    }
    else
    {
        # digest authentication against the subscriber table, realm = To domain;
        # www_authenticate is called once and its result used directly
        if (!www_authenticate("$td", "subscriber")) {
            xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
            www_challenge("$td", "1");
            exit;
        }
        $avp(au)=$au;
        consume_credentials();
    }
}
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
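An added example, not configuration from the thread or from any of its authors, of the "combine modules" approach Olle describes: after digest authentication (auth_db) it binds the authenticated account to the set of From: URIs it is allowed to use, via a usr_preferences lookup (avp_db_query). Assumed, and not from the thread: the attribute name allowed_from, the 403 reply texts, and that request values are escaped with {s.escape.common} before being placed in SQL.

```kamailio
# Added example, not from the thread. Tables, ACL group "3" and realm=$td as in
# Daniel's route; the 'allowed_from' attribute is this example's own naming.
route[AUTHENTICATE]
{
    # 1. Peers trusted by source address: TCP/TLS only, never UDP (source is spoofable)
    if(!is_method("REGISTER") && ($proto=="tcp" || $proto=="tls")
            && allow_address("3", "$si", "$sp"))
    {
        # $td comes from the request, so escape it before interpolating into SQL
        if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
        {
            xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp) passed ACL but has no ip_authentication row\n");
            sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
            exit;
        }
        $avp(au)=$avp(i:1);
        return;
    }

    # 2. Everyone else: digest authentication against the subscriber table
    if(!www_authenticate("$td", "subscriber"))
    {
        # negative $rc: bad user, bad password, stale nonce or no credentials
        xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp) digest failed, rc=$rc\n");
        www_challenge("$td", "1");
        exit;
    }
    $avp(au)=$au;
    consume_credentials();

    # 3. Authorization: the authenticated account may only send as a From: URI
    #    listed for it. Rows: username=<account>, domain=<realm>,
    #    attribute='allowed_from', value='sip:user@domain'.
    #    $fu is attacker-controlled, hence the escape transformation.
    if(!avp_db_query("select value from usr_preferences where username='$(avp(au){s.escape.common})' and domain='$(td{s.escape.common})' and attribute='allowed_from' and value='$(fu{s.escape.common})'"))
    {
        xlog("L_ALERT","AUTHENTICATE: account $avp(au) authenticated but is not allowed to send as $fu\n");
        sl_send_reply("403", "From URI not allowed for this account");
        exit;
    }
}
```

A trunk provider that answers the challenge with its IP as the realm still fails step 2 unless its credentials are stored under that realm, which is the mismatch canuck15 describes; the IP branch in step 1 is what covers such peers.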