Hi,
I'm working on extending my OpenSER configuration to allow a user account to have one or more aliases.
User A is reachable by calling A, but also using alias B or C. I have this working for calls to the UA, but I'm having problems with registration attempts from A and calls from A to other UA's or PSTN where it wants to send B or C as outgoing CLI.
For some reason, all UAs I've seen so far need to register their aliases to be able to send an alias as outgoing CLI. My OpenSER config uses the following to authenticate the user (from an old SER example):
    # challenge until the UA supplies valid digest credentials
    if (!www_authorize("domain", "subscriber")) {
        www_challenge("domain", "0");
        exit;
    }
    # reject a REGISTER whose To user differs from the authenticated user
    if (!check_to()) {
        log("LOG: To Cheating attempt\n");
        sl_send_reply("403", "That is ugly -- use To=id in REGISTERs");
        exit;
    }
When a UA tries to register an alias the www_authorize() succeeds, because the UA sends the correct authentication data for A, but uses the alias B or C in the To and From headers so check_to() fails with the error that B or C is being spoofed.
I (OpenSER) know that B and C are aliases of A, but how do I make this registration logic accept that and send a 200 OK message back? (I also don't want to save the registered alias in the location table, but that part I know how to do, I think).
The calls using outgoing CLI of the alias have I think the same problem where the From header has an alias where check_from() expects the data for A. I think the solution for this would be something comparable to solving the registration problem, correct?
Thanks!
Hi,
Not sure about the registration, but for allowing calls with different CLI than the auth-user, you could maintain a list of allowed CLIs per user in usr_preferences. Let's assume you store them as integer-avp 345, then something like this could work for invites:
    # authenticate, load usr_preferences, then:
    if (!check_from() && !avp_check("$fU", "eq/$avp(i:345)/g")) {
        sl_send_reply("403", "Invalid CLI");
        exit;
    }
The check could be modified for registers as well, of course. And note that From is not the only way to transport CLIs, also check for P-Preferred/Asserted-Identity and Remote-Party-ID.
Andreas
Andreas Sikkema wrote:
Andreas,
> Not sure about the registration, but for allowing calls with different CLI than the auth-user, you could maintain a list of allowed CLIs per user in usr_preferences. Let's assume you store them as integer-avp 345, then something like this could work for invites:
I've never used AVP so far, so I'll have to ask some (possibly) newbie questions ;-)
So I add to usr_preferences rows with the following contents?
user=A, domain=DOMAIN, attribute=345, type=integer, value=ALIAS_B, ALIAS_C
Or multiple rows? But then I get into trouble with the primary key on this table...
>     # authenticate, load usr_preferences, then:
>     if (!check_from() && !avp_check("$fU", "eq/$avp(i:345)/g")) {
>         sl_send_reply("403", "Invalid CLI");
>         exit;
>     }
> The check could be modified for registers as well, of course.
Naturally, once the above works, I can do the same for handling the INVITES
> And note that From is not the only way to transport CLIs, also check for P-Preferred/Asserted-Identity and Remote-Party-ID.
I know, but unfortunately I don't seem to have UA's that use these methods a lot.
Hi Andreas,
what you are describing is more multiple sip accounts per one auth account than aliases (aliases are only for inbound traffic).
if you want to have multiple SIP accounts (A, B, C) to use the same credentials, take a look at uri_db module: http://www.openser.org/docs/modules/1.2.x/uri_db.html
of course, you still need the alias support for the inbound part.
regards, bogdan
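The two suggestions in this thread (a per-user list of allowed CLIs, and one set of credentials mapped to several SIP users) come down to the same decision: after digest authentication, every identity the request asserts must belong to the authenticated account. The following is an added example, not code from the thread or from OpenSER; it models that decision in Python outside the proxy, and the names `ALLOWED_IDS`, `uri_identity`, `check_cli` and the domain `example.com` are assumptions made for illustration.

```python
import re

# Constructed sample data: digest credential -> extra identities it may present.
ALLOWED_IDS = {("a", "example.com"): {"b", "c"}}
IDENTITY_HEADERS = ("from", "p-preferred-identity", "p-asserted-identity",
                    "remote-party-id")
COMPACT = {"f": "from"}  # SIP compact header form

def uri_identity(value):
    """Return (user, domain) of the header's SIP URI, or None if there is none."""
    # Drop a quoted display name first: it may itself contain URI-looking text.
    value = re.sub(r'^\s*"(?:[^"\\]|\\.)*"', "", value)
    m = re.search(r"<([^>]*)>", value)
    uri = m.group(1) if m else value.strip()
    m = re.match(r"sips?:([^@;>\s]+)@([^;>\s:]+)", uri, re.I)
    return (m.group(1), m.group(2).lower()) if m else None

def check_cli(auth_user, auth_domain, headers):
    """headers: list of (name, value) pairs. Returns (allowed, reason)."""
    domain = auth_domain.lower()
    hdrs = {}
    for name, value in headers:
        key = COMPACT.get(name.lower(), name.lower())
        hdrs.setdefault(key, []).append(value)
    if "from" not in hdrs:
        return False, "missing From"
    # The account's own user name is always an acceptable identity.
    allowed = ALLOWED_IDS.get((auth_user, domain), set()) | {auth_user}
    for key in IDENTITY_HEADERS:
        for value in hdrs.get(key, []):
            ident = uri_identity(value)
            if ident is None:  # e.g. tel: URIs; reject rather than guess
                return False, f"{key}: no SIP URI"
            if ident[1] != domain or ident[0] not in allowed:
                return False, f"{key}: {ident[0]}@{ident[1]} not permitted"
    return True, "ok"
```

Checking only From would let a request pass with an allowed From and a foreign P-Asserted-Identity or Remote-Party-ID, which is why the loop covers every identity header that is present.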
Andreas Sikkema wrote:
Bogdan,
> what you are describing is more multiple sip accounts per one auth account than aliases (aliases are only for inbound traffic).
> if you want to have multiple SIP accounts (A, B, C) to use the same credentials, take a look at uri_db module: http://www.openser.org/docs/modules/1.2.x/uri_db.html
> of course, you still need the alias support for the inbound part.
Ah, of course! I forgot about uri_db, thanks for pointing it out to me.