[asterisk-bugs] [Asterisk 0012005]: SIP INVITES authorization from multiple IP addresses

noreply at bugs.digium.com
Sat Feb 16 04:53:31 CST 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=12005 
====================================================================== 
Reported By:                fkasumovic
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   12005
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 103307 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             02-15-2008 10:23 CST
Last Modified:              02-16-2008 04:53 CST
====================================================================== 
Summary:                    SIP INVITES authorization from multiple IP addresses
Description: 
In the current implementation, SIP INVITEs are authorized either per username
or per single IP address. Many providers send SIP INVITEs from multiple
class C networks, and therefore it is very hard (if not impossible) to
configure that via SIP peers.

The only workaround is a combination of the [general] context and iptables.

Here is a patch that provides such functionality. The SIP peer has to be
configured as type=peer, insecure=invite (or insecure=very) with defined
permit/deny rules:

[provider]
type=peer
insecure=very
deny=0.0.0.0/0.0.0.0
permit=10.2.1.0/255.255.255.0
permit=192.168.0.0/255.255.0.0

This is almost identical to how permit/deny rules work for SIP REGISTER
packets.
====================================================================== 

---------------------------------------------------------------------- 
 oej - 02-16-08 04:53  
---------------------------------------------------------------------- 
Hmm. I see from reading your patch that you have the issue on incoming
calls from the provider. My misunderstanding.

I would rather go by domain matching in combination with ACL. Only using
ACL and no host or domain entry is not a solution I would favour. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
02-16-08 04:53  oej            Note Added: 0082362                          
======================================================================
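
Added example, not part of the report or the attached patch: how an ordered permit/deny list like the [provider] peer's decides on the source address of an INVITE. It assumes the ACL semantics Asterisk applies (every rule is checked in order, the last matching rule wins, an address matching no rule is allowed); the function names and the test addresses are constructed for illustration.

```python
import ipaddress

# Rules copied from the [provider] peer in the report, in file order.
PROVIDER_ACL = [
    ("deny", "0.0.0.0/0.0.0.0"),
    ("permit", "10.2.1.0/255.255.255.0"),
    ("permit", "192.168.0.0/255.255.0.0"),
]


def parse_acl(rules):
    """Convert (sense, "address/netmask") pairs into (sense, IPv4Network)."""
    parsed = []
    for sense, spec in rules:
        if sense not in ("permit", "deny"):
            raise ValueError("unknown ACL keyword: %r" % sense)
        # strict=False tolerates host bits set in the address part.
        parsed.append((sense, ipaddress.ip_network(spec, strict=False)))
    return parsed


def acl_allows(acl, source_ip):
    """Return True if source_ip passes the ACL.

    Assumed semantics: all rules are evaluated in order and the last
    rule that matches decides; with no matching rule the address is
    allowed. That is why the catch-all deny has to come first.
    """
    addr = ipaddress.ip_address(source_ip)
    allowed = True
    for sense, network in acl:
        if addr in network:
            allowed = (sense == "permit")
    return allowed


if __name__ == "__main__":
    acl = parse_acl(PROVIDER_ACL)
    # Constructed source addresses: two inside the permitted ranges,
    # one in a neighbouring network, one unrelated.
    for ip in ("10.2.1.77", "192.168.200.9", "10.2.2.1", "203.0.113.5"):
        print(ip, "allowed" if acl_allows(acl, ip) else "rejected")

    # Same rules with the catch-all deny moved last: it now overrides
    # both permits, so every source is rejected.
    misordered = parse_acl(PROVIDER_ACL[1:] + PROVIDER_ACL[:1])
    print("misordered:", acl_allows(misordered, "10.2.1.77"))
```

With insecure=invite or insecure=very the INVITE is not challenged, so under this configuration the ACL result is the only check applied to the source.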