[asterisk-bugs] [Asterisk 0012005]: SIP INVITES authorization from multiple IP addresses

noreply at bugs.digium.com noreply at bugs.digium.com
Tue Feb 19 03:49:57 CST 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=12005 
====================================================================== 
Reported By:                fkasumovic
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   12005
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 103307 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             02-15-2008 10:23 CST
Last Modified:              02-19-2008 03:49 CST
====================================================================== 
Summary:                    SIP INVITES authorization from multiple IP addresses
Description: 
In the current implementation, SIP INVITEs are authorized either per username
or per single IP address. Many providers send SIP INVITEs from multiple C
classes, and therefore it is very hard (if not impossible) to configure that
via SIP peers.

The only workaround is a combination of the [general] context and iptables.

Here is a patch that provides such functionality. The SIP peer has to be
configured as type=peer, insecure=invite (or insecure=very) with defined
permit/deny rules:

[provider]
type=peer
insecure=very
deny=0.0.0.0/0.0.0.0
permit=10.2.1.0/255.255.255.0
permit=192.168.0.0/255.255.0.0

This is almost identical to how permit/deny rules work for SIP REGISTER
packets.
====================================================================== 

---------------------------------------------------------------------- 
 fkasumovic - 02-19-08 03:49  
---------------------------------------------------------------------- 
Sure. This is base.
Except providers don't use host domain for this.
Not a bad idea to have it.

You cannot have hundreds of entries in the configuration; it's impractical.
It's better to have the ability to add multiple IP classes in one peer entry.
You can still use host domain authentication for one ip address
(host=1.2.3.4).

Many people have this issue.
Hopefully you will add this to trunk.

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
02-19-08 03:49  fkasumovic     Note Added: 0082554                          
======================================================================
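
Added example, not part of the original issue or its patch: a small C model of how the [provider] permit/deny list from the description decides whether an INVITE source address is accepted. The struct and function names are hypothetical, and the evaluation order (rules walked in file order, last match decides, no match means allow) is an assumption about how the ACL is applied.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one permit=/deny= line in a sip.conf peer entry. */
struct acl_rule {
    int permit;          /* 1 = permit, 0 = deny */
    const char *net;
    const char *mask;
};

/* Constructed sample: the [provider] ACL from the issue description. */
static const struct acl_rule provider_acl[] = {
    {0, "0.0.0.0",     "0.0.0.0"},
    {1, "10.2.1.0",    "255.255.255.0"},
    {1, "192.168.0.0", "255.255.0.0"},
};
#define PROVIDER_RULES (sizeof provider_acl / sizeof provider_acl[0])

/* Returns 1 if src is allowed, 0 if denied, -1 on a malformed address.
 * Assumption: rules are walked in file order, the last matching rule
 * decides, and an address that matches no rule is allowed. */
int acl_allows(const struct acl_rule *rules, size_t n, const char *src)
{
    struct in_addr a, net, mask;
    int verdict = 1;

    if (inet_pton(AF_INET, src, &a) != 1)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (inet_pton(AF_INET, rules[i].net, &net) != 1 ||
            inet_pton(AF_INET, rules[i].mask, &mask) != 1)
            return -1;
        if ((a.s_addr & mask.s_addr) == (net.s_addr & mask.s_addr))
            verdict = rules[i].permit;
    }
    return verdict;
}

int main(void)
{
    /* Constructed source addresses for illustration. */
    const char *probes[] = {"10.2.1.77", "192.168.40.9", "10.2.2.1", "203.0.113.5"};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-14s %s\n", probes[i],
               acl_allows(provider_acl, PROVIDER_RULES, probes[i]) == 1
                   ? "accept INVITE" : "reject");
    return 0;
}
```

Under that assumption the catch-all deny has to come before the permit lines; placed last, it would match every address and override them.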



