[asterisk-dev] chan_sip SIP Authentication

Johansson Olle E oej at edvina.net
Wed Jan 28 02:06:46 CST 2009 

Well,

The problem arises since you use phone numbers as identifiers for the  
users. This is not a good thing (TM) and should be avoided. The  
dialplan is where you route phone numbers. Devices should have device  
names that you address in the dialplan on the extension that is  
supposed to connect to one or several devices.

I guess we have no make this need of namespace separation clear in the  
documentation.

If we go ahead and change matching order, I'm afraid it will break  
backwards compatibility and stop many systems from working properly.  
We don't want that.

The real solution to this users/peers/friends thing is to create a  
better solution and implement it. The first big step towards it was to  
kill the sip_user structure,
and thus the need for users at all in 1.6.1. We now also match peers  
by name before we match IP.

There are many bug reports in the bug tracker that all indicate  
frustration with this and some bad hacks that also breaks backwards  
compatibility and won't be accepted.

I think the next step is to find a good way to define a trunk, a  
service, that will match separately. Nick Lewis has been working with  
that and I have code for it somewhere in my branches.

This implements a way to
- register with SIp services
- get the call back
- match the proper peer, even if you have five accounts, we will match  
the proper peer
- send the call to the called number (to: header), not using a pseudo- 
exten that overrides.

I would call this type=service

After that is done, we should implement type=trunk that matches on IP  
and/or domains.
Check here for an old writeup of this:
http://www.codename-pineapple.org/newtypes.shtml

(Shameless plug: If any company out there wants to fund this work,  
please contact me! )

/O

28 jan 2009 kl. 00.19 skrev Klaus Darilion:

> Hi!
>
> I recently had the same problem.
>
> One solution is to define everything as sip "peer" - also the sIP  
> clients.
>
> This does not work out of the box if you use users.conf for user
> provisioning. For this case I have submitted a patch (which was  
> rejected
> as users.conf must not be flexible :-)
> http://bugs.digium.com/view.php?id=14188
>
> I think changing the priority (peer before user) might be a solution  
> as
> well. Actually if someone uses "peers" for gateways and "users" for  
> SIP
> clients IMO the gateways should have higher priority. Another matching
> option would be the order in sip.conf.
>
> regards
> klaus
>
> asterisk at ntplx.net wrote:
>> I have the same old problem that has come up before, I know this
>> has asked before.
>>
>> I use a cisco AS5300 PRI gateway to connect the PSTN to asterisk 1.4
>> with SIP. When a call comes into the PRI, the cisco sends it to
>> asterisk with a from of the CID which is normally a 10 digit phone
>> number. The cisco gateway is configured as a peer in the sip.conf  
>> file
>> and setup as insecure so asterisk can match the IP address.
>>
>> I also have some SIP ATA devices where the user name/device name is
>> set as just the 10 digit phone number. This causes a problem for
>> asterisk when one of the users calls back into the same system.
>> The cisco box sends a SIP from with the 10 digit number and asterisk
>> matches the username in sip.conf and says the authentication does
>> not match (I want it to match the insecure gateway IP).
>>
>> If I change check_user_full in chan_sip.c to match IP peers first  
>> then
>> this seems to solve the problem for the cisco/asterisk system, but  
>> seems
>> it may cause future authentication issues for users. When a user  
>> connects
>> it matches the username and then later requests match the IP in the  
>> peer
>> list. Are authenticated uses added as peers? Do they expire?
>>
>> Other then not using the 10 digit number as a name for authentication
>> to solve this issue, is there a real problem matching IP peers first?
>> Why is this not done now? Why does asterisk not match peers by IP  
>> after
>> an authentication failure?
>>
>> Does any/all of this change in version 1.6/trunk?
>>
>>    Andrew
>>
>>
>>
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-dev mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-dev
>
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-dev

---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden

More information about the asterisk-dev mailing list