[asterisk-dev] chan_sip SIP Authentication
klaus.mailinglists at pernau.at
Wed Jan 28 08:41:32 CST 2009
Johansson Olle E schrieb:
> The problem arises since you use phone numbers as identifiers for the
> users. This is not a good thing (TM) and should be avoided. The
> dialplan is where you route phone numbers. Devices should have device
> names that you address in the dialplan on the extension that is
> supposed to connect to one or several devices.
That's the more elegant version, but then you need a mapping from number
to user. Thats why I use name=number to avoid this mapping
> I guess we have no make this need of namespace separation clear in the
> If we go ahead and change matching order, I'm afraid it will break
> backwards compatibility and stop many systems from working properly.
> We don't want that.
> The real solution to this users/peers/friends thing is to create a
> better solution and implement it. The first big step towards it was to
> kill the sip_user structure,
> and thus the need for users at all in 1.6.1. We now also match peers
> by name before we match IP.
Does this mean that my setups do not work anymore in 1.6.1. Does all
peers use this name checking or is this an configuration option?
> There are many bug reports in the bug tracker that all indicate
> frustration with this and some bad hacks that also breaks backwards
> compatibility and won't be accepted.
> I think the next step is to find a good way to define a trunk, a
> service, that will match separately. Nick Lewis has been working with
> that and I have code for it somewhere in my branches.
This sounds like changing names user->peer, peer->trunk.
> This implements a way to
> - register with SIp services
> - get the call back
> - match the proper peer, even if you have five accounts, we will match
> the proper peer
> - send the call to the called number (to: header), not using a pseudo-
> exten that overrides.
ahh. It took us many yours to tell vendors that To-based routing is wrong.
> I would call this type=service
> After that is done, we should implement type=trunk that matches on IP
> and/or domains.
> Check here for an old writeup of this:
> (Shameless plug: If any company out there wants to fund this work,
> please contact me! )
> 28 jan 2009 kl. 00.19 skrev Klaus Darilion:
>> I recently had the same problem.
>> One solution is to define everything as sip "peer" - also the sIP
>> This does not work out of the box if you use users.conf for user
>> provisioning. For this case I have submitted a patch (which was
>> as users.conf must not be flexible :-)
>> I think changing the priority (peer before user) might be a solution
>> well. Actually if someone uses "peers" for gateways and "users" for
>> clients IMO the gateways should have higher priority. Another matching
>> option would be the order in sip.conf.
>> asterisk at ntplx.net wrote:
>>> I have the same old problem that has come up before, I know this
>>> has asked before.
>>> I use a cisco AS5300 PRI gateway to connect the PSTN to asterisk 1.4
>>> with SIP. When a call comes into the PRI, the cisco sends it to
>>> asterisk with a from of the CID which is normally a 10 digit phone
>>> number. The cisco gateway is configured as a peer in the sip.conf
>>> and setup as insecure so asterisk can match the IP address.
>>> I also have some SIP ATA devices where the user name/device name is
>>> set as just the 10 digit phone number. This causes a problem for
>>> asterisk when one of the users calls back into the same system.
>>> The cisco box sends a SIP from with the 10 digit number and asterisk
>>> matches the username in sip.conf and says the authentication does
>>> not match (I want it to match the insecure gateway IP).
>>> If I change check_user_full in chan_sip.c to match IP peers first
>>> this seems to solve the problem for the cisco/asterisk system, but
>>> it may cause future authentication issues for users. When a user
>>> it matches the username and then later requests match the IP in the
>>> list. Are authenticated uses added as peers? Do they expire?
>>> Other then not using the 10 digit number as a name for authentication
>>> to solve this issue, is there a real problem matching IP peers first?
>>> Why is this not done now? Why does asterisk not match peers by IP
>>> an authentication failure?
>>> Does any/all of this change in version 1.6/trunk?
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>> asterisk-dev mailing list
>>> To UNSUBSCRIBE or update options visit:
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>> asterisk-dev mailing list
>> To UNSUBSCRIBE or update options visit:
> * Olle E Johansson - oej at edvina.net
> * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
More information about the asterisk-dev