[asterisk-dev] chan_sip SIP Authentication

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jan 28 08:41:32 CST 2009



Johansson Olle E wrote:
> Well,
> 
> The problem arises since you use phone numbers as identifiers for the  
> users. This is not a good thing (TM) and should be avoided. The  
> dialplan is where you route phone numbers. Devices should have device  
> names that you address in the dialplan on the extension that is  
> supposed to connect to one or several devices.

That's the more elegant version, but then you need a mapping from number 
to user. That's why I use name=number, to avoid this mapping.
> 
> I guess we have to make this need of namespace separation clear in the  
> documentation.
> 
> If we go ahead and change matching order, I'm afraid it will break  
> backwards compatibility and stop many systems from working properly.  
> We don't want that.
> 
> The real solution to this users/peers/friends thing is to create a  
> better solution and implement it. The first big step towards it was to  
> kill the sip_user structure,
> and thus the need for users at all in 1.6.1. We now also match peers  
> by name before we match IP.

Does this mean that my setups do not work anymore in 1.6.1? Do all 
peers use this name checking, or is this a configuration option?

> There are many bug reports in the bug tracker that all indicate  
> frustration with this and some bad hacks that also break backwards  
> compatibility and won't be accepted.
> 
> I think the next step is to find a good way to define a trunk, a  
> service, that will match separately. Nick Lewis has been working with  
> that and I have code for it somewhere in my branches.

This sounds like changing names user->peer, peer->trunk.

> This implements a way to
> - register with SIP services
> - get the call back
> - match the proper peer, even if you have five accounts, we will match  
> the proper peer
> - send the call to the called number (To: header), not using a  
> pseudo-exten that overrides.

Ahh. It took us many years to tell vendors that To-based routing is wrong.

regards
klaus



> I would call this type=service

> After that is done, we should implement type=trunk that matches on IP  
> and/or domains.
> Check here for an old writeup of this:
> http://www.codename-pineapple.org/newtypes.shtml
> 
> (Shameless plug: If any company out there wants to fund this work,  
> please contact me! )
> 
> /O
> 
> On 28 Jan 2009 at 00:19, Klaus Darilion wrote:
> 
>> Hi!
>>
>> I recently had the same problem.
>>
>> One solution is to define everything as sip "peer" - also the SIP  
>> clients.
>>
>> This does not work out of the box if you use users.conf for user
>> provisioning. For this case I have submitted a patch (which was  
>> rejected,
>> as users.conf must not be flexible :-) ):
>> http://bugs.digium.com/view.php?id=14188
>>
>> I think changing the priority (peer before user) might be a solution  
>> as
>> well. Actually if someone uses "peers" for gateways and "users" for  
>> SIP
>> clients IMO the gateways should have higher priority. Another matching
>> option would be the order in sip.conf.
>>
>> regards
>> klaus
>>
>> asterisk at ntplx.net wrote:
>>> I have the same old problem that has come up before; I know this
>>> has been asked before.
>>>
>>> I use a cisco AS5300 PRI gateway to connect the PSTN to asterisk 1.4
>>> with SIP. When a call comes into the PRI, the cisco sends it to
>>> asterisk with a from of the CID which is normally a 10 digit phone
>>> number. The cisco gateway is configured as a peer in the sip.conf  
>>> file
>>> and setup as insecure so asterisk can match the IP address.
>>>
>>> I also have some SIP ATA devices where the user name/device name is
>>> set as just the 10 digit phone number. This causes a problem for
>>> asterisk when one of the users calls back into the same system.
>>> The cisco box sends a SIP from with the 10 digit number and asterisk
>>> matches the username in sip.conf and says the authentication does
>>> not match (I want it to match the insecure gateway IP).
>>>
>>> If I change check_user_full in chan_sip.c to match IP peers first  
>>> then
>>> this seems to solve the problem for the cisco/asterisk system, but  
>>> seems
>>> it may cause future authentication issues for users. When a user  
>>> connects
>>> it matches the username and then later requests match the IP in the  
>>> peer
>>> list. Are authenticated users added as peers? Do they expire?
>>>
>>> Other than not using the 10 digit number as a name for authentication
>>> to solve this issue, is there a real problem matching IP peers first?
>>> Why is this not done now? Why does asterisk not match peers by IP  
>>> after
>>> an authentication failure?
>>>
>>> Does any/all of this change in version 1.6/trunk?
>>>
>>>    Andrew
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>
>>> asterisk-dev mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>   http://lists.digium.com/mailman/listinfo/asterisk-dev
>>
> 
> ---
> * Olle E Johansson - oej at edvina.net
> * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
> 
> 
> 
> 
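The sip.conf layout Andrew describes, next to the all-peers workaround Klaus proposes, as an added example (not configuration posted in the thread). The section names, the secret and the gateway address 192.0.2.10 are assumptions; it describes the Asterisk 1.4 matching order discussed above (users by From: username first, then peers by source IP). Whether the same trick holds in 1.6.1, where Olle says peers are now matched by name before IP, is exactly Klaus's open question and is not answered here.

```ini
; Constructed example. Two versions of the ATA entry are shown; a real
; sip.conf would contain only one of them.

[general]
context=default          ; calls that match no entry land here

; PSTN gateway (assumed address), authenticated by source IP only
[cisco-gw]
type=peer
host=192.0.2.10
insecure=port,invite     ; accept INVITEs from this host without a challenge
context=from-pstn

; --- Problematic: ATA named after its own 10-digit number, defined as a user ---
[2125551212]
type=user                ; 'user' entries are matched on the From: username
secret=s3cret-assumed
host=dynamic
context=internal
; An INVITE from 192.0.2.10 whose caller-ID (From: username) is 2125551212
; matches this entry before any IP lookup, gets challenged for a password
; the gateway cannot supply, and never reaches [cisco-gw].
; type=friend has the same problem: it creates the user half as well.

; --- Workaround from the thread: define the ATA as a peer instead ---
[2125551212]
type=peer
secret=s3cret-assumed
host=dynamic             ; the ATA registers; its later requests match its registered IP
context=internal
; With no 'user' entries, non-REGISTER requests are matched against peers
; by source address, so the gateway's INVITE lands on [cisco-gw] regardless
; of the From: username, while the ATA is still authenticated by secret.
```

Olle's alternative is to drop name=number entirely: name the entry after the device (say [ata-1]) and route the number in extensions.conf with something like exten => 2125551212,1,Dial(SIP/ata-1), so the gateway's caller-ID can never collide with a device name.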


