[asterisk-dev] chan_sip SIP Authentication

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jan 30 01:34:24 CST 2009



Philipp Kempgen wrote:
> Johansson Olle E wrote:
>>> Klaus Darilion wrote:
> 
>>>> I think changing the priority (peer before user) might be a
>>>> solution as well. Actually if someone uses "peers" for gateways
>>>> and "users" for SIP clients IMO the gateways should have higher
>>>> priority. Another matching option would be the order in sip.conf.
> 
>> But the recommendation still stands: You shalt not mix namespaces.
> 
> Just that there are no namespaces. A separate namespace for device
> names has to be simulated by prefixing them with something that is
> guaranteed not to be found in an extension, such as "device--",
> provided the admin doesn't allow "--" in extensions.
> 
> For obvious reasons it would be a bad idea to prefix extensions
> with an artificial string.

As the system I currently set up purely uses phone numbers, I think I 
will prefix the username with just a single letter; that will give me 2 
separate namespaces.

>> You will confuse yourself and, if you are a service provider,
>> reveal phone numbers in signalling that in some cases are supposed
>> to be hidden. In Sweden, that will even be against regulation.
> 
> Is it ok to reveal device names then?
> 
> And BTW: Thanks for adding
> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837

Yes, great. But one question:

 > Note: The parameter "username" is not the username and in most
 > cases is not needed at all. Check below. In later releases,
 > it's renamed to "defaultuser" which is a better name, since it
 > is used in combination with the "defaultip" setting.

I do not understand that clearly. I always thought that "username" is 
the authentication user. (In this case it should be renamed to authuser.)

The other appearances make me think that "username" is also allowed for 
users - but it is not listed in the user section.


btw: shouldn't it be possible to configure a peer's outgoing and 
incoming credentials separately? (Using [authentication] realm does not 
solve this when peers use the same realm.)

> 
> So what about completely random names such as "account--2hs9n"?

Actually this is really a PITA. Maybe the namespace separation should be 
done on the full SIP URI, not only the user part, e.g. use 
sip:+4312345@pbx.example.com for the SIP account, but use 
sip:+4312345@gw.example.com for phone numbers. I know Asterisk supports 
a multi domain mode - but I have never used it yet. So, would it be 
possible to prevent the "user" matching the "peer" if domain mode is 
activated and the GW uses a different domain?

Of course even nicer would be if the GW uses tel:+4312345 in the From 
header, then the "user" should not match either.

regards
klaus


> But then again I still need to think about what influence this
> might have on SIP <--> ISDN interworking for example.
> 
> 
>    Philipp Kempgen
> 
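
The name collision discussed in this thread, as an added example that is not part of the original messages or of Asterisk: a Python check that reads sip.conf-style text and reports `type=user` / `type=friend` entries whose section names could also arrive as a caller's number. It assumes extensions are plain phone numbers (digits with an optional leading `+`); the sample configuration is constructed.

```python
import re

# Constructed sample, not from the thread (sip.conf syntax).
SAMPLE_SIP_CONF = """\
[general]
context=default

[4312345]            ; device named like a phone number
type=friend
secret=placeholder

[device--2hs9n]      ; prefixed name, cannot appear as an extension
type=friend
secret=placeholder

[gw1]
type=peer
host=192.0.2.10
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
# Assumption: extensions on this system are phone numbers (digits, optional '+').
EXTENSION_LIKE = re.compile(r"^\+?\d+$")

def parse_sections(text):
    """Return {section_name: {key: value}} for sip.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # also accept the 'key => value' form
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def colliding_devices(text):
    """Names of user/friend entries that share the phone-number namespace."""
    hits = []
    for name, opts in parse_sections(text).items():
        if name in ("general", "authentication"):
            continue
        if opts.get("type") in ("user", "friend") and EXTENSION_LIKE.match(name):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for name in colliding_devices(SAMPLE_SIP_CONF):
        print(f"device name {name!r} shares the extension namespace")
```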


