[asterisk-dev] Pinetree :: For Asterisk SIP trunks behind a SIP proxy

Olle E. Johansson oej at edvina.net
Tue Sep 1 09:47:45 CDT 2009


On 1 Sep 2009, at 16:22, Klaus Darilion wrote:

>
>
> Olle E. Johansson wrote:
>> Hackers!
>>
>> In the middle of the debate about peer matching, I'm adding another
>> recipe to the pot: Peer matching behind a SIP proxy.
>>
>> Many of us implement Asterisk behind SIP proxies for load balancing or
>> failover or both. That means that all messages to Asterisk are sent by
>> the proxy and all peer matching on IP/port fails. Asterisk simply
>> doesn't know how to separate the devices behind the proxy.
>>
>> With my new code, you can add a rule to the SIP proxy [peer] section,
>> saying "don't match me, match who sent to me". The way Asterisk does
>> that, is by reading the second VIA header. This is the device that
>> sent the message to Asterisk - another proxy or an endpoint. You can
>> also be very strict and say "match last via" - which always will be
>> the other endpoint.
>
> Hope this uses "received" and "rport" param, as Via is easily  
> spoofable

Well, it's always a matter of who you trust, right? I did not choose
that approach, but it's an interesting addition.
Anything is spoofable, so you want authentication at the ingress point to
check who's spoofing what :-)

/O
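
The difference between matching on the second Via's sent-by and on its `received`/`rport` parameters, as an added example (not code from this thread or from Asterisk). It assumes the proxy in front is trusted and records the packet source on the Via of requests it receives (`received` per RFC 3261, `rport` per RFC 3581); `parse_vias`, `match_source`, the addresses and the SIP message are constructed for illustration.

```python
import re

# Constructed sample: INVITE relayed by a proxy at 192.0.2.10. The device claims
# 10.0.0.5 in its Via; the proxy recorded the address the packet really came from.
SAMPLE = (
    "INVITE sip:100@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKproxy1\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5062;branch=z9hG4bKdev1;received=203.0.113.7;rport=40112\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:100@pbx.example.com>\r\n"
    "Call-ID: constructed-1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
)

def parse_vias(message):
    """Return every Via entry, top-most first, as a dict of host/port/params."""
    vias = []
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):   # "v" is the compact form
            continue
        for entry in value.split(","):                 # one header may carry several
            sent_by, *params = [p.strip() for p in entry.split(";")]
            m = re.match(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^:\s]+)(?::(\d+))?$", sent_by)
            if not m:
                raise ValueError("malformed Via: %r" % entry)
            kv = dict(p.partition("=")[::2] for p in params)
            vias.append({"host": m.group(1), "port": int(m.group(2) or 5060), "params": kv})
    return vias

def match_source(message, packet_src, trusted_proxies):
    """Pick the (host, port, origin) to use for peer matching."""
    if packet_src[0] not in trusted_proxies:
        return packet_src[0], packet_src[1], "socket"   # not our proxy: plain IP/port match
    vias = parse_vias(message)
    if len(vias) < 2:
        return packet_src[0], packet_src[1], "socket"   # the proxy itself originated this
    via = vias[1]                                        # second Via: who sent to the proxy
    received, rport = via["params"].get("received"), via["params"].get("rport")
    if received:                                         # address written by the proxy
        return received, int(rport) if rport else via["port"], "proxy-stamped"
    return via["host"], via["port"], "sender-claimed"    # sent-by is written by the sender

if __name__ == "__main__":
    print(match_source(SAMPLE, ("192.0.2.10", 5060), {"192.0.2.10"}))
```

The `origin` value lets the caller decide whether a `sender-claimed` address is acceptable for matching at all, or only after authentication at the ingress proxy.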


