[asterisk-dev] AstriDevCon Follow Up - Asterisk and Kamailio - smoother integration

Wed Mar 11 18:26:55 CDT 2015

On 11/03/15 22:11, Matthew Jordan wrote:
> On Wed, Mar 11, 2015 at 3:31 PM, Olle E. Johansson <oej at edvina.net> wrote:
>>>> So far most of authorization between Kamailio and Asterisk relies on IP
>>>> addresses, but those need to be provisioned one by one in both sides. The
>>>> new module is practically adding a custom header with a hash over parts of
>>>> the message or other environment attributes (eg., IP address) and a shared
>>>> secret. The www-digest with username and password has the overhead of an
>>>> extra round of signaling messages, but also the constraint on CSeq increment
>>>> after the challenge. Also, the MD5 is rather week hashing these days.
>>>>
>> Why can't this be done in the dialplan?. This is exactly why I implemented the MD5
>> dialplan stuff in Asterisk years ago. We need something else than MD5 today,
>> but still - both Asterisk and Kamailio can handle it without modules or extra coding...
>>
>> The IETF is working on OAUTH authentication for SIP - which is the solution
>> we really want to look into - not copy weak auth from the API world... :-)

Continuing the thread, but answering to Olle's remarks -- yes, many
things can be done via config, as I noted it is mainly about the
management of the shared secret rather than the computing of the
hashing. I consider it important to be able to work verifying against
many keys at the same time, but using one (the most recent) for adding
the header.

Then I didn't want a complex scripting around it, with db queries and
managing the result in the config, putting extra complexity there. The
idea was to make it as scalable and elastic as possible. Also, C coding
is the easiest I can do ;-) and again, I wanted to come up with some
real stuff, not just theoretical discussion. Being something good or
bad, is now opened for discussions.

One problem with IETF is that takes ages for new good specs and the 'API
guys' will be further ahead with new auth mechanisms by that time. Not
to say that many things from IETF come out without any practical
background, being based on pure theoretical concepts from some
specs-writting-machine-guys.

While I am all for standardization and open specifications, I think that
some concepts can be tested before pushing to a formalization. And open
source should be the perfect ground for such ideas, if found useful
and/or practical, someone can take the lead on standardization process.
In other words, I want open source to be more involve in standardizing
practical things, rather than implementing specs from others --
definitely will be more feasible specs out of such process.

> Do you really want to spin up a PBX thread for every single request
> that fails authentication?
>

Yep, not all web auth models are suitable for real time comms.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com