[Users] Trying to find a solution to a sticky problem here.

Douglas Garstang dgarstang at oneeighty.com
Fri Mar 17 18:09:56 CET 2006


> -----Original Message-----
> From: Douglas Garstang 
> Sent: Friday, March 17, 2006 9:57 AM
> To: arek at perceval.net
> Cc: openser
> Subject: RE: [Users] Trying to find a solution to a sticky 
> problem here.
> 
> 
> > -----Original Message-----
> > From: Arek Bekiersz [mailto:arek at perceval.net]
> > Sent: Friday, March 17, 2006 9:21 AM
> > To: Douglas Garstang
> > Cc: openser
> > Subject: Re: [Users] Trying to find a solution to a sticky 
> > problem here.
> > 
> > 
> > Hi,
> > 
> > 
> > Just a first impression, after quickly reading the mail.
> > May be useful. Or may be noise:
> > 
> > I do it IP based. I use a few Asterisk boxes, not exactly the way you do,
> > but I also need to talk between SERs and Asterisks without problems. I
> > just put one or more SERs as trusted peers at all Asterisks. Then at
> > SER I disable authentication of requests coming from specified Asterisk
> > addresses.
> > 
> > When it comes to your REFER problem (or similar), I just put
> > record-route to all requests flying thru SER. Then all UAs are obliged
> > to send subsequent requests in a dialog thru proxy. This is what
> > record-route is for.
> Whoa! I didn't realise I could do that. Just exactly where 
> would I put the record_route()? I tried putting it after the 
> logic that tests for an INVITE... but it didn't seem to work.
Hmmm. Then I tried putting a record_route() right at the beginning of the route {} block. Actually I watched the packets with ngrep and I can see a Record-Route: header with OpenSER's IP address, but REFERs are still being sent directly from the phone to Asterisk.
Any ideas?
 
> > 
> > If this is not enough, because you are outside of a dialog or have a
> > particularly stupid UA - my SIP routing is based on domains. So UAs are
> > always configured to use proxy and proxy is in textual format of a realm
> > (FQDN). Thus, they will never send any dialog initiating request
> > omitting proxy. Or they are very stupid UAs :-)
> > 
> > Conclusion: trusted peers on (*) and IP-based policy on SER works well
> > for me.
> > 
> > -- 
> > Regards,
> > Arek Bekiersz
> > 
> > 
> > 
> > 
> > Douglas Garstang wrote:
> > > Trying to find a solution to a sticky problem here.
> > > 
> > > We have 3 OpenSER systems. Phones register with the OpenSER
> > > systems, and after they authenticate the user, pass the
> > > registration info using OpenSER's send() command to all
> > > Asterisk boxes sitting behind them. Each Asterisk system then
> > > knows about every phone.
> > > 
> > > For this to work, I had to turn off authentication in
> > > Asterisk for both registrations and invites. If it's on,
> > > Asterisk sends a 407 Proxy Auth required to the phone in
> > > addition to OpenSER. This confuses the phone, as it's now
> > > receiving two 407 proxy auth requests, and it basically just
> > > drops the second request on the floor.
> > > 
> > > This is obviously a big security problem and it can't stay
> > > this way. I thought maybe if authentication was on in
> > > Asterisk, that considering by the time it receives the
> > > authenticated register or invite from OpenSER, the MD5
> > > password was already contained in the packet, that Asterisk
> > > wouldn't ask again. It does. :(
> > > 
> > > We could use iptables to only allow connections from the
> > > OpenSER systems, but that doesn't always work. When a caller
> > > transfers a call, the phones will send a REFER message
> > > directly to Asterisk, so all the phones would have to also be
> > > in the iptables allow list. Not an elegant solution.
> > > 
> > > We could run mediaproxy on OpenSER and force all RTP
> > > streams back through it. Might work, but it might also break
> > > other stuff. We could then configure iptables to only allow
> > > RTP streams from the OpenSER systems.
> > > 
> > > It might be possible to configure OpenSER to perform the
> > > logic necessary to make it talk to Asterisk properly, but
> > > it's beyond my abilities and time.
> > > 
> > > Anyone ever done this? Anyone got any ideas?
> > > 
> > > Doug
> > 
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
> 
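A sketch of the arrangement Arek describes and Doug is asking about, added here as an illustration in openser.cfg style (not configuration from either poster): record_route() applied to every non-REGISTER request before anything is relayed, loose_route() carrying in-dialog requests such as REFER back through the proxy, and source-IP trust for the Asterisk boxes in place of a digest challenge. OpenSER 1.0 syntax with the auth_db module, the addresses 10.0.0.10/10.0.0.11 and the realm sip.example.com are all assumptions; the send() replication of registrations from Doug's setup is left out.

```cfg
# Added illustration, not Doug's or Arek's real config. Assumes OpenSER
# 1.0 cfg syntax with auth_db loaded; 10.0.0.10/10.0.0.11 and
# sip.example.com are placeholders for the Asterisk boxes and the realm.
route {
	# Record-Route every request except REGISTER, before anything is
	# relayed, so in-dialog requests (REFER, BYE, re-INVITE) carry a
	# Route header pointing back at this proxy instead of going direct.
	if (!method == "REGISTER") record_route();

	# In-dialog requests follow the route set; they are not challenged.
	if (loose_route()) {
		route(1);
	};

	# Requests originated by a trusted Asterisk box: source-IP policy
	# replaces the digest challenge (Arek's "trusted peers" in reverse).
	if (src_ip == 10.0.0.10 || src_ip == 10.0.0.11) {
		route(1);
	};

	if (method == "REGISTER") {
		if (!www_authorize("sip.example.com", "subscriber")) {
			www_challenge("sip.example.com", "0");
			exit;
		};
		save("location");
		exit;
	};

	# Dialog-initiating requests from phones authenticate here, so
	# Asterisk behind the proxy never needs to send its own 407.
	if (!proxy_authorize("sip.example.com", "subscriber")) {
		proxy_challenge("sip.example.com", "0");
		exit;
	};
	consume_credentials();

	if (!lookup("location")) {
		sl_send_reply("404", "Not Found");
		exit;
	};
	route(1);
}

route[1] {
	if (!t_relay()) {
		sl_reply_error();
	};
	exit;
}
```

With this ordering, the trace Doug took with ngrep should show the Record-Route header on the relayed INVITE and the matching Route header on the phone's later REFER; if the REFER still has no Route header, the phone is not honouring the route set rather than the proxy failing to insert it.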