[Serusers] Advice needed

Greger V. Teigre greger at teigre.com
Tue May 24 16:26:51 CEST 2005


>>> As for ip auth I guess it's just not good enough. UDP invites don't
>>> require any handshake; it's not hard at all to spoof ip address. I
>>> believe sending 2 invites is worth the security it actually adds.
>>
>> Yes, but you can also do TCP.
>
> Yes, it's possible if provider supports it. I'm not sure that it's
> better in terms of performance than sending 2 UDP INVITEs and I'd
> still prefer to authenticate, but it's a possibility. Thanks.

Agree.

>>> Also I don't understand what you mean by #3. Taking ip address from
>>> authenticated REGISTER and then doing IP auth on that?
>>
>> No, using sipsak to actually do a REGISTER on behalf of your ser. No
>> IP auth, basically it makes your ser a registered client of the GW.
>> Of course, if INVITEs still must be authenticated, you are back to
>> the UAC module problem.
>
> Sorry, Greger, I still don't understand how registering would add
> any INVITE-security if INVITEs are not authenticated. Still anyone can
> send INVITE putting ip address of my server as source of ip packet.

;-) Yes, that is exactly what I'm saying. I was just listing the various
alternatives, not complete solutions. Basically, as a GW provider, you
decide on your level of security and how you want to implement it. Ex. ACLs
on IP addresses and always replying to source IP is one way. Authenticating
INVITEs is another. It all boils down to working with your providers to
figure out the best way to do it. (AFAIK, you are the customer when buying
PSTN minutes...)
g-) 
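
The two gateway-side checks compared in this thread, as an added Python example that is not part of the original message or of SER: an IP ACL decides on a single UDP INVITE, while digest authentication needs the second INVITE to answer a nonce sent back to the source address. The `Gateway` class, the credentials and the addresses are hypothetical and constructed; the digest is the RFC 2617 form without qop.

```python
import hashlib
import hmac
import os

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Gateway:  # hypothetical model of the PSTN gateway, for illustration
    def __init__(self, acl, users, realm):
        self.acl, self.users, self.realm = set(acl), dict(users), realm
        self.issued = set()  # nonces handed out and not yet used

    def invite_ip_acl(self, claimed_src_ip):
        # One UDP datagram, no handshake: the decision rests entirely on
        # the address written into the packet header.
        return 200 if claimed_src_ip in self.acl else 403

    def invite_digest(self, uri, auth=None):
        if auth is None:
            # First INVITE: the 407 and its nonce go to the source address.
            nonce = os.urandom(16).hex()
            self.issued.add(nonce)
            return 407, nonce
        # Second INVITE: the nonce must be one we issued, and is single-use.
        if auth["nonce"] not in self.issued:
            return 403, None
        self.issued.discard(auth["nonce"])
        password = self.users.get(auth["username"])
        if password is None:
            return 403, None
        expected = digest_response(auth["username"], self.realm, password,
                                   "INVITE", uri, auth["nonce"])
        ok = hmac.compare_digest(expected, auth["response"])
        return (200 if ok else 403), None

def demo():
    # Constructed sample values: documentation address, made-up credentials.
    gw = Gateway(["192.0.2.10"], {"ser": "s3cret"}, "gw.example")
    uri = "sip:5551000@gw.example"
    _, nonce = gw.invite_digest(uri)
    resp = digest_response("ser", "gw.example", "s3cret", "INVITE", uri, nonce)
    auth = {"username": "ser", "nonce": nonce, "response": resp}
    return (gw.invite_ip_acl("192.0.2.10"), gw.invite_digest(uri, auth)[0],
            gw.invite_digest(uri, auth)[0])
```

`demo()` returns the ACL result, the result of the authenticated second INVITE, and the result of replaying that same INVITE once its nonce has been used.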



