[Serusers] Allowing incoming calls from trusted peers

Cameron Beattie kjcsb at orcon.net.nz
Fri Mar 17 03:44:32 CET 2006


> I want to allow peering with specific providers and am not sure of the best
> way to do this. At the moment I have the following in ser.cfg:
>        if (method=="INVITE" && !allow_trusted()) {
>                if (!proxy_authorize("","subscriber")) {
>                        proxy_challenge("","0");
>                        break;
>                } else if (!check_from()) {
>                        sl_send_reply("403", "Use From=ID");
>                        break;
>                };
>
>                consume_credentials();
>        };
>
> SER sends a 407 back to any server trying to send a call to my server.
>
> As I understand it allow_trusted only allows specification of trusted IP 
> addresses. I'm not clear what it is checking though. Is it the IP address 
> of the host provided in the URI, or From, or something else?
>
> What if I want to validate based on domain name? What are the risks of the 
> following approach?
>        if (method=="INVITE" && !is_from_local()) {
>
> Any help appreciated.
>
> Cameron

For those interested here is what I ended up with:

My ser.cfg is based on the onsip.org v5 model config. I have changed the 
first line in route[3]. See below:

        if (!allow_trusted() && !is_uri_host_local()) {
                if (!proxy_authorize("","subscriber")) {
                        proxy_challenge("","0");
                        break;
                } else if (!check_from()) {
                        sl_send_reply("403", "Use From=ID");
                        break;
                };

                consume_credentials();
        };

What this block achieves (I believe) is to ensure that INVITES are either 
from a trusted IP (allow_trusted()) or to a sip uri in a trusted domain 
(is_uri_host_local()). If not then a proxy authentication request is sent. 
If proxy authentication credentials are provided then we ensure that the 
call is from an authenticated user. This now lets calls in to my users from 
external proxies or gateways (just like the good old PSTN).

If there are any flaws in my logic I'd appreciate the advice.

Thanks

Cameron 
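To make the decision logic of that route[3] block concrete, here is an added Python model of it. This is illustrative code written for this page, not part of SER or of the ser.cfg above. It assumes what the permissions module documents for allow_trusted(), namely that it matches the request's source IP against the trusted table, and that is_uri_host_local() tests the Request-URI host against the proxy's local domains. The trusted table, local domain, subscriber entries and the five sample INVITEs are all constructed; proxy_authorize() is reduced to a plain password lookup rather than a real digest check. One point the model makes visible: for an INVITE that passes only because its Request-URI is local, neither proxy_authorize() nor check_from() runs, so the From header of such inbound calls is not verified, which is exactly the PSTN-style trade-off the post describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the permissions module's "trusted" table.
# allow_trusted() in SER matches the request's source IP against it.
TRUSTED_PEERS = {"203.0.113.10", "198.51.100.20"}

# Constructed set of domains this proxy considers local for
# is_uri_host_local(): the Request-URI host must be one of these.
LOCAL_DOMAINS = {"sip.example.net"}

# Constructed subscriber table: (user, domain) -> password. Real SER
# verifies a digest response here; the model just compares a password.
SUBSCRIBERS = {("alice", "sip.example.net"): "s3cret"}


@dataclass
class Invite:
    """The fields of an INVITE that route[3] actually looks at (constructed)."""
    src_ip: str
    ruri_host: str
    from_uri: str
    auth_user: Optional[str] = None      # Proxy-Authorization username
    auth_domain: Optional[str] = None    # Proxy-Authorization realm
    auth_password: Optional[str] = None  # stands in for the digest response


def allow_trusted(inv: Invite) -> bool:
    # permissions module: source IP of the request vs. trusted table
    return inv.src_ip in TRUSTED_PEERS


def is_uri_host_local(inv: Invite) -> bool:
    # domain module: host part of the Request-URI vs. local domains
    return inv.ruri_host in LOCAL_DOMAINS


def proxy_authorize(inv: Invite) -> bool:
    # proxy_authorize("", "subscriber"): credentials present and valid?
    if inv.auth_user is None:
        return False
    return SUBSCRIBERS.get((inv.auth_user, inv.auth_domain)) == inv.auth_password


def check_from(inv: Invite) -> bool:
    # check_from(): From URI must match the authenticated identity
    return inv.from_uri == f"sip:{inv.auth_user}@{inv.auth_domain}"


def route3(inv: Invite) -> str:
    """Model of the first block of route[3] from the post.

    Returns the reply SER would send, or "relay" when the INVITE proceeds.
    """
    if not allow_trusted(inv) and not is_uri_host_local(inv):
        if not proxy_authorize(inv):
            return "407 Proxy Authentication Required"
        if not check_from(inv):
            return "403 Use From=ID"
        # consume_credentials(): strip Proxy-Authorization before relaying
        inv.auth_user = inv.auth_domain = inv.auth_password = None
    return "relay"


def sample_decisions() -> dict:
    """Run the constructed scenarios and return {name: decision}."""
    cases = {
        # trusted peer calling out through us: no challenge
        "trusted_peer": Invite("203.0.113.10", "sip.example.org",
                               "sip:bob@peer.example"),
        # unknown host calling one of our users: accepted, From unverified
        "inbound_to_local_user": Invite("192.0.2.77", "sip.example.net",
                                        "sip:anyone@anywhere.example"),
        # unknown host trying to use us as an open relay: challenged
        "unknown_relay_attempt": Invite("192.0.2.77", "sip.example.org",
                                        "sip:anyone@anywhere.example"),
        # valid subscriber but From does not match the credentials
        "subscriber_bad_from": Invite("192.0.2.5", "sip.example.org",
                                      "sip:mallory@sip.example.net",
                                      "alice", "sip.example.net", "s3cret"),
        # valid subscriber with matching From: relayed, credentials consumed
        "subscriber_ok": Invite("192.0.2.5", "sip.example.org",
                                "sip:alice@sip.example.net",
                                "alice", "sip.example.net", "s3cret"),
    }
    return {name: route3(inv) for name, inv in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:24s} -> {decision}")
```

The "inbound_to_local_user" case is the one the post set out to allow; the "unknown_relay_attempt" case shows that the block still challenges anyone trying to use the proxy to reach a foreign domain, so the change does not turn SER into an open relay.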