<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
From experience with past cases, it can indeed be problematic
with some clients. But it can be done as Alex said.<br>
<br>
I just wanted to add a bit about how I preferred to do it when I had
to. I always try to auth only the caller, as it was for the initial INVITE.
The way to do it is to append the From tag to Record-Route and detect
the direction. If it is from the caller and the From header matches the local
domain, then the call can be authenticated.<br>
<br>
Authenticating the callee is more complex, since with hardphones the To
header very likely always has the local domain (even when going to
PSTN or other networks, which are routed by some prefix in the R-URI
username). You would need to look it up in the database to see if it is a
local user. Then, if you have short dialing, aliases or DIDs, you
would practically need to do all kinds of translations to get to the
user ID to check whether it is a local user or not.<br>
<br>
An alternative would be using the dialog module with some flags to know
whether to auth the caller/callee for within-dialog requests, setting
these flags at call setup.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
On 3/23/12 11:34 PM, Alex Balashov wrote:
<blockquote
cite="mid:t2s3uiip52mr8p7hoeds14cg.1332542045776@email.android.com"
type="cite">Clearly, you can only authenticate sequential requests
corresponding to calls whose initial requests were subject to
authentication. If the initial request was not authenticated,
there is no reason to believe that the endpoint would support
authentication of sequential requests.<br>
<br>
As to whether you should do this, that is a controversial matter.
I suppose that the security-maximising approach would be to
challenge all requests, but it invites problems with many
endpoints.<br>
<br>
--<br>
Alex Balashov - Principal<br>
Evariste Systems LLC<br>
235 E Ponce de Leon Ave<br>
Suite 106<br>
Atlanta, GA 30030<br>
Tel: +1-678-954-0671<br>
Web: <a class="moz-txt-link-freetext" href="http://www.evaristesys.com/">http://www.evaristesys.com/</a>, <a class="moz-txt-link-freetext" href="http://www.alexbalashov.com">http://www.alexbalashov.com</a><br>
<br>
David <a class="moz-txt-link-rfc2396E" href="mailto:kamailio.org@spam.lublink.net">&lt;kamailio.org@spam.lublink.net&gt;</a> wrote:<br>
<br>
<p>Hello,</p>
<p>Should I be requiring users to authenticate before letting them
into loose_route(); ? What about anonymous calls from E164, how
do I authenticate these calls after they have started?</p>
<p>Thanks,</p>
<p>David</p>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
<a class="moz-txt-link-freetext" href="http://www.asipto.com/index.php/kamailio-advanced-training/">http://www.asipto.com/index.php/kamailio-advanced-training/</a></pre>
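<br>
The direction check described in the reply above, modelled in Python as an added example (not code from the thread or from Kamailio). It assumes the proxy put an ftag parameter carrying the initial INVITE's From tag into Record-Route, that sip.example.com is the local domain, and it uses constructed sample messages; skipping ACK and CANCEL is an addition here, since those methods cannot be challenged.

```python
import re

LOCAL_DOMAINS = {"sip.example.com"}  # assumption: the proxy's own domain(s)

def header(msg, name):
    """Return the first value of header `name` (case-insensitive), or ''."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.*)$", msg, re.I | re.M)
    return m.group(1).strip() if m else ""

def param(value, name):
    """Return the ;name=value parameter of a header value, or None."""
    m = re.search(rf";\s*{re.escape(name)}=([^;>\s,]+)", value, re.I)
    return m.group(1) if m else None

def direction(msg):
    """'caller', 'callee' or 'unknown', from the Route ftag vs. From/To tags."""
    ftag = param(header(msg, "Route"), "ftag")
    if ftag is None:
        return "unknown"          # no ftag: direction cannot be derived
    if ftag == param(header(msg, "From"), "tag"):
        return "caller"           # same From tag as the initial INVITE
    if ftag == param(header(msg, "To"), "tag"):
        return "callee"           # From/To are swapped for the callee's requests
    return "unknown"

def from_domain(msg):
    m = re.search(r"sips?:(?:[^@>;]*@)?([^:;>\s]+)", header(msg, "From"), re.I)
    return m.group(1).lower() if m else ""

def should_challenge(msg):
    """Challenge only in-dialog requests sent by a caller in a local domain."""
    method = msg.split(" ", 1)[0].upper()
    if method in ("ACK", "CANCEL"):
        return False              # these methods cannot be challenged
    return direction(msg) == "caller" and from_domain(msg) in LOCAL_DOMAINS

# Constructed sample in-dialog requests (not captured traffic).
def sample_request(method, from_hdr, to_hdr):
    return (f"{method} sip:bob@192.0.2.20 SIP/2.0\r\n"
            "Route: <sip:192.0.2.10;lr;ftag=abc123>\r\n"
            f"From: {from_hdr}\r\nTo: {to_hdr}\r\n\r\n")

CALLER = "<sip:alice@sip.example.com>;tag=abc123"
CALLEE = "<sip:bob@sip.example.com>;tag=xyz789"
BYE_FROM_CALLER = sample_request("BYE", CALLER, CALLEE)
BYE_FROM_CALLEE = sample_request("BYE", CALLEE, CALLER)
```
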
</body>
</html>