[OpenSIPS-Users] IP Based Authentication on Asterisk with OpenSIP (Bogdan-Andrei Iancu)

Muhammad Zulqarnain mzulqarnain2002 at yahoo.com
Mon Dec 14 17:33:02 CET 2009


Hello Brett Nemeroff!

Thanks for your valuable suggestion and for the security measure to avoid spoofing by bad customers. I will try it.

Thanks
Regards,
Zulqarnain




>Honestly, this is outside of the scope of this mailing list, but this
>may get you on track.

>First you'll need an asterisk context in the [general] section of your sip.conf:
>[general]
>context=default

>then in extensions.conf you'll need to use the SIP_HEADER function, to
>check for the header and do your magic based on the result. For your
>reference, here's the doc for the SIP_HEADER function

>[Syntax]
>SIP_HEADER(<name>[,<number>])

>[Synopsis]
>Gets the specified SIP header

>[Description]
>Since there are several headers (such as Via) which can occur multiple
>times, SIP_HEADER takes an optional second argument to specify which header with
>that name to retrieve. Headers start at offset 1.
======%<===========


>Lastly, if you are going to add a header with opensips to include
>something that is an authoritative reference to the customer, then you
>MUST first remove the header from the incoming message or your
>customer could spoof it. Let me give you an example, I'm a "bad
>customer" and I see you are on the mailing list and are using
>X-source-ip: header to authenticate calls. So before I send you calls,
>I'll stick in a:
>X-source-ip: 192.168.1.1

>to mess you up. If you don't first remove the header, both headers (I
>think?) will likely reach the asterisk and heaven only knows which one
>asterisk will use. :)

>Of course, alternatively, you can just do this IN opensips. I do this,
>works great. And as a big plus, it doesn't use asterisk or funky
>headers. :)
>-Brett



On Sat, Dec 12, 2009 at 1:31 PM, Muhammad Zulqarnain
<mzulqarnain2002 at yahoo.com> wrote:
> Hello!
>
> Thanks Bogdan!
>
> I have added the following to the SIP header, which adds the source IP to
> the SIP packet before sending it to Asterisk.
>         append_hf("X-customer-ip: $si\r\n");
> The SIP trace shows the following packet, which adds X-customer-ip: x.x.x.x
> to the SIP header, but I am wondering how to tell/set up Asterisk to read
> the source IP from the additional SIP header instead of the network level.
> Also, I have another switch named Voipswitch on which I would not be able to
> customize anything to honor an incoming SIP header for source IP validation,
> so the solution should work for all GW/Server other than asterisk only.
>
> U 2009/12/12 18:58:32.829652 y.y.y.y:5060 -> z.z.z.z:5060
> INVITE sip:123456789@y.y.y.y SIP/2.0.
> Record-Route: <sip:y.y.y.y;lr;ftag=a16f2b41;did=882.11d0f5f>.
> To: <sip:123456789@y.y.y.y>.
> From: hello<sip:hello@y.y.y.y>;tag=a16f2b41.
> Via: SIP/2.0/UDP y.y.y.y;branch=z9hG4bKfb2e.a79595a4.0.
> Via: SIP/2.0/UDP x.x.x.x:7266;received=x.x.x.x;branch=z9hG4bK-d87543-197592634-1--d87543-;rport=7266.
> Call-ID: 9867b13bdc3a4f30.
> CSeq: 1 INVITE.
> Contact: <sip:hello@x.x.x.x:7266>.
> Max-Forwards: 69.
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.
> Content-Type: application/sdp.
> User-Agent: eyeBeam release 3007n stamp 17816.
> Content-Length: 237.
> X-customer-ip: x.x.x.x.
>
> Please suggest solution with sample configs.
>
> Thanks
> Regards
> Muhammad Zulqarnain
>
>
>>Hi Muhammad,
>>
>>What you can do (and I know for sure it works with Asterisk), is to
>> configure opensips (LB) to add the real src IP (IP of the client) into a
>> SIP header (in the request) and send it to Asterisk - asterisk will do IP
>> based auth but will take IP from that header (custom name) instead of
>> taking it from network level.
>
>>Regards,
>>Bogdan
>
> Muhammad Zulqarnain wrote:
>> Hello!
>>
>> This is Zulqarnain and my first post to this mailing list. I just started
>> using OpenSIP and am trying to get myself familiar with OpenSIP and its
>> config files, methods etc.
>>
>> Well, I am trying to achieve the following:
>> Client IP: x.x.x.x
>> OpenSIP: y.y.y.y
>> Asterisk: z.z.z.z
>>
>> 1) Client -> OpenSIP (Load_balancer) -> Asterisk1, Asterisk2....
>>    a) If Client Request is Register -> Relay to Asterisk (It is working
>> fine as peer is defined with user/passwd auth, host=dynamic)
>>    b) If Client Request is INVITE -> Relay to Asterisk (Asterisk Reject as
>> peer is defined as IP Auth, type=peer, host=x.x.x.x)
>>
>> The "b" scenario failed, as Asterisk reads the OpenSIP IP y.y.y.y and
>> rejects the call, because Asterisk is expecting source IP x.x.x.x instead
>> of y.y.y.y
>>
>> I tried the following to fix it, but with no success:
>>
>> 1) 302 Redirect for GW Clients, who can only authenticate by IP and don't
>> support registration with user/passwd. But my DID Provider doesn't support
>> 302 redirect, although I have tested with the Eyebeam Client in peer to peer
>> mode and it works. But as it didn't work with my provider, I tried another
>> way:
>>
>> 2) uac_replace_from & uac_replace_to functions of the uac.so module. I tried
>> to replace the from/to field with the client IP, but the Invite is still
>> from OpenSIP IP y.y.y.y and again Asterisk/Voipswitch (another switch)
>> rejects the call.
>>
>> If required, I can post my config file here as well, or on pastebin, for
>> your expert review. I would like to know if it is possible to achieve the
>> above scenario with OpenSIP; if yes, then how? Any example would be
>> appreciated.
>>
>> Another small problem is that while setting up the 302 redirect I wanted to
>> pass the $du value to rewritehost(""), as $du has the destination IP
>> address returned by load_balancer, and rewritehost() only accepts a string.
>> Looking for suggestions on this as well.
>>
>> Hoping to receive a positive reply from the community.
>>
>> Thanks
>> Regards,
>> Muhammad Zulqarnain
>> MSN: zulqarnain at globalitvision.com
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>
> -- Bogdan-Andrei Iancu
> www.voice-system.ro
>
>
>
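
The advice quoted in this message (remove any client-supplied copy of the header before the proxy adds its own) is modelled below as an added Python example; it is not code from the thread or from OpenSIPS. The function names, the host proxy.example and the sample INVITE are constructed for illustration.

```python
TRUSTED = "X-customer-ip"  # header name used in the thread

def split_message(raw):
    """Split a SIP message into start line, unfolded header lines and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()  # folded continuation line
        else:
            headers.append(line)
    return lines[0], headers, body

def header_values(raw, name):
    """Every value of a header, in order; SIP header names are case-insensitive."""
    _, headers, _ = split_message(raw)
    return [h.partition(":")[2].strip() for h in headers
            if h.partition(":")[0].strip().lower() == name.lower()]

def strip_and_stamp(raw, src_ip, name=TRUSTED):
    """Drop every client-supplied copy of the header, then add the proxy's own."""
    start, headers, body = split_message(raw)
    kept = [h for h in headers
            if h.partition(":")[0].strip().lower() != name.lower()]
    kept.append(f"{name}: {src_ip}")
    return "\r\n".join([start] + kept) + "\r\n\r\n" + body

def append_only(raw, src_ip, name=TRUSTED):
    """Unsafe variant: append the header without removing what the client sent."""
    start, headers, body = split_message(raw)
    headers.append(f"{name}: {src_ip}")
    return "\r\n".join([start] + headers) + "\r\n\r\n" + body

# Constructed INVITE from a client at 203.0.113.7 that already carries the
# header (mixed case on purpose: the removal must match case-insensitively).
SPOOFED = (
    "INVITE sip:123456789@proxy.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:7266;branch=z9hG4bK-constructed\r\n"
    "x-CUSTOMER-ip: 192.168.1.1\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
```

With `append_only`, the downstream server receives two values and the result depends on which one it reads; with `strip_and_stamp`, only the proxy's value survives. In an OpenSIPS script the same ordering means calling `remove_hf("X-customer-ip")` before the `append_hf` line quoted above.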



      