[OpenSIPS-Users] Help with Inbound PSTN, and Inbound SIP URI Authentication Sub-Routine

T.R. Missner tr at voipjedi.com
Tue Sep 14 23:00:12 CEST 2010


I've used the permissions module for this in the past.
Essentially you can whitelist your carriers' IP addresses using permissions
module.

-tr

On Tue, Sep 14, 2010 at 4:52 PM, Brett Woollum <brett at woollum.com> wrote:

> Hi Kennard,
>
> I need to provide some level of authentication for incoming calls. This is
> because I need to allow my PSTN gateways to bring any calls for my DIDs into
> OpenSIPS, but I don't want to open the door and allow anybody from the
> internet to call any of my DIDs using a direct URI. I have a database table
> that contains incoming DIDs that I process calls from my gateway against,
> and a sepearate database table which contains incoming SIP URI's that I
> process completely unauthenticated calls against.
>
> In this scenario, my PSTN gateway can bring calls into sip:
> +13145551212 at mysipdomain.com, but an Internet user cannot call that
> number. On the other hand, an unauthenticated Internet user can call
> sip:mycompany at mysipdomain.com <sip%3Amycompany at mysipdomain.com>sucessfully.
>
> Does this make sense?
>
> Brett W
>
> Sent from my iPhone
>
> On Sep 14, 2010, at 8:44 AM, Kennard_White at logitech.com wrote:
>
> Hi Brett,
>
> For what it is worth, I do it the other way around: I check the source IP,
> and if from a PSTN provider process the telephone number as appropriate for
> them; otherwise I do user auth.
>
> A question: if you're allowing "outside" users to call in, why authenticate
> any INVITE traffic? (Ok, you have to authenticate traffic going to PSTN from
> your subscribers, but other than that...)?
>
> Regards,
> Kennard
>
> <graycol.gif>Brett Woollum ---09/14/2010 02:26:33 AM---David, The
> "is_from_local" function is just what I needed. It will allow me to decipher
> whether or
>
>
> From: Brett Woollum <brett at woollum.com>
> To: OpenSIPS users mailling list <users at lists.opensips.org>
> Date: 09/14/2010 02:26 AM
> Subject: Re: [OpenSIPS-Users] Help with Inbound PSTN, and Inbound SIP URI
> Authentication Sub-Routine
> Sent by: users-bounces at lists.opensips.org
>
> ------------------------------
>
>
>
> David,
>
> The "is_from_local" function is just what I needed. It will allow me to
> decipher whether or not the user appears local or not, and authenticate them
> if so (ie: a subscriber), or check their IP if not (ie: from my gw).
>
> Thanks!
>
> Brett Woollum
>  <Brett at Woollum.com>Brett at Woollum.com
>
>
> ----- Original Message -----
> From: "David J." <david at styleflare.com>
> To: "OpenSIPS users mailling list" <users at lists.opensips.org>
> Sent: Tuesday, September 14, 2010 1:08:38 AM GMT -08:00 US/Canada Pacific
> Subject: Re: [OpenSIPS-Users] Help with Inbound PSTN, and Inbound SIP URI
> Authentication Sub-Routine
>
> It depends on your configuration.
>
> You can place it before or after.
>
> Because you dont want to authenticate inbound calls, you can have a simple
> if statement that checks if the user is not local and alias exists, then
> relay to that alias.
>
> Not real code:
>
> if(not_from_local){
> if(alias()){
> relay;
> }
> }
>
> On 9/14/10 3:32 AM, Brett Woollum wrote:
>
>
>
>       Hi David,
>
>       As far as I can tell, the alias module is independent of how the
>       call is authenticated. My understanding is that it will look for a
>       replacement URI based on the current one, and replace if a new one is found.
>       It appears as though this "function" would go into the config file somewhere
>       after the section I'm working on now.
>
>       Is my understanding correct?
>
>       I'll need some way to determine if this is an inbound call (i.e.;
>       not originating from a subscriber's phone) prior to mapping it to the alias
>       module. Also, I'd like to determine if the incoming call is from my PSTN
>       gateway and give different aliases than if the call was a SIP URI call.
>
>       Brett Woollum
>       *Brett at Woollum.com* <Brett at Woollum.com>
>
>
>       ----- Original Message -----
>       From: "David J." *<david at styleflare.com>* <david at styleflare.com>
>       To: "OpenSIPS users mailling list" *<users at lists.opensips.org>*<users at lists.opensips.org>
>       Sent: Tuesday, September 14, 2010 12:20:23 AM GMT -08:00 US/Canada
>       Pacific
>       Subject: Re: [OpenSIPS-Users] Help with Inbound PSTN, and Inbound
>       SIP URI Authentication Sub-Routine
>
>       Hi Brett,
>
>       The common practice is to use the alias module for inbound routing.
>
>       You can look at the docs for its usage, but essentially you can map
>       DID's to local users.
>
>
>
>       On 9/14/10 3:18 AM, Brett Woollum wrote:
>
>             Hello!
>
>             I have an OpenSIPS 1.6.3 installation that is working well. I
>             have subscribers registering to OpenSIPS, and they can dial between each
>             other and outside of my domain (to my media servers and to the PSTN). All is
>             well.
>
>             I am now beginning to write the configuration that will
>             process inbound calls - meaning calls from non-subscribers. This will
>             include calls from the PSTN gateway, as well as direct SIP URI calls to the
>             OpenSIPS subscribers. For example, a person can call 515-555-1212 from a
>             regular phone, and the call will come to OpenSIPS as an un-authenticated
>             call from my PSTN gateway. Also, I'd like to accept SIP URI's for incoming
>             calls. For example, calling *mycompany at mysipdomain.com*<mycompany at mysipdomain.com>from a soft phone might route the call to subscriber A's phone.
>
>             The code I have that applies to this is: (This is currently
>             configured to authenticate all outbound calls from subscribers only.)
>             # authenticate if from local subscriber
>             if (!(method=="REGISTER")) {
>             if (!proxy_authorize("", "subscriber")) {
>             proxy_challenge("", "0");
>             exit;
>             }
>             if (!db_check_from()) {
>             send_reply("403","Forbidden auth ID");
>             exit;
>             }
>
>             consume_credentials();
>             # caller authenticated
>             }
>
>             I am looking for direction on how to expand this to determine
>             if the call is A) from a subscriber calling outbound, B) inbound from the
>             PSTN, or C) inbound from any other user calling my SIP URI's. Once I am able
>             to determine this information, I'll be able to route the call appropriately
>             within the rest of my scripts.
>
>             My problem is that my SIP phones usually attempt to place
>             calls without including authorization in the header (because they are
>             registered already), then OpenSIPS replies requiring proxy authentication.
>             The SIP phones will then try the call again including the credentials in the
>             header, which works. How can I re-write this section of code to allow
>             inbound SIP URI calls and calls from my PSTN gateway, while still asking my
>             subscribers to authenticate? Or, is there a method that might work better?
>
>             Notes:
>             - Each of my PSTN gateway's has a static IP.
>             - It's safe to assume a single-domain setup (mysipdomain.com).
>
>             Thanks in advance!
>
>             Brett Woollum*
>             **Brett at Woollum.com* <Brett at Woollum.com>
>
>
>             _______________________________________________
>             Users mailing list
>             *Users at lists.opensips.org* <Users at lists.opensips.org>
>             *http://lists.opensips.org/cgi-bin/mailman/listinfo/users*<http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
>
>       _______________________________________________ Users mailing list *
>       Users at lists.opensips.org* <Users at lists.opensips.org> *
>       http://lists.opensips.org/cgi-bin/mailman/listinfo/users*<http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
>       _______________________________________________
>       Users mailing list
>       *Users at lists.opensips.org* <Users at lists.opensips.org>
>       *http://lists.opensips.org/cgi-bin/mailman/listinfo/users*<http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
>
>
> _______________________________________________ Users mailing list
> Users at lists.opensips.org
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> _______________________________________________
> Users mailing list
>  <Users at lists.opensips.org>Users at lists.opensips.org
>  <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.opensips.org/pipermail/users/attachments/20100914/101a23cb/attachment.htm 


More information about the Users mailing list