Summary: | ASTERISK-11449: [patch] SIP INVITES authorization from multiple IP addresses | ||
Reporter: | BicomSystems Ltd. (fkasumovic) | Labels: | |
Date Opened: | 2008-02-15 10:23:20.000-0600 | Date Closed: | 2011-06-07 14:02:39 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_sip/NewFeature |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) chan_sip_12.diff ( 1) chan_sip.c.diff | |
Description: | In the current implementation, SIP INVITEs are authorized either per username or per single IP address. Many providers send SIP INVITEs from multiple C classes and therefore it is very hard (if not impossible) to configure that via SIP peers. The only workaround is a combination of the [general] context and iptables.

Here is a patch that provides such functionality. The SIP peer has to be configured as type=peer, insecure=invite (or insecure=very) with defined permit/deny rules:

[provider]
type=peer
insecure=very
deny=0.0.0.0/0.0.0.0
permit=10.2.1.0/255.255.255.0
permit=192.168.0.0/255.255.0.0

This is almost identical to how permit/deny rules work for SIP REGISTER packets.

****** ADDITIONAL INFORMATION ******

There are two patches: one for Asterisk trunk, the other for the old, unmaintained 1.2 version. | ||
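The permit/deny matching that the description relies on, as an added example in C (not code from the attached patches or from Asterisk). The type and function names are hypothetical, and it assumes rules are checked in configuration order with the last matching rule deciding.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

/* One permit/deny line of a peer entry (illustrative type, not Asterisk's). */
struct acl_rule {
    int permit;     /* 1 = permit, 0 = deny */
    uint32_t net;   /* network address, host byte order */
    uint32_t mask;  /* netmask, host byte order */
};

/* Fill a rule from a dotted-quad address and netmask. Returns 0, or -1 on bad input. */
int acl_parse(struct acl_rule *r, int permit, const char *addr, const char *mask)
{
    struct in_addr a, m;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    r->permit = permit;
    r->mask = ntohl(m.s_addr);
    r->net = ntohl(a.s_addr) & r->mask;  /* drop stray host bits */
    return 0;
}

/* Assumed semantics: rules are checked in configuration order, the last
 * matching rule decides, and an empty list allows every source. */
int acl_allows(const struct acl_rule *rules, size_t n, const char *src)
{
    struct in_addr s;
    int verdict = 1;
    if (inet_pton(AF_INET, src, &s) != 1)
        return 0;  /* unparsable source address: reject */
    uint32_t ip = ntohl(s.s_addr);
    for (size_t i = 0; i < n; i++)
        if ((ip & rules[i].mask) == rules[i].net)
            verdict = rules[i].permit;
    return verdict;
}

/* Load the three rules of the [provider] entry. Returns 0, or -1 if any rule
 * fails to parse, in which case the caller must not use the rule list. */
int provider_acl(struct acl_rule out[3])
{
    if (acl_parse(&out[0], 0, "0.0.0.0", "0.0.0.0") ||
        acl_parse(&out[1], 1, "10.2.1.0", "255.255.255.0") ||
        acl_parse(&out[2], 1, "192.168.0.0", "255.255.0.0"))
        return -1;
    return 0;
}
```

Under these semantics, moving the deny line after the permit lines rejects every source, so rule order is part of what the peer entry means.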
Comments: |

By: Olle Johansson (oej) 2008-02-16 04:51:33.000-0600
Why don't you use the realm based authentication? That is made for this case.

By: Olle Johansson (oej) 2008-02-16 04:53:31.000-0600
Hmm. I see from reading your patch that you have the issue on incoming calls from the provider. My misunderstanding. I would rather go by domain matching in combination with ACL. Only using ACL and no host or domain entry is not a solution I would favour.

By: BicomSystems Ltd. (fkasumovic) 2008-02-19 03:49:57.000-0600
Sure. This is base. Except providers don't use host domain for this. Not a bad idea to have it. You cannot have hundreds of entries in configuration, it's impractical. It's better to have the ability to add multiple IP classes in one peer entry. You can still use host domain authentication for one IP address (host=1.2.3.4). Many people have this issue. Hopefully you will add this to trunk.

By: Joshua C. Colp (jcolp) 2008-04-14 10:46:36
I would definitely agree that something like this is needed, but agree with oej on implementation.

By: Olle Johansson (oej) 2008-07-03 11:25:13
Ok, so we agree that you have pinpointed a problem we need to solve, but that we don't use your patch. We'll add it to our todo-list. If you would like to work on this with the help of us, please find us in the IRC channel or by e-mail. Thank you for contributing to Asterisk!

By: Leif Madsen (lmadsen) 2008-12-05 10:09:07.000-0600
Is the original reporter interested in providing a patch using the aforementioned method? If not, then I am sorry to say I will need to suspend this issue for now until someone wishes to move this forward with code. Thanks!

By: Olle Johansson (oej) 2009-01-29 07:26:54.000-0600
No response from reporter. Filing this for the future. |