
Summary: ASTERISK-11449: [patch] SIP INVITES authorization from multiple IP addresses
Reporter: BicomSystems Ltd. (fkasumovic)
Labels:
Date Opened: 2008-02-15 10:23:20.000-0600
Date Closed: 2011-06-07 14:02:39
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/NewFeature
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) chan_sip_12.diff, (1) chan_sip.c.diff
Description: In the current implementation, SIP INVITEs are authorized either per username or per single IP address. Many providers send SIP INVITEs from multiple C classes, and therefore it is very hard (if not impossible) to configure that via SIP peers.

The only workaround is a combination of the [general] context and iptables.

Here is a patch that provides such functionality. The SIP peer has to be configured as type=peer, insecure=invite (or insecure=very), with defined permit/deny rules:

[provider]
type=peer
insecure=very
deny=0.0.0.0/0.0.0.0
permit=10.2.1.0/255.255.255.0
permit=192.168.0.0/255.255.0.0

This is almost identical to how permit/deny rules work for SIP REGISTER packets.

****** ADDITIONAL INFORMATION ******

There are two patches: one for Asterisk trunk, the other for the old, unmaintained 1.2 version.
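As an added illustration (not code from the attached patches or from chan_sip itself), the following Python models how a permit/deny list like the one in the description is evaluated: rules are walked in order and the last matching rule decides the verdict, which is the ordering chan_sip's ACL code uses, so the leading deny=0.0.0.0/0.0.0.0 is what turns the list into a default-deny allow-list. The peer configuration is the one quoted above; the function names and the sample source addresses are the example's own.

```python
import ipaddress

# Peer entry quoted in the issue description; only the permit=/deny= lines are ACL rules.
PEER_CONFIG = """
[provider]
type=peer
insecure=very
deny=0.0.0.0/0.0.0.0
permit=10.2.1.0/255.255.255.0
permit=192.168.0.0/255.255.0.0
"""


def parse_acl(config_text):
    """Turn permit=/deny= lines into an ordered list of (action, IPv4Network).

    Accepts Asterisk's 'addr/dotted-netmask' form as well as 'addr/prefixlen';
    a bare address is treated as a single host (/32), as chan_sip does.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # section headers, blank lines
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("permit", "deny"):
            continue  # type=, insecure= and friends are not ACL rules
        addr, _, mask = value.strip().partition("/")
        network = ipaddress.IPv4Network(f"{addr}/{mask or '32'}", strict=False)
        rules.append((key, network))
    return rules


def acl_allows(rules, source_ip):
    """Apply the ACL to the source address of an incoming request.

    Rules are evaluated in configuration order and the LAST matching rule
    wins. With no rules at all (or no match) there is no ACL restriction,
    which is why the example config starts with deny=0.0.0.0/0.0.0.0.
    """
    addr = ipaddress.IPv4Address(source_ip)
    verdict = True
    for action, network in rules:
        if addr in network:
            verdict = action == "permit"
    return verdict


def evaluate(config_text, sources):
    """Return {source_ip: allowed?} for a list of constructed source addresses."""
    rules = parse_acl(config_text)
    return {ip: acl_allows(rules, ip) for ip in sources}


if __name__ == "__main__":
    # Constructed sample INVITE source addresses, not taken from the issue.
    samples = ["10.2.1.77", "192.168.55.4", "10.2.2.1", "203.0.113.9"]
    for ip, allowed in evaluate(PEER_CONFIG, samples).items():
        print(f"{ip:>14}: {'permit' if allowed else 'deny'}")
```

Swapping the order of the rules (a permit followed by a catch-all deny) would deny everything, so when reviewing such a peer entry the position of the broad deny line is the first thing to check.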
Comments:

By: Olle Johansson (oej) 2008-02-16 04:51:33.000-0600

Why don't you use realm-based authentication? That is made for this case.

By: Olle Johansson (oej) 2008-02-16 04:53:31.000-0600

Hmm. I see from reading your patch that you have the issue on incoming calls from the provider. My misunderstanding.

I would rather go by domain matching in combination with ACL. Only using ACL and no host or domain entry is not a solution I would favour.

By: BicomSystems Ltd. (fkasumovic) 2008-02-19 03:49:57.000-0600

Sure. This is the base.
Except providers don't use host domain for this.
Not a bad idea to have it.

You cannot have hundreds of entries in the configuration; it's impractical.
It's better to have the ability to add multiple IP classes in one peer entry.
You can still use host domain authentication for one IP address (host=1.2.3.4).

Many people have this issue.
Hopefully you will add this to trunk.

By: Joshua C. Colp (jcolp) 2008-04-14 10:46:36

I would definitely agree that something like this is needed, but agree with oej on implementation.

By: Olle Johansson (oej) 2008-07-03 11:25:13

Ok, so we agree that you have pinpointed a problem we need to solve, but that we don't use your patch. We'll add it to our todo-list. If you would like to work on this with our help, please find us in the IRC channel or by e-mail.

Thank you for contributing to Asterisk!

By: Leif Madsen (lmadsen) 2008-12-05 10:09:07.000-0600

Is the original reporter interested in providing a patch using the aforementioned method? If not, then I am sorry to say I will need to suspend this issue for now, until someone wishes to move this forward with code. Thanks!

By: Olle Johansson (oej) 2009-01-29 07:26:54.000-0600

No response from reporter. Filing this for the future.