Opensips


Opensips

LAVer
Hi. Please help.
We have:
One MGW: Cisco AS5350
UserID = telephone number, with registration on OpenSIPS through MySQL
Calls to the PSTN pass through the MGW with the prefix 9999:

Currently this scheme works:

(UAC       )---->sip----->Opensips 1.7--->SIP--->MGW Cisco
85.85.85.95               85.85.85.85                 85.85.85.11
RTP----------------------------------------------------------->MGW Cisco-------->PSTN

Here is an example CFG file that works now:
In the "183" message the prefix and the gateway IP are visible, and that could be a fraud risk.
Here, if you use the function topology_hiding(), the exchange does not go correctly:
the "BYE" gets the message "404 Not here" instead of "200 OK".
I use client_nat_test to cut off all registration requests that come from behind NAT,
but it does not work!

port=5060
listen=udp:85.85.85.85:5060   # OpenSIPS server

route {
    if (has_totag()) {
        # sequential request within a dialog
        if (loose_route()) {
            if (is_method("BYE")) {
                setflag(1);
                setflag(3);
            } else if (is_method("INVITE")) {
                #topology_hiding();
                record_route();
            }
            route(1);
        } else {
            if (is_method("ACK")) {
                if (t_check_trans()) {
                    t_relay();
                    exit;
                } else {
                    exit;
                }
            }
            sl_send_reply("404","Not here");
        }
        exit;
    }

    # initial requests
    if (is_method("CANCEL")) {
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();

    # authenticate if from local subscriber (uncomment to enable auth)
    # authenticate all initial non-REGISTER requests that pretend to be
    # generated by a local subscriber (domain from FROM URI is local)
    if (!(method=="REGISTER") && from_uri==myself) { # no multidomain version
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        }
        if (!db_check_from()) {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }
        consume_credentials();
    }

    # preloaded route checking
    if (loose_route()) {
        xlog("L_ERR","Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
        if (!is_method("ACK"))
            sl_send_reply("403","Preload Route denied");
        exit;
    }

    # record routing
    if (!is_method("REGISTER|MESSAGE")) record_route();

    # account only INVITEs
    if (is_method("INVITE")) {
        #if (!src_ip=="85.85.85.11") { # CISCO MGW IP
        #    topology_hiding();
        #}
        setflag(1); # do accounting
    }

    if (!uri==myself) { ## replace with following line if multi-domain support is used
        route(1);
    }

    # requests for my domain
    if (is_method("PUBLISH")) {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }

    if (is_method("REGISTER")) {
        #if (client_nat_test("3")) {
        #    sl_send_reply("403", "Not working NAT");
        #    exit;
        #}

        # authenticate the REGISTER requests (uncomment to enable auth)
        if (!www_authorize("", "subscriber")) {
            www_challenge("", "0");
            exit;
        }
        if (!db_check_to()) {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }
        if (!save("location"))
            sl_reply_error();
        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }

    # do lookup with method filtering (only for calls coming from the MGW)
    if ((src_ip=="85.85.85.11") && (!lookup("location"))) {
        switch ($retcode) {
            case -1:
            case -3:
                t_newtran();
                t_reply("404", "Not Found");
                exit;
            case -2:
                sl_send_reply("405", "Method Not Allowed");
                exit;
        }
    }

    # when routing via usrloc, log the missed calls also
    setflag(2);

    if (src_ip=="85.85.85.11") {
        route(1);
    }
    route(3);
}

route[1] {
    # for INVITEs enable some additional helper routes
    if (is_method("INVITE")) {
        t_on_branch("2");
        t_on_reply("2");
        t_on_failure("1");
    }
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
####################################################
route[3] {
    # everything else goes to the PSTN through the MGW with the 9999 prefix
    prefix("9999");
    rewritehostport("85.85.85.11:5060");
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
####################################################
branch_route[2] { xlog("new branch at $ru\n"); }
onreply_route[2] { xlog("incoming reply\n"); }

failure_route[1] {
    if (t_was_cancelled()) { exit; }
}


This is not safe; it is necessary to build a new scheme:
(UAC      )--->sip,RTP---->(Opensips--->rtp,SIP------>)----->MGW Cisco--->PSTN
85.85.85.95                    (85.85.85.85   192.168.0.2)      192.168.0.3

Questions:
1. How to hide the network topology from the users (can the dialog module, function topology_hiding(), be used?)
2. How to hide the RTP traffic to the MGW behind the OpenSIPS server (can MediaProxy or rtpproxy be used?)
3. Cut off everyone who is behind NAT!!!
Please give example opensips.cfg files.

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Opensips

Bogdan-Andrei Iancu-2
Hello,

The best option for you is to use the dialog module with topology hiding. This can be easily combined with any of the media relays (rtpproxy or mediaproxy) for hiding the media path.

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 28.02.2014 10:14, Антон Лытаев wrote:
> Hi. Please help.
> [...]

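An added example of how the three requests in the question map onto the posted script along the lines of the reply (dialog-module topology hiding plus rtpproxy as the media relay). This is not code from the thread or from the OpenSIPS project. It assumes OpenSIPS 1.7 with the dialog, textops, nathelper and rtpproxy modules loaded next to the modules the posted script already uses, an rtpproxy daemon on the OpenSIPS host listening on the public address with its control socket on udp:127.0.0.1:7722, and the addresses of the second diagram in the post. The function names (create_dialog(), topology_hiding_match(), nat_uac_test(), unforce_rtp_proxy()) are those of the 1.x module READMEs; check them against the README of the installed version before relying on them. The "404 Not here" on BYE that the poster sees is produced by the posted script itself: a topology-hidden dialog carries no Route header, so loose_route() fails in the has_totag() block and the else branch sends the 404; the topology_hiding_match() call is what closes that gap.

```cfg
# Added example, not from the thread. Assumes OpenSIPS 1.7 with the dialog,
# textops, nathelper and rtpproxy modules loaded next to the modules the
# posted script already uses, and an rtpproxy daemon on the OpenSIPS host:
#   rtpproxy -l 85.85.85.85 -s udp:127.0.0.1:7722
# Addresses are those of the second diagram in the post.
listen=udp:85.85.85.85:5060        # public side: subscribers
listen=udp:192.168.0.2:5060        # private side: MGW

modparam("dialog", "dlg_match_mode", 1)
modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")

route {
    if (has_totag()) {
        # A topology-hidden dialog carries no Record-Route/Route headers,
        # so loose_route() fails for its BYE, ACK and re-INVITE and the
        # posted script fell through to "404 Not here". The dialog module
        # matcher recovers the real next hop from the stored dialog.
        if (loose_route() || topology_hiding_match()) {
            if (is_method("BYE")) {
                unforce_rtp_proxy();          # release the media session
                setflag(1); setflag(3);       # accounting, as before
            }
            route(1);
        }
        if (is_method("ACK") && t_check_trans()) { t_relay(); exit; }
        sl_send_reply("404", "Not here");
        exit;
    }

    # CANCEL handling, t_check_trans(), proxy_authorize()/db_check_from()
    # and the preloaded-Route check stay as in the posted script.

    if (is_method("REGISTER")) {
        # Question 3: refuse subscribers behind NAT. 19 = 1 (private IP in
        # Contact) + 2 (source IP differs from Via) + 16 (source port
        # differs from Via port). fix_nated_register() would be the usual
        # choice, but rejection is what was asked for.
        if (nat_uac_test("19")) {
            sl_send_reply("403", "NAT clients not accepted");
            exit;
        }
        # www_authorize()/db_check_to()/save("location") as in the posted script
        exit;
    }

    if ($rU==NULL) { sl_send_reply("484", "Address Incomplete"); exit; }

    if (is_method("INVITE")) {
        # Question 1: each side only ever sees this proxy in Via,
        # Record-Route and Contact. No record_route() on this path: the
        # dialog module inserts its own routing headers for hidden dialogs.
        create_dialog();
        topology_hiding();
        setflag(1);                           # accounting, as before
    } else if (!is_method("MESSAGE")) {
        record_route();
    }

    if (src_ip=="192.168.0.3") {
        # inbound from the MGW: deliver to the registered subscriber
        if (!lookup("location")) { sl_send_reply("404", "Not Found"); exit; }
        setflag(2);
        force_send_socket(udp:85.85.85.85:5060);   # leave via the public side
        route(1);
    }

    # outbound to the PSTN: add the 9999 prefix and leave through the
    # private socket; the MGW is no longer reachable from the Internet
    prefix("9999");
    rewritehostport("192.168.0.3:5060");
    force_send_socket(udp:192.168.0.2:5060);
    route(1);
}

route[1] {
    if (is_method("INVITE") && has_body("application/sdp")) {
        # Question 2: rewrite the SDP so both ends send RTP to rtpproxy on
        # 85.85.85.85; the subscriber never learns 192.168.0.3 and the MGW
        # never learns 85.85.85.95.
        rtpproxy_offer();
        t_on_reply("2");
        t_on_failure("1");
    }
    if (!t_relay()) sl_reply_error();
    exit;
}

onreply_route[2] {
    # 183 and 200 carry the MGW's SDP too: relay their media as well
    if (has_body("application/sdp")) rtpproxy_answer();
}

failure_route[1] {
    if (!t_was_cancelled()) unforce_rtp_proxy();
}
```

With a single rtpproxy address the MGW has to be able to reach 85.85.85.85 for RTP (the OpenSIPS host is its gateway in the second diagram). If the MGW should only ever talk to 192.168.0.2, start rtpproxy in bridging mode instead (-l 85.85.85.85/192.168.0.2) and pass the "ie"/"ei" direction flags to rtpproxy_offer()/rtpproxy_answer() as described in the rtpproxy module README; the exact flag semantics differ between versions, so verify them there. Rejecting NAT'd subscribers outright is unusual; most deployments use fix_nated_register()/fix_nated_contact() together with the media relay instead, which the same two modules provide.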