We have a scenario where we need multiple discrete SIP trunks (peers)
from/to a single endpoint. Because the authentication system starts by
matching IP address, it only ever matches on one of the SIP peer
entries, and ignores the others. This is documented behaviour and as
such is “correct”. I would like to propose an extension to how SIP
peers are authenticated in this case:
1) Initial INVITE arrives, scan the list of all matching peer IP addresses.
If a peer with no password is found, proceed with that peer immediately.
2) …otherwise, a password is required, so send 407 challenge
3) INVITE arrives with Basic-Auth.
Scan for /all/ matching peers based on IP address. If one of the
matching peers has a section name matching the Basic-Auth username,
use it to proceed.
4) I am not sure whether it is worth dropping through and testing auth
against other peers if there is no username match. Can auth ever
succeed under those circumstances (password matches, but not
Thanks for any feedback.