Pjsip: Don’t Require Authentication From Remote I Register To


I’m being told by my ITSP that my Asterisk shouldn’t be challenging their system to authenticate (i.e. a 401 response) when they send me a SIP MESSAGE (or I suppose a SIP INVITE for that matter).

But I’m not sure what a pjsip.conf configuration for that looks like.

How does one associate an incoming call/message with an existing authenticated outgoing registration so that Asterisk doesn’t return a 401 requiring authentication?

Cheers, b.

4 thoughts on - Pjsip: Don’t Require Authentication From Remote I Register To

  • That’s what I did:

    [itsp]
    type=registration
    transport=transport-udp
    outbound_auth=itsp-auth
    server_uri=sip:pop1.itsp.example.com
    client_uri=sip:XXX@pop1.itsp.example.com

    [itsp-auth]
    type=auth
    auth_type=userpass
    password=XXX
    username=XXX

    [itsp-endpoint](!)
    type=endpoint
    transport=transport-udp
    context=from-itsp
    message_context=messages
    disallow=all
    allow=ulaw
    from_user=XXX
    outbound_auth=itsp-auth
    auth=itsp-auth
    send_pai=yes

    [itsp-aor](!)
    type=aor
    qualify_frequency=15

    [itsp-pop1](itsp-endpoint)
    aors=itsp-pop1

    [itsp-pop1](itsp-aor)
    contact=sip:XXX@pop1.itsp.example.com:5060

    [itsp-pop1]
    type=identify
    endpoint=itsp-pop1
    ;match=pop1.itsp.example.com
    match=192.168.5.6

    but SIP INVITE and SIP MESSAGE packets coming from 192.168.5.6 are still being challenged with 401 and not even printing any errors/warnings in the console about not being able to find an endpoint.

    I’ll read up on that and try in the meanwhile.

    Cheers, b.

  • My provider seems to implement this.

    However even with the line=… in the:

    SIP to address: sip:5555551212@:5060;line=dpnlyiu

    res_pjsip is still sending a 401 challenge.

    Removing the:

    auth=itsp-auth

    from my endpoint [template]:

    [itsp-endpoint](!)

    Has stopped pjsip from sending a 401 when my ITSP sends a SIP MESSAGE, but do I really want to have that endpoint without authentication?

    Cheers, b.

  • They are implying, as I am understanding them, that somehow SIP packets they send me shouldn’t need to be authenticated because they are associated (i.e. “identify”ed in pjsip nomenclature) with my registration to them. It all sounds suspect to me but that’s what I am understanding them to be saying.

    Ultimately, if I have this endpoint and it’s unauthenticated, does it create a security risk?

    I suppose anyone could forge a UDP packet as coming from their IP address, and as it’s “identify”ed by IP on my side, I would accept it without authentication being necessary.

    But then I suppose they are only getting access to being able to connect into an incoming dialplan context, so ringing extensions here, but not being able to launch an outbound (money costing) phone call, at least without there being dialplan support to make outgoing calls when calling in (i.e. like a calling card application or somesuch, which should have its own authentication anyway).

    Yes, completely understood.

    b.

  • Can I eliminate the identify by IP address then, given that my ITSP is supporting the line parameter? Or, even better, require them both to be identified?

    I guess this is just a risk that everyone lives with. As a limited scope risk, anyway.

    Cheers, b.