Re: [OpenSIPS-Users] Opensips

Wed, 05 Mar 2014 10:06:13 -0800 

Hello,
The best options for you is to use dialog module with topology hiding. This can be easily combined with any of the media relays (rtpproxy or mediaproxy) for hiding the media path. 

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 28.02.2014 10:14, ????? ?????? wrote:

Hi. Please help.
We have:
One MGW: Cisco AS5350
UserID=telephone number and registration on OpenSips through MySQL
Call to PSTN pass through MGW with prefix 9999:

Now, such a scheme works:

(UAC       )---->sip----->Opensips 1.7--->SIP--->MGW Cisco
85.85.85.95               85.85.85.85 85.85.85.11

RTP----------------------------------------------------------->MGW 
Cisco-------->PSTN


Here is an example CFG-file that works now:

The message "183" prefix and visible IP gateway. And that could be a 
threat of fraud.
Here: if you use the function topology_hiding (); it does not happen a 
fair exchange:

"BYE" comes to the message "404", "Not here" rather than "200 OK"

I use client_nat_test to cut off all requests for registration are 
NAT, but it does not work!


port=5060
listen=udp:85.85.85.85:5060 <http://85.85.85.85:5060> #Opensips-server
route{
if (has_totag()) {
    if (loose_route()) {
    if (is_method("BYE")) {
    setflag(1);
    setflag(3);}
    else if (is_method("INVITE")) {
    #topology_hiding();
    record_route();    }
    route(1);}
    else {
    if ( is_method("ACK") ) {
    if ( t_check_trans() ) {
    t_relay();
    exit;}
    else {
    exit;
    }}
    sl_send_reply("404","Not here");
    }
    exit;
}

#initial requests
if (is_method("CANCEL")){
if (t_check_trans())
t_relay();
exit;}

t_check_trans();

# authenticate if from local subscriber (uncomment to enable auth)
# authenticate all initial non-REGISTER request that pretend to be
# generated by local subscriber (domain from FROM URI is local)

if (!(method=="REGISTER") && from_uri==myself) #/*no multidomain version*/
{if (!proxy_authorize("", "subscriber"))
{proxy_challenge("", "0");
exit;}
if (!db_check_from())
{sl_send_reply("403","Forbidden auth ID");
exit;}
consume_credentials();
}

# preloaded route checking
if (loose_route())

{xlog("L_ERR","Attempt to route with preloaded Route's 
[$fu/$tu/$ru/$ci]");

if (!is_method("ACK"))    sl_send_reply("403","Preload Route denied");
exit;
}

# record routing
if (!is_method("REGISTER|MESSAGE")) record_route();

# account only INVITEs    if (is_method("INVITE"))
{
# if (!src_ip=="85.85.85.11") #CISCO MGW IP
#{
#        topology_hiding();
#        }
setflag(1); # do accounting
}


if (!uri==myself)    ## replace with following line if multi-domain 
support is used

{
route(1);}

# requests for my domain
if (is_method("PUBLISH")){
sl_send_reply("503", "Service Unavailable");
exit;}

if (is_method("REGISTER")){
#        if(client_nat_test("3"))
#        {
#            sl_send_reply("403", "Not working NAT");
#            exit;
#        }

# authenticate the REGISTER requests (uncomment to enable auth)
if (!www_authorize("", "subscriber"))    {
www_challenge("", "0");
exit;}
if (!db_check_to()) {
sl_send_reply("403","Forbidden auth ID");
exit;}
if (!save("location"))
sl_reply_error();
exit;
}

if ($rU==NULL) {
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}

# do lookup with method filtering
if ((src_ip=="85.85.85.11") && (!lookup("location")))
{
switch ($retcode) {
case -1:
case -3:
t_newtran();
t_reply("404", "Not Found");
exit;
case -2:
sl_send_reply("405", "Method Not Allowed");
exit;
}}

# when routing via usrloc, log the missed calls also
setflag(2);

if (src_ip=="85.85.85.11") {
route(1);}
route(3);
}

route[1] {
# for INVITEs enable some additional helper routes
if (is_method("INVITE")) {
t_on_branch("2");
t_on_reply("2");
t_on_failure("1");}
if (!t_relay()) {
sl_reply_error();};
exit;}
####################################################
route[3] {
prefix("9999");
rewritehostport("85.85.85.11:5060 <http://85.85.85.11:5060>");
if (!t_relay()) {
sl_reply_error();
};exit;
}
####################################################
branch_route[2] { xlog("new branch at $ru\n");}
onreply_route[2] { xlog("incoming reply\n"); }

failure_route[1] {
if (t_was_cancelled()) {exit;}}


It's not safe, it's necessary to build a new wiring diagram:
(UAC  )--->sip,RTP---->(Opensips--->rtp,SIP------>)----->MGW Cisco--->PSTN
85.85.85.95                    (85.85.85.85   192.168.0.2) 192.168.0.3

questions:

1. to hide the network topology from the users (can be used dialog 
module, function: topology_hiding?)
2. hide RTP traffic to MGW for Opensips-server (can be used MediaProxy 
or rtpproxy)?

3. Cut off all who are NAT!!!
Please, give examples opensips.cfg-file ?


_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users






















					Reply via email to