Mike Fedyk
2008-Mar-25 04:04 UTC
[asterisk-users] Sip exten matching based on contact: sip header?
Asterisk: 1.4.17 with sip realtime
Openser 1.3.x

Hi,

I had this setup working fine until I tried putting OpenSER in the picture as a proxy. Unauthenticated calls go to a PRI based app via a ZAP channel, calls to sip users get sent to them, etc.

Now with a proxy in the picture asterisk asks the incoming calls for authentication "407 Proxy Authentication Required".

It seems that the sip channel matching is based only on source IP address instead of also checking the contact: header as mentioned in the O'Reilly book.

According to Asterisk 2nd edition it says about insecure "... If you set insecure=invite, you'll determine which peer to match on by comparing the IP address or hostname and port number to those provided in the contact field of the SIP header with the host and port options in sip.conf. If a match is found, authentication will not be required on the initial INVITE, and the call will be allowed."

The funny thing is that if I do a 'sip reload' and receive a call from one of my DIDs through the provider it goes to the default context when received through OpenSER as expected. But once a sip realtime user makes a call it will match their peer instead of the one specified with the provider's IP address.

I've seen this in my logs after turning on sip debugging, it looks like different users get matched based on the sort of the sip peers list (which can change based on how long ago a reload was done and who has been active because of sip realtime).

    [Mar 24 17:04:23] Sending to 74.x.x.x : 5060 (no NAT)
    [Mar 24 17:04:23] Using INVITE request as basis request - blahblah at 64.x.x.x
    [Mar 24 17:04:23] Found peer 'some_peer'

The sip users have their host=ip_of_openser so I can understand why it would get confused if it didn't check the contact header for clarification since a call is also coming from that source IP address when proxied through openser.

Maybe I'm approaching this from the wrong direction, anyone have any ideas?

Mike

    [privider1a]
    type=peer
    host=67.x.x.x
    insecure=invite,port
    context=default
    qualify=999

    [provider1a]
    type=peer
    host=67.x.x.x
    insecure=invite,port
    context=default
    qualify=999

    [provider2]
    type=peer
    ;host=sip.provider2.com
    host=64.x.x.x
    insecure=invite,port
    context=default
    qualify=999

Grey Man
2008-Mar-25 05:21 UTC
[asterisk-users] Sip exten matching based on contact: sip header?
On Tue, Mar 25, 2008 at 4:04 AM, Mike Fedyk <mike at reachme.com> wrote:
>
> It seems that the sip channel matching is based only on source IP address
> instead of also checking the contact: header as mentioned in the O'Reilly
> book.
>
> According to Asterisk 2nd edition it says about insecure "... If you set
> insecure=invite, you'll determine which peer to match on by comparing the IP
> address or hostname and port number to those provided in the contact field
> of the SIP header with the host and port options in sip.conf. If a match is
> found, authentication will not be required on the initial INVITE, and the
> call will be allowed."

Hi Mike,

I've never heard of Asterisk authenticating based on the Contact header. The Contact header set by client side user agents will often contain a private IP address and it's also possible it could contain a hostname, so authenticating based on it would be a tricky proposition.

My understanding of using insecure=invite was that ONLY the host and port would be used for matching the INVITE requests to an Asterisk SIP account entry rather than the username and secret. You could also use insecure=port to specify that the port, username and secret would all be ignored and only the host used when matching.

Regards,
Greyman.
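
An added example, not part of either post: a small audit over sip.conf-style text that flags any host address shared by several entries when at least one of them has insecure=invite, the situation in this thread where calls arriving from the proxy's address can be matched to the wrong entry. It assumes matching on source address as the posts describe; the section names and addresses in the sample are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in sip.conf syntax; names and addresses are made up.
SAMPLE_SIP_CONF = """\
[provider1]
type=peer
host=192.0.2.10
insecure=invite,port

[alice]            ; user reached through the proxy
type=friend
host=198.51.100.5  ; proxy address

[did-via-proxy]
type=peer
;host=proxy.example.net
host=198.51.100.5
insecure=invite,port
"""

def parse_peers(text):
    """Return {section: {key: value}}; ';' starts a comment, last key wins."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = peers.setdefault(line[1:line.index("]")], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return peers

def shared_host_findings(peers):
    """Hosts shared by several entries where at least one skips INVITE auth."""
    by_host = defaultdict(list)
    for name, opts in peers.items():
        host = opts.get("host", "dynamic")  # registered peers have no fixed host
        if host != "dynamic" and opts.get("type") in ("peer", "friend"):
            by_host[host].append(name)
    findings = []
    for host, names in sorted(by_host.items()):
        no_auth = sorted(n for n in names
                         if "invite" in peers[n].get("insecure", "").split(","))
        if len(names) > 1 and no_auth:
            findings.append((host, sorted(names), no_auth))
    return findings

if __name__ == "__main__":
    for host, names, no_auth in shared_host_findings(parse_peers(SAMPLE_SIP_CONF)):
        print(f"{host}: shared by {names}; INVITE auth skipped for {no_auth}")
```

For realtime peers the same check can be run over rows exported from the database, passed in as the same name-to-options mapping.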