# first sort out iptel.org requests from those destined somewhere else
####################################################################################

route[0] {
# request for iptel.org with IP address in it ... fix it and proceed
# note: may result in troubles as authentication covers URI
uri=~"^sip:.*195\.37\.77\.101" rewritehost("iptel.org"); route(1);

# request for iptel.org ... proceed
uri=~"iptel.org" route(1);

# requests to somewhere else
# - REGISTERs denied
method=="REGISTER" log("attempt to relay REGISTERs"); drop;

# - anything else relayed via our outbound proxy
uri=~"."  forward("benetnash.fokus.gmd.de", 9);
}


# iptel.org traffic
####################################################################################

route [1] {

# recognize traffic we want to authenticate -- handled first to make sure 
# it will be captured before we proceed to non-authenticating routes;
# authentication for registrations or calls via Telekom which start
# with optional + and 0

#PROFILE
(method=='REGISTER' | uri=~"sip:+?0[0-9]*@iptel\.org") forward("benetnash.fokus.gmd.de", 9);

# dealing with voicemail 
# we need to switch traffic to voicemail directly before CSPS
# would screw it up -- it cannot deal with port numbers

(uri=~'mail.iptel.org' | uri=~'iptel.org:6060' ) forward("benetnash.fokus.gmd.de", 9);

# default route: go to non-authenicating proxy
#PROFILE
(method=~".")					forward("benetnash.fokus.gmd.de", 9 );

}

# We split traffic to authenticating and non-authenticating
# SIP proxies here using sip_router. We only authenticate REGISTERs
# and PSTN destinations, everything else is not authenticated.
#
# This is a work-around for CSPS's authenticate all-or-nothing
# policy which would eliminate non-iptel.org users calling us.
# Both proxies run at separate hosts (because they would otherwise
# conflict with each other).
#
# I chose to put the non-authentication proxy on the public host
# because we use it for outbound routing -- that would not work
# if the proxy would be in non-routable realm. Drawback:
# SQL and Cisco synchronization noise between dog and fox.
# Note that this
# leaves a non-authenticating port 5060 which could be misued
# to steal REGISTERs. It would be perhaps a good idea to make
# it available only for requests from sip_router.
#
#                        /--REGISTERs----dog:5061,w/auth
#      iptel.org:5060---/                             ||   proprietary Cisco contact DB sharing
#                        \                            ||   and MySQL
#                        \---anything_else----iptel.org:5061,w/o/auth