[asterisk-bugs] [Asterisk 0013296]: "From" shouldn't be matched against "users" if INVITE arrives from a "peer" IP

Asterisk Bug Tracker noreply@bugs.digium.com
Wed Aug 13 07:43:03 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13296 
====================================================================== 
Reported By:                ibc
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   13296
Category:                   Channels/chan_sip/General
Reproducibility:            have not tried
Severity:                   minor
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-08-13 04:30 CDT
Last Modified:              2008-08-13 07:43 CDT
====================================================================== 
Summary:                    "From" shouldn't be matched against "users" if
INVITE arrives from a "peer" IP
Description: 
Hi, I've realized that Asterisk matches "From" header even if the call
arrives via a defined "peer" IP, so Asterisk asks it for authentication
(that is not possible coming from a provider).

Example:

sip.conf:
----------
[200]
type=friend
host=dynamic
secret=*****

[provider]
type=peer
host=1.2.3.4
----------

If the following INVITE arrives from IP 1.2.3.4 then Asterisk will reject
it with "403 Forbidden" since it matches the "From:
sip:200@sip_provider.com" against user 200:

---------------
INVITE sip:999888777@asterisk_ip.org SIP/2.0
From: <sip:200@sip_provider.com>
---------------

IMHO Asterisk must not try to match a user ("From") if the INVITE arrives
from a peer IP.
The only way to solve it is by ensuring that any INVITE arriving from the
peer has a "From" different from any Asterisk user, which is impossible
(imagine the case in which Asterisk receives a call from an external SIP
provider with a peering relation with "sip_provider.com", something like:

---------------
INVITE sip:999888777@asterisk_ip.org SIP/2.0
From: <sip:200@sip_provider.com>
P-Asserted-Identity: <sip:999888777@sip_provider.com>
---------------

PS: I know Asterisk doesn't handle the PAI header; imagine then that it's RPID.

====================================================================== 

---------------------------------------------------------------------- 
 (0091360) ibc (reporter) - 2008-08-13 07:43
 http://bugs.digium.com/view.php?id=13296#c91360 
---------------------------------------------------------------------- 
Yep, I already know this is the "expected" behaviour. But what I wonder is
whether it should be.

Note the example above in which Asterisk receives, via a peer, a call with
a "From" matching a user (but it's just a coincidence; also, the domains are
different).

Do you mean that this can't be handled in chan_sip and involves
architecture changes? 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-08-13 07:43 ibc            Note Added: 0091360                          
======================================================================
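
The lookup order discussed in this issue, as an added example that is not part of the original report and is not chan_sip's code. It is a simplified model built on the sip.conf excerpt above; the function names and the `peer_ip_first` switch (standing in for the reporter's proposal) are hypothetical.

```python
# Added illustration: a simplified model of the lookup order described in
# this report, NOT chan_sip's code. Section names and the peer IP come from
# the sip.conf excerpt in the report; everything else is constructed.
import re

SIP_CONF = {
    "200": {"type": "friend", "host": "dynamic", "secret": "*****"},
    "provider": {"type": "peer", "host": "1.2.3.4"},
}

def from_user(from_header):
    """Extract the user part of the URI in a From header value."""
    m = re.search(r"sips?:([^@;>]+)@", from_header)
    return m.group(1) if m else None

def match_user(conf, from_header):
    """Match the From user part against type=user/friend sections."""
    name = from_user(from_header)
    entry = conf.get(name)
    if entry and entry["type"] in ("user", "friend"):
        return name
    return None

def match_peer(conf, src_ip):
    """Match the source IP against type=peer/friend sections with a static host."""
    for name, entry in conf.items():
        if entry["type"] in ("peer", "friend") and entry.get("host") == src_ip:
            return name
    return None

def classify(conf, src_ip, from_header, peer_ip_first=False):
    """Return (matched_section, needs_auth) for an incoming INVITE."""
    steps = [lambda: match_peer(conf, src_ip),
             lambda: match_user(conf, from_header)]
    if not peer_ip_first:
        steps.reverse()  # order described in the report: From user first
    for step in steps:
        name = step()
        if name:
            return name, "secret" in conf[name]
    return None, False

if __name__ == "__main__":
    hdr = "<sip:200@sip_provider.com>"  # constructed from the report's INVITE
    print(classify(SIP_CONF, "1.2.3.4", hdr))                      # ('200', True)
    print(classify(SIP_CONF, "1.2.3.4", hdr, peer_ip_first=True))  # ('provider', False)
```

In the first call the caller-supplied From user selects section 200 and its secret, which the provider cannot answer; in the second the source IP selects the provider section before the From header is consulted.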



