[asterisk-bugs] [Asterisk 0013296]: "From" shouldn't be matched against "users" if INVITE arrives from a "peer" IP

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Aug 13 08:14:11 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13296 
====================================================================== 
Reported By:                ibc
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   13296
Category:                   Channels/chan_sip/General
Reproducibility:            have not tried
Severity:                   minor
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-08-13 04:30 CDT
Last Modified:              2008-08-13 08:14 CDT
====================================================================== 
Summary:                    "From" shouldn't be matched against "users" if INVITE arrives from a "peer" IP
Description: 
Hi, I've realized that Asterisk matches "From" header even if the call
arrives via a defined "peer" IP, so Asterisk asks it for authentication
(that is not possible coming from a provider).

Example:

sip.conf:
----------
[200]
type=friend
host=dynamic
secret=*****

[provider]
type=peer
host=1.2.3.4
----------

If the following INVITE arrives from IP 1.2.3.4 then Asterisk will reject
it with "403 Forbidden" since it matches the "From:
sip:200@sip_provider.com" against user 200:

---------------
INVITE sip:999888777@asterisk_ip.org SIP/2.0
From: <sip:200@sip_provider.com>
---------------

IMHO Asterisk must not try to match a user ("From") if the INVITE arrives
from a peer IP.
The only way to solve it is by ensuring that any INVITE arriving from the
peer has a "From" different from any Asterisk user, which is impossible
(imagine the case in which Asterisk receives a call from an external SIP
provider with a peering relation with "sip_provider.com"), something like:

---------------
INVITE sip:999888777@asterisk_ip.org SIP/2.0
From: <sip:200@sip_provider.com>
P-Asserted-Identity: <sip:999888777@sip_provider.com>
---------------

PS: I know Asterisk doesn't handle PAI header, imagine then it's RPID.

====================================================================== 

---------------------------------------------------------------------- 
 (0091361) oej (manager) - 2008-08-13 08:14
 http://bugs.digium.com/view.php?id=13296#c91361 
---------------------------------------------------------------------- 
Yes, thus the recommendation that you should not use user names that
correspond to extension names at all. Use random strings or MAC addresses.
Anything else may cause namespace conflicts.

The device names and extensions are two different worlds. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-08-13 08:14 oej            Note Added: 0091361                          
======================================================================
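
As an added example (not part of the ticket and not Asterisk code), the check below applies the note's recommendation: it parses a sip.conf and lists type=user/type=friend entries whose names are also dialplan extensions, the condition under which a From user relayed by a peer is taken for a local device. The sample config, the MAC-style device name and the extension list are constructed for illustration.

```python
import re

# Constructed sample mirroring the sip.conf on this page, plus one device
# named the way the note recommends (a MAC-style string).
SAMPLE_SIP_CONF = """\
[200]
type=friend
host=dynamic
secret=*****

[provider]
type=peer
host=1.2.3.4

[0004f2a1b2c3]
type=friend
host=dynamic
"""

def parse_sections(text):
    """Return {section_name: {key: value}} for a sip.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\](?:\(.*\))?", line)  # allow [name](template)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def from_collisions(sip_conf, extensions):
    """Names of type=user/friend entries that are also dialplan extensions."""
    # Such a name can arrive as the From user of a call relayed by a
    # type=peer provider and be matched as the local user instead.
    ext = set(extensions)
    return sorted(name for name, opts in parse_sections(sip_conf).items()
                  if opts.get("type", "").lower() in ("user", "friend")
                  and name in ext)

if __name__ == "__main__":
    # Hypothetical extension list; in practice taken from extensions.conf.
    print(from_collisions(SAMPLE_SIP_CONF, ["200", "201", "999888777"]))
```

Entries reported here are the ones to rename to a random string or MAC address, keeping the extension number only in the dialplan.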



