[asterisk-bugs] [Asterisk 0013296]: "From" shouldn't be matched against "users" if INVITE arrives from a "peer" IP

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Aug 13 11:31:33 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13296 
====================================================================== 
Reported By:                ibc
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   13296
Category:                   Channels/chan_sip/General
Reproducibility:            have not tried
Severity:                   minor
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-08-13 04:30 CDT
Last Modified:              2008-08-13 11:31 CDT
====================================================================== 
Summary:                    "From" shouldn't be matched against "users" if
INVITE arrives from a "peer" IP
Description: 
Hi, I've realized that Asterisk matches "From" header even if the call
arrives via a defined "peer" IP, so Asterisk asks it for authentication
(that is not possible coming from a provider).

Example:

sip.conf:
----------
[200]
type=friend
host=dynamic
secret=*****

[provider]
type=peer
host=1.2.3.4
----------

If the following INVITE arrives from IP 1.2.3.4 then Asterisk will reject
it with "403 Forbidden" since it matches the "From:
sip:200@sip_provider.com" against user 200:

---------------
INVITE sip:999888777@asterisk_ip.org SIP/2.0
From: <sip:200@sip_provider.com>
---------------

IMHO Asterisk must not try to match a user ("From") if the INVITE arrives
from a peer IP.
The only way to solve it is by ensuring that any INVITE arriving from the
peer has a "From" different from any Asterisk user, which is impossible.
Imagine the case in which Asterisk receives a call from an external SIP
provider with a peering relation with "sip_provider.com", something like:

---------------
INVITE sip:999888777@asterisk_ip.org SIP/2.0
From: <sip:200@sip_provider.com>
P-Asserted-Identity: <sip:999888777@sip_provider.com>
---------------

PS: I know Asterisk doesn't handle the PAI header; imagine then that it's RPID.

====================================================================== 

---------------------------------------------------------------------- 
 (0091369) ibc (reporter) - 2008-08-13 11:31
 http://bugs.digium.com/view.php?id=13296#c91369 
---------------------------------------------------------------------- 
@jsmith:
AFAIK Asterisk can know if the call came from a peer (by looking at the
source IP:port before matching the "From"). I understand it's not
implemented in this way, that's why I **suggest** it.


You said:
> I also second oej's recommendation not to mix extension names with device
> names. It'll only cause you heartache and trouble.

Maybe I must improve my REAL example (it has occurred to me today):

The world is more than ISUP/SS7 calls and VoIP is each time more extended.
For example I admin a small SIP provider and of course I allow direct
SIP_2_SIP calls between users. Also any SIP provider with peering
relationship with others does the same.

- From my phone (sip:211 in my local Asterisk) I called a PSTN number
(999888777).

- Asterisk added "P-Asserted-Identity: 999000111" before sending the INVITE
to the SIP provider.

- The SIP provider (my SIP provider in fact) checks the PAI number (it's
allowed this one for this user) and since the destination 999888777 is also
another local user (identified with "sip:client2@sip_provider.com") then my
proxy forwards the INVITE to the location of "sip:client2@sip_provider.com"
(another Asterisk).

- So the INVITE arriving to the second Asterisk is like:
 ---------------
 INVITE sip:999888777@asterisk2_IP SIP/2.0
 From: <sip:211@asterisk1_domain.com>
 P-Asserted-Identity: <sip:999000111@asterisk1_domain.com>
 ---------------

- Now the problem occurs because 211 is **also** a local user of Asterisk
2, so Asterisk 2 rejects the call (because it matches the INVITE as coming
from a user instead of coming from the peer).


As you can imagine, I **cannot** control that ANY local extension in any
other Asterisk doesn't match other local extension in any other Asterisk.
It's impossible at all!

So I hope you understand that an Asterisk administrator can do NOTHING to
avoid this problem in case it uses a SIP provider to receive calls.

So, in my opinion:
- Asterisk should first check if the call comes from a peer (IP:port).
- If not, check if it's a local user.

If not, IMHO Asterisk is not ready for a SIP world :( 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-08-13 11:31 ibc            Note Added: 0091369                          
======================================================================
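
The two lookup orders discussed in this report, as an added example that is not part of the original message and is not chan_sip code: a simplified model that classifies the reported INVITE first by "From" user and then by source IP, and the other way round. The dictionary layout, the function names and the "challenge"/"accept"/"reject" labels are assumptions made for illustration; "challenge" stands for the authentication demand that a provider cannot answer.

```python
import re

# Constructed model of the sip.conf in the report; the secret is a placeholder.
SIP_CONF = {
    "200": {"type": "friend", "host": "dynamic", "secret": "placeholder"},
    "provider": {"type": "peer", "host": "1.2.3.4"},
}

# Constructed INVITE, same Request-URI and From header as the report.
INVITE = (
    "INVITE sip:999888777@asterisk_ip.org SIP/2.0\r\n"
    "From: <sip:200@sip_provider.com>\r\n"
)

def from_user(invite):
    """Return the user part of the From URI, or None if it is absent."""
    m = re.search(r"^From:[^\r\n]*?<sip:([^@>;]+)@", invite, re.M | re.I)
    return m.group(1) if m else None

def match_user(conf, invite):
    """Match the From user against entries that can act as a user."""
    name = from_user(invite)
    entry = conf.get(name)
    return name if entry and entry["type"] in ("user", "friend") else None

def match_peer(conf, src_ip):
    """Match the source IP against entries that can act as a peer."""
    for name, entry in conf.items():
        if entry["type"] in ("peer", "friend") and entry.get("host") == src_ip:
            return name
    return None

def classify(conf, invite, src_ip, peer_first):
    """Return (matched entry, action) for the chosen lookup order."""
    steps = [lambda: match_peer(conf, src_ip), lambda: match_user(conf, invite)]
    if not peer_first:
        steps.reverse()
    for step in steps:
        name = step()
        if name:
            # An entry with a secret demands digest authentication.
            return name, "challenge" if "secret" in conf[name] else "accept"
    return None, "reject"

if __name__ == "__main__":
    print(classify(SIP_CONF, INVITE, "1.2.3.4", peer_first=False))
    print(classify(SIP_CONF, INVITE, "1.2.3.4", peer_first=True))
```

In the peer-first order every request from 1.2.3.4 is accepted on its source address alone, so the "From" value carries no authentication weight for that peer.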



