[asterisk-bugs] [JIRA] (ASTERISK-23322) Unable to use SIP INVITE authentication with type=peer and device name mismatch with username

Igor Nikolaev (JIRA) noreply at issues.asterisk.org
Thu Feb 20 00:04:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215465#comment-215465 ] 

Igor Nikolaev commented on ASTERISK-23322:
------------------------------------------

You can still use type=peer with insecure=invite as described in the docs. Also, without the patch and without insecure=invite, you always get a "username mismatch" message if the device name is not equal to the remote auth name.

OK, is the following situation possible in real life?

1. I have two different remote systems (uplinks), where I must register. Those systems have different IPs and auth passwords, but unfortunately the auth names are the same. Different VoIP providers can have the same auth names, because they know nothing about each other.

sip.conf
[device1]
type=peer ; may be type=friend, result is the same
host=host1
fromuser=authname1
secret=secret1

...

[device2]
type=peer ; may be type=friend, result is the same
host=host2
fromuser=authname2
secret=secret2

where authname1 == authname2

2. I need to determine from which provider I got an incoming call. Yes, I can do it by describing two devices with different names and type=peer and insecure=invite. But this is not a secure solution, because anybody can set a fake source IP (for UDP this is not difficult) matching my uplink, and I receive a call originated by a fake system, not by my operators. Therefore we can't use several uplinks with the same auth name without a security hole.

                
> Unable to use SIP INVITE authentication with type=peer and device name mismatch with username
> ---------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23322
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23322
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 11.7.0
>            Reporter: Igor Nikolaev
>            Assignee: Igor Nikolaev
>            Severity: Trivial
>         Attachments: asterisk-chan_sip-inbound-invite-auth.patch
>
>
> Scenario:
> sip.conf
> {noformat}
> [devicename]
> type=peer
> fromuser=authuser
> secret=...
> {noformat}
> In this case, if devicename is not equal to authuser, you need to add the statement "insecure=invite" to receive incoming calls. But these INVITEs are not authenticated by the receiving system. It's a security hole.
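
The check that insecure=invite skips, as an added example (not part of the original message and not chan_sip code): the source address only selects the candidate device, and the INVITE is accepted only after an RFC 2617 digest check against that device's fromuser and secret. The addresses, realm, secrets and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed peer table mirroring the sip.conf in the comment: two uplinks,
# same auth name, different hosts and secrets (all values are placeholders).
PEERS = {
    "device1": {"host": "192.0.2.10", "fromuser": "authname", "secret": "secret1"},
    "device2": {"host": "198.51.100.20", "fromuser": "authname", "secret": "secret2"},
}
REALM = "asterisk"  # assumed realm sent in the 401 challenge


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, secret, nonce, method, uri):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def authenticate_invite(src_ip, auth, nonce, uri):
    """Return the device name for an authenticated INVITE, else None.

    auth is the parsed Authorization header (dict), or None if absent.
    nonce is the value this server issued in its 401 challenge.
    """
    # Step 1: the source IP only selects the candidate device; it proves nothing.
    name = next((n for n, p in PEERS.items() if p["host"] == src_ip), None)
    if name is None or auth is None:
        return None
    peer = PEERS[name]
    # Step 2: the auth name is compared with fromuser, not with the device name.
    if auth.get("username") != peer["fromuser"] or auth.get("nonce") != nonce:
        return None
    expected = digest_response(peer["fromuser"], REALM, peer["secret"],
                               nonce, "INVITE", uri)
    # Step 3: constant-time comparison against the secret of *this* device.
    got = str(auth.get("response", ""))
    if hmac.compare_digest(expected.encode(), got.encode()):
        return name
    return None
```

A packet with a spoofed uplink address but no valid digest response is rejected, and identical auth names on both uplinks stay distinguishable because each response is checked against the secret of the device selected by source address.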
