[asterisk-bugs] [JIRA] (ASTERISK-29624) Contact identifier is not updated when FDQN resolves to a new address

George Joseph (JIRA) noreply at issues.asterisk.org
Thu Sep 9 09:28:33 CDT 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29624?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=256207#comment-256207 ] 

George Joseph commented on ASTERISK-29624:
------------------------------------------

So, for outbound transactions, we can do a DNS query each time we create a request.   For inbound requests using IP identify matching, what do we look up?   The host in the From, Contact, Via, etc. headers can all be spoofed so they're no good.  The only thing we can match on is the source IP address.   This means that every time we get a new request, we'd have to iterate over all of the identify objects and do a DNS lookup to get an IP address to match to.  That's just not practical.

Your alternatives are...
 * Make the client register.  This scenario is what registration was designed for.
 * Make the client authenticate and use the auth_username option in both the global endpoint_identifier_order parameter and the endpoint identify_by option.




> Contact identifier is not updated when FDQN resolves to a new address
> ---------------------------------------------------------------------
>
>                 Key: ASTERISK-29624
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29624
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_endpoint_identifier_ip
>    Affects Versions: 16.19.0
>         Environment: FreePBX : 15.0.17.48
> PBX Distro:12.7.8-2107-3.sng7
> Asterisk Version:16.19.0
>            Reporter: Philip Young
>            Assignee: Unassigned
>
> We have PJSIP Trunks on server side configured as follows :
> Authentication  None
> Registration None
> SIP Server : FQDN
> Everything works fine unless the client's ISP changes the public IP address. The FQDN set in the trunk is updated correctly because I can see the server sending OPTIONS and inbound INVITE to the client's new IP address to which the FQDN now matches. However, outbound calls (from client to this server) are unauthorized. Why? I noticed the identity in the contact is never updated! I've let it go for 48 hours and it still hasn't updated the identifier of this contact. It will keep the old IP address in the Identifier Match.
>  
> Ex : 
> Server = 100.200.300.400
> Client = example.wtv.com
> example.wtv.com resolves to 1.2.3.4
> Following a power outage or modem reboot or other the ISP gives the client a new IP address 5.7.8.9
> The FQDN is updated correctly and the server now sends OPTION or INVITE to 5.7.8.9.
> When the client (5.7.8.9) sends OPTION or INVITE, it is unauthorized:
> Server logs : SECURITY[2133] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2021-08-18T11:53:21.136-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="350543f20dc11068458494337421216d",LocalAddress="IPV4/UDP/100.200.300.400/5060",RemoteAddress="IPV4/UDP/5.7.8.9/5060",Challenge=""
> The peer stays the same :
> Peer :
> Endpoint:  democlient                                              Unavailable   0 of inf
> Aor:  demo client                                           0
> Contact:  democlient/sip:example.wtv.com:5060   2c5be4772a Unavail         nan
> Transport:  0.0.0.0-udp               udp      3     96  0.0.0.0:5060
> Identify:  democlient/democlient
> Match: 1.2.3.4/32
>  
> I think this should be updated to 5.7.8.9!



--
This message was sent by Atlassian JIRA
(v6.2#6252)
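
The second alternative in the comment above, sketched as a pjsip.conf fragment. This is an added example, not configuration from the issue or from the Asterisk project; the auth and aor section names, the context, the codec and the credentials are placeholder assumptions, while democlient, example.wtv.com and the transport name come from the report.

```ini
; Constructed example. Replace placeholder values before use.

[global]
type=global
; Check the Authorization header username before falling back to
; source-IP matching, so a changed client address no longer matters.
endpoint_identifier_order=auth_username,ip,username,anonymous

; Inbound credentials the client must present (placeholder values).
[democlient-auth]
type=auth
auth_type=userpass
username=democlient
password=REPLACE_WITH_LONG_RANDOM_SECRET

; Outbound side is unchanged: the contact is still the FQDN from the report.
[democlient-aor]
type=aor
contact=sip:example.wtv.com:5060
qualify_frequency=60

[democlient]
type=endpoint
transport=0.0.0.0-udp
context=from-trunk            ; assumed dialplan context
disallow=all
allow=ulaw                    ; assumed codec
aors=democlient-aor
; "auth" makes Asterisk challenge inbound requests for this endpoint.
auth=democlient-auth
; Identify inbound requests by the authenticated username, not by IP.
identify_by=auth_username

; The setup from the report, for comparison. The listing in the report
; shows this match staying at 1.2.3.4/32 after the FQDN moved to 5.7.8.9.
; With identify_by=auth_username this section is no longer needed.
;[democlient]
;type=identify
;endpoint=democlient
;match=example.wtv.com
```

With this in place the first inbound request is still answered with a challenge, and the endpoint is identified once the client retries with an Authorization header carrying the configured username.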