[Asterisk-Dev] acl in sip
John Todd
jtodd at loligo.com
Tue Sep 23 07:06:23 MST 2003
>Another one:
>I think we ought to increase the security of the SIP ACL.
>Authentication is fine using digest, but there are "broken"
>SIP endpoints which couldn't really support the digest
>authentication, or endpoints which are really static (using static
>registration would lessen overhead).
>
>My point is, when you put defaultip=x.x.x.x in sip.conf, changing IP
>addresses would enable me to attack * by flooding INVITEs. * permits
>calls even though the defaultip tag in sip.conf does not match the
>caller's IP address. Usually, like SER or VOCAL, it 'may' challenge
>the INVITEs it receives so that if it is not properly authenticated,
>it will be rejected and not proxied. In this case, if we set the
>defaultip, I think * should only allow SIP messages to and from the
>provisioned user.
>
>Another note: can we like have an entry in sip.conf that will enable
>you to provision a high-density FXS box, let's say 24 ports, in just
>1 entry? For example:
>
>[1300-1323]
>type=friend
>defaultip=x.x.x.x
>
>This will yield a much simpler configuration; besides, all those
>extensions use just 1 IP address. ATA 186 will also benefit from
>this configuration...
>
Kelvin -
Some good ideas in here. Can you perhaps start working on patches
to implement the changes so it can be evaluated by the community?
JT
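
An added example, not part of the original messages and not Asterisk code: a sketch of the two proposals in the quoted message, expanding a `[1300-1323]` range section into per-extension peers and accepting a SIP request only when its source address matches the peer's `defaultip`. The function names, the `[2000]` entry and the 192.0.2.10 address are assumptions made for illustration.

```python
import configparser
import ipaddress
import re

# Constructed sample in the style of the sip.conf entry proposed in the thread.
SAMPLE_CONF = """
[1300-1323]
type=friend
defaultip=192.0.2.10

[2000]
type=friend
"""

RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def load_peers(text):
    """Return {extension: defaultip or None}, expanding 'N-M' range sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    peers = {}
    for section in cp.sections():
        raw = cp[section].get("defaultip")
        ip = ipaddress.ip_address(raw) if raw else None
        m = RANGE_RE.match(section)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad range section [{section}]")
            names = [str(n) for n in range(lo, hi + 1)]
        else:
            names = [section]
        for name in names:
            peers[name] = ip
    return peers


def source_allowed(peers, extension, source_ip):
    """Hypothetical check: a peer with defaultip is usable only from that IP."""
    if extension not in peers:
        return False                      # unknown user: reject
    pinned = peers[extension]
    if pinned is None:
        return True                       # no defaultip: left to digest auth
    return ipaddress.ip_address(source_ip) == pinned
```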