[Asterisk-Dev] acl in sip
Kelvin Chua
kchua at up.edu.ph
Tue Sep 23 20:13:04 MST 2003
I currently don't have much time to code, but I will try my best :)
On Tue, 2003-09-23 at 22:06, John Todd wrote:
> >another one,
> >i think we ought to increase the security of the sip acl,
> >authentication is fine using digest but there are "broken"
> >sip endpoints which couldn't really support the digest
> >authentication or endpoints which are really static, (using static
> >registration would lessen overhead).
> >
> >my point is, when you put defaultip=x.x.x.x in sip.conf, changing ip
> >addresses would enable me to attack * by flooding invites. * permits
> >calls even though the defaultip tag in sip.conf does not match the
> >caller's ip address. usually, like ser or vocal, it 'may' challenge
> >the invites it receives so that if it is not properly authenticated,
> >it will be rejected and not proxied. in this case, if we set the
> >defaultip, i think * should only allow sip messages to and from the
> >provisioned user.
> >
> >another note, can we like have an entry in sip.conf that will enable
> >you to provision a high density fxs box, let's say 24 ports in just
> >1 entry? for example:
> >
> >[1300-1323]
> >type=friend
> >defaultip=x.x.x.x
> >
> >this will yield a much simpler configuration, besides, all those
> >extensions use just 1 ip address. ata 186 will also benefit from
> >this configuration...
> >
>
> Kelvin -
> Some good ideas in here. Can you perhaps start working on patches
> to implement the changes so it can be evaluated by the community?
>
> JT
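The two proposals in the quoted message (a ranged section such as [1300-1323] sharing one defaultip, and rejecting SIP messages whose source address does not match it) can be sketched as follows. This is an added example, not part of the thread and not Asterisk code; `struct peer`, `expand_range` and `source_permitted` are hypothetical names, and the addresses are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Hypothetical peer record: one per provisioned extension. */
struct peer {
    int ext;              /* extension number, e.g. 1300 */
    struct in_addr addr;  /* address taken from defaultip= */
};

/* Expand a proposed "[first-last]" section header into peers that all
 * share one defaultip. Returns the peer count, or -1 on malformed input. */
int expand_range(const char *section, const char *defaultip,
                 struct peer *out, int max)
{
    int first, last, n = 0;
    char tail;
    struct in_addr addr;

    if (sscanf(section, "[%d-%d%c", &first, &last, &tail) != 3 || tail != ']')
        return -1;
    if (first < 0 || last < first || last - first >= max)
        return -1;                 /* reversed, negative or oversized range */
    if (inet_pton(AF_INET, defaultip, &addr) != 1)
        return -1;                 /* defaultip is not a valid IPv4 address */
    for (int e = first; e <= last; e++)
        out[n++] = (struct peer){ e, addr };
    return n;
}

/* Return 1 only if the extension is provisioned and the packet's source
 * address equals its defaultip; unknown extensions are denied. */
int source_permitted(const struct peer *peers, int n, int ext,
                     const char *src_ip)
{
    struct in_addr src;

    if (inet_pton(AF_INET, src_ip, &src) != 1)
        return 0;
    for (int i = 0; i < n; i++)
        if (peers[i].ext == ext)
            return peers[i].addr.s_addr == src.s_addr;
    return 0;
}

int main(void)
{
    struct peer p[32];
    int n = expand_range("[1300-1323]", "192.0.2.10", p, 32); /* constructed */
    printf("peers=%d match=%d mismatch=%d\n", n,
           source_permitted(p, n, 1305, "192.0.2.10"),
           source_permitted(p, n, 1305, "198.51.100.7"));
    return 0;
}
```

Over UDP the source address is only a filter on where a message claims to come from, so a check like this complements digest authentication rather than replacing it.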