[asterisk-dev] 'IAX2 call variable passing between servers '

Andrew Kohlsmith akohlsmith-asterisk at benshaw.com
Thu Aug 3 12:18:48 MST 2006


On Thursday 03 August 2006 15:05, Steven Critchfield wrote:
> If you used IAX2 to get from one machine to another, then the call is
> not SIP. Remember that IAX2 is not just a protocol to use within your
> company. IAX2 is a protocol to accept calls from the outside world as
> well. Do you really think you should be exposed to whatever variables I
> want to inject into your system when I make a connection to your
> machine? Think about the fun if I decided what the account code should
> be on your system. If I really didn't like you, I could throw all kinds
> of obscenities in as the account code and mess with your accounting.

That is a VERY poor excuse.  If you are concerned about security, you 
explicitly define the accountcode in the user/peer entry, or add an option 
"insecure=yes" or "trust=no" or something in the iax.conf entry to protect 
against this.

You have the same kind of issues by allowing IAX2 peers to define which 
context they want to be dropped into.

> Just because you aren't getting the information you want from one side
> to the other does not mean it is broken. It means either the developers
> haven't decided it should be done yet or there is a good security reason
> for it not being done yet.

I half-agree with that statement.  :-)  DISA is a security risk, but we allow 
it.  I certainly would like to see security taken seriously with Asterisk, 
but at the same time there is no need to go overboard and turn Asterisk into 
some kind of nanny of the phone network, or of my own system.

-A.
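The defensive configuration the reply above points at, pinning the account code and context in the peer's own iax.conf entry so nothing a remote IAX2 peer sends can decide them, as an added illustration and not part of the original post; the peer name, secret and context names are constructed placeholders, and "insecure"/"trust" options from the post are not shown because the post itself only suggests them hypothetically:

```ini
; iax.conf -- constructed example entry for a remote IAX2 peer
[remote-box]            ; placeholder peer name
type=friend
secret=CHANGE_ME        ; placeholder; use a real shared secret
host=dynamic

; Pin the values the remote side might otherwise try to influence.
; Calls from this peer always bill to this account code and always land
; in this context, regardless of any variables carried with the call.
accountcode=partner-remote-box
context=from-partner

; Do not rely on the remote side's idea of a context or account code:
; the dialplan context must be a limited one, not one with DISA-style
; outbound access, so a misbehaving peer cannot reach it.
```

With the values fixed per entry, an inbound call's accounting and dialplan entry point are decided by the local administrator, which is the property the post is asking for without turning off variable passing altogether.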
