[asterisk-dev] bug or feature (use From: instead of Digest username to match INVITE) ?

Kevin P. Fleming kpfleming at digium.com
Thu Oct 12 07:39:29 MST 2006


----- Luigi Rizzo <rizzo at icir.org> wrote:
>         B:      [#1] do not even try to match, but unconditionally
>                 require authentication and generate a new nonce, nonce_1.

This will break many existing systems if it is not optional. There are quite a few SIP providers (Broadsoft-based ones in particular) that will NOT authenticate INVITEs they send to you at all. You register to them, and they send you INVITEs based on where they know you are.

This will also break 'guest' access, and probably other things. It can also be trivially exploited as a DoS amplification attack (although Asterisk is already in that situation anyway).

-- 
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.
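To make the trade-off in this exchange concrete, here is an added, self-contained Python model of the two INVITE-handling policies being discussed. It is example code written for this page, not Asterisk's chan_sip; the peer table, realm, hostnames and the INVITE text are constructed sample data. Policy "A" matches a credential-less peer by the From host (so a registered trunk's unauthenticated INVITE is accepted) and otherwise challenges; policy "B" is option [#1] above, which never matches and always demands Digest authentication with a fresh nonce.

```python
import hashlib
import secrets

REALM = "asterisk"  # assumed realm for the Digest challenge

# Constructed peer table (sample data, not a real sip.conf): one credentialed
# user and one trunk provider that never authenticates the INVITEs it sends.
PEERS = {
    "alice": {"secret": "alice-pw", "host": None},
    "provider": {"secret": None, "host": "trunk.example.net"},
}


def build_invite(from_uri, to_uri, auth=None):
    """Assemble a minimal INVITE, optionally carrying an Authorization header."""
    hdrs = [f"INVITE {to_uri} SIP/2.0",
            f"From: <{from_uri}>;tag=1",
            f"To: <{to_uri}>",
            "Call-ID: constructed-call-id",
            "CSeq: 1 INVITE"]
    if auth:
        hdrs.append("Authorization: " + auth)
    return "\r\n".join(hdrs) + "\r\n\r\n"


def parse_request(msg):
    """Return (method, request-uri, headers); header names are lowercased."""
    lines = msg.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value):
    """Parse 'Digest k="v", k="v"' into a dict of parameters."""
    params = {}
    for part in value.partition(" ")[2].split(","):
        k, _, v = part.strip().partition("=")
        params[k] = v.strip('"')
    return params


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 Digest response (no qop), the scheme SIP uses to authenticate INVITEs."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def from_host(headers):
    """Host part of the From URI, e.g. 'trunk.example.net' from <sip:x@trunk.example.net>."""
    uri = headers["from"].split("<", 1)[1].split(">", 1)[0]
    return uri.split("@", 1)[1]


def handle_invite(msg, issued_nonces, policy):
    """Decide what to do with an incoming INVITE under the given policy.

    policy "A": with credentials, verify the Digest username's secret; without
                them, accept a secret-less peer whose host matches the From
                host (a registered trunk), otherwise challenge.
    policy "B": option [#1] from the thread: never match, always challenge
                with a fresh nonce unless valid credentials are present.
    Returns ('accept', peer), ('challenge', nonce) or ('reject', reason).
    """
    method, uri, headers = parse_request(msg)
    auth = headers.get("authorization")

    if auth is None:
        if policy == "A":
            host = from_host(headers)
            for name, peer in PEERS.items():
                if peer["secret"] is None and peer["host"] == host:
                    return ("accept", name)
        nonce = secrets.token_hex(16)       # new nonce per challenge
        issued_nonces.add(nonce)
        return ("challenge", nonce)

    p = parse_digest(auth)
    peer = PEERS.get(p.get("username"))
    if peer is None or peer["secret"] is None:
        return ("reject", "unknown or credential-less peer")
    if p.get("nonce") not in issued_nonces:
        return ("reject", "stale or forged nonce")
    issued_nonces.discard(p["nonce"])       # one-shot nonce: a replay fails here
    expected = digest_response(p["username"], peer["secret"], method,
                               p.get("uri", uri), p["nonce"])
    if secrets.compare_digest(expected, p.get("response", "")):
        return ("accept", p["username"])
    return ("reject", "bad credentials")


if __name__ == "__main__":
    nonces = set()
    trunk = build_invite("sip:caller@trunk.example.net", "sip:2000@pbx.example.org")
    print("trunk INVITE, policy A:", handle_invite(trunk, nonces, "A"))
    print("trunk INVITE, policy B:", handle_invite(trunk, nonces, "B"))
```

Running it shows the point Kevin makes: under policy "A" the trunk's unauthenticated INVITE is accepted by host match, while under policy "B" it is answered with a challenge the provider will never complete, so the call is lost. The one-shot nonce set also shows why a fresh nonce per challenge matters once authentication is required at all.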
