[asterisk-dev] bug or feature (use From: instead of Digest
username to match INVITE) ?
Luigi Rizzo
rizzo at icir.org
Thu Oct 12 08:02:15 MST 2006
On Thu, Oct 12, 2006 at 09:39:29AM -0500, Kevin P. Fleming wrote:
> ----- Luigi Rizzo <rizzo at icir.org> wrote:
> > B: [#1] do not even try to match, but unconditionally
> > require authentication and generate a new nonce,
> > nonce_1.
>
> This will break many existing systems if it is not optional. There are quite a few SIP providers (Broadsoft-based ones in particular) that will NOT authenticate INVITES they send to you at all. You register to them, and they send you INVITEs based on where they know you are.
ok, this means that we need to identify the incoming request
based on IP/PORT the packet comes from.
In any case, we already have this problem, as the attempt to match
an entry in the "users" list based on the From: field comes first.
> This will also break 'guest' access, and probably other things. It can also be trivially exploited as a DoS amplification attack (although Asterisk is already in that situation anyway).
understood. for these "guest" i don't have an answer right away.
anyways - not that i want to push/rush for this or another solution,
but right now with asterisk, and depending on the conflicts between
sip device names and From: identifiers, we can hit one of these cases:
1. we are lucky and all goes well.
2. we refuse calls because we match the wrong entry on a
non-authenticated INVITE, and this causes a "username" mismatch
3. we allow calls because we match the wrong entry on a
non-authenticated INVITE and hit one that does not need authentication.
the latter seems the most serious problem...
So if we could at least put in some (optional) mechanism to
reduce the chance of problems, it would be a step forward.
cheers
luigi
More information about the asterisk-dev
mailing list