[asterisk-dev] asterisk sip authentication flawed?

Kevin P. Fleming kpfleming at digium.com
Thu Jan 4 13:07:28 MST 2007


Damon Estep wrote:
> Right now it seems truly impossible to fully trust a user by IP, since
> an invite can be formed in such a way that certain calls are rejected
> with the SIP 407 message.

Well, I can think of a couple of comments... First, the way Asterisk
does SIP authentication right now is far too complex and out of the
'spirit' of the RFCs anyway, so Olle is working on changing that. That
work won't appear until Asterisk 1.6, though.

Second, Asterisk 1.4 already supports a limited amount of 'domain based'
authentication, and this could be used to segregate the calls from your
trusted peers by having them direct the calls to a specific domain you
have set up for that purpose.

Third, most people find it cumbersome and impractical to name SIP users
using any pattern that would appear as the From: username (which is
frequently the CNAM/CLID info); instead, they use something completely
different as a user/peer naming scheme. While this is not ideal, it is a
way to avoid this issue.
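As an added illustration of the domain-based segregation Kevin mentions (this is not configuration from the thread or from the Asterisk project; the domain names, the 192.0.2.10 address and the context names are placeholders), a sip.conf fragment for Asterisk 1.4 could look like the following. The domain= and allowexternaldomains= options are documented in the 1.4 sip.conf.sample; whether the domain's context takes precedence over the peer's context for a given INVITE should be checked against the sample file shipped with your version.

```ini
[general]
context=from-internet            ; default context for calls not matched below
allowexternaldomains=no          ; refuse INVITEs addressed to domains not listed here
; domain=<name>,<context>: calls addressed to this domain land in that context
domain=sip.example.com,from-internet      ; public-facing domain (placeholder name)
domain=trunks.example.com,from-trusted    ; domain only trusted peers are told to use

[carrier-trunk]                  ; placeholder peer name, not derived from the From: user
type=peer
host=192.0.2.10                  ; documentation-range address, trusted by source IP
context=from-trusted
insecure=port,invite             ; do not send a 407 challenge to INVITEs from this peer
```

Calls that the trusted peer sends to trunks.example.com are routed into from-trusted, while anything addressed to the public domain (or to an unlisted domain, which allowexternaldomains=no rejects) is handled by the normal, challenged path.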
