[asterisk-dev] chan_sip SIP Authentication

Philipp Kempgen philipp.kempgen at amooma.de
Thu Jan 29 21:13:31 CST 2009


Johansson Olle E wrote:
>> Klaus Darilion wrote:

>>> I think changing the priority (peer before user) might be a
>>> solution as well. Actually if someone uses "peers" for gateways
>>> and "users" for SIP clients IMO the gateways should have higher
>>> priority. Another matching option would be the order in sip.conf.

> But the recommendation still stands: You shalt not mix namespaces.

Just that there are no namespaces. A separate namespace for device
names has to be simulated by prefixing them with something that is
guaranteed not to be found in an extension, such as "device--",
provided the admin doesn't allow "--" in extensions.

For obvious reasons it would be a bad idea to prefix extensions
with an artificial string.

> 
> You will confuse yourself and, if you are a service provider,
> reveal phone numbers in signalling that in some cases are supposed
> to be hidden. In Sweden, that will even be against regulation.

Is it ok to reveal device names then?

And BTW: Thanks for adding
http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837

I guess one of the reasons Dial(SIP/${EXTEN}) is so incredibly
popular is that there is no best practice type of explanation on
how to make up good device names which
a) are not the same as extensions (/phone numbers)
b) do not reveal any information about extensions (/phone numbers)
c) are not MAC addresses because that would reveal sensitive
   information as well
d) are not MAC addresses or anything that has a 1:1 relationship
   to physical devices

For gateways that's easy. Just call them "gateway1" or something.

For users (I'm not necessarily referring to type=user here) it's
a bit harder and there is a wording issue: device (hardware) !=
user.

"user--<extension>" (e.g. "user--1234") is not a good device name
because it reveals information about my extension.

"device--<macaddress>" (e.g. "device--000414000001") is not a good
device name (and unusable for hot-desking) because of the false
assumption that user == device. Multiple SIP accounts/users could
live on the same physical device (manufacturers of SIP phones
commonly refer to them as "lines" or "identities").

"philipp" is not a good device name because that might be the
same as my extension.
"user--philipp" or more precisely "user--philipp-phone1",
"user--philipp-phone1" might work but reveals sensitive
information. (How hard is it to guess that "philipp" could
be my extension?)

So what about completely random names such as "account--2hs9n"?

But then again I still need to think about what influence this
might have on SIP <--> ISDN interworking for example.


   Philipp Kempgen

-- 
AMOOCON 2009, May 4-5, Rostock / Germany   ->  http://www.amoocon.de
Asterisk: http://the-asterisk-book.com - http://das-asterisk-buch.de
AMOOMA GmbH - Bachstr. 126 - 56566 Neuwied  ->  http://www.amooma.de
Managing Director: Stefan Wintermeyer, Commercial Register: Neuwied B14998
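As an added illustration of the naming rules argued in the message above (not code from the thread or from Asterisk), the following checker encodes criteria a) to d) for a candidate SIP device name and generates "account--2hs9n" style names from a CSPRNG; the "account--" prefix, the minimum token length of 3 and the set of sensitive identifiers are assumptions for the example.

```python
import re
import secrets
import string
from typing import Iterable, Tuple

# Constructed example. Encodes the rules from the message above:
#   a) a device name must not equal an extension (or a login name)
#   b) it must not reveal an extension (no sensitive token embedded in it)
#   c)/d) it must not be a MAC address or anything tied 1:1 to hardware
# The prefix simulates a namespace, which only works if "--" never
# appears inside an extension, so that is checked separately.
DEVICE_PREFIX = "account--"   # assumed prefix, in the style of "device--"
NAMESPACE_SEP = "--"
MIN_TOKEN_LEN = 3             # assumption: ignore very short tokens to limit noise
_MAC_RE = re.compile(r"^(?:[0-9a-f]{12}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$", re.I)
_ALPHABET = string.ascii_lowercase + string.digits


def extension_allowed(exten: str) -> bool:
    """Extensions may never contain the separator, or the namespace trick collapses."""
    return bool(exten) and NAMESPACE_SEP not in exten


def device_name_ok(name: str, sensitive: Iterable[str]) -> Tuple[bool, str]:
    """Check a candidate device name against known extensions and login names.

    Returns (ok, reason). 'sensitive' holds everything the name must not
    equal or contain: phone numbers, extensions, user login names.
    """
    if not name.startswith(DEVICE_PREFIX):
        return False, "missing namespace prefix"
    body = name[len(DEVICE_PREFIX):].lower()
    if not body:
        return False, "empty body"
    if _MAC_RE.match(body):
        return False, "looks like a MAC address"
    tokens = {t.lower() for t in sensitive}
    if body in tokens:
        return False, "equals an extension or login name"
    for tok in sorted(tokens):
        if len(tok) >= MIN_TOKEN_LEN and tok in body:
            return False, "reveals " + tok
    return True, "ok"


def random_device_name(sensitive: Iterable[str], length: int = 5) -> str:
    """Draw an 'account--2hs9n' style name until it passes device_name_ok."""
    tokens = list(sensitive)
    while True:
        cand = DEVICE_PREFIX + "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if device_name_ok(cand, tokens)[0]:
            return cand
```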