[asterisk-dev] chan_sip SIP Authentication

Johansson Olle E oej at edvina.net
Fri Jan 30 02:44:08 CST 2009


30 jan 2009 kl. 04.13 skrev Philipp Kempgen:

> Johansson Olle E schrieb:
>>> Klaus Darilion schrieb:
>
>>>> I think changing the priority (peer before user) might be a
>>>> solution as well. Actually if someone uses "peers" for gateways
>>>> and "users" for SIP clients IMO the gateways should have higher
>>>> priority. Another matching option would be the order in sip.conf.
>
>> But the recommendation still stands: You shalt not mix namespaces.
>
> Just that there are no namespaces. A separate namespace for device
> names has to be simulated by prefixing them with something that is
> guaranteed not to be found in an extension, such as "device--",
> provided the admin doesn't allow "--" in extensions.
>
> For obvious reasons it would be a bad idea to prefix extensions
> with an artificial string.
>
>>
>> You will confuse yourself and, if you are a service provider,
>> reveal phone numbers in signalling that in some cases are supposed
>> to be hidden. In Sweden, that will even be against regulation.
>
> Is it ok to reveal device names then?
>
> And BTW: Thanks for adding
> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837
>
> I guess one of the reasons Dial(SIP/${EXTEN}) is so incredibly
> popular is that there is no best practice type of explanation on
> how to make up good device names which
> a) are not the same as extensions (/phone numbers)
> b) do not reveal any information about extensions (/phone numbers)
> c) are not MAC addresses because that would reveal sensitive
>   information as well
> d) are not MAC addresses or anything that has a 1:1 relationship
>   to physical devices
>
> For gateway that's easy. Just call them "gateway1" or something.
>
> For users (I'm not necessarily referring to type=user here) it's
> a bit harder and there is a wording issue: device (hardware) !=
> user.
>
> "user--<extension>" (e.g. "user--1234") is not a good device name
> because it reveals information about my extension.
>
> "device--<macaddress>" (e.g. "device--000414000001") is not a good
> device name (and unusable for hot-desking) because of the false
> assumption that user == device. Multiple SIP accounts/users could
> live on the same physical device (manufacturers of SIP phones
> commonly refer to them as "lines" or "identities").
>
> "philipp" is not a good device name because that might be the
> same as my extension.
> "user--philipp" or more precisely "user--philipp-phone1",
> "user--philipp-phone1" might work but reveals sensitive
> information. (How hard is it to guess that "philipp" could
> be my extension?)
>
> So what about completely random names such as "account--2hs9n"?
>
> But then again I still need to think about what influence this
> might have on SIP <--> ISDN interworking for example.
>

Historically "-" has been a bad choice too, I don't know the state of
that in current code, but it confused device states.

Remember also that using your name as a device name will make sure
that no one called "philipp at something" will be able to call your PBX
from another SIP domain. Unless you have no secret, of course.

We should probably come up with a document describing this. Your
mail is a good start.

hepatica:asterisk-1.6.1 olle$ openssl md5
olle-1234
^D
352a1c09aa40c9d13d75e59d77de3d77

Might be one recommendation for generating a device name, but then
debugging might be hard. Prefixing it with the user if the account is
tied to a specific user is a good thing for memory.

Signed
/olle_352a1c0aa
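As an added illustration of the naming rules discussed in this thread (this is not code from the thread or from Asterisk), the snippet below derives a device name from a keyed hash and checks a proposed name against the objections raised above. A keyed hash is used instead of a plain md5 of "user-extension" because anyone able to enumerate extensions could recompute such an unkeyed digest; SITE_SECRET, the function names and the underscore separator are assumptions.

```python
import hashlib
import hmac
import re

# Constructed site secret; keep the real one out of sip.conf and version control.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"

# 12 bare hex digits or colon/dash separated pairs, e.g. 000414000001 or 00:04:14:00:00:01
MAC_RE = re.compile(
    r"(?<![0-9a-f])(?:[0-9a-f]{12}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})(?![0-9a-f])",
    re.I,
)


def derive_device_name(user: str, line: int, secret: bytes = SITE_SECRET, tag_len: int = 8) -> str:
    """Memorable 'user_phoneN_' prefix plus an unguessable keyed tag.

    The tag is mapped to letters a-p only, so it can never contain a numeric
    extension or look like a MAC address, and '_' is used rather than '-'.
    """
    digest = hmac.new(secret, f"{user}/{line}".encode(), hashlib.sha256).hexdigest()
    tag = "".join(chr(ord("a") + int(c, 16)) for c in digest[:tag_len])
    return f"{user}_phone{line}_{tag}"


def device_name_problems(name: str, extension: str) -> list[str]:
    """Return the thread's objections that apply to a proposed device name (empty = ok)."""
    problems = []
    if name == extension:
        problems.append("equals extension")
    elif extension in name:
        problems.append("contains extension")
    if MAC_RE.search(name):
        problems.append("looks like a MAC address")
    if "-" in name:
        problems.append("contains '-'")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "user--1234", "device--000414000001", derive_device_name("philipp", 1)):
        print(candidate, device_name_problems(candidate, "1234") or "ok")
```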