[asterisk-dev] chan_sip SIP Authentication

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jan 30 03:42:20 CST 2009



Johansson Olle E wrote:
> On 30 Jan 2009 at 04:13, Philipp Kempgen wrote:
> 
>> Johansson Olle E wrote:
>>>> Klaus Darilion wrote:
>>>>> I think changing the priority (peer before user) might be a
>>>>> solution as well. Actually if someone uses "peers" for gateways and
>>>>> "users" for SIP clients IMO the gateways should have higher priority.
>>>>> Another matching option would be the order in sip.conf.
>>> But the recommendation still stands: You shalt not mix namespaces.
>> Just that there are no namespaces. A separate namespace for device
>> names has to be simulated by prefixing them with something that is
>> guaranteed not to be found in an extension, such as "device--",
>> provided the admin doesn't allow "--" in extensions.
>>
>> For obvious reasons it would be a bad idea to prefix extensions
>> with an artificial string.
>>
>>> You will confuse yourself and, if you are a service provider,
>>> reveal phone numbers in signalling that in some cases are supposed
>>> to be hidden. In Sweden, that will even be against regulation.
>> Is it ok to reveal device names then?
>>
>> And BTW: Thanks for adding
>> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837
>>
>> I guess one of the reasons Dial(SIP/${EXTEN}) is so incredibly
>> popular is that there is no best practice type of explanation on
>> how to make up good device names which
>> a) are not the same as extensions (/phone numbers)
>> b) do not reveal any information about extensions (/phone numbers)
>> c) are not MAC addresses because that would reveal sensitive
>>   information as well
>> d) are not MAC addresses or anything that has a 1:1 relationship
>>   to physical devices
>>
>> For gateway that's easy. Just call them "gateway1" or something.
>>
>> For users (I'm not necessarily referring to type=user here) it's
>> a bit harder and there is a wording issue: device (hardware) !=
>> user.
>>
>> "user--<extension>" (e.g. "user--1234") is not a good device name
>> because it reveals information about my extension.
>>
>> "device--<macaddress>" (e.g. "device--000414000001") is not a good
>> device name (and unusable for hot-desking) because of the false
>> assumption that user == device. Multiple SIP accounts/users could
>> live on the same physical device (manufacturers of SIP phones
>> commonly refer to them as "lines" or "identities").
>>
>> "philipp" is not a good device name because that might be the
>> same as my extension.
>> "user--philipp" or more precisely "user--philipp-phone1",
>> "user--philipp-phone1" might work but reveals sensitive
>> information. (How hard is it to guess that "philipp" could
>> be my extension?)
>>
>> So what about completely random names such as "account--2hs9n"?
>>
>> But then again I still need to think about what influence this
>> might have on SIP <--> ISDN interworking for example.
>>
> 
> Historically "-" has been a bad choice too, I don't know the state of
> that in current code, but it confused device states.
> 
> Remember also that using your name as a device name will make sure
> that no one called "philipp at something" will be able to call your PBX
> from another SIP domain. Unless you have no secret, of course.

This also shows that "user" should evaluate the domain part, not
only the user part.

regards
klaus
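The naming criteria Philipp lists above (device names that neither equal nor contain an extension, and that are not MAC addresses) can be checked mechanically against a sip.conf. The following audit script is an added example, not code from the thread or from Asterisk; the sip.conf excerpt and the extension list are constructed, and the substring test for criterion (b) is a heuristic assumption.

```python
import configparser
import re

# Constructed sip.conf excerpt (not from the thread): one device section each,
# mixing the names the thread calls bad with the ones it calls acceptable.
SIP_CONF = """
[general]
context=default

[1234]
type=friend
secret=placeholder-secret
context=phones

[user--1234]
type=friend
secret=placeholder-secret
context=phones

[device--000414000001]
type=friend
secret=placeholder-secret
context=phones

[gateway1]
type=peer
host=192.0.2.10
context=from-trunk

[account--2hs9n]
type=friend
secret=placeholder-secret
context=phones
"""

# Extensions (phone numbers) the dialplan knows; constructed sample values.
EXTENSIONS = {"1234", "5678"}

# 12 raw hex digits or colon/dash separated octets, as printed on SIP phones.
MAC_RE = re.compile(r"^(?:[0-9a-f]{12}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$", re.I)

def device_name_problems(name, extensions):
    """Return the list of naming criteria from the thread that `name` violates."""
    problems = []
    if name in extensions:
        problems.append("equals an extension")            # criterion (a)
    elif any(ext in name for ext in extensions):
        problems.append("contains an extension")          # criterion (b), heuristic
    token = name.split("--", 1)[-1]                       # drop a "device--" style prefix
    if MAC_RE.match(token):
        problems.append("looks like a MAC address")       # criteria (c) and (d)
    return problems

def audit_sip_conf(text, extensions):
    """Map every device section (anything with a type= line) to its problems."""
    cp = configparser.RawConfigParser(strict=False)       # sip.conf allows repeated keys
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if section == "general" or not cp.has_option(section, "type"):
            continue
        report[section] = device_name_problems(section, extensions)
    return report

if __name__ == "__main__":
    for device, problems in audit_sip_conf(SIP_CONF, EXTENSIONS).items():
        print(f"{device}: {', '.join(problems) or 'ok'}")
```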
