[asterisk-dev] chan_sip SIP Authentication

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jan 30 03:42:20 CST 2009

Johansson Olle E schrieb:
> 30 jan 2009 kl. 04.13 skrev Philipp Kempgen:
>> Johansson Olle E schrieb:
>>>> Klaus Darilion schrieb:
>>>>> I think changing the priority (peer before user) might be a
>>>>> solution as
>>>>> well. Actually if someone uses "peers" for gateways and "users" for
>>>>> SIP
>>>>> clients IMO the gateways should have higher priority. Another
>>>>> matching
>>>>> option would be the order in sip.conf.
>>> But the recommendation still stands: You shalt not mix namespaces.
>> Just that there are no namespaces. A separate namespace for device
>> names has to be simulated by prefixing them with something that is
>> guaranteed not be be found in an extension, such as "device--",
>> provided the admin doesn't allow "--" in extensions.
>> For obvious reasons it would be a bad idea to prefix extensions
>> with an artificial string.
>>> You will confuse yourself and, if you are a service provider,
>>> reveal phone numbers in signalling that in some cases are supposed
>>> to be hidden. In Sweden, that will even be against regulation.
>> Is it ok to reveal device names then?
>> And BTW: Thanks for adding
>> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837
>> I guess one of the reasons Dial(SIP/${EXTEN}) is so incredibly
>> popular is that there is no best practice type of explanation on
>> how to make up good device names which
>> a) are not the same as extensions (/phone numbers)
>> b) do not reveal any information about extensions (/phone numbers)
>> c) are not MAC addresses because that would reveal sensitive
>>   information as well
>> d) are not MAC addresses or anything that has a 1:1 relationship
>>   to physical devices
>> For gateway that's easy. Just call them "gateway1" or something.
>> For users (I'm not necessarily referring to type=user here) it's
>> a bit harder and there is a wording issue: device (hardware) !=
>> user.
>> "user--<extension>" (e.g. "user--1234") is not a good device name
>> because it reveals information about my extension.
>> "device--<macaddress>" (e.g. "device--000414000001") is not a good
>> device name (and unusable for hot-desking) because of the false
>> assumption that user == device. Multiple SIP accounts/users could
>> live on the same physical device (manufacturers of SIP phones
>> commonly refer to them as "lines" or "identities").
>> "philipp" is not a good device name because that might be the
>> same as my extension.
>> "user--philipp" or more precisely "user--philipp-phone1",
>> "user--philipp-phone1" might work but reveals sensitive
>> information. (How hard is it to guess that "philipp" could
>> be my extension?)
>> So what about completely random names such as "account--2hs9n"?
>> But then again I still need to think about what influence this
>> might have on SIP <--> ISDN interworking for example.
> Historically "-" has been a bad choice too, I don't know the state of  
> that
> in current code, but it confused device states.
> Remember also that using your name as a device name will make sure
> that no one called "philipp at something" will be able to call your PBX  
> from
> another SIP domain. Unless you have no secret, of course.

This also shows that "user" should also evaluate the domain part, not 
only the user part.


More information about the asterisk-dev mailing list