[asterisk-dev] chan_sip SIP Authentication

Mark Michelson mmichelson at digium.com
Fri Jan 30 09:50:29 CST 2009

Johansson Olle E wrote:
> 30 jan 2009 kl. 04.13 skrev Philipp Kempgen:
>> Johansson Olle E schrieb:
>>>> Klaus Darilion schrieb:
>>>>> I think changing the priority (peer before user) might be a
>>>>> solution as
>>>>> well. Actually if someone uses "peers" for gateways and "users" for
>>>>> SIP
>>>>> clients IMO the gateways should have higher priority. Another
>>>>> matching
>>>>> option would be the order in sip.conf.
>>> But the recommendation still stands: You shalt not mix namespaces.
>> Just that there are no namespaces. A separate namespace for device
>> names has to be simulated by prefixing them with something that is
>> guaranteed not be be found in an extension, such as "device--",
>> provided the admin doesn't allow "--" in extensions.
>> For obvious reasons it would be a bad idea to prefix extensions
>> with an artificial string.
>>> You will confuse yourself and, if you are a service provider,
>>> reveal phone numbers in signalling that in some cases are supposed
>>> to be hidden. In Sweden, that will even be against regulation.
>> Is it ok to reveal device names then?
>> And BTW: Thanks for adding
>> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837
>> I guess one of the reasons Dial(SIP/${EXTEN}) is so incredibly
>> popular is that there is no best practice type of explanation on
>> how to make up good device names which
>> a) are not the same as extensions (/phone numbers)
>> b) do not reveal any information about extensions (/phone numbers)
>> c) are not MAC addresses because that would reveal sensitive
>>   information as well
>> d) are not MAC addresses or anything that has a 1:1 relationship
>>   to physical devices
>> For gateway that's easy. Just call them "gateway1" or something.
>> For users (I'm not necessarily referring to type=user here) it's
>> a bit harder and there is a wording issue: device (hardware) !=
>> user.
>> "user--<extension>" (e.g. "user--1234") is not a good device name
>> because it reveals information about my extension.
>> "device--<macaddress>" (e.g. "device--000414000001") is not a good
>> device name (and unusable for hot-desking) because of the false
>> assumption that user == device. Multiple SIP accounts/users could
>> live on the same physical device (manufacturers of SIP phones
>> commonly refer to them as "lines" or "identities").
>> "philipp" is not a good device name because that might be the
>> same as my extension.
>> "user--philipp" or more precisely "user--philipp-phone1",
>> "user--philipp-phone1" might work but reveals sensitive
>> information. (How hard is it to guess that "philipp" could
>> be my extension?)
>> So what about completely random names such as "account--2hs9n"?
>> But then again I still need to think about what influence this
>> might have on SIP <--> ISDN interworking for example.
> Historically "-" has been a bad choice too, I don't know the state of  
> that
> in current code, but it confused device states.

You're definitely right about "-" confusing the device state engine in the past, 
but this has been widely fixed in current releases of Asterisk. I'll not claim 
that things are perfect as far as "-" in device names, but if you use a release 
of Asterisk from 1.4.22 or beyond, then the appropriate fix(es) are present.

Sorry to threadjack, but just thought that I'd get this in for the archives just 
in case.

Mark Michelson

More information about the asterisk-dev mailing list