[asterisk-dev] chan_sip SIP Authentication

Johansson Olle E oej at edvina.net
Fri Jan 30 09:58:12 CST 2009


On 30 Jan 2009, at 16:50, Mark Michelson wrote:

> Johansson Olle E wrote:
>> On 30 Jan 2009, at 04:13, Philipp Kempgen wrote:
>>
>>> Johansson Olle E wrote:
>>>>> Klaus Darilion wrote:
>>>>>> I think changing the priority (peer before user) might be a
>>>>>> solution as well. Actually if someone uses "peers" for gateways
>>>>>> and "users" for SIP clients IMO the gateways should have higher
>>>>>> priority. Another matching option would be the order in sip.conf.
>>>> But the recommendation still stands: You shalt not mix namespaces.
>>> Just that there are no namespaces. A separate namespace for device
>>> names has to be simulated by prefixing them with something that is
>>> guaranteed not to be found in an extension, such as "device--",
>>> provided the admin doesn't allow "--" in extensions.
>>>
>>> For obvious reasons it would be a bad idea to prefix extensions
>>> with an artificial string.
>>>
>>>> You will confuse yourself and, if you are a service provider,
>>>> reveal phone numbers in signalling that in some cases are supposed
>>>> to be hidden. In Sweden, that will even be against regulation.
>>> Is it ok to reveal device names then?
>>>
>>> And BTW: Thanks for adding
>>> http://svn.digium.com/view/asterisk/branches/1.4/configs/sip.conf.sample?r1=142865&r2=171837
>>>
>>> I guess one of the reasons Dial(SIP/${EXTEN}) is so incredibly
>>> popular is that there is no best practice type of explanation on
>>> how to make up good device names which
>>> a) are not the same as extensions (/phone numbers)
>>> b) do not reveal any information about extensions (/phone numbers)
>>> c) are not MAC addresses because that would reveal sensitive
>>>  information as well
>>> d) are not MAC addresses or anything that has a 1:1 relationship
>>>  to physical devices
>>>
>>> For gateways that's easy. Just call them "gateway1" or something.
>>>
>>> For users (I'm not necessarily referring to type=user here) it's
>>> a bit harder and there is a wording issue: device (hardware) !=
>>> user.
>>>
>>> "user--<extension>" (e.g. "user--1234") is not a good device name
>>> because it reveals information about my extension.
>>>
>>> "device--<macaddress>" (e.g. "device--000414000001") is not a good
>>> device name (and unusable for hot-desking) because of the false
>>> assumption that user == device. Multiple SIP accounts/users could
>>> live on the same physical device (manufacturers of SIP phones
>>> commonly refer to them as "lines" or "identities").
>>>
>>> "philipp" is not a good device name because that might be the
>>> same as my extension.
>>> "user--philipp" or more precisely "user--philipp-phone1",
>>> "user--philipp-phone1" might work but reveals sensitive
>>> information. (How hard is it to guess that "philipp" could
>>> be my extension?)
>>>
>>> So what about completely random names such as "account--2hs9n"?
>>>
>>> But then again I still need to think about what influence this
>>> might have on SIP <--> ISDN interworking for example.
>>>
>>
>> Historically "-" has been a bad choice too, I don't know the state of
>> that in current code, but it confused device states.
>
> You're definitely right about "-" confusing the device state engine
> in the past, but this has been widely fixed in current releases of
> Asterisk. I'll not claim that things are perfect as far as "-" in
> device names, but if you use a release of Asterisk from 1.4.22 or
> beyond, then the appropriate fix(es) are present.
>
> Sorry to threadjack, but just thought that I'd get this in for the
> archives just in case.
>
It was a hook for someone like you to catch :-)

Thanks for the response.

/O
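
An added example, not part of the original thread or of Asterisk: a Python check over a constructed sip.conf fragment that flags device names breaking criteria a) to c) from the quoted list, plus a generator for random names in the "account--2hs9n" style. The function names, the sample config and the extension set are assumptions made for illustration.

```python
import re
import secrets

# Constructed sample input: sip.conf section names and dialplan extensions.
SAMPLE_SIP_CONF = """\
[general]
context=default
[1234]
type=friend
[user--1234]
type=friend
[device--000414000001]
type=friend
[philipp]
type=friend
[gateway1]
type=peer
[account--2hs9n]
type=friend
"""
SAMPLE_EXTENSIONS = {"1234", "philipp"}

# Twelve hex digits, optionally separated pairwise, anywhere in the name.
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}", re.I)
SPECIAL_SECTIONS = {"general", "authentication"}  # not device definitions
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def audit_device_names(sip_conf, extensions):
    """Return {device_name: [problems]} for names that break criteria a) to c)."""
    findings = {}
    for name in re.findall(r"^\[([^\]]+)\]", sip_conf, re.M):
        if name in SPECIAL_SECTIONS:
            continue
        problems = []
        if name in extensions:
            problems.append("same as an extension")
        elif any(ext in name for ext in extensions):
            # Substring heuristic: very short extensions cause false positives.
            problems.append("contains an extension")
        if MAC_RE.search(name):
            problems.append("looks like a MAC address")
        if problems:
            findings[name] = problems
    return findings

def new_device_name(extensions, taken, length=5):
    """Random name that is unused and embeds no extension (an identifier, not a secret)."""
    while True:
        suffix = "".join(secrets.choice(ALPHABET) for _ in range(length))
        name = "account--" + suffix
        if name not in taken and not any(ext in name for ext in extensions):
            return name
```

Criterion d) cannot be judged from the name alone, so it is not checked here; the dialplan then needs an explicit extension-to-device mapping instead of Dial(SIP/${EXTEN}).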


