[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Kai Hoerner kai at ciphron.de
Tue Nov 17 09:25:32 CST 2009


Tzafrir Cohen wrote:
> The problem is not guest users. The problem is unintended relays
> from one trunk to another. If you unintentionally allow authenticated
> incoming SIP calls to make outgoing paid calls[1].
>
> The basic tool Asterisk has for authorization[2] is dialplan contexts.
>
>
> So, consider a sample context such as:
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
> [incoming]
> ; A separate context for incoming calls:
> ; We don't trust those callers, and thus only allow them the things they
> ; really need:
> include => demo
> ; Make sure this context will not allow outgoing calls through a paid
> ; trunk.
>
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
> We must remember that the sample dialplan is mostly documentation. There 
> are those who use it, but most people just write dialplan from scratch.
>
> [1] I use "paid calls" for the sake of clarity. It may be paid PSTN
> calls, paid SIP calls, or maybe some unpaid calls you assume those
> incoming callers should not be able to do. For instance, a special
> extension to switch between day-time and night-time.
>
> [2] don't mix authorization and authentication.
>   
> I still don't agree. I believe that focusing on guests here misses the

Hi Tzafrir,

I do not see where I mixed up authorization and authentication.

Authenticated users are not automatically authorized to use special 
extensions for dialout or internal day/night switches for example.
That's where the contexts come into play. [2]

Authenticated trunks/peers/friends/users should have a context 
specified, that authorizes them for the use of a set of extensions.
If it is not specified, the "defaultcontext" is inherited, okay.

I suggested an additional option like "guest_context" to separate 
"unauthenticated" (guest) calls from "authenticated but maybe not 
authorized" (trunk) calls.
With the solution as-is, both of them end up in the default context.

I do not understand how unintended relay applies at all to this topic.
Isn't bad dialplan design a configuration issue?

It is, but this difficulty can be aided by adding more control over what 
calls go into which context.


Regards,

Kaii
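
The situation discussed in this message, where guest calls and authenticated peers without their own context end up in the same context, can be checked for in an existing configuration. The following is an added example, not part of the original post and not Asterisk project code; the sample sip.conf, the peer names and the `audit` helper are constructed for illustration, and it assumes an unset `context` in `[general]` means `default` and an unset `allowguest` means `yes`.

```python
SAMPLE_SIP_CONF = """\
; constructed sample, not taken from the thread
[general]
context=default
; allowguest not set

[provider-trunk]
type=peer
secret=placeholder

[phone-101]
type=friend
secret=placeholder
context=internal
"""

def parse_sections(text):
    """Minimal sip.conf reader: {section: {key: last value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return findings for guest access and for peers that share the guest context."""
    sections = parse_sections(text)
    general = sections.get("general", {})
    # Assumptions: unset context means "default"; unset allowguest means "yes".
    guest_ctx = general.get("context", "default")
    guests_on = general.get("allowguest", "yes").lower() not in ("no", "false", "0", "off")
    findings = []
    if guests_on:
        findings.append(f"general: guest calls are accepted into [{guest_ctx}]")
    for name, opts in sections.items():
        if name == "general" or "type" not in opts:
            continue
        if opts.get("context", guest_ctx) == guest_ctx:
            how = "explicitly" if "context" in opts else "by inheritance"
            findings.append(f"{name}: uses the [general] context [{guest_ctx}] {how}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SIP_CONF):
        print(finding)
```

A clean result only says that every peer has its own context; whether that context can reach a paid trunk still has to be reviewed in extensions.conf.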


