[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Nov 17 10:08:34 CST 2009


On Tue, Nov 17, 2009 at 04:25:32PM +0100, Kai Hoerner wrote:
> Tzafrir Cohen wrote:
> > The problem is not guest users. The problem is unintended relays
> > from one trunk to another. If you unintentionally allow authenticated
> > incoming SIP calls to make outgoing paid calls[1].
> >
> > The basic tool Asterisk has for authorization[2] is dialplan contexts.
> >
> >
> > So, consider a sample context such as:
> >
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> >
> > [incoming]
> > ; A separate context for incoming calls:
> > ; We don't trust those callers, and thus only allow them the things they
> > ; really need:
> > include => demo
> > ; Make sure this context will not allow outgoing calls through a paid
> > ; trunk.
> >
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> > ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> >
> > We must remember that the sample dialplan is mostly documentation. There 
> > are those who use it, but most people just write dialplan from scratch.
> >
> > [1] I use "paid calls" for the sake of clarity. It may be paid PSTN
> > calls, paid SIP calls, or maybe some unpaid calls you assume those
> > incoming callers should not be able to do. For instance, a special
> > extension to switch between day-time and night-time.
> >
> > [2] don't mix authorization and authentication.
> >   
> > I still don't agree. I believe that focusing on guests here misses the
> 
> Hi Tzafrir,
> 
> I do not see where I mixed up authorization and authentication.

That was a general comment, and I was not referring to anything specific
in the discussion.

> 
> Authenticated users are not automatically authorized to use special 
> extensions for dialout or internal day/night switches for example.
> That's where the contexts come into play. [2]
> 
> Authenticated trunks/peers/friends/users should have a context 
> specified, that authorizes them for the use of a set of extensions.
> If it is not specified, the "defaultcontext" is inherited, okay.
> 
> I suggested an additional option like "guest_context" to separate 
> "unauthenticated" (guest) calls from "authenticated but maybe not 
> authorized" (trunk) calls.

As per that comment, the dialplan is exactly about authorization. There
are no unauthorized actions in the dialplan[1].

You can set up an arbitrary variable at channel creation time (e.g.:
'setvar').

Sounds like we could really use a dummy entry for the "guest user"[2]
in sip.conf . So you could set up context, extra variables, language and
whatever. This sounds so simple and obvious, that there must be some
sound technical reasons why it won't work well.

> With the solution as-is, both of them end up in the default context.
> 
> I do not understand how unintended relay applies at all to this topic.
> Isn't bad dialplan design a configuration issue?

This whole problem is about bad dialplan design. It is about beginners
not planning their dialplan well.

I want to allow random Joe SIP user to call my phone. I consider this a
feature. This call takes out a bit of my bandwidth. But if this is a
problem, I can hang up.

I do not want Joe to call into my PBX and from there out through another
trunk.

> 
> It is, but this difficulty can be aided by adding more control over what 
> calls go into which context.

The dialplan already gives you good control.

> 
> 
> Regards,
> 
> Kaii

[1] Or rather: there may be some actions that the sysadmin thinks are
unauthorized but sadly are authorized.

[2] If Olle doesn't kill it first.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
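
An added example, not part of the original message and not Asterisk project code: a small Python check that walks `include =>` chains in a dialplan and lists the Dial() targets reachable from the context where untrusted calls land, which is the unintended relay discussed above. The sample dialplan, the `outbound` context and the trunk name `paidtrunk` are constructed; the check follows includes only, not Goto() or other jumps between contexts.

```python
import re

# Constructed sample extensions.conf (not from the original thread).
SAMPLE = """
[default]
include => demo
include => outbound   ; guests landing here inherit the paid trunk

[incoming]
include => demo       ; untrusted callers get only what they need

[demo]
exten => 1000,1,Playback(demo-congrats)

[outbound]
exten => _9.,1,Dial(SIP/paidtrunk/${EXTEN:1})
"""

def parse(text):
    """Return {context: {"includes": [...], "dials": [...]}}."""
    contexts, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (no \; escapes handled)
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            cur = contexts.setdefault(m.group(1), {"includes": [], "dials": []})
        elif cur is not None and (m := re.match(r"include\s*=>\s*(\S+)", line)):
            cur["includes"].append(m.group(1))
        elif cur is not None and (m := re.search(r"\bDial\(([^,)|]+)", line)):
            cur["dials"].append(m.group(1))  # first Dial() argument: the channel
    return contexts

def reachable_dials(contexts, start):
    """List (context, Dial target) pairs reachable from `start` via includes."""
    seen, stack, found = set(), [start], []
    while stack:
        name = stack.pop()
        if name in seen or name not in contexts:
            continue  # already visited (include loop) or undefined context
        seen.add(name)
        found += [(name, d) for d in contexts[name]["dials"]]
        stack.extend(contexts[name]["includes"])
    return found

if __name__ == "__main__":
    ctx = parse(SAMPLE)
    for entry in ("default", "incoming"):
        print(entry, "->", reachable_dials(ctx, entry) or "no Dial() reachable")
```

Run it against the context named in `context=` for each sip.conf entry, including the general section that guest calls fall into.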


