[asterisk-dev] Reminder: Matching peers on contact in invite is wrong and potentially dangerous.
Russell Bryant
russell at digium.com
Thu Sep 3 11:22:20 CDT 2009
Olle E. Johansson wrote:
> Just a reminder. We need to fix this as this is an issue in released
> code.
>
> A) It changes the current behaviour without proper documentation. We
> should not do that. We should add config option to change matching.
> B) Relying on contact for matching incoming calls is, well, just plain
> wrong and with the current TCP implementation open for bad stuff to
> happen.
>
> I still don't understand the comment about not being able to get the
> sender's address for TCP connections? That the port is different is
> well known, so we will have to stick with matching on IP and document
> it carefully. That is an existing function in the peer matching and we
> can turn that on by default for TCP with or without TLS. And document
> it everywhere possible.
>
> From sip.conf.sample:
>
> ;insecure=port ; Allow matching of peer by IP address without
> ; matching port number
Thanks a lot for your input on this issue. I should have remembered
about insecure=port earlier! I have discussed this with David Vossel,
and we'll get it fixed up very soon.
--
Russell Bryant
Digium, Inc. | Engineering Manager, Open Source Software
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: www.digium.com & www.asterisk.org
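The difference between the two matching strategies discussed in this thread, as an added example that is not part of the original message and is not Asterisk code: the `peer` structure, the function names and the addresses are hypothetical, and `ignore_port` only models the documented effect of `insecure=port`. The constructed case is a connection arriving from 198.51.100.7 whose INVITE names 192.0.2.10 in its Contact header.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical peer entry for illustration; not Asterisk's own structure. */
struct peer {
    const char *name;
    const char *host;     /* configured IPv4 address */
    unsigned short port;  /* configured port */
    int ignore_port;      /* models insecure=port */
};
/* Constructed sample table using documentation address ranges. */
static const struct peer peers[] = {
    { "trunk-tcp", "192.0.2.10", 5060, 1 },  /* TCP peer: source port is ephemeral */
    { "trunk-udp", "192.0.2.20", 5060, 0 },
};
#define NPEERS (sizeof(peers) / sizeof(peers[0]))

/* Match on the address the socket layer reports for the connection.
 * No SIP header is consulted, so message content cannot select the peer. */
const struct peer *match_by_source(const char *src_ip, unsigned short src_port)
{
    struct in_addr src, cfg;
    if (inet_pton(AF_INET, src_ip, &src) != 1)
        return NULL;
    for (size_t i = 0; i < NPEERS; i++) {
        if (inet_pton(AF_INET, peers[i].host, &cfg) != 1 || cfg.s_addr != src.s_addr)
            continue;
        if (peers[i].ignore_port || peers[i].port == src_port)
            return &peers[i];
    }
    return NULL;
}

/* The matching the thread objects to: the Contact host is sender-supplied text. */
const struct peer *match_by_contact(const char *contact_host)
{
    for (size_t i = 0; i < NPEERS; i++)
        if (strcmp(peers[i].host, contact_host) == 0)
            return &peers[i];
    return NULL;
}

int main(void)
{
    /* Same constructed request evaluated both ways. */
    printf("by contact: %s\n", match_by_contact("192.0.2.10") ? "peer matched" : "no peer");
    printf("by source:  %s\n", match_by_source("198.51.100.7", 40211) ? "peer matched" : "no peer");
    return 0;
}
```

With the port ignored, every host behind the peer's IP address matches the same peer, which is why the quoted message asks for that behaviour to be documented carefully.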