[asterisk-dev] [Code Review] 2554: Pimp my SIP: alwaysauthreject
Matthew Jordan
mjordan at digium.com
Fri Jun 7 07:37:57 CDT 2013
On 05/25/2013 02:15 AM, Olle E. Johansson wrote:
>
> 24 maj 2013 kl. 23:39 skrev Kevin Harwell <reviewboard at asterisk.org
> <mailto:reviewboard at asterisk.org>>:
>
>> Adds support for 'alwaysauthreject' to the new SIP channel driver. When the 'alwaysauthreject' option is set to 'yes' (default) and no matching endpoint is found for the incoming request, after challenging, Asterisk will respond with a 401 Unauthorized regardless of the reason it rejects the request.
>>
> Alwaysauthreject was a fix for a bug that existed in asterisk. We had to
> keep the old behaviour being afraid of breaking stuff out there.
>
> Why are we replicating the bug and the fix in a *new* channel driver? It
> doesn't make much sense. We have no old versions of this channel driver
> that's broken in production anywhere.
>
> Are there any use cases for discovery of sip accounts by getting a 404
> for non-existing accounts?
>
Forgetting for a second the current alwaysauthreject setting and how it
came to be...
As I understand it, the goal for Asterisk should be to prevent a
malicious attacker from enumerating valid endpoints in its SIP stack. If
I'm said malicious attacker, and I send a request for 1000, then 1001,
then 1002, etc. - I should get back the same responses for each
particular endpoint - even if they exist.
In general, if 1001 existed and 1002 did not exist - and we had no
setting to control this behaviour - then I would get a 401/403 (assuming
they didn't have the correct authentication) for 1001 and a 404 for
1002. I would thus know that 1001 existed.
The proposal is to always send the 401/403 pair when some setting is
enabled as opposed to the 404 response. I think Asterisk providing some
mechanism to make the responses all look the same is a useful security
setting, regardless of what we call it.
Is there a reason we shouldn't be doing this?
Matt
--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
More information about the asterisk-dev
mailing list