[asterisk-dev] Plaintext auth support in IAX2

Matthew Jordan mjordan at digium.com
Mon Nov 4 11:10:23 CST 2013 

On Mon, Nov 4, 2013 at 2:21 AM, Eugene Varnavsky <varnavruz at gmail.com>wrote:

> Hello!
>
> I have opened a bug report (ASTERISK-22820) and submitted a patch, but, as
> Michael L. Young suggested there, it worth to discuss the issue in this
> mailing list first.
>
> Starting from draft 2 of RFC 5456 (October 23, 2006) plaintext auth is
> taken out from specifications of IAX2 protocol. Please refer to section
> 8.6.3 of RFC 5456. Reasons are obvious - it is very, very unsafe to send
> plaintext passwords over the net.
>
Section 8.6.3 of RFC 5456 is "CALLING ANI":
http://tools.ietf.org/html/rfc5456. I'm guessing that isn't what you were
referring to.

Section 10 however says the following:

  IAX registration is an area that requires careful attention.
   Previous protocol versions supported cleartext passwords; this
   feature has been eliminated.  The MD5 and RSA alternatives offer much
   higher security.


And in Section 12:


   With regards to security, many IAX implementations permit cleartext
   authentication.  This method is not secure and should not be used.


So the clearest indication we have is that implementations SHOULD NOT
(capitalization mine) implement clear text authentication. Not
surprising.


A SHOULD NOT is not a MUST NOT or SHALL NOT. A SHOULD NOT has the
following meaning (RFC 2119, http://tools.ietf.org/html/rfc2119):


4 <http://tools.ietf.org/html/rfc2119#section-4>. SHOULD NOT   This
phrase, or the phrase "NOT RECOMMENDED" mean that
   there may exist valid reasons in particular circumstances when the
   particular behavior is acceptable or even useful, but the full
   implications should be understood and the case carefully weighed
   before implementing any behavior described with this label.


I'm saying all of this to point out that the implementation of
chan_iax2 is not wrong, nor is it out of compliance with RFC 5456. It
just has an option which is, quite frankly, a bad thing to use. You
really shouldn't use it. But that does not mean that it is out of
compliance with RFC 5456 by including it.


None of this is to say that it shouldn't be removed at some point, just
that we shouldn't flame chan_iax2 too much :-)

But plaintext auth is still supported by Asterisk implementation of IAX2.
>
> I propose number of solutions, from more to less radical. Choose one:
>
> 1. Remove plaintext auth support completely (patch does this)
> 2. Accept, but never send plaintext passwords
> 3. Accept and send plaintext passwords, but never use plaintext auth by
> default (current defaults are MD5 first, plaintext second)
> 4. Declare plaintext auth deprecated, add warnings to logs and
> documentation
>
> I will make a patch for any of these variants, based on what community
> decides.
>
>
Here's what I'd recommend:

   - In Asterisk 12, patch chan_iax2 to emit a WARNING if auth=plaintext is
   used. That WARNING should tell a user that the option is deprecated.
   - Additionally, add a note in UPGRADE that the plaintext option has been
      deprecated.
   -  In trunk (Asterisk 13), remove support for "plaintext". This means:
      - If a user specified "plaintext", emit an ERROR and reject loading
      chan_iax2. Users should not be allowed to load the channel driver with an
      invalid configuration, and you don't want to "help them" with their
      authentication options.
      - Remove support for plaintext authentication in the code.
      - Add a note in UPGRADE that support for plaintext has been removed.

Matt

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20131104/3d90565e/attachment.html>

More information about the asterisk-dev mailing list