[asterisk-dev] [Code Review] 4379: Example configuration scenario - Super Awesome Company: Phase 1 - Patch 1

Matt Jordan reviewboard at asterisk.org
Wed Feb 11 11:57:46 CST 2015



> On Jan. 29, 2015, 4:23 p.m., Mark Michelson wrote:
> > /branches/13/configs/examples/super_awesome_company/pjsip.conf, line 41
> > <https://reviewboard.asterisk.org/r/4379/diff/1/?file=71114#file71114line41>
> >
> >     I'm curious why you elected to use MAC addresses as the endpoint names.
> >     
> >     I'd personally find things a lot easier to configure/maintain if the SIP endpoint/aor/auth name is the same as the voicemail box number is the same as the extension number, etc.
> >     
> >     This also means that if Lindsey does some crazy extreme stunt that smashes her phone, then when she replaces it with a new one, you're going to have to change config values everywhere to have the new MAC address of the phone.
> 
> Matt Jordan wrote:
>     Hm. I think that's usually one of those "best practices". You generally don't want the auth user to be easily guessed.
>     
>     Of course, we could split the concept of the endpoint name from the auth user, which would then allow the endpoints to be named 107 (for example) and the auth user to be her MAC address.
> 
> Joshua Colp wrote:
>     I think in practice this would just cause problems. Not all devices allow those two things to be separate. It's annoying.
> 
> Mark Michelson wrote:
>     SAC uses Digium phones, and Digium phones allow separate user and authuser to be specified.
> 
> Joshua Colp wrote:
>     Your statement is true but it would be nice if we could err on the side of not falling into a trap of doing fundamental stuff which isn't applicable to the wide world.
> 
> rnewton wrote:
>     I used MAC addresses as that is what we use as an example in our security best practices document: http://svnview.digium.com/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt?view=markup
>     
>     Perhaps this is a moot point. SAC's Asterisk system is behind NAT and firewall, so we could change the spec to specify that IT has locked down traffic between Asterisk and the public internet to only allow inbound traffic from the ITSP addresses.
>     
>     Or, on Asterisk we can use ACLs to limit traffic allowed to the internal network and ITSP addresses.
>     
>     With either of those approaches we should be able to use the less secure extension-numbered auth users.
>     
>     What would be the issues with either of these approaches other than an attacker on the internal network?

I think we need to come to some concurrence here so that the diffs can get updated. I suspect there are going to be additional rounds of review.

The purpose of this set of example configs is to provide a base for a recommended deployment. Regardless of the scheme chosen, the example absolutely should use the best practices so that people have a secure system. If someone wants to use 'alice' and 'bob' for their names, that may be suitable for some examples, but not suitable for a recommended deployment.

I don't care if we use MAC address or something else that is suitably difficult to guess, but MAC address is what A:TDG recommends [1] as well as our README-SERIOUSLY [2], and that feels like a decent starting point.

[1] http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/DeviceConfig_id216341.html#DeviceConfig_id291081
[2] http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt


- Matt


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4379/#review14377
-----------------------------------------------------------


On Jan. 27, 2015, 1:15 p.m., rnewton wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4379/
> -----------------------------------------------------------
> 
> (Updated Jan. 27, 2015, 1:15 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> One of the things discussed at the last AstriDevCon was better documentation (for everything!), but in particular, we mentioned needing some example configurations that pertain to a real-world scenario. That is, as opposed to the current "sample" files which are sort of all over the place at this point.
> 
> This patch proposes a basic and minimal configuration of Asterisk to satisfy the requirements for the first phase of Super Awesome Company's implementation of Asterisk.
> 
> I will submit four separate patches for the first phase, so that we don't have to review the entire thing all at once. This review is for the first patch.
> 
> Who is Super Awesome Company? See https://wiki.asterisk.org/wiki/display/AST/Super+Awesome+Company
> 
> For the first patch, I am attempting to satisfy the below requirements. The patch does not include a new make target, as I believe Matt Jordan offered to handle that.
> 
> SAC requires:
> 
>     * PJSIP connectivity for all employee desk phones.
>     * The ability for employees to call one another inside of the office.
>     * Voicemail boxes for each of the employees.
> 
> "Basic" configuration
> 
> We want SAC to have a clean system. That means:
> 
>     * No 'autoload' in modules.conf. Explicitly load a basic configuration. If SAC doesn't need the module, don't load it.
>     * Every module loaded should have a configuration file that is appropriate for it. This includes all the 'core' things that need configuration.
> 
> pjsip.conf
> 
>     * A PJSIP configuration for their desk phones. Assume every endpoint that is a phone has:
>         * A voicemail mailbox that they can subscribe to
>         * A hint for their device
>         * Note that the PJSIP configuration should adhere to best practices. That means MAC addresses for device names, etc.
> 
> extensions.conf
> 
>     * A safe dialplan for intra-company communication. This should be templated out so that it is trivial to add additional devices (use pattern matching/pattern matching hints, etc.)
>     * Receiving a Busy/Unavailable should result in going to VoiceMail
>     * A user should be able to dial something and get to their VoiceMailMain without having to enter in their extension number 
>     * Note that mapping of MAC address endpoints to extension numbers should be done in some fashion that is easily extensible.
> 
> voicemail.conf
> 
>     * Set up mailboxes for every person in SAC. Assign 'default' pins. Create reasonable basic settings.
>     * Do not set up e-mail or pager addresses.
> 
> 
> REVIEW?
> 
> Please, if possible look at this from a few angles:
> 
>  * Use the configuration, configure a couple phones and call between them. Leave voicemails and retrieve them.
>  * Have I created any security issues?
>  * Is my dialplan easy to understand?
>  * Could anything be done more efficiently without making it over-complicated?
>  * Have I over-complicated anything?
>  * Are there any critical settings I'm missing from any of the files?
> 
> A couple, more specific questions:
> 
>  * We have sample configs in /configs/samples; what directory do we want these configurations in? (I used /configs/examples for now, but I don't really like it)
>  * We have the make target "make samples" for the current samples; what do we want for these new configs?
> 
> 
> Diffs
> -----
> 
>   /branches/13/configs/examples/super_awesome_company/voicemail.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/pjsip.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/musiconhold.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/modules.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/logger.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/indications.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/extensions.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/asterisk.conf PRE-CREATION 
>   /branches/13/configs/examples/super_awesome_company/README PRE-CREATION 
> 
> Diff: https://reviewboard.asterisk.org/r/4379/diff/
> 
> 
> Testing
> -------
> 
> Set up Asterisk with the configuration, connected up three phones using the first three users. Made calls between them all, left voicemails and retrieved them with all users. Verified MWI working with all phones.
> 
> 
> Thanks,
> 
> rnewton
> 
>
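
An added example, not part of the original e-mail or the reviewed patch: a small audit of pjsip.conf-style text that flags the two conditions debated in this thread, auth usernames short enough to guess (such as an extension number) and the absence of any type=acl section. The 8-character threshold, the sample sections, the MAC, the subnet and the secrets are all constructed assumptions; template inheritance is not resolved.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]")

def parse_sections(text):
    """Return [(section_name, {key: value})]; names may repeat, as in pjsip.conf."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text, min_len=8):
    """Flag short auth usernames and a config with no ACL section."""
    sections = parse_sections(text)
    findings = [(name, "short auth username: " + o.get("username", ""))
                for name, o in sections
                if o.get("type") == "auth" and len(o.get("username", "")) < min_len]
    if not any(o.get("type") == "acl" for _, o in sections):
        findings.append(("(global)", "no type=acl section"))
    return findings

# Constructed samples: extension-numbered auth user vs. split endpoint name / auth user.
NUMBERED = """[107]
type=endpoint
auth=107
[107]
type=auth
username=107
password=placeholder-secret
"""

SPLIT = """[107]
type=endpoint
auth=107-auth
[107-auth]
type=auth
username=001122AABBCC
password=placeholder-secret
[internal-only]
type=acl
deny=0.0.0.0/0.0.0.0
permit=10.10.10.0/255.255.255.0
"""
```

Calling audit(NUMBERED) reports the guessable username and the missing ACL, while audit(SPLIT) returns an empty list.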
