<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Mon, Nov 4, 2013 at 2:21 AM, Eugene Varnavsky <span dir="ltr"><<a href="mailto:varnavruz@gmail.com" target="_blank">varnavruz@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Hello!<br><br></div><div>I have opened a bug report (ASTERISK-22820) and submitted a patch, but, as Michael L. Young suggested there, it worth to discuss the issue in this mailing list first.<br>
<p>Starting from draft 2 of RFC 5456 (October 23, 2006) plaintext auth
is taken out from specifications of IAX2 protocol. Please refer to section 8.6.3 of RFC
5456. Reasons are obvious - it is very, very unsafe to send plaintext passwords over the net.<br></p></div></div></blockquote><div style>Section 8.6.3 of RFC 5456 is "CALLING ANI": <a href="http://tools.ietf.org/html/rfc5456">http://tools.ietf.org/html/rfc5456</a>. I'm guessing that isn't what you were referring to.</div>
<div style><br></div><div style>Section 10 however says the following:</div><div style><br></div><pre class="" style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"> IAX registration is an area that requires careful attention.
Previous protocol versions supported cleartext passwords; this
feature has been eliminated. The MD5 and RSA alternatives offer much
higher security. </pre><pre class="" style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"><span style="font-family:arial;font-size:small;color:rgb(34,34,34)"><br></span></pre><pre class="" style="margin-top:0px;margin-bottom:0px">
<font color="#000000" face="arial, helvetica, sans-serif">And in Section 12:</font></pre><pre class="" style="margin-top:0px;margin-bottom:0px"><font color="#000000" face="arial, helvetica, sans-serif"><br></font></pre><pre class="" style="margin-top:0px;margin-bottom:0px">
<pre class="" style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"> With regards to security, many IAX implementations permit cleartext
authentication. This method is not secure and should not be used.</pre></pre><pre class="" style="margin-top:0px;margin-bottom:0px"><font color="#000000" face="arial, helvetica, sans-serif"><br></font></pre><pre class="" style="margin-top:0px;margin-bottom:0px">
<font color="#000000" face="arial, helvetica, sans-serif">So the clearest indication we have is that implementations SHOULD NOT (capitalization mine) implement clear text authentication. Not surprising.</font></pre><pre class="" style="margin-top:0px;margin-bottom:0px">
<font color="#000000" face="arial, helvetica, sans-serif"><br></font></pre><pre class="" style="margin-top:0px;margin-bottom:0px"><font color="#000000" face="arial, helvetica, sans-serif">A SHOULD NOT is not a MUST NOT or SHALL NOT. A SHOULD NOT has the following meaning (RFC 2119, </font><a href="http://tools.ietf.org/html/rfc2119" style="font-family:arial">http://tools.ietf.org/html/rfc2119</a>)<span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif">:</span></pre>
<pre class="" style="margin-top:0px;margin-bottom:0px"><font color="#000000" face="arial, helvetica, sans-serif"><br></font></pre><pre class="" style="margin-top:0px;margin-bottom:0px"><pre style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)">
<span class="" style="line-height:0pt;display:inline;font-size:1em;font-weight:bold"><h2 style="line-height:0pt;display:inline;font-size:1em"><a class="" name="section-4" href="http://tools.ietf.org/html/rfc2119#section-4" style="color:black;text-decoration:none">4</a>. SHOULD NOT </h2>
</span> This phrase, or the phrase "NOT RECOMMENDED" mean that
there may exist valid reasons in particular circumstances when the
particular behavior is acceptable or even useful, but the full
implications should be understood and the case carefully weighed
before implementing any behavior described with this label.</pre><pre style="font-size:1em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"><br></pre><pre style="margin-top:0px;margin-bottom:0px;color:rgb(0,0,0)"><font face="arial, helvetica, sans-serif">I'm saying all of this to point out that the implementation of chan_iax2 is not wrong, nor is it out of compliance with RFC 5456. It just has an option which is, quite frankly, a bad thing to use. You really shouldn't use it. But that does not mean that it is out of compliance with RFC 5456 by including it.</font></pre>
</pre><div> </div><div style>None of this is to say that it shouldn't be removed at some point, just that we shouldn't flame chan_iax2 too much :-)</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><p></p>
But plaintext auth is still supported by Asterisk implementation of IAX2.<br><br></div><div>I propose number of solutions, from more to less radical. Choose one:<br><br></div><div>1. Remove plaintext auth support completely (patch does this)<br>
</div><div>2. Accept, but never send plaintext passwords<br></div><div>3. Accept and send plaintext passwords, but never use plaintext auth by default (current defaults are MD5 first, plaintext second)<br></div><div>4. Declare plaintext auth deprecated, add warnings to logs and documentation<br>
</div><div><br></div><div>I will make a patch for any of these variants, based on what community decides.<br></div></div>
<br></blockquote><div><br></div><div style>Here's what I'd recommend:</div><div style><ul style><li style>In Asterisk 12, patch chan_iax2 to emit a WARNING if auth=plaintext is used. That WARNING should tell a user that the option is deprecated.<br>
</li><ul style><li style>Additionally, add a note in UPGRADE that the plaintext option has been deprecated.</li></ul><li style> In trunk (Asterisk 13), remove support for "plaintext". This means:</li><ul style><li style>
If a user specified "plaintext", emit an ERROR and reject loading chan_iax2. Users should not be allowed to load the channel driver with an invalid configuration, and you don't want to "help them" with their authentication options.</li>
<li style>Remove support for plaintext authentication in the code.</li><li style>Add a note in UPGRADE that support for plaintext has been removed.</li></ul></ul><div style>Matt</div><div style><br></div></div></div>-- <br>
<div dir="ltr"><div>Matthew Jordan<br></div><div>Digium, Inc. | Engineering Manager</div><div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div><div>Check us out at: <a href="http://digium.com" target="_blank">http://digium.com</a> & <a href="http://asterisk.org" target="_blank">http://asterisk.org</a></div>
</div>
</div></div>