<html>
<body>
<div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
<table bgcolor="#f9f3c9" width="100%" cellpadding="8" style="border: 1px #c9c399 solid;">
<tr>
<td>
This is an automatically generated e-mail. To reply, visit:
<a href="https://reviewboard.asterisk.org/r/4379/">https://reviewboard.asterisk.org/r/4379/</a>
</td>
</tr>
</table>
<br />
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<p style="margin-top: 0;">On January 29th, 2015, 10:23 p.m. UTC, <b>Mark Michelson</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<table width="100%" border="0" bgcolor="white" style="border: 1px solid #C0C0C0; border-collapse: collapse; margin: 2px; padding: 2px;">
<thead>
<tr>
<th colspan="4" bgcolor="#F0F0F0" style="border-bottom: 1px solid #C0C0C0; font-size: 9pt; padding: 4px 8px; text-align: left;">
<a href="https://reviewboard.asterisk.org/r/4379/diff/1/?file=71114#file71114line41" style="color: black; font-weight: bold; text-decoration: underline;">/branches/13/configs/examples/super_awesome_company/pjsip.conf</a>
<span style="font-weight: normal;">
(Diff revision 1)
</span>
</th>
</tr>
</thead>
<tbody>
<tr>
<th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>
<td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>
<th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">41</font></th>
<td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; ">[0019159BF771](endpoint-basic)</pre></td>
</tr>
</tbody>
</table>
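<p>Review bot: the section header on line 41, <code>[0019159BF771](endpoint-basic)</code>, makes the phone's MAC address the endpoint name, so the same value is what the dialplan dials, what hints reference and, as the comments in this thread assume, what the phone authenticates as; replacing a handset then means editing that value everywhere it appears. The compromise reached further down the thread keeps the hard-to-guess value only where it buys something, the auth object's username, and names the endpoint, aor and auth sections by extension number. When the diff is revised, this header would become the extension (for example <code>[107](endpoint-basic)</code>) with the MAC moved to <code>username=</code> in the matching auth section, and the README in this change set should state that convention so administrators do not reintroduce the MAC into section names.</p>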
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">I'm curious why you elected to use MAC addresses as the endpoint names.
I'd personally find things a lot easier to configure/maintain if the SIP endpoint/aor/auth name is the same as the voicemail box number is the same as the extension number, etc.
This also means that if Lindsey does some crazy extreme stunt that smashes her phone, then when she replaces it with a new one, you're going to have to change config values everywhere to have the new MAC address of the phone.</pre>
</blockquote>
<p>On January 29th, 2015, 10:45 p.m. UTC, <b>Matt Jordan</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Hm. I think that's usually one of those "best practices". You generally don't want the auth user to be easily guessed.
Of course, we could split the concept of the endpoint name from the auth user, which would then allow the endpoints to be named 107 (for example) and the auth user to be her MAC address.</pre>
</blockquote>
<p>On January 30th, 2015, 1:07 p.m. UTC, <b>Joshua Colp</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">I think in practice this would just cause problems. Not all devices allow those two things to be separate. It's annoying.</pre>
</blockquote>
<p>On January 30th, 2015, 6:19 p.m. UTC, <b>Mark Michelson</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">SAC uses Digium phones, and Digium phones allow separate user and authuser to be specified.</pre>
</blockquote>
<p>On January 30th, 2015, 6:34 p.m. UTC, <b>Joshua Colp</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Your statement is true but it would be nice if we could err on the side of not falling into a trap of doing fundamental stuff which isn't applicable to the wide world.</pre>
</blockquote>
<p>On February 6th, 2015, 1:54 a.m. UTC, <b>rnewton</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">I used MAC addresses as that is what we use as an example in our security best practices document: http://svnview.digium.com/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt?view=markup
Perhaps this is a moot point. SAC's Asterisk system is behind NAT and firewall, so we could change the spec to specify that IT has locked down traffic between Asterisk and the public internet to only allow inbound traffic from the ITSP addresses.
Or, on Asterisk we can use ACLs to limit traffic allowed to the internal network and ITSP addresses.
With either of those approaches we should be able to use the less secure extension numbered auth users.
What would be the issues with either of these approaches, other than an attacker on the internal network?</pre>
</blockquote>
<p>On February 11th, 2015, 5:57 p.m. UTC, <b>Matt Jordan</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">I think we need to come to some concurrence here so that the diffs can get updated. I suspect there are going to be additional rounds of review.
The purpose of this set of example configs is to provide a base for a recommended deployment. Regardless of the scheme chosen, the example absolutely should use the best practices so that people have a secure system. If someone wants to use 'alice' and 'bob' for their names, that may be suitable for some examples, but not suitable for a recommended deployment.
I don't care if we use MAC address or something else that is suitably difficult to guess, but MAC address is what A:TDG recommends [1] as well as our README-SERIOUSLY [2], and that feels like a decent starting point.
[1] http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/DeviceConfig_id216341.html#DeviceConfig_id291081
[2] http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt</pre>
</blockquote>
</blockquote>
<pre style="margin-left: 1em; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Looks like the best compromise is splitting out the user ID and auth name. Therefore the endpoint, aor, auth objects will be the extension number and the auth usernames will be the MAC address. We still have security, things are easier to administrate and the only downside is the config won't work as well for some phones. That being said, even some cheap generic phones I had lying around were able to configure a separate user ID/account and auth name.
This also makes other parts of the dialplan easier, hints and no crazy variable mapping for the endpoint names.</pre>
<br />
<p>- rnewton</p>
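<p>The compromise rnewton describes above, written out as an added example for this page; it is not the pjsip.conf from the patch under review. The transport settings, the context name, extension 107 for Lindsey (Matt's "107 (for example)") and the password are assumptions; the MAC 0019159BF771 is the one shown in the diff.</p>

```ini
; Added example of the endpoint/auth-name split discussed in this review;
; not the pjsip.conf from the patch. Transport, context name, extension 107
; and the password are assumptions; the MAC is the one from the diff.

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

; Templates shared by every desk phone.
[endpoint-basic](!)
type=endpoint
context=from-internal
disallow=all
allow=ulaw
direct_media=no
; Match inbound requests to an endpoint by the From user, which the phone
; sends as its "user ID" (the extension), not by its auth name.
identify_by=username

[aor-basic](!)
type=aor
max_contacts=1
qualify_frequency=30

[auth-basic](!)
type=auth
auth_type=userpass

; Extension 107: endpoint, aor and auth all carry the extension number, so
; the dialplan, hints and mailbox settings can refer to "107" directly...
[107](endpoint-basic)
aors=107
auth=107
callerid="Lindsey <107>"
mailboxes=107@default

[107](aor-basic)

; ...while the credential the phone presents is the hard-to-guess MAC.
; Swapping a broken handset changes this one line, not every object name.
[107](auth-basic)
username=0019159BF771
password=REPLACE-WITH-LONG-RANDOM-SECRET
```

<p>On the phone, the "user ID"/account field is 107 and the separate "auth name" field is the MAC; Asterisk matches the From user to endpoint 107 and then verifies the Digest response against auth 107. A phone that cannot separate the two fields would have to send the MAC as its user ID, which is the incompatibility rnewton accepts as the downside of this layout.</p>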
<br />
<p>On January 27th, 2015, 7:15 p.m. UTC, rnewton wrote:</p>
<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="8" style="background-image: url('https://reviewboard.asterisk.org/static/rb/images/review_request_box_top_bg.ab6f3b1072c9.png'); background-position: left top; background-repeat: repeat-x; border: 1px black solid;">
<tr>
<td>
<div>Review request for Asterisk Developers.</div>
<div>By rnewton.</div>
<p style="color: grey;"><i>Updated Jan. 27, 2015, 7:15 p.m.</i></p>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt;">Repository: </b>
Asterisk
</div>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">One of the things discussed at the last AstriDevCon was better documentation (for everything!), but in particular, we mentioned needing some example configurations that pertain to a real-world scenario. That is, as opposed to the current "sample" files which are sort of all over the place at this point.
This patch proposes a basic and minimal configuration of Asterisk to satisfy the requirements for the first phase of Super Awesome Company's implementation of Asterisk.
I will submit four separate patches for the first phase, so that we don't have to review the entire thing all at once. This review is for the first patch.
Who is Super Awesome Company? See https://wiki.asterisk.org/wiki/display/AST/Super+Awesome+Company
For the first patch, I am attempting to satisfy the below requirements. The patch does not include a new make target, as I believe Matt Jordan offered to handle that.
SAC requires:
* PJSIP connectivity for all employee desk phones.
* The ability for employees to call one another inside of the office.
* Voicemail boxes for each of the employees.
"Basic" configuration
We want SAC to have a clean system. That means:
* No 'autoload' in modules.conf. Explicitly load a basic configuration. If SAC doesn't need the module, don't load it.
* Every module loaded should have a configuration file that is appropriate for it. This includes all the 'core' things that need configuration.
pjsip.conf
* A PJSIP configuration for their desk phones. Assume every endpoint that is a phone has:
* A voicemail mailbox that they can subscribe to
* A hint for their device
* Note that the PJSIP configuration should adhere to best practices. That means MAC addresses for device names, etc.
extensions.conf
* A safe dialplan for intra-company communication. This should be templated out so that it is trivial to add additional devices (use pattern matching/pattern matching hints, etc.)
* Receiving a Busy/Unavailable should result in going to VoiceMail
* A user should be able to dial something and get to their VoiceMailMain without having to enter in their extension number
* Note that mapping of MAC address endpoints to extension numbers should be done in some fashion that is easily extensible.
voicemail.conf
* Set up mailboxes for every person in SAC. Assign 'default' pins. Create reasonable basic settings.
* Do not set up e-mail or pager addresses.
REVIEW?
Please, if possible look at this from a few angles:
* Use the configuration, configure a couple phones and call between them. Leave voicemails and retrieve them.
* Have I created any security issues?
* Is my dialplan easy to understand?
* Could anything be done more efficiently without making it over-complicated?
* Have I over-complicated anything?
* Are there any critical settings I'm missing from any of the files?
A couple, more specific questions:
* We have sample configs in /configs/samples; what directory do we want these configurations in? (I used /configs/examples for now, but I don't really like it)
* We have the make target "make samples" for the current samples; what do we want for these new configs?</pre>
</td>
</tr>
</table>
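<p>The extensions.conf requirements listed above (pattern-matched dialing and hints, Busy/Unavailable going to voicemail, VoiceMailMain without typing the mailbox number), as an added example dialplan for this page rather than the patch's own file. It assumes the PJSIP endpoint, aor and auth objects are named by extension (1XX) as the discussion settles on, that each extension has a mailbox of the same number in voicemail context "default", and that *98 is the feature code for checking voicemail; the RINGTIME value is also an assumption.</p>

```ini
; Added example dialplan for the review's requirements; not the
; extensions.conf from the patch. Assumes endpoints named by extension
; (1XX), one mailbox per extension in context "default", and *98 as the
; voicemail feature code.

[general]
static=yes
writeprotect=yes

[globals]
; Seconds a desk phone rings before the call falls through to voicemail.
RINGTIME=20

[from-internal]
; Pattern-match hint: a phone subscribing to 107 gets the state of
; PJSIP/107 without a per-device hint line.
exten => _1XX,hint,PJSIP/${EXTEN}

; Intra-office calls. Because the endpoint is named after the extension,
; dialing needs no MAC-to-extension lookup table.
exten => _1XX,1,NoOp(Internal call ${CALLERID(num)} -> ${EXTEN})
 same => n,Dial(PJSIP/${EXTEN},${RINGTIME})
; Dial falls through only when the call did not connect; branch on why.
 same => n,GotoIf($["${DIALSTATUS}" = "BUSY"]?busy)
 same => n,VoiceMail(${EXTEN}@default,u)
 same => n,Hangup()
 same => n(busy),VoiceMail(${EXTEN}@default,b)
 same => n,Hangup()

; Check your own voicemail without entering the mailbox number. The mailbox
; comes from the endpoint the call arrives on, not from a caller ID the
; phone could set itself, so one phone cannot reach another user's box.
exten => *98,1,NoOp(Voicemail access for endpoint ${CHANNEL(endpoint)})
 same => n,VoiceMailMain(${CHANNEL(endpoint)}@default)
 same => n,Hangup()

; Anything else dialed from a desk phone is rejected; keeping this context
; closed is what makes it a "safe" dialplan for the phones.
exten => i,1,Playback(invalid)
 same => n,Hangup()
```

<p>Adding a new phone is then a matter of adding its three pjsip.conf objects under a new 1XX name and a mailbox of the same number; the dialplan needs no change, and the hint pattern covers the new extension automatically.</p>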
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Testing </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Set up Asterisk with the configuration, connected up three phones using the first three users. Made calls between them all, left voicemails and retrieved them with all users. Verified MWI working with all phones.</pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs </h1>
<ul style="margin-left: 3em; padding-left: 0;">
<li>/branches/13/configs/examples/super_awesome_company/voicemail.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/pjsip.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/musiconhold.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/modules.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/logger.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/indications.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/extensions.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/asterisk.conf <span style="color: grey">(PRE-CREATION)</span></li>
<li>/branches/13/configs/examples/super_awesome_company/README <span style="color: grey">(PRE-CREATION)</span></li>
</ul>
<p><a href="https://reviewboard.asterisk.org/r/4379/diff/" style="margin-left: 3em;">View Diff</a></p>
</td>
</tr>
</table>
</div>
</body>
</html>