[asterisk-users] ip source aware Authentication

Alex Balashov abalashov at evaristesys.com
Sun Nov 15 15:12:24 CST 2009


Are you referring to the source address of the SIP REGISTER request 
itself?  If so, you can constrain that, but it would be fairly useless 
to spoof it in the general sort of way in which all IP spoofing is 
fairly pointless except in a few very particular scenarios, because 
the reply will not be routed back correctly to the real initiator.

A more serious problem is the IP address in the Contact binding of the 
user, which is the actual SIP URI to which incoming calls to a 
registrant are directed.  Without constraining this value, a user can, 
in principle, submit any Contact URI, including a Contact URI that 
contains a third-party destination, or, even worse, your own PSTN 
gateways (which process all calls from trusted IPs, let's say).  Now 
they call their DID and the call is routed back out to the PSTN 
through your own platform while bypassing any billing mechanisms; 
huge toll fraud hole.

As far as I know, Asterisk has no way to restrict the content of the 
domain portion of the Contact URI.  However, most commercial SBCs 
should have a way to filter this, and it is highly recommended that 
you do so.

gergis.rasmy wrote:

> Is there a way to ensure that the source IP address from which the SIP 
> user registers is not tampered with? Is there a field in the SIP REGISTER 
> message header that can be used to achieve this security?
>  
> I have an Asterisk server in which SIP users register through an 
> SBC (session border controller). I want to make sure that those users are 
> really registering from the IP they are claiming they are registering 
> from and that the source IP is not changed in the middle of the path
>  
> |SIP client|-----------|internet|-----------|SBC|----------|asterisk|


-- 
Alex Balashov - Principal
Evariste Systems
Web     : http://www.evaristesys.com/
Tel     : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671
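Added example, not code from the thread or from Asterisk: the kind of Contact filter the reply says an SBC should apply, as a small Python check that parses a REGISTER and refuses a Contact binding that names a protected gateway or falls outside the subscriber address space. The gateway addresses, subscriber prefix and sample messages are all constructed for the example.

```python
import ipaddress
import re

# Constructed policy (hypothetical addresses): the prefix subscribers register
# from, and the PSTN gateway hosts that must never appear as a Contact target.
SUBSCRIBER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
PROTECTED_HOSTS = {"192.0.2.10", "192.0.2.11"}

CONTACT_RE = re.compile(r"^(?:Contact|m):\s*(.+)$", re.IGNORECASE | re.MULTILINE)
# Host of a SIP URI: optional user@, then either [IPv6] or a bare host/IPv4.
HOST_RE = re.compile(r"sips?:(?:[^@>;\s]+@)?(\[[^\]]+\]|[^:;>\s]+)")

def contact_hosts(message: str):
    """Return the hosts named in the Contact header(s) of a SIP message."""
    hosts = []
    for header in CONTACT_RE.findall(message):
        for part in header.split(","):
            m = HOST_RE.search(part)
            if m:
                hosts.append(m.group(1).strip("[]"))
    return hosts

def check_register(message: str, source_ip: str) -> str:
    """Classify a REGISTER as 'accept' or 'reject:<reason>' by its Contact."""
    headers = [h.strip() for h in CONTACT_RE.findall(message)]
    if headers == ["*"]:          # "Contact: *" only removes bindings
        return "accept"
    hosts = contact_hosts(message)
    if not hosts:
        return "reject:no-contact"
    src = ipaddress.ip_address(source_ip)
    for host in hosts:
        if host in PROTECTED_HOSTS:
            return "reject:contact-points-at-gateway"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return "reject:contact-not-an-ip"   # a hostname cannot be matched to the source
        if addr != src and not any(addr in net for net in SUBSCRIBER_NETS):
            return "reject:contact-outside-subscriber-space"
    return "accept"

def sample_register(contact: str) -> str:
    """Constructed (minimal) REGISTER text with the given Contact value."""
    return "\r\n".join(["REGISTER sip:pbx.example.net SIP/2.0",
                        "From: <sip:alice@pbx.example.net>;tag=1928",
                        "To: <sip:alice@pbx.example.net>", "CSeq: 1 REGISTER",
                        "Contact: " + contact, "Content-Length: 0", "", ""])
```

The binding that would route a DID back out through the gateway is the one `check_register` flags as `contact-points-at-gateway`; a Contact that simply does not match the registering address is refused separately.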