[asterisk-users] AST-2009-006: IAX2 Call Number Resource Exhaustion

Gordon Henderson gordon+asterisk at drogon.net
Fri Sep 4 17:03:09 CDT 2009


On Fri, 4 Sep 2009, Olle E. Johansson wrote:

>
> 4 sep 2009 kl. 08.05 skrev Gordon Henderson:
>
>> On Thu, 3 Sep 2009, Asterisk Security Team wrote:
>>
>>>
>>> +------------------------------------------------------------------------+
>>>  | Discussion | A lot of time was spent trying to come up with a way to   |
>>>  |            | resolve this issue in a way that was completely backwards |
>>>  |            | compatible. However, the final resolution ended up        |
>>>  |            | requiring a modification to the IAX2 protocol. This       |
>>>  |            | modification is referred to as call token validation.     |
>>>  |            | Call token validation is used as a handshake before call  |
>>>  |            | numbers are assigned to IAX2 connections.                 |
>>
>> Does this mean that if I upgrade one system, then I have to upgrade all of
>> them because IAX will no longer work between existing systems and upgraded
>> ones?
>
> If you read the referenced document (the IAX2 security pdf) it says in
> the very first paragraph:

What, RTFM??? That would be cheating :)

> "This change affects how messages are exchanged and is not backwards
> compatible for an older client connecting to an updated server, so a
> number of options have been provided to disable call token validation
> as needed for compatibility purposes."
>
> This means that you will have to configure your server to support
> older IAX2 users/peers. New servers will by default use the new
> version of the protocol (IAX3 ? :-) ) and will have to be configured
> to support the old style clients.

So if I configure it to support old ones, doesn't that still leave it
vulnerable?

> "2.1.3.2. Partial Upgrade
> If only some IAX2 endpoints have been upgraded, or the status of an
> IAX2 endpoint is unknown, then call token validation must be disabled
> to ensure interoperability. To reduce the potential impact of
> disabling call token validation, it should only be disabled for a
> specific peer or user as needed. By using the auto option, call token
> validation will be changed to required as soon as we determine that
> the peer supports it.
>
> 	[friendA]
> 	requirecalltoken = auto
>
> Note that there are some cases where auto should not be used. For
> example, if multiple peers use the same authentication details, and
> they have not all upgraded to support call token validation, then
> the ones that do not support it will get locked out. Once an upgraded
> client successfully completes an authenticated call setup using call
> token validation, Asterisk will require it from then on. In that case,
> it would be better to set the requirecalltoken option to no."

*sigh*

I've been hanging out with IAX, thinking it's the "right thing", but more
and more I'm thinking of moving to SIP, and I think this will be the straw
that tips the balance as it were. I've a few 100 boxes out there which
would all eventually need upgrading, and for some, it's just not going to
be possible to upgrade the underlying Asterisk, so it's going to be just
as easy to move to SIP which is what I'm going to do.

I don't yet know what I'm going to do with the handful of clients who use
IAX and Zoiper though. Persuade them to move to SIP, I guess - at least
Zoiper supports SIP now, but that's also a hassle as I've quite a few
clients who use a SIP phone on their desk, then Zoiper and IAX on their
laptop with identical credentials when on the road/home. (I arrange the
PBX to Dial(SIP/123&IAX2/123).)

And what about all those desk phones that support IAX? I almost bought a 
pallet-load of them at one point - really glad I didn't now!

Gordon
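An added example (not part of the thread or of Asterisk itself) that audits an iax.conf for the partial-upgrade settings quoted above: which endpoint sections have call token validation switched off, which rely on "auto", and which secrets are reused across sections, where "auto" can lock out devices that have not been upgraded. The sample config is constructed, and treating sections that omit requirecalltoken as "yes" is an assumption based on the post's statement that upgraded servers require it by default.

```python
import configparser
from collections import defaultdict
# Constructed sample iax.conf for the demonstration (not from the original post).
SAMPLE_IAX_CONF = """[general]
bindport=4569
[friendA]
type=friend
secret=alpha
requirecalltoken=auto
[legacy1]
type=friend
secret=shared
requirecalltoken=no
[legacy2]
type=friend
secret=shared
requirecalltoken=auto
[newphone]
type=friend
secret=beta
"""

def parse_iax_conf(text):
    """Parse iax.conf-style text into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def audit_calltoken(conf, default="yes"):
    """Classify endpoint sections by call token posture. 'default' is the assumed
    server-wide value for sections that omit requirecalltoken. shared_secret lists
    secrets reused across sections where at least one is 'auto' (the lockout case)."""
    report = {"disabled": [], "auto": [], "shared_secret": {}}
    by_secret = defaultdict(list)
    for name, opts in conf.items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue  # skip [general] and other non-endpoint sections
        mode = opts.get("requirecalltoken", default).strip().lower()
        if mode == "no":
            report["disabled"].append(name)  # validation off: exposed to the advisory's issue
        elif mode == "auto":
            report["auto"].append(name)  # becomes required after one successful handshake
        if "secret" in opts:
            by_secret[opts["secret"]].append(name)
    for secret, names in by_secret.items():
        if len(names) > 1 and any(n in report["auto"] for n in names):
            report["shared_secret"][secret] = sorted(names)
    return report
```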
