<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle18
{font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>How is this insecure? Most large business
and wholesale providers use only IP authentication, relying on a session border
controller to do the authentication work resulting in great scalability on the
softswitch (since it does not have to act as a proxy as well).</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>If they know your IP, and you know their
IP, the only risk is that your IP address can somehow be hijacked.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>IP authentication is actually better when
done with a SBC or firewall because it hides the SIP registration port from the
hackers in the less than honest parts of the country/world. I do not think
host= in asterisk has the same affect. It still listens and responds on 5060. If
they do not know its there they can’t try to hack it.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I do agree that BOTH digest and IP authentication
would be nice, but that is not the reality these days, my providers trust my
IPs an I trust theirs, no need for auth as long as the routers in between
remain secure. If someone hijacks my routes or theirs it is only a matter of seconds
before we know it. If someone hijacks my auth credentials it may be a billing
cycle or 2 before I figure it out.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] <b><span style='font-weight:
bold'>On Behalf Of </span></b>BJ Weschke<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, September 14,
2005 12:50 AM<br>
<b><span style='font-weight:bold'>To:</span></b> C. Savinovich; Asterisk Users Mailing List - Non-Commercial Discussion<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Asterisk-Users]
Anyone knows how to receive a SIP call withoutregistering gateway?</span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> </span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> What they're asking you to do is quite insecure to be doing over
public IP. At the very least, you should confirm that there is a static IP that
these calls will be coming from and only accept calls from that IP, but that's
still not quite as secure as digest authentication that would be available via
registration. </span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> </span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> If you know what IP the calls are coming from, you simply insert
a host=XX.XX.XX.XX instead of host=dynamic in your sip.conf for that peer and
calls should then come in as they did before without them having to register.
If they are pre-pending digits on to the front of what you're interpreting as
the dialed number/extension, you may choose to lop them off in extensions.conf,
but aside from that this is fairly straight forward.<br>
<br>
</span></font></p>
</div>
<div>
<p class=MsoNormal><span class=gmailquote><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>On 9/14/05, <b><span style='font-weight:bold'>C.
Savinovich</span></b> <<a href="mailto:c.savinovich@earthlink.net">c.savinovich@earthlink.net</a>>
wrote:</span></font></span> </p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
Hello everyone, I am pulling my hair here because a carrier threw
me curve early today.<br>
<br>
They want to send calls to my asterisk server using
SIP. Then they said that their gateways don't have to register with
my server, that all they have to do is send a prefix for
validation. Whereas I can think of several ways to authenticate
their incoming number string, I am only used to the orthodox SIP way which is:
client registers to my proxy. Guess what, I can't find any samples
on this!!, Can anyone please help?, I will probably need a sample
sip.conf. and then, to make a test call, I can use another asterisk
box and try asterisk to asterisk sip calls (without register) via the cli
prompt. But I have no idea.... and I am intrigued.<br>
<br>
Thanks<br>
CS<br>
<br>
<br>
_______________________________________________<br>
--Bandwidth and Colocation sponsored by <a href="http://Easynews.com">Easynews.com</a>
--<br>
<br>
Asterisk-Users mailing list<br>
<a href="mailto:Asterisk-Users@lists.digium.com">Asterisk-Users@lists.digium.com</a><br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users">
http://lists.digium.com/mailman/listinfo/asterisk-users</a></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> </span></font></p>
</div>
</div>
</body>
</html>