[Asterisk-Users] IAX2 authentication confusion
Kevin P. Fleming
kpfleming at backtobasicsmgmt.com
Fri Jun 25 07:55:50 MST 2004
We spent some time yesterday trying to understand how IAX2
authentication works, and now I'm confused...
Let's say that the receiving end has this entry in their iax.conf file:
[remote-site]
type=user
secret=foo
auth=md5
context=incoming
host=dynamic
The way I see it, there are two ways to initiate an outbound IAX2
connection to this system:
1) Use Dial, as in:
Dial(IAX2/remote-site:foo@local-site.domain.com/extension)
In this mode, the IAX2 setup message contains a USERNAME
("remote-site"), and the receiving system compares it to the entity name
in iax.conf, before comparing the secret. This is fine.
2) Use Dial and iax.conf, as in:
Dial(IAX2/local-site/extension)
and in remote-site's iax.conf:
[local-site]
type=peer
secret=foo
auth=md5
host=local-site.domain.com
In this mode, the IAX2 setup message _does not_ contain a USERNAME, and
the receiving system somehow manages to find the proper entry and
authenticate the connection.
However, the only way that I could see that this would be possible is
that the receiving system is comparing the supplied "secret" against all
secrets in its iax.conf file to try to find a match. I don't know how
that is possible using md5 authentication, but even if it is, I don't
particularly like it. That means someone can connect to my Asterisk
server over IAX if they can guess _any_ secret that happens to be in my
iax.conf file.
I really would prefer to not embed the username/password information in
my Dial commands (that way it doesn't have to be duplicated in multiple
contexts, and it's more logically stored in iax.conf anyway), but unless
I do that Asterisk does not send a USERNAME to the receiving server and
thus the authentication is not very secure.
Is there a reason why Asterisk allows incoming IAX2 calls without
USERNAME specified at all?
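The following is an added model of the two receiver behaviours the post contrasts; it is example code written for this page, not Asterisk's chan_iax2 and not code from the poster. It computes the IAX2 MD5 challenge response (hex MD5 of the challenge concatenated with the secret, as later documented in RFC 5456) and verifies it two ways: bound to a single iax.conf entry, selected by the USERNAME when one is sent or by the caller's source address when none is (whether Asterisk itself resolves the entry by source address is an assumption here, not something the post establishes), versus the "try every configured secret" behaviour the poster worries about. The config entries and addresses are constructed sample data.

```python
import hashlib
import secrets

# Constructed iax.conf-style entries (sample data, not from a real system).
# A host=dynamic entry can only be selected by USERNAME; an entry with a
# fixed host can be bound to the caller's source address when no USERNAME
# is sent (assumed receiver behaviour, not taken from the post).
IAX_CONF = {
    "remote-site": {"type": "user", "secret": "foo", "auth": "md5", "host": "dynamic"},
    "local-site":  {"type": "peer", "secret": "bar", "auth": "md5", "host": "192.0.2.10"},
    "other-site":  {"type": "user", "secret": "baz", "auth": "md5", "host": "dynamic"},
}


def new_challenge() -> str:
    """Receiver side: a fresh random challenge string carried in AUTHREQ."""
    return str(secrets.randbelow(10**9))


def md5_response(challenge: str, secret: str) -> str:
    """IAX2 MD5 auth: hex MD5 of the challenge concatenated with the secret (RFC 5456)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def lookup_entry(username, source_ip):
    """Bind the call to exactly one entry: by USERNAME if sent, else by source address."""
    if username is not None:
        return IAX_CONF.get(username)
    for entry in IAX_CONF.values():
        if entry["host"] == source_ip:
            return entry
    return None


def verify_bound(username, source_ip, challenge, response) -> bool:
    """Accept only if the response matches the one entry the call is bound to.

    A caller who knows some other entry's secret is still rejected, because
    the candidate set has exactly one member.
    """
    entry = lookup_entry(username, source_ip)
    if entry is None or entry["auth"] != "md5":
        return False
    expected = md5_response(challenge, entry["secret"])
    return secrets.compare_digest(response, expected)


def verify_any_secret(challenge, response) -> bool:
    """The behaviour the post worries about: accept a response matching ANY configured secret.

    Every secret in the file becomes a valid credential for every caller,
    so the effective strength is that of the weakest entry.
    """
    return any(
        secrets.compare_digest(response, md5_response(challenge, e["secret"]))
        for e in IAX_CONF.values()
    )


if __name__ == "__main__":
    ch = new_challenge()
    # Call 1 from the post: USERNAME present, secret for that entry -> accepted.
    print(verify_bound("remote-site", "203.0.113.5", ch, md5_response(ch, "foo")))
    # Call 2 from the post: no USERNAME, bound by source address -> accepted only with that entry's secret.
    print(verify_bound(None, "192.0.2.10", ch, md5_response(ch, "bar")))
    print(verify_bound(None, "192.0.2.10", ch, md5_response(ch, "foo")))
    # Unbound matching accepts a response built from any configured secret.
    print(verify_any_secret(ch, md5_response(ch, "baz")))
```

The point of the contrast: with the entry fixed before the response is checked, knowing an unrelated entry's secret gives a caller nothing, while the any-secret check turns every line in iax.conf into a shared credential.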