[Asterisk-Users] IAX2 authentication confusion (bug 1928)

Rich Adamson radamson at routers.com
Sat Jun 26 07:22:42 MST 2004


> Andres wrote:
> 
> > I just tried this myself and it behaves as you have described it.  No 
> > need to use a  username.  When the call comes in on the remote Asterisk, 
> > the iax.conf simply tries to match the password to any entry.  The first 
> > entry with a matching password gets used.   I suggest you open a bug to 
> > at least get this documented.
> 
> Done, as bug 1928, although the notes for 1458 imply that Mark is aware 
> of this issue and the code is not faulty... he wants it to work this way. 
> Personally I cannot see the value in allowing completely anonymous IAX 
> connections, especially since they can connect as _any_ user you may 
> have specified in your iax.conf file by just guessing the password.
> 
> Granted, if your IAX users are on fixed IP addresses you can use 
> IP-based access control, and if you can use keys then that also solves 
> the problem even for users with dynamic IPs. However, I'd like to see 
> some explanation of why anonymous connections are allowed to iax.conf 
> user entries with secrets specified; at best, I would think that 
> anonymous connections should only be allowed to user entries with _no_ 
> secret specified.

Reading way between the lines and taking an educated guess, I'd suggest
the reasoning behind Mark's architectural thoughts is likely to relate
to providing peer-to-peer call completion capabilities, as opposed to
forcing all * systems to pass through some service-provider's-voip-switch.
If implemented correctly, you control how anonymous calls are
handled/allowed via contexts, and not through simple password schemes.
In all likelihood, the code is probably not totally implemented as yet
to achieve the objective.
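
An added example, not part of the original thread and not Asterisk's own code: a Python check that reads an iax.conf and lists the user/friend entries whose only protection is a secret, which are the entries exposed to the password-only matching described above because they lack the IP-based access control or keys mentioned as remedies. The sample configuration, its entry names and the function names are constructed for illustration.

```python
# Constructed sample iax.conf; entry names, secrets and addresses are made up.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569

[alice]   ; secret only: nothing but the password protects this entry
type=user
secret=wonderland
context=internal

[bob]     ; secret plus IP-based access control
type=friend
secret=builder
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255

[carol]   ; key-based authentication
type=user
auth=rsa
inkeys=carolkey

[guest]   ; no secret: deliberately anonymous, confined by its context
type=user
context=guest-limited
"""

def parse_sections(text):
    # Return {section: {key: [values]}}; repeated keys (permit/deny) are kept.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value.lstrip(">").strip())
    return sections

def password_only_users(text):
    # Inbound-capable entries whose only protection is a shared secret.
    flagged = []
    for name, opts in parse_sections(text).items():
        inbound = opts.get("type", [""])[-1].lower() in ("user", "friend")
        has_acl = "permit" in opts or "deny" in opts
        if inbound and opts.get("secret") and not has_acl and "inkeys" not in opts:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(password_only_users(SAMPLE_IAX_CONF))
```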




