[Asterisk-Users] Good explanation somewhere of SIP security?
James Moore
banshee at banshee.com
Mon Jun 12 17:29:37 MST 2006
I'm slightly confused about how SIP security and authorization works.
I've looked at the Wiki
(http://www.voip-info.org/wiki/view/Asterisk+SIP+user+vs+peer), but it's,
um, flawed:
> As of Asterisk 1.2, there is no reason to actually use 'user' entries
> any more at all; you can use 'type=peer' for everything and the behavior
> will be much more consistent.
Seems to imply that you should never use "user" for type, and 100% of the
time type should be set to "peer." Unfortunately, two paragraphs later
there's a description of when you might want to use "user." Seems like this
paragraph should just be deleted?
> All configuration options supported under 'type=user' are also
> supported under 'type=peer'.
> The difference between friend and peer is the same as defining _both_ a
> user and peer, since that is what 'type=friend' does internally.
This is confusing; the first paragraph says that there's no reason to use
"user" entries. Since "friend" == "user" + "peer", to me this reads like
"friend" is also obsolete and should never be used. You'd never want to use
something that defines both a current, valid thingy ("user") and an obsolete
POS ("user"), right?
> The only benefit of type=user is when you _want_ to match on username
> regardless of IP the calls originate from. If the peer is registering to
> you, you don't need it. If they are on a fixed IP, you don't need it.
> 'type=peer' is _never_ matched on username for incoming calls, only
> matched on IP address/port number (unless you use insecure=port or
> higher).
Here's where I'm confused. Paragraph 1 says "user BAD!" and then this
paragraph says "user GOOD, occasionally."
Seems like there's a table that looks something vaguely like:
type=user | type=peer | type=friend | (interaction with "register")
that could be filled out with things like:
Matches against IP?
Matches against username?
Cares about insecure option?
Should use this combo in the following circumstances: XXX
Use this combination for bidirectional traffic:
Use this combination when you want to place calls, but not receive calls:
Use this combination when you want to receive calls, but not place them:
- James
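
The matching rules in the quoted wiki text, written out as a small model that fills in the first two rows of the table proposed above. This is an added example, not part of the original post and not Asterisk's code; the entry names and addresses are constructed, and trying the username match before the address match is an assumption of the model.

```python
"""Toy model of the incoming-call matching rules quoted from the wiki.
Not Asterisk code; entry names and addresses are constructed."""

# Constructed sip.conf-style entries (documentation address ranges).
ENTRIES = {
    "roaming-phone": {"type": "user"},
    "itsp-trunk": {"type": "peer", "host": "192.0.2.10", "port": 5060},
    "nat-trunk": {"type": "peer", "host": "192.0.2.20", "port": 5060,
                  "insecure": "port"},
    "desk-phone": {"type": "friend", "host": "198.51.100.5", "port": 5060},
}

def match_incoming(from_user, src_ip, src_port, entries=ENTRIES):
    """Return (entry_name, how_it_matched), or (None, None) if nothing matches."""
    # type=user (and the user half of type=friend): username only, any IP.
    # Checking this before the address match is an assumption of this model.
    entry = entries.get(from_user)
    if entry and entry["type"] in ("user", "friend"):
        return from_user, "username"
    # type=peer (and the peer half of type=friend): source address only,
    # never the username.
    for name, e in entries.items():
        if e["type"] not in ("peer", "friend") or e.get("host") != src_ip:
            continue
        # insecure=port drops the port comparison, per the quoted text.
        if e.get("insecure") == "port" or e.get("port") == src_port:
            return name, "ip"
    return None, None

def matrix():
    """Fill the 'matches against username / IP' rows of the proposed table."""
    rows = {}
    for t in ("user", "peer", "friend"):
        e = {"x": {"type": t, "host": "203.0.113.1", "port": 5060}}
        by_name = match_incoming("x", "203.0.113.99", 5060, e)[1] == "username"
        by_ip = match_incoming("other", "203.0.113.1", 5060, e)[1] == "ip"
        rows[t] = {"username": by_name, "ip": by_ip}
    return rows

if __name__ == "__main__":
    for sip_type, row in matrix().items():
        print(f"type={sip_type:<6} username={row['username']!s:<5} ip={row['ip']}")
    print(match_incoming("itsp-trunk", "203.0.113.7", 5060))  # wrong address
    print(match_incoming("whoever", "192.0.2.20", 31337))     # insecure=port
```
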