[asterisk-users] AST-2009-006: IAX2 Call Number Resource Exhaustion
Olle E. Johansson
oej at edvina.net
Fri Sep 4 01:32:19 CDT 2009
4 sep 2009 kl. 08.05 skrev Gordon Henderson:
> On Thu, 3 Sep 2009, Asterisk Security Team wrote:
>
>>
>> +------------+------------------------------------------------------------+
>> | Discussion | A lot of time was spent trying to come up with a way to    |
>> |            | resolve this issue in a way that was completely backwards  |
>> |            | compatible. However, the final resolution ended up         |
>> |            | requiring a modification to the IAX2 protocol. This        |
>> |            | modification is referred to as call token validation.      |
>> |            | Call token validation is used as a handshake before call   |
>> |            | numbers are assigned to IAX2 connections.                  |
>> +------------+------------------------------------------------------------+
>
> Does this mean that if I upgrade one system, then I have to upgrade
> all of them because IAX will no longer work between existing systems
> and upgraded ones?
If you read the referenced document (the IAX2 security PDF), it says in
the very first paragraph:
"This change affects how messages are exchanged and is not backwards
compatible for an older client connecting to an updated server, so a
number of options have been provided to disable call token validation
as needed for compatibility purposes."
This means that you will have to configure your server to support
older IAX2 users/peers. New servers will, by default, use the new
version of the protocol (IAX3 ? :-) ) and will have to be configured
to support the old-style clients.
------------
"2.1.3.2. Partial Upgrade
If only some IAX2 endpoints have been upgraded, or the status of an
IAX2 endpoint is unknown, then call token validation must be disabled
to ensure interoperability. To reduce the potential impact of
disabling call token validation, it should only be disabled for a
specific peer or user as needed. By using the auto option, call token
validation will be changed to required as soon as we determine that
the peer supports it.
[friendA]
requirecalltoken = auto
…
Note that there are some cases where auto should not be used. For
example, if multiple peers use the same authentication details, and
they have not all upgraded to support call token validation, then
the ones that do not support it will get locked out. Once an upgraded
client successfully completes an authenticated call setup using call
token validation, Asterisk will require it from then on. In that case,
it would be better to set the requirecalltoken option to no."
-----------
Thank you to the Digium team for the good documentation. I would kindly
suggest making it available in text format too, so that it is readable
on consoles and in SSH sessions by confused admins who wonder what
is happening with their IAX2 sessions...
To the rest of you - please go read
http://svn.digium.com/svn/asterisk/branches/1.6.0/doc/IAX2-security.pdf
/O
---
oej at edvina.net - http://edvina.net
Open Unified Communication - building platforms with SIP and XMPP
From PBX to large scale implementations for carriers. Contact us today!
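As an added illustration (editor's example, not text from Olle's mail, the advisory or the IAX2-security PDF), here is an iax.conf fragment that puts the three requirecalltoken settings discussed above side by side, with the blanket "no" shown as the weak choice and the narrower alternatives next to it. Only requirecalltoken and its values yes/no/auto come from the document quoted in the mail; the [general] options calltokenoptional, maxcallnumbers and maxcallnumbers_nonvalidated and the [callnumberlimits] section are assumed from Asterisk 1.6's iax.conf.sample and should be checked against the PDF before use. Peer names, secrets and addresses are made up.

```ini
; Added example iax.conf fragment (editor's illustration, not from the page).
; Assumed from Asterisk 1.6 iax.conf.sample: calltokenoptional,
; maxcallnumbers, maxcallnumbers_nonvalidated, [callnumberlimits].
; From the quoted document: requirecalltoken = yes | no | auto.
; All peer names, secrets and addresses below are made up.

[general]
; Call numbers handed out before a source has proven it can answer a
; call token. This cap is what bounds the exhaustion attack, so keep it
; small relative to the overall limit.
maxcallnumbers = 2048
maxcallnumbers_nonvalidated = 128
; Exempt one fixed network of known-old endpoints from token validation
; instead of disabling it for everyone.
calltokenoptional = 192.0.2.0/255.255.255.0

[callnumberlimits]
; Tighter per-source call-number budget for the exempted network.
192.0.2.0/255.255.255.0 = 32

; Both ends upgraded: require the handshake unconditionally.
[branch-pbx]
type = friend
host = 198.51.100.10
secret = made-up-secret-1
requirecalltoken = yes

; Upgrade status unknown, but exactly one endpoint uses this entry:
; "auto" flips to required the first time this peer proves support.
[remote-office]
type = friend
host = dynamic
secret = made-up-secret-2
requirecalltoken = auto

; Several handsets share this account and not all of them are upgraded.
; "auto" would lock out the old ones after the first upgraded handset
; registers, as the quoted document warns, so explicitly say "no" here
; and plan to split the account or upgrade the handsets.
[shared-handsets]
type = friend
host = dynamic
secret = made-up-secret-3
requirecalltoken = no

; WEAK: a catch-all trunk with validation switched off leaves this
; entry as exposed as an unpatched server. Prefer calltokenoptional
; with a narrow address range, or "auto", over this.
[legacy-trunk]
type = friend
host = dynamic
secret = made-up-secret-4
requirecalltoken = no
```

After reloading, the "iax2 show callnumber usage" CLI command that shipped with this fix (as I recall it; verify on your version) shows how many call numbers each source address currently holds, which is the quickest way to tell whether the non-validated cap is being hit by a single remote IP.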