Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, Mar 1, 2019, at 5:09 PM, Brian J. Murrell wrote:
> On Fri, 2019-03-01 at 15:54 -0500, Joshua C. Colp wrote:
> >
> > That's correct. You'd either need to retrieve the line parameter from
> > the outbound registration or forge the source IP address,
>
> Can I eliminate the identify by IP address then, given that my ITSP is
> supporting the line parameter? Or make even better, require them both
> to be identified?

Identification is one or the other. You can eliminate the IP address based if you wish.

> > and as you stated the scope of what they can do is limited.
>
> I guess this is just a risk that everyone lives with. As a limited
> scope risk, anyway.

Yes, it even impacts phones. Depending on configuration some don't even care, so you can get rogue calls.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
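The configuration this thread converges on, written out as an added example (it is not from either participant): the poster's pjsip.conf with line-based identification on the outbound registration, no inbound `auth=`, and no IP-based identify section. `ACCOUNT` and `XXX` are placeholders, section names are reused from the posted configuration, and the `transport-udp` transport is assumed to be defined elsewhere.

```ini
; Added example based on the configuration posted in this thread.
; ACCOUNT and XXX are placeholders; transport-udp is assumed to exist.

[itsp]
type=registration
transport=transport-udp
outbound_auth=itsp-auth
server_uri=sip:pop1.itsp.example.com
client_uri=sip:ACCOUNT@pop1.itsp.example.com
line=yes              ; adds a ;line=<token> parameter to the registered Contact
endpoint=itsp-pop1    ; requests carrying that token are matched to this endpoint

[itsp-auth]
type=auth
auth_type=userpass
username=XXX
password=XXX

[itsp-endpoint](!)
type=endpoint
transport=transport-udp
context=from-itsp
message_context=messages
disallow=all
allow=ulaw
from_user=XXX
outbound_auth=itsp-auth   ; credentials used when the ITSP challenges us
; No auth= option: setting it enables inbound authentication, so Asterisk
; answers the ITSP's INVITE and MESSAGE requests with 401.
send_pai=yes

[itsp-aor](!)
type=aor
qualify_frequency=15

[itsp-pop1](itsp-endpoint)
aors=itsp-pop1

[itsp-pop1](itsp-aor)
contact=sip:ACCOUNT@pop1.itsp.example.com:5060

; No type=identify section: the line token replaces matching on source IP.
; The endpoint is unauthenticated, so from-itsp and messages should reach
; local extensions only and offer no path to outbound calls.
```

After reloading, `pjsip show registrations` and `pjsip show endpoint itsp-pop1` confirm the registration is up and the endpoint has no inbound auth attached.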
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, 2019-03-01 at 15:54 -0500, Joshua C. Colp wrote:
>
> That's correct. You'd either need to retrieve the line parameter from
> the outbound registration or forge the source IP address,

Can I eliminate the identify by IP address then, given that my ITSP is supporting the line parameter? Or make even better, require them both to be identified?

> and as you stated the scope of what they can do is limited.

I guess this is just a risk that everyone lives with. As a limited scope risk, anyway.

Cheers,
b.
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, Mar 1, 2019, at 4:51 PM, Brian J. Murrell wrote:
> On Fri, 2019-03-01 at 15:41 -0500, Joshua C. Colp wrote:
> >
> > I don't understand what you mean. Your ITSP has stated that they
> > don't want you to do authentication with them, so you can't.
>
> They are implying, as I am understanding them, that somehow SIP packets
> they send me shouldn't need to be authenticated because they are
> associated (i.e. "identify"ed in pjsip nomenclature) with my
> registration to them. It all sounds suspect to me but that's what I am
> understanding them to be saying.
>
> Ultimately, if I have this endpoint and it's unauthenticated, does it
> create a security risk?
>
> I suppose anyone could forge a UDP packet as coming from their IP
> address, and as it's "identify"ed by IP on my side and I would accept
> it without authentication being necessary.
>
> But then I suppose they are only getting access to being able to
> connect into an incoming dialplan context, so ringing extensions here,
> but not being able to launch an outbound (money costing) phone
> call, at least without there being dialplan support to make outgoing
> calls when calling in (i.e. like a calling card application or
> somesuch, which should have its own authentication anyway).

That's correct. You'd either need to retrieve the line parameter from the outbound registration or forge the source IP address, and as you stated the scope of what they can do is limited.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, 2019-03-01 at 15:41 -0500, Joshua C. Colp wrote:
>
> I don't understand what you mean. Your ITSP has stated that they
> don't want you to do authentication with them, so you can't.

They are implying, as I am understanding them, that somehow SIP packets they send me shouldn't need to be authenticated because they are associated (i.e. "identify"ed in pjsip nomenclature) with my registration to them. It all sounds suspect to me but that's what I am understanding them to be saying.

Ultimately, if I have this endpoint and it's unauthenticated, does it create a security risk?

I suppose anyone could forge a UDP packet as coming from their IP address, and as it's "identify"ed by IP on my side and I would accept it without authentication being necessary.

But then I suppose they are only getting access to being able to connect into an incoming dialplan context, so ringing extensions here, but not being able to launch an outbound (money costing) phone call, at least without there being dialplan support to make outgoing calls when calling in (i.e. like a calling card application or somesuch, which should have its own authentication anyway).

> If you are referring to the template - it's a template so by itself
> does not create an endpoint.

Yes, completely understood.

b.
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, Mar 1, 2019, at 4:33 PM, Brian J. Murrell wrote:
> On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:
> > you can try line functionality on the outbound registration which
> > may or may not work[2] (requires the upstream to adhere to the RFC,
> > which not all do).
>
> My provider seems to implement this.
>
> However even with the line=... in the:
>
> SIP to address: sip:551212@:5060;line=dpnlyiu
>
> res_pjsip is still sending a 401 challenge.
>
> Removing the:
>
> auth=itsp-auth
>
> from my endpoint [template]:
>
> [itsp-endpoint](!)
>
> Has stopped pjsip from sending a 401 when my ITSP sends a SIP MESSAGE,
> but do I really want to have that endpoint without authentication?

I don't understand what you mean. Your ITSP has stated that they don't want you to do authentication with them, so you can't.

If you are referring to the template - it's a template so by itself does not create an endpoint.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:
> you can try line functionality on the outbound registration which
> may or may not work[2] (requires the upstream to adhere to the RFC,
> which not all do).

My provider seems to implement this.

However even with the line=... in the:

SIP to address: sip:551212@:5060;line=dpnlyiu

res_pjsip is still sending a 401 challenge.

Removing the:

auth=itsp-auth

from my endpoint [template]:

[itsp-endpoint](!)

Has stopped pjsip from sending a 401 when my ITSP sends a SIP MESSAGE, but do I really want to have that endpoint without authentication?

Cheers,
b.
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, Mar 1, 2019, at 3:56 PM, Brian J. Murrell wrote:
> On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:
>
> [itsp-endpoint](!)
> type=endpoint
> transport=transport-udp
> context=from-itsp
> message_context=messages
> disallow=all
> allow=ulaw
> from_user=XXX
> outbound_auth=itsp-auth
> auth=itsp-auth
> send_pai=yes

Setting the "auth" option configures inbound authentication and challenges for it. If you don't want to authenticate on inbound then you need to remove it.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, 2019-03-01 at 14:15 -0500, Joshua C. Colp wrote:
>
> You either configure IP based matching using an identify section[1]

That's what I did:

[itsp]
type=registration
transport=transport-udp
outbound_auth=itsp-auth
server_uri=sip:pop1.itsp.example.com
client_uri=sip:x...@pop1.itsp.example.com

[itsp-auth]
type=auth
auth_type=userpass
password=XXX
username=XXX

[itsp-endpoint](!)
type=endpoint
transport=transport-udp
context=from-itsp
message_context=messages
disallow=all
allow=ulaw
from_user=XXX
outbound_auth=itsp-auth
auth=itsp-auth
send_pai=yes

[itsp-aor](!)
type=aor
qualify_frequency=15

[itsp-pop1](itsp-endpoint)
aors=itsp-pop1

[itsp-pop1](itsp-aor)
contact=sip:x...@pop1.itsp.example.com:5060

[itsp-pop1]
type=identify
endpoint=itsp-pop1
;match=pop1.itsp.example.com
match=192.168.5.6

but SIP INVITE and SIP MESSAGE packets coming from 192.168.5.6 are still being challenged with 401 and not even printing any errors/warnings in the console about not being able to find an endpoint.

> or you can try line functionality on the outbound registration which
> may or may not work[2] (requires the upstream to adhere to the RFC,
> which not all do).

I'll read up on that and try in the meanwhile.

Cheers,
b.
Re: [asterisk-users] pjsip: don't require authentication from remote i register to
On Fri, Mar 1, 2019, at 3:05 PM, Brian J. Murrell wrote:
> I'm being told by my ITSP that my Asterisk shouldn't be challenging
> their system to authenticate (i.e. a 401 response) when they send me a
> SIP MESSAGE (or I suppose a SIP INVITE for that matter).
>
> But I'm not sure what a pjsip.conf configuration for that looks like.
>
> How does one associate an incoming call/message with an existing
> authenticated outgoing registration so that Asterisk doesn't return a
> 401 requiring authentication?

You either configure IP based matching using an identify section[1] or you can try line functionality on the outbound registration which may or may not work[2] (requires the upstream to adhere to the RFC, which not all do).

[1] https://wiki.asterisk.org/wiki/display/AST/res_pjsip+Configuration+Examples
[2] https://blogs.asterisk.org/2016/01/27/the-pjsip-outbound-registration-line-option/

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
[asterisk-users] pjsip: don't require authentication from remote i register to
I'm being told by my ITSP that my Asterisk shouldn't be challenging their system to authenticate (i.e. a 401 response) when they send me a SIP MESSAGE (or I suppose a SIP INVITE for that matter).

But I'm not sure what a pjsip.conf configuration for that looks like.

How does one associate an incoming call/message with an existing authenticated outgoing registration so that Asterisk doesn't return a 401 requiring authentication?

Cheers,
b.