Bruno Hertz
2004-Dec-21 11:00 UTC
[Asterisk-Users] Call routing based on remote ip address.
While setting up my first dial plan, I find that notions like remote ip, network, or incoming network interface seem to be totally lacking regarding calling parties, where * still seems to fully rely on the easily spoofable caller id.

Especially, allowing only certain ips or networks to enter a specific context in the dial plan is apparently not possible, at least in the h323 world. Don't know yet about sip or aix, but I guess it's the same since the extension syntax xyz => extension/somevariable limits routing decisions to built in variables, where ip related info is simply missing, at least as far as I can see (you are wholeheartedly invited to prove me wrong).

Question hence: did anybody tackle those issues anyway, maybe on code level (patch/extra module)? Are plans underway to fix that stuff? I just can't believe that, if my above statements were right, anyone would expose an * server to the internet and still feel secure, especially if that server allows connections to billable services (like even bandwidth usually is) ...

Any info highly appreciated.

Thanks, Bruno.
Kevin P. Fleming
2004-Dec-21 11:23 UTC
[Asterisk-Users] Call routing based on remote ip address.
Bruno Hertz wrote:
> Especially, allowing only certain ips or networks to enter a specific
> context in the dial plan is apparently not possible, at least in the
> h323 world. Don't know yet about sip or aix, but I guess it's the same
> since the extension syntax xyz => extension/somevariable limits
> routing decisions to built in variables, where ip related info is
> simply missing, at least as far as I can see (you are wholeheartedly
> invited to prove me wrong).

I don't know about chan_h323 because I don't use it, but certainly the other IP channel drivers allow you to control access to your "type=user" entries via many means: IP, password, RSA key, etc. There is no way for any user to get to the _dialplan_ if they can't authenticate as a user, so there is no need for this level of access control in the dialplan itself.
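
An added example, not part of the thread and not Asterisk project code: a small audit that reads a sip.conf-style file and reports, for each `type=user` or `type=friend` entry, which of the password and IP controls mentioned in the reply above are absent. It assumes chan_sip's `secret`, `deny` and `permit` option names, which the posts do not spell out; the sample configuration, entry names and networks are constructed.

```python
import re

# Constructed sample in sip.conf style; names, secrets and networks are made up.
SAMPLE_SIP_CONF = """
[office-phone]        ; password plus IP ACL
type=user
context=internal
secret=constructed-secret
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0

[partner-gw]          ; IP ACL only
type=user
context=from-partner
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0

[lab-test]            ; neither password nor ACL
type=friend
context=internal
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Map each type=user/friend entry to the access controls it lacks."""
    findings = {}
    for name, pairs in parse_sections(text).items():
        if dict(pairs).get("type") not in ("user", "friend"):
            continue                           # peers and [general] are skipped
        keys = {k for k, _ in pairs}
        checks = (("secret", "secret" in keys),
                  ("ip-acl", {"deny", "permit"} <= keys))
        findings[name] = [label for label, present in checks if not present]
    return findings

if __name__ == "__main__":
    for entry, missing in audit(SAMPLE_SIP_CONF).items():
        print(entry, "->", ", ".join(missing) or "ok")
```

An entry that lacks both controls is the one to look at first, since it can reach its `context` without proving anything about who or where it is.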