James Moore
2006-Jun-12 17:29 UTC
[Asterisk-Users] Good explanation somewhere of SIP security?
I'm slightly confused about how SIP security and authorization works. I've looked at the Wiki (http://www.voip-info.org/wiki/view/Asterisk+SIP+user+vs+peer) , but it's, um, flawed:> As of Asterisk 1.2, there is no reason to actually use 'user' entries> any more at all; you can use 'type=peer' for everything and the behavior> will be much more consistent.Seems to imply that you should never use "user" for type, and 100% of the time type should be set to "peer." Unfortunately, two paragraphs later there's a description of when you might want to use "user." Seems like this paragraph should just be deleted?> All configuration options supported under 'type=user' are also> supported under 'type=peer'.> The difference between friend and peer is the same as defining _both_ a> user and peer, since that is what 'type=friend' does internally.This is confusing; the first paragraph says that there's no reason to use "user" entries. Since "friend" == "user" + "peer", to me this reads like "friend" is also obsolete and should never be used. You'd never want to use something that defines both a current, valid thingy ("user") and an obsolete POS ("user"), right?> The only benefit of type=user is when you _want_ to match on username> regardless of IP the calls originate from. If the peer is registering to> you, you don't need it. If they are on a fixed IP, you don't need it.> 'type=peer' is _never_ matched on username for incoming calls, only> matched on IP address/port number (unless you use insecure=port or >higher). Here's where I'm confused. Paragraph 1 says "user BAD!" and then this paragraph says "user GOOD, occasionally" Seems like there's a table that looks something vaguely like: type=user | type=peer | type=friend | (interaction with "register") that could be filled out with things like: Matches against IP? Matches against username? Cares about insecure option? Should use this combo in the following circumstances: XXX Use this combination for bidirectional traffic: Use this combination when you want to place calls, but not receive calls: Use this combination when you want to receive calls, but not place them: - James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20060612/4872d624/attachment.htm
Possibly Parallel Threads
- RFC: Lazy syntax for paragraphs, blockquotes and lists
- 7 commits - libswfdec/swfdec_text_field_movie.c libswfdec/swfdec_text_field_movie.h libswfdec/swfdec_text_field_movie_html.c
- R2HTML doesn't split paragraphs originating from \Sexpr[results=rd]
- Bidirectional printers, LPRng, and Samba...
- Need good explanation on contexts and extensions