asterisk users - Oct 2010 - SIP authentication - Thoughts please

Hi,

We have a scenario where we need multiple discrete SIP trunks (peers)
from/to a single endpoint. Because the authentication system starts by
matching IP address, it only ever matches on one of the SIP peer
entries, and ignores the others. This is documented behaviour and as
such is "correct". I would like to propose an extension to how SIP
peers are authenticated in this case:

1) Initial INVITE arrives, scan the list of all matching peer IP addresses.
   If a peer with no password is found, proceed with that peer immediately.

2) ...otherwise, a password is required, so send 407 challenge

3) INVITE arrives with Basic-Auth.
   Scan for /all/ matching peers based on IP address. If one of the
matching peers has a section name matching the Basic-Auth username,
use it to proceed.

4) I am not sure whether it is worth dropping through and testing auth
against other peers if there is no username match. Can auth ever
succeed under those circumstances (password matches, but not
username?)

Thanks for any feedback.

Regards,
Steve

Am 07.10.10 10:52, schrieb Steve Davies:
> Hi,
> 
<snipped>

Hello,

i just want to say something about point 4 which comes to my mind about
security.
> 
> 4) I am not sure whether it is worth dropping through and testing auth
> against other peers if there is no username match. Can auth ever
> succeed under those circumstances (password matches, but not
> username?)
If you use UDP its very easy to fake the source ip of a call so do you
really want to open a door to an attacker by authenticate only by ip and
passwort which can match to any peer with the same ip adress? To
bruteforce this would be much easier than to bruteforce against sending
IP, right username and right password.

Have you tried to use different ports to register? i think this could help.

> Regards,
> Steve
> 
best regards

Stefan

On 7 October 2010 10:10, Stefan Schmidt <sst at sil.at>
wrote:
> Am 07.10.10 10:52, schrieb Steve Davies:
>> Hi,
>>
> <snipped>
>
> Hello,
>
> i just want to say something about point 4 which comes to my mind about
> security.
>
>>
>> 4) I am not sure whether it is worth dropping through and testing auth
>> against other peers if there is no username match. Can auth ever
>> succeed under those circumstances (password matches, but not
>> username?)
>
> If you use UDP its very easy to fake the source ip of a call so do you
> really want to open a door to an attacker by authenticate only by ip and
> passwort which can match to any peer with the same ip adress? To
> bruteforce this would be much easier than to bruteforce against sending
> IP, right username and right password.
I was not clear. By option 4) I intended that you test the password
against other peers with a matching IP address. I am not sure whether
the username is included in the SIP password hash, so do not know
whether there is even any point in doing so. As far as I can tell, in
the EXISTING sip stack, digest username is not used to determine which
peer to authenticate with, it just uses the first peer with a matching
IP.
> Have you tried to use different ports to register? i think this could help.
AFAIK, Asterisk will only operate on one port, and the remote end is a
major ITSP who will not be wanting to listen to me making odd requests
:)

Thanks for the feedback!

Regards,
Steve