Thomas Rechberger
2014-Mar-29 10:12 UTC
[asterisk-users] additional range parameter for sip peer
Many ITSPs are using load balancers, so if somebody registers on a SIP peer with a specific DNS host, an incoming call may be received from a different IP and the host value in the peer section doesn't match, so it will go to the default context.

For example Telekom or 1&1, the biggest providers in Germany, are using so many different addresses that it's not practical to define them all (up to 50 hosts and they still add!), as this will also generate too much traffic (especially with qualify and multiple registrations) and they may even lock you out as untrusted, which may even result in them blocking Asterisk permanently for everybody. That's not really desirable.

I think it's also not recommended in terms of security to use the default context with allowguest=yes and sort the incoming calls by header, because this can be faked easily.

From my understanding the permit/deny parameters are only used for incoming calls if host is set to dynamic, and then no outgoing registration to the remote peer is possible. permit/deny is used for access, not for matching.

How about an additional parameter where a range of IP addresses can be defined in the peer section, which will be used for matching calls?

hostmatchrange=x.x.x.x/24
Thomas Rechberger
2014-Apr-07 14:35 UTC
[asterisk-users] additional range parameter for sip peer
On 29.03.2014 11:12, Thomas Rechberger wrote:
> Many ITSPs are using load balancers, so if somebody registers on a SIP
> peer with a specific DNS host, an incoming call may be received from a
> different IP and the host value in the peer section doesn't match, so it
> will go to the default context.
>
> For example Telekom or 1&1, the biggest providers in Germany, are using
> so many different addresses that it's not practical to define them all
> (up to 50 hosts and they still add!), as this will also generate too much
> traffic (especially with qualify and multiple registrations) and they
> may even lock you out as untrusted, which may even result in them
> blocking Asterisk permanently for everybody. That's not really desirable.
>
> I think it's also not recommended in terms of security to use the default
> context with allowguest=yes and sort the incoming calls by header,
> because this can be faked easily.
>
> From my understanding the permit/deny parameters are only used for
> incoming calls if host is set to dynamic, and then no outgoing
> registration to the remote peer is possible. permit/deny is used for
> access, not for matching.
>
> How about an additional parameter where a range of IP addresses can be
> defined in the peer section, which will be used for matching calls?
>
> hostmatchrange=x.x.x.x/24

Anyone here? What do you think about using permit/deny for host matching?
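
The matching behaviour discussed in this thread, as an added example that is not part of the original posts and is not Asterisk's own code: a simplified Python model comparing exact `host` matching with the proposed CIDR range matching. `hostmatchrange` is the poster's proposed option, not an existing sip.conf setting; the peer name, context name and addresses (documentation ranges) are constructed.

```python
import ipaddress

# Constructed peer table modelling the thread's scenario. "hostmatchrange" is
# the poster's proposed option, not an existing sip.conf setting.
PEERS = {
    "itsp": {
        "host": "192.0.2.10",              # address the configured host resolved to
        "hostmatchrange": "192.0.2.0/24",  # proposed: provider's load-balancer range
        "context": "from-itsp",
    },
}
GUEST_CONTEXT = "default"  # where unmatched calls land when allowguest=yes


def match_by_host(src_ip, peers=PEERS):
    """Exact-address matching: only the single resolved host identifies the peer."""
    addr = ipaddress.ip_address(src_ip)
    for name, peer in peers.items():
        if addr == ipaddress.ip_address(peer["host"]):
            return name
    return None


def match_by_range(src_ip, peers=PEERS):
    """Proposed matching: any source address inside the peer's CIDR range."""
    addr = ipaddress.ip_address(src_ip)
    for name, peer in peers.items():
        cidr = peer.get("hostmatchrange")
        if cidr and addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def route_invite(src_ip, matcher, allowguest=True, peers=PEERS):
    """Return the dialplan context for an INVITE, or None if it is refused."""
    name = matcher(src_ip, peers)
    if name is not None:
        return peers[name]["context"]
    return GUEST_CONTEXT if allowguest else None


if __name__ == "__main__":
    # Registered host, another load-balancer node, and an unrelated address.
    for src in ("192.0.2.10", "192.0.2.77", "203.0.113.5"):
        print(src, route_invite(src, match_by_host),
              route_invite(src, match_by_range, allowguest=False))
```

In this model, range matching lets guest access be switched off without losing calls that arrive from other addresses in the provider's range, and the decision rests on the packet's source address rather than on a header the sender controls.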