asterisk users - Sep 2017 - Asterisk bugs make a right mess of RTP

http:/www.theregister.co.uk/2017/09/01/asterisk_admin_patch/

-- 
Dave Topping
e: info at dntopping.uk
t: 03445 888 888
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170901/ae060564/attachment.html>

On Fri, Sep 1, 2017, at 09:01 AM, Dave Topping wrote:
> http:/www.theregister.co.uk/2017/09/01/asterisk_admin_patch/
This specific issue exists in a lot of different implementations and
devices. Unfortunately there's nothing within SDP that guarantees or
provides what the source of media should be for most things. You can
guess that where you are sending (what you are told in the SDP) is the
correct source, but in the case of NAT that isn't true. Using SRTP is
one way to work around this as mentioned on the disclosure[1] from the
reporter. I'm sure the strict RTP implementation will evolve even
further, but we also have to ensure that we don't just start blocking
all RTP so people can't actually place calls. It's certainly a
challenge.

This is one of the things that WebRTC got right - information is
conveyed that allows you to verify that the sender of media is who you
expect.

[1]
https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

On Fri, Sep 1, 2017 at 9:13 AM, Joshua Colp <jcolp at digium.com> wrote:
> On Fri, Sep 1, 2017, at 09:01 AM, Dave Topping wrote:
> > http:/www.theregister.co.uk/2017/09/01/asterisk_admin_patch/
>
> This specific issue exists in a lot of different implementations and
> devices. Unfortunately there's nothing within SDP that guarantees or
> provides what the source of media should be for most things. You can
> guess that where you are sending (what you are told in the SDP) is the
> correct source, but in the case of NAT that isn't true. Using SRTP is
> one way to work around this as mentioned on the disclosure[1] from the
> reporter. I'm sure the strict RTP implementation will evolve even
> further, but we also have to ensure that we don't just start blocking
> all RTP so people can't actually place calls. It's certainly a
> challenge.
>
> This is one of the things that WebRTC got right - information is
> conveyed that allows you to verify that the sender of media is who you
> expect.
>
> [1]
> https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-
> asterisk-rtp-bleed

As Josh mentioned this is an issue with RTP and the SDP and when customers
use NAT you need a way to figure out what their external RTP IP is. One
option is to use IPv6 so the IP in the SDP is the one and only IP the media
should be coming from. Another option is to increase the range of RTP ports
in use. By default asterisk uses ports 10,000 to 20,000. You can change
that to say use 20,000 to 30,0000 or better yet use 10,000 to 20,0000
widening the range of ports being used.

Another point to keep in mind is they have to hit the same ports that you
are using. Say for instance you have 1000 calls on a box that's 1000 UDP
ports being used. If you use a spread of 20,000 ports (and they know this)
they have a 1 in 20 chances of hitting a port that you want. Also if you
are using strictrtp=yes that means they need to hit the box at the exact
moment that the call is being set up. Even if they used say G711 that's
roughly 64kbit per second (let's forget about the bits for the IP's,
timing
etc.)) Now if they spray 5000 ports at once (since they need to hit every
call as it is being set up) thats an extra 333 mbits per second of added
your traffic. Your monitoring tool (if you don't have one, get one) should
pick up on it. One you see the ports being hit you can easily tweak your
configs. IMHO It's not different then needing to tweak your fw configs when
getting hit with a DDOS attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170901/eb8899ff/attachment.html>

It might sound stupid and a kind of "noobish", but I have serious
trouble with
registering one of my ITSP to Asterisk 13, running on a FreeBSD 12-CURRENT box.

The following is seen in the log and anything seems somehow "normal",
my PBX tries to
REGISTER, receives 401, and then .... nothing more!

I can't see why the REGISTER attempt dies that early (reason?). The only
hint is:

SIP/2.0 401 Unauthorized 1103003032F

Can someone shed some light/help onto this?

Thanks in advance,

Oliver

[...]
[Sep 1 17:32:06] VERBOSE[100189] res_pjsip_logger.c: <--- Transmitting SIP
request (829
bytes) to UDP:213.20.127.47:5060 ---> REGISTER sip:sip.alice-voip.de SIP/2.0
Via: SIP/2.0/UDP
XXX.XXX.XXX.XXX:5060;rport;branch=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX From:
<sip:491234567890 at
sip.alice-voip.de>;tag=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX To:
<sip:491234567890 at sip.alice-voip.de> Call-ID:
yxyxyxyxyxyxyxyxyxyxyxyxyxyxy
CSeq: 15095 REGISTER
Contact: <sip:491234567890 at XXX.XXX.XXX.XXX:5060>
Expires: 1800
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE,
PRACK,
REGISTER, REFER, MESSAGE Max-Forwards: 70
User-Agent: Asterisk13
Authorization: Digest username="491234567890",
realm="ims.telefonica.de",
nonce="xxxxxxxxxxxxxxxxxxxxxxxxxxx",
uri="sip:sip.alice-voip.de",
response="186x11yd22424424EDQb11133315b44ff1", algorithm=MD5,
cnonce="BasjdasKFHKbfhhfkjhfjkSGHF", qop=auth, nc=00000001
Content-Length: 0


[Sep 1 17:32:06] VERBOSE[100188] res_pjsip_logger.c: <--- Received SIP
response (589
bytes) from UDP:213.20.127.47:5060 ---> SIP/2.0 401 Unauthorized 1103003032F
Via: SIP/2.0/UDP
XXX.XXX.XXX.XXX:5060;received=XXX.XXX.XXX.XXX;rport=5060;branch=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
To: <sip:491234567890 at
sip.alice-voip.de>;tag=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
From: <sip:491234567890 at
sip.alice-voip.de>;tag=yyyyyyyyyyyyyyyyyyyyyyyyyyyyy Call-ID:
yxyxyxyxyxyxyxyxyxyxyxyxyxyxy CSeq: 15095 REGISTER
Service-Route: <sip:213.20.127.47:5060;transport=udp;lr>
WWW-Authenticate: Digest
realm="ims.telefonica.de",nonce="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",algorithm=MD5,qop="auth"
Content-Length: 0

[Sep 1 17:32:06] WARNING[100189] res_pjsip_outbound_registration.c: Temporal
response
'401' received from 'sip:sip.alice-voip.de' on registration
attempt to
'sip:491234567890 at sip.alice-voip.de', retrying in '30'

[...] 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170902/ca7471c9/attachment.pgp>

Am Sat, 2 Sep 2017 09:58:09 +0200
"O. Hartmann" <ohartmann at walstatt.org> schrieb:

Is this question to "blunt" for this forum? The background is, that I
have two ITSP
providing VoIP. One works with Asterisk 13 like a charme, but the other one not.
This
specific ITSP claims that they've provided me with all the necessary
informations -
comprised from registrar, username, password and SIP server. nothing more. The
working
one did the same, and it worked.

Now I need to figure out what is wrong. I suspect the password, but before
pressing
charges, I need to know some more proof ...

So far thanks.

oh
> It might sound stupid and a kind of "noobish", but I have serious
trouble with
> registering one of my ITSP to Asterisk 13, running on a FreeBSD 12-CURRENT
box.
> 
> The following is seen in the log and anything seems somehow
"normal", my PBX tries to
> REGISTER, receives 401, and then .... nothing more!
> 
> I can't see why the REGISTER attempt dies that early (reason?). The
only hint is:
> 
> SIP/2.0 401 Unauthorized 1103003032F
> 
> Can someone shed some light/help onto this?
> 
> Thanks in advance,
> 
> Oliver
> 
> [...]
> [Sep 1 17:32:06] VERBOSE[100189] res_pjsip_logger.c: <--- Transmitting
SIP request (829
> bytes) to UDP:213.20.127.47:5060 ---> REGISTER sip:sip.alice-voip.de
SIP/2.0
> Via: SIP/2.0/UDP
> XXX.XXX.XXX.XXX:5060;rport;branch=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
From:
> <sip:491234567890 at
sip.alice-voip.de>;tag=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX To:
> <sip:491234567890 at sip.alice-voip.de> Call-ID:
yxyxyxyxyxyxyxyxyxyxyxyxyxyxy
> CSeq: 15095 REGISTER
> Contact: <sip:491234567890 at XXX.XXX.XXX.XXX:5060>
> Expires: 1800
> Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL,
UPDATE, PRACK,
> REGISTER, REFER, MESSAGE Max-Forwards: 70
> User-Agent: Asterisk13
> Authorization: Digest username="491234567890",
realm="ims.telefonica.de",
> nonce="xxxxxxxxxxxxxxxxxxxxxxxxxxx",
uri="sip:sip.alice-voip.de",
> response="186x11yd22424424EDQb11133315b44ff1", algorithm=MD5,
> cnonce="BasjdasKFHKbfhhfkjhfjkSGHF", qop=auth, nc=00000001
Content-Length: 0
> 
> 
> [Sep 1 17:32:06] VERBOSE[100188] res_pjsip_logger.c: <--- Received SIP
response (589
> bytes) from UDP:213.20.127.47:5060 ---> SIP/2.0 401 Unauthorized
1103003032F
> Via: SIP/2.0/UDP
>
XXX.XXX.XXX.XXX:5060;received=XXX.XXX.XXX.XXX;rport=5060;branch=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> To: <sip:491234567890 at
sip.alice-voip.de>;tag=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> From: <sip:491234567890 at
sip.alice-voip.de>;tag=yyyyyyyyyyyyyyyyyyyyyyyyyyyyy Call-ID:
> yxyxyxyxyxyxyxyxyxyxyxyxyxyxy CSeq: 15095 REGISTER
> Service-Route: <sip:213.20.127.47:5060;transport=udp;lr>
> WWW-Authenticate: Digest
>
realm="ims.telefonica.de",nonce="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",algorithm=MD5,qop="auth"
> Content-Length: 0
> 
> [Sep 1 17:32:06] WARNING[100189] res_pjsip_outbound_registration.c:
Temporal response
> '401' received from 'sip:sip.alice-voip.de' on registration
attempt to
> 'sip:491234567890 at sip.alice-voip.de', retrying in '30'
> 
> [...] 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170903/9dff3336/attachment.pgp>

Possibly the realm?

Thanks,
Steve

On Sat, Sep 2, 2017 at 3:58 AM, O. Hartmann <ohartmann at walstatt.org>
wrote:
>
> It might sound stupid and a kind of "noobish", but I have serious
trouble
> with
> registering one of my ITSP to Asterisk 13, running on a FreeBSD 12-CURRENT
> box.
>
> The following is seen in the log and anything seems somehow
"normal", my
> PBX tries to
> REGISTER, receives 401, and then .... nothing more!
>
> I can't see why the REGISTER attempt dies that early (reason?). The
only
> hint is:
>
> SIP/2.0 401 Unauthorized 1103003032F
>
> Can someone shed some light/help onto this?
>
> Thanks in advance,
>
> Oliver
>
> [...]
> [Sep 1 17:32:06] VERBOSE[100189] res_pjsip_logger.c: <--- Transmitting
SIP
> request (829
> bytes) to UDP:213.20.127.47:5060 ---> REGISTER sip:sip.alice-voip.de
> SIP/2.0
> Via: SIP/2.0/UDP
> XXX.XXX.XXX.XXX:5060;rport;branch=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> From:
> <sip:491234567890 at
sip.alice-voip.de>;tag=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> To:
> <sip:491234567890 at sip.alice-voip.de> Call-ID:
> yxyxyxyxyxyxyxyxyxyxyxyxyxyxy
> CSeq: 15095 REGISTER
> Contact: <sip:491234567890 at XXX.XXX.XXX.XXX:5060>
> Expires: 1800
> Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL,
> UPDATE, PRACK,
> REGISTER, REFER, MESSAGE Max-Forwards: 70
> User-Agent: Asterisk13
> Authorization: Digest username="491234567890",
realm="ims.telefonica.de",
> nonce="xxxxxxxxxxxxxxxxxxxxxxxxxxx",
uri="sip:sip.alice-voip.de",
> response="186x11yd22424424EDQb11133315b44ff1", algorithm=MD5,
> cnonce="BasjdasKFHKbfhhfkjhfjkSGHF", qop=auth, nc=00000001
> Content-Length: 0
>
>
> [Sep 1 17:32:06] VERBOSE[100188] res_pjsip_logger.c: <--- Received SIP
> response (589
> bytes) from UDP:213.20.127.47:5060 ---> SIP/2.0 401 Unauthorized
> 1103003032F
> Via: SIP/2.0/UDP
> XXX.XXX.XXX.XXX:5060;received=XXX.XXX.XXX.XXX;rport=5060;branch>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> To: <sip:491234567890 at sip.alice-voip.de>;tag>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> From: <sip:491234567890 at
sip.alice-voip.de>;tag=yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
> Call-ID:
> yxyxyxyxyxyxyxyxyxyxyxyxyxyxy CSeq: 15095 REGISTER
> Service-Route: <sip:213.20.127.47:5060;transport=udp;lr>
> WWW-Authenticate: Digest
>
realm="ims.telefonica.de",nonce="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxx",algorithm=MD5,qop="auth"
> Content-Length: 0
>
> [Sep 1 17:32:06] WARNING[100189] res_pjsip_outbound_registration.c:
> Temporal response
> '401' received from 'sip:sip.alice-voip.de' on registration
attempt to
> 'sip:491234567890 at sip.alice-voip.de', retrying in '30'
>
> [...]
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.
> org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170902/bb241c7a/attachment.html>