[SR-Users] INVITE messages not authenticated (default configuration)?

Paul Belanger paul.belanger at polybeacon.com
Thu Mar 7 23:28:28 CET 2013


On Thu, Mar 7, 2013 at 5:24 PM, Alex Balashov <abalashov at evaristesys.com> wrote:
> Because digest authentication is a far from self-evident or universal
> use-case for Kamailio.
>
>
> Paul Belanger <paul.belanger at polybeacon.com> wrote:
>>
>> Greetings,
>>
>> Hopefully, I'm understanding the following default kamailio.cfg[1]
>> file.  Over the weekend, I was attacked by SipVicious.  Following
>> along with the example Daniel[2] created with kamailio and asterisk, I
>> have almost the same setup.  Rather than storing my SIP profiles in the
>> Asterisk database, I have them in Kamailio.
>>
>> To my point, the attacker was actually able to bypass any sort of
>> authentication by simply sending an INVITE message:
>>
>> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>>
>> Which kamailio, forwarded to Asterisk and because there is no
>> additional auth within asterisk, was able to hit the asterisk context
>> for getting processed (they did not get out to the real world).
>> However, my question is.... why do we not
>> authenticate INVITE
>> messages?  If my understanding is correct, it would require something
>> like the following:
>>
>> if (is_method("INVITE")) {
>>     # challenge the INVITE against the subscriber table, realm = From domain
>>     if (!proxy_authorize("$fd", "subscriber")) {
>>         proxy_challenge("$fd", "0");
>>         exit;
>>     }
>> }
>>
>> If so, why not also do it in the default configuration file?
>>
>> [1]
>> http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
>> [2]
>> http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>
So that is what confuses me.  Why do we authenticate only when the
user requests it?

-- 
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
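As an added example, not taken from this thread or from the stock kamailio.cfg, the following route fragments put the behaviour Paul ran into next to the hardened form his snippet sketches. Everything in it is an assumption made for illustration: auth.so and auth_db.so loaded against a "subscriber" table, a route[RELAY] defined as in the default config, and Asterisk listening on 192.0.2.10:5060 (a documentation address). The fragment is meant to sit after the default config's sanity, NAT and record-route handling.

```cfg
# Added example (not from the original thread or the Kamailio default config).
# Assumed, hypothetical setup: auth/auth_db against table "subscriber",
# route[RELAY] as in the default kamailio.cfg, Asterisk at 192.0.2.10:5060.

loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")

# WEAK: the path a SipVicious "svmap.py -m INVITE" scan exercises. Any host on
# the Internet can put a local domain in the From header and the INVITE is
# relayed to Asterisk with no credentials ever asked for.
route[ASTERISK_OPEN] {
    $du = "sip:192.0.2.10:5060";
    route(RELAY);
}

# HARDENED: dialog-initiating requests claiming a local From domain must carry
# valid digest credentials before anything is relayed to Asterisk.
route[ASTERISK_AUTH] {
    if (is_method("INVITE|MESSAGE|SUBSCRIBE") && from_uri==myself) {
        if (!proxy_authorize("$fd", "subscriber")) {
            # 407 Proxy Authentication Required with a fresh nonce
            proxy_challenge("$fd", "0");
            exit;
        }
        # The authenticated username must match the From user, otherwise one
        # valid account could place calls as any other subscriber.
        if ($au != $fU) {
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }
        # strip Proxy-Authorization so the credentials are not forwarded
        consume_credentials();
    }
    # Requests whose From domain is NOT local (e.g. inbound calls from a
    # carrier) reach this point unchallenged; they need a separate
    # source-address check (permissions module) or should be rejected here.
    $du = "sip:192.0.2.10:5060";
    route(RELAY);
}

request_route {
    # ... default sanity checks, NAT handling, record_route() ...
    if (is_method("REGISTER")) {
        # REGISTER is handled by the default config's own auth logic
        route(REGISTRAR);
    }
    route(ASTERISK_AUTH);   # swap for route(ASTERISK_OPEN) to reproduce the scan result
}
```

Two points worth checking in a real deployment: `from_uri==myself` only matches domains listed via `alias`/`listen`, so a scanner that sends a foreign From domain falls through to the unchallenged branch and must be stopped by an IP or permissions check there; and `consume_credentials()` matters whenever Asterisk sits behind the proxy, since a forwarded Proxy-Authorization header is a replayable digest for the nonce lifetime.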