[SR-Users] INVITE messages not authenticated (default configuration)?

Alex Balashov abalashov at evaristesys.com
Thu Mar 7 23:30:49 CET 2013


What gives you that idea? Most likely, they spoofed an IP.

Paul Belanger <paul.belanger at polybeacon.com> wrote:

>On Thu, Mar 7, 2013 at 5:24 PM, Alex Balashov
><abalashov at evaristesys.com> wrote:
>> Because digest authentication is a far from self-evident or universal
>> use-case for Kamailio.
>>
>>
>> Paul Belanger <paul.belanger at polybeacon.com> wrote:
>>>
>>> Greeting,
>>>
>>> Hopefully, I'm understanding the following default kamailio.cfg[1]
>>> file.  Over the weekend, I was attacked by SipVicious.  Following
>>> along with the example Daniel[2] created with kamailio and asterisk, I
>>> have almost the same setup.  Rather than storing my SIP profiles in
>>> Asterisk database, I have them in Kamailio.
>>>
>>> To my point, the attacker was actually able to bypass any sort of
>>> authentication, by simply sending an INVITE message:
>>>
>>> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>>>
>>> Which kamailio forwarded to Asterisk, and because there is no
>>> additional auth within asterisk, was able to hit the asterisk context
>>> for getting processed (they did not get out to the real world).
>>> However, my question is.... why do we not authenticate INVITE
>>> messages?  If my understanding is correct, it would require something
>>> like the following:
>>>
>>> if (is_method("INVITE")) {
>>>     if (!proxy_authorize("$fd", "subscriber")) {
>>>         proxy_challenge("$fd", "0");
>>>         exit;
>>>     }
>>> }
>>>
>>> If so, why not also do it in the default configuration file?
>>>
>>> [1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
>>> [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>>
>So that is what confuses me.  Why do we authenticate only when the
>user requests it?
>
>-- 
>Paul Belanger | PolyBeacon, Inc.
>Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
>Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
>

--
Sent from my Nexus 10, with all the figments of autocorrect that might imply.

Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
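
As an added example (not part of the original message and not Kamailio code), this Python model shows the challenge-then-verify decision that the proxy_authorize/proxy_challenge snippet quoted above asks the proxy to make for each INVITE. The subscriber entry, nonce, source address and function names are constructed for illustration, and it assumes RFC 2617 digest without qop.

```python
import hashlib
import hmac
import re

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

REALM = "kamailio.example.org"   # the page's example host, used as the realm
NONCE = "5138f1a2c0ffee"         # constructed; a real proxy issues fresh nonces
# Constructed stand-in for the subscriber table: (user, realm) -> HA1
SUBSCRIBERS = {("alice", REALM): md5hex(f"alice:{REALM}:s3cret")}

def parse_request(raw):
    """Return (method, request-URI, headers keyed by lowercase name)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def digest_params(value):
    """Parse 'Digest k="v", k2=v2' into a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
    return {k: quoted or bare for k, quoted, bare in pairs}

def check_invite(raw):
    """Return (forward, reason): challenge any INVITE lacking a valid digest."""
    method, _uri, headers = parse_request(raw)
    if method != "INVITE":
        return True, "not an INVITE"
    cred = headers.get("proxy-authorization", "")
    if not cred.lower().startswith("digest "):
        return False, f'407 Proxy-Authenticate: Digest realm="{REALM}", nonce="{NONCE}"'
    p = digest_params(cred)
    ha1 = SUBSCRIBERS.get((p.get("username"), p.get("realm")))
    if ha1 is None or p.get("nonce") != NONCE:
        return False, "407 unknown user or stale nonce"
    ha2 = md5hex(f"{method}:{p.get('uri', '')}")
    expected = md5hex(f"{ha1}:{NONCE}:{ha2}")   # RFC 2617 response, no qop
    if not hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
        return False, "407 bad digest response"
    return True, f"authenticated as {p['username']}"

def sample_invite(auth_header=""):
    """Constructed INVITE, trimmed to the headers this check reads."""
    return (f"INVITE sip:18885551234@{REALM} SIP/2.0\r\n"
            f"From: <sip:scanner@192.0.2.10>;tag=x1\r\n{auth_header}"
            "Content-Length: 0\r\n\r\n")
```

Calling check_invite(sample_invite()) returns a 407 challenge instead of forwarding, which is the behaviour the quoted snippet adds for unauthenticated INVITEs.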