I know that in a typical endpoint scenario one can use IP authorizations or username and password (dynamic) authorizations.
I also know that one can use allow/deny to block or allow IP address ranges (which can be complex).
Here is a scenario…
Location A has 5 VoIP phones.
Location B has 5 VoIP phones.
Asterisk is accessible over the internet (spare me the security lecture, as that is precisely why I am writing this).
Location A has a hypothetical Dynamic DNS name of a.dyndns.com.
Location B has a hypothetical Dynamic DNS name of b.dyndns.com.
I can register the phones normally to Asterisk; however, this is not very secure in this day and age of SIP password brute forcing (even when taking the available measures).
Now if I go to an extension registered at Location A and change it from dynamic to IP auth, I have just authorized ALL of the phones there, and Asterisk no longer expects nor responds to registration attempts. It is a pure IP auth (I may as well disable all other extensions at Location A, as the one IP auth is now valid for all of them; but inbound calls become more complex, being specified only by port).
Half a step further: let's say we could use a dynamic hostname (it appears we cannot presently) in said auth and have the same result as the IP auth.
Now another half step further: if we could use an IP auth or dynamic hostname auth AND a registration, we could keep all phones registered to receive calls separately. This would give us an additional layer of security, as Asterisk would allow a registration ONLY from the IP that corresponds to a.dyndns.com.
It seems silly that this is a “staring me in the face” kind of solution, and far easier than allow/deny when factoring in ISPs' various IP ranges.
To look at this another way…
Allow an IP auth AND a registration (dual auth) for an extension.
Step two would be to expand the IP auth to include dynamic hostname support.
I must ask: why is there no such “dual authentication”?
Is it already possible?
Mark
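Added example (editor's code, not the poster's and not part of Asterisk): in chan_sip a peer keeps `host=dynamic` and registers with its secret, while `deny=0.0.0.0/0.0.0.0` followed by a `permit=` line restricts which source address that registration is accepted from, which is the combination of registration plus IP restriction asked about above. What sip.conf does not do is take a Dynamic DNS name in `permit=`, so the script below resolves the names from the post (a.dyndns.com and b.dyndns.com) and rewrites the peer's `deny`/`permit` lines to the current address. The sip.conf text, the peer names 1001/2001 and the resolver results are constructed for the demo; in a cron job you would pass the real file contents and `socket.gethostbyname`, write the result back and run `asterisk -rx "sip reload"` only when something changed.

```python
"""Pin chan_sip peers to the current address of a Dynamic DNS name.

Assumptions (not from the original post): sip.conf ACL syntax
(deny=/permit= with dotted masks), peer sections named 1001 and 2001.
"""
import ipaddress
import re
import socket

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
ACL_RE = re.compile(r"^\s*(deny|permit)\s*=")
HOST_RE = re.compile(r"^\s*host\s*=")

# Constructed sample config: 1001 is already pinned, 2001 only has a secret.
SAMPLE_SIP_CONF = """[general]
alwaysauthreject=yes

[1001]
type=friend
secret=CHANGE_ME
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.255
context=internal

[2001]
type=friend
secret=CHANGE_ME
host=dynamic
context=internal
"""

# Which peer may only register from which site (hostnames from the post).
PEER_HOSTS = {"1001": "a.dyndns.com", "2001": "b.dyndns.com"}


def split_sections(text):
    """Split sip.conf text into (name, lines) pairs; name is None for any preamble."""
    sections, name, lines = [], None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((name, lines))
            name, lines = m.group(1), []
        else:
            lines.append(line)
    sections.append((name, lines))
    return sections


def pin_peer(lines, ip):
    """Return the section with any old deny/permit replaced by a pin to one address."""
    acl = ["deny=0.0.0.0/0.0.0.0", f"permit={ip}/255.255.255.255"]
    kept = [l for l in lines if not ACL_RE.match(l)]
    for i, l in enumerate(kept):
        if HOST_RE.match(l):  # keep host=dynamic; the ACL goes right under it
            return kept[: i + 1] + acl + kept[i + 1:]
    end = len(kept)
    while end and not kept[end - 1].strip():  # no host= line: append before blanks
        end -= 1
    return kept[:end] + acl + kept[end:]


def update_permits(text, peer_hosts, resolve=socket.gethostbyname):
    """Return (new_text, changed). resolve maps a hostname to a dotted IPv4 string."""
    out = []
    for name, lines in split_sections(text):
        if name in peer_hosts:
            # Validate the resolver's answer so garbage never lands in the ACL.
            ip = ipaddress.IPv4Address(resolve(peer_hosts[name]))
            lines = pin_peer(lines, str(ip))
        if name is not None:
            out.append(f"[{name}]")
        out.extend(lines)
    new_text = "\n".join(out) + "\n"
    return new_text, new_text != text


def permits(text):
    """Map each section to its permit= values, for checking the result."""
    return {
        name: [l.split("=", 1)[1].strip() for l in lines if l.lstrip().startswith("permit")]
        for name, lines in split_sections(text)
        if name is not None
    }


if __name__ == "__main__":
    # Offline demo with a fake resolver (constructed addresses).
    fake = {"a.dyndns.com": "203.0.113.10", "b.dyndns.com": "198.51.100.7"}
    new_conf, changed = update_permits(SAMPLE_SIP_CONF, PEER_HOSTS, fake.__getitem__)
    print(new_conf)
    print("changed:", changed)
```

The rewrite is idempotent (running it again with the same addresses changes nothing, so the reload is skipped), replaces a stale pin instead of accumulating `permit=` lines, and refuses to write anything the resolver returns that is not an IPv4 address. `alwaysauthreject=yes` in `[general]` is kept in the sample because it stops a rejected REGISTER from revealing whether the peer name exists.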