MAC in sip config

How do I configure sip client MAC address along with username and password in sip configuration file.

There is no MAC address in the SIP configuration file, it isn’t used.

If you are referring to the security advice, you put it as the section name.

Security section name?

???

What I was suggesting you were thinking about was this file:

which is the only place where the use of MAC is suggested, and any other string that is equally, or more, difficult for an attacker to guess, could be used.

Hi and thanks for quick response.

I need the solution of the following:

MAC address verification is required before the SIP Registrar can accept login and password from a SIP client.
The registrar will reject the login and password if the MAC address is not confirmed.

Where is this specification coming from? It is written in the passive voice; what entity is required to do the verification?

If the machine on which Asterisk is running is required to do this, please note that this isn’t even theoretically possible beyond the nearest router, as the only MAC address that will be visible is that on the Asterisk side of the router.

Even within a single broadcast area, you would either have to use low level networking APIs that no normal networking application would ever use and which, on investigation, may require root level privileges, or you are going to have to read the kernel’s ARP table, but the latter probably won’t be adequate, as it only guarantees the MAC for outbound traffic, not that the MAC matches the IP address for inbound traffic. In any case, the sender can use a false MAC without breaking the IP and UDP levels, so you can never completely trust it inbound.

My feeling is that you are trying to implement some sort of security requirement that neither you, nor the specifier, properly understands.

Also note that login and password are not standard terminology, and, if you have verified the MAC address, there is little point in having a registrar in the first place.

Also, if this is being driven by a security consultant, I’m not sure they would accept the use of chan_sip, at all, given that the date for its last ever security fix has, effectively, been announced, albeit there are a few years to go.

The use of these terms also suggests that there may be a misunderstanding that registration is required before you can make an outbound call, which is not true, in general, and certainly not true for Asterisk.

username and password. I want to bind MAC address with username and password.

As I tried to explain, MAC is not something that an ordinary networking application would have access to, is useless beyond the first router, and of limited value even within the broadcast area.

This seems like a classic case of concentrating on a hypothetical solution, rather than the real goal, and/or a security adviser who just tries to list as many things as possible, without really doing a cost benefit analysis.

Without using MAC, username, shared secret, or their synonyms, what is the real world problem you are trying to address, e.g. the nature of the security threat? Also, what is the topology of your network (especially given that MACs are only visible within a single broadcast area)?

Perhaps you’re referring to provisioning, as opposed to registration?

It’s very common to provision SIP credentials based on the MAC address, using some kind of MTLS scheme. SIP credentials are securely handed out to devices this way, so in practice you can tie registrations to MAC addresses this way. This is separate, however, from Asterisk - you’d need to set up a web server and application to do this using HTTPS.
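To make the provisioning approach in the reply above concrete, here is an added example (not code from the thread, nor from Asterisk) of the authorization logic that would sit behind such an HTTPS provisioning server. It assumes the web server in front has already terminated mTLS and passes in the verified client certificate CN; the device registry, the CN naming scheme and the hostnames are constructed for illustration. It binds the certificate identity to the claimed MAC before releasing a SIP secret, issues each secret only once, and renders a chan_sip peer stanza using the real `md5secret` option (MD5 of `user:realm:secret`) so the plaintext secret never has to be written into sip.conf.

```python
"""Provisioning authorizer: a device proves its identity with a client
certificate (mTLS, terminated by the web server in front of this code) and
claims a MAC; credentials are released only if the two are bound in the
registry. Transport, TLS and the HTTP framing are deliberately out of scope."""
import hashlib
import re
import secrets

# Constructed registry: MAC -> the certificate CN the device must present and
# the SIP user it is entitled to. In practice this comes from an inventory DB.
DEVICE_REGISTRY = {
    "aabbccddeeff": {"cert_cn": "phone-aabbccddeeff.example.invalid", "sip_user": "1001"},
    "001122334455": {"cert_cn": "phone-001122334455.example.invalid", "sip_user": "1002"},
}

# Must match the realm Asterisk uses in its digest challenge ("asterisk" is the default).
SIP_REALM = "asterisk"


def normalize_mac(raw):
    """Accept 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff';
    return the lowercase 12-hex form, or None if it is not a MAC at all."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def issue_credentials(cert_cn, requested_mac, issued):
    """Return (True, {"sip_user", "secret"}) or (False, reason).

    `issued` is a dict of MAC -> secret kept by the server so that a second
    request for the same device (e.g. a replayed or copied request) does not
    re-pull the secret; re-provisioning should go through an explicit reset."""
    mac = normalize_mac(requested_mac)
    if mac is None:
        return False, "malformed MAC"
    entry = DEVICE_REGISTRY.get(mac)
    if entry is None:
        return False, "unknown device"
    # The MAC alone proves nothing (it is trivially claimed); the binding to
    # the verified certificate identity is what carries the decision.
    if not cert_cn or cert_cn != entry["cert_cn"]:
        return False, "certificate does not match device"
    if mac in issued:
        return False, "credentials already issued"
    secret = secrets.token_urlsafe(24)
    issued[mac] = secret
    return True, {"sip_user": entry["sip_user"], "secret": secret}


def asterisk_peer_stanza(sip_user, secret):
    """chan_sip peer definition for the Asterisk side. md5secret holds
    MD5('user:realm:secret'), so the plaintext stays with the phone and the
    provisioning server rather than in sip.conf."""
    digest = hashlib.md5(f"{sip_user}:{SIP_REALM}:{secret}".encode()).hexdigest()
    return f"[{sip_user}]\ntype=friend\nhost=dynamic\nmd5secret={digest}\n"


if __name__ == "__main__":
    issued = {}
    ok, result = issue_credentials(
        "phone-aabbccddeeff.example.invalid", "AA:BB:CC:DD:EE:FF", issued)
    print(ok, result)
    if ok:
        print(asterisk_peer_stanza(result["sip_user"], result["secret"]))
```

The deny reasons are returned rather than raised so the HTTP layer can log them as distinct events (unknown device versus certificate/MAC mismatch is a useful signal: the latter suggests a MAC being claimed by a device that does not own it).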
