MAC in sip config

How do I configure sip client MAC address along with username and password in sip configuration file.

There is no MAC address in the SIP configuration file, it isn’t used.

If you are referring to the security advice, you put it as the section name.

Security section name?


What I was suggesting you were thinking about was this file:

which is the only place where the use of MAC is suggested, and any other string that is equally, or more, difficult for an attacker to guess, could be used.

Hi and thanks for quick response.

I need the solution of the following:

MAC address verification is required before the SIP Registrar can accept login and password from a SIP client.
The registrar will reject the login and password if the MAC address is not confirmed.

Where is this specification coming from? It is written in the passive voice; what entity is required to do the verification?

If the machine on which Asterisk is running is required to do this, please note that this isn’t even theoretically possible beyond the nearest router, as the only MAC address that will be visible is that on the Asterisk side of the router.

Even within a single broadcast area, you would either have to use low level networking APIs that no normal networking application would ever use and which, on investigation, may require root level privileges, or you are going to have to read the kernel’s ARP table, but the latter probably won’t be adequate, as it only guarantees the MAC for outbound traffic, not that the the MAC matches the IP address for inbound traffic. In any case, the sender can use a false MAC without breaking the IP and UDP levels, so you an never completely trust it inbound.

My feeling is that you are trying to implement some sort of security requirement that neither you, nor the specifier, properly understands.

Also note that login and password are not standard terminology, and, if you have verified the MAC address, there is little point in having a registrar in the first place.

Also, if this is being driven by a security consultant, I’m not sure they would accept the use of chan_sip, at all, given that the date for its last ever security fix has, effectively been announced, albeit there a few years to go.

The use of these terms also suggests that there may be a misunderstanding that registration is required before you can make an outbound call, which is not true, in general, and certainly not true for Asterisk.

username and password. I want to bind MAC address with username and password.

username and password. I want to bind MAC address with username and password

As I tried to explain, MAC is not something that an ordinary networking application would have access to, is useless beyond the first router, and of limited value even within the broadcast area.

This seems like a classic case of concentrating on a hypothetical solution, rather than the real goal, and/or a security adviser who just tries to list as many things as possible, without really doing a cost benefit analysis.

Without using MAC, username, shared secret, or their synonyms, what is the real world problem you are trying to address, e.g the nature of the security threat? Also, what is the topology of your network (especially given that MACs are only visible within a single broadcast area)?

Perhaps you’re referring to provisioning, as opposed to registration?

It’s very common to provision SIP credentials based on the MAC address, using some kind of MTLS scheme. SIP credentials are securely handed out to devices this way, so in practice you can tie registrations to MAC addresses this way. This is separate, however, from Asterisk - you’d need to setup a web server and application to do this using HTTPS.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.