After I specified a username and password for a dynamic endpoint in sip.conf, Asterisk will authenticate the endpoint when it tries to register. Later, when I make a call, Asterisk will go through the same authentication process again, but this time with the INVITE packets.
I was wondering: why does it go through the whole authentication process again? It seems redundant since Asterisk already authenticated the endpoint during registration.
See insecure=invite (often mis-specified by service providers as the no-longer-supported insecure=very, or its modern equivalent, insecure=port,invite).
Note that dynamic “users” don’t need to register, although they will not be able to receive calls.
[quote=“itsaniceday”]I was wondering: why does it go through the whole authentication process again? It seems redundant since Asterisk already authenticated the endpoint during registration.
[/quote]
You defined your endpoint as type=friend instead of type=peer. This is a fairly common mistake among Asterisk users.
A common misconception is that the SIP registration process is primarily intended for peer authentication. But that is not the case. The SIP registration process is primarily a mechanism through which an IP PBX (or any SIP server) receives information about the IP address of a SIP client (extension). Without that information, the IP PBX does not know where to send incoming calls.
The authentication part of the SIP register process is a good security mechanism that limits fraud options for an attacker. But even if a client successfully registers to a device, an attacker can still send a SIP Invite with a spoofed source IP address. The authentication process on SIP Invite messages is there just to avoid such an attack. If the mechanism is disabled, a SIP Invite with a spoofed source IP would be accepted by the SIP server. If a SIP server requires authentication on every SIP Invite, that limits the options for an attacker to take advantage of the VoIP system.
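An added illustration (not part of any post in this thread, and not Asterisk's code): a simplified Python model of the last reply's point, comparing an INVITE accepted on source address alone with one that must answer a digest challenge. The realm, user, secret, addresses and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

REALM = "pbx.example.com"                  # constructed realm
SECRETS = {"1001": "s3cret-1001"}          # constructed user -> secret
REGISTERED = {"1001": "198.51.100.20"}     # contact IP learned from REGISTER
ISSUED_NONCES = set()                      # nonces handed out in 401 challenges

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def handle_invite(src_ip, user, uri, auth=None, require_auth=True):
    """Return (SIP status, nonce or None) for an incoming INVITE."""
    if user not in SECRETS:
        return 403, None
    if not require_auth:
        # INVITE challenge skipped: the source address is the only check.
        return (200 if REGISTERED.get(user) == src_ip else 403), None
    if auth is None or auth["nonce"] not in ISSUED_NONCES:
        nonce = secrets.token_hex(16)
        ISSUED_NONCES.add(nonce)
        return 401, nonce              # challenge; caller must retry with a digest
    ISSUED_NONCES.discard(auth["nonce"])   # each nonce is single-use
    expected = digest_response(user, SECRETS[user], "INVITE", uri, auth["nonce"])
    ok = hmac.compare_digest(expected, auth["response"])
    return (200 if ok else 403), None

def demo():
    uri, ip = "sip:1002@pbx.example.com", REGISTERED["1001"]
    # Request whose source address matches the registration, no credentials.
    unauthenticated = handle_invite(ip, "1001", uri, require_auth=False)[0]
    challenged, nonce = handle_invite(ip, "1001", uri)
    wrong = {"nonce": nonce, "response": "0" * 32}      # sender lacks the secret
    rejected = handle_invite(ip, "1001", uri, auth=wrong)[0]
    _, nonce = handle_invite(ip, "1001", uri)
    resp = digest_response("1001", SECRETS["1001"], "INVITE", uri, nonce)
    accepted = handle_invite(ip, "1001", uri, {"nonce": nonce, "response": resp})[0]
    return unauthenticated, challenged, rejected, accepted

if __name__ == "__main__":
    print(demo())
```

With the challenge skipped, a matching source address is enough for a 200; with it enforced, only the sender that knows the secret gets past the 401.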