Registration and Invite Authentication

Hi,

After I specified a username and password for a dynamic endpoint in sip.conf, Asterisk will authenticate the endpoint when it tries to register. Later, when I make a call, Asterisk will go through the same authentication process again, but this time with the INVITE packets.

I was wondering: why does it go through the whole authentication process again? It seems redundant since Asterisk already authenticated the endpoint during registration.

Thanks!

See insecure=invite (often mis-specified by service providers as, the no longer supported, insecure=very, or its modern equivalent, insecure=port,invite).

Note that dynamic “users” don’t need to register, although they will not be able to receive calls.

Thanks David, for the reply.

I knew that insecure=invite turns off the INVITE authentication, but what I’m interested in is this:

Is there a special reason that Asterisk goes through that whole process of authenticating INVITEs with already registered endpoints?

It seems redundant for Asterisk to authenticate an endpoint that Asterisk already knows is authenticated.

Oddly, this one actually belongs in Asterisk General, when the normal problem is ones there that belong in Asterisk Support!

For a user or friend, it must authenticate, to remain secure. For a peer, I guess a prediction attack might be difficult.

itsaniceday wrote:
> I was wondering: why does it go through the whole authentication process again? It seems redundant since Asterisk already authenticated the endpoint during registration.

You defined your endpoint as type=friend instead of type=peer. This is a fairly common mistake among Asterisk users.

A common misconception is that the SIP registration process is primarily intended for peer authentication. But that is not the case. The SIP registration process is primarily a mechanism through which an IP PBX (or any SIP server) receives information about the IP address of a SIP client (extension). Without that information, the IP PBX does not know where to send incoming calls.

The authentication part of the SIP register process is a good security mechanism that limits fraud options for an attacker. But even if a client successfully registers to a device, an attacker can still send a SIP Invite with a spoofed source IP address. The authentication process on SIP Invite messages is there just to avoid such an attack. If the mechanism is disabled, a SIP Invite with a spoofed source IP would be accepted by the SIP server. If a SIP server requires authentication on every SIP Invite, that limits the options for an attacker to take advantage of the VoIP system.
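The point made in this thread can be modelled in a few lines. The following is an added example, not part of any post above and not Asterisk's own code: it computes the SIP digest response in the legacy RFC 2617 form (no qop, an assumption) and compares an INVITE check that trusts only the registered address with one that demands credentials. The peer record, addresses, nonces and the `accept_invite` helper are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, secret, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")  # the request method is part of the hash
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

# Constructed peer record: what the server knows after a successful REGISTER.
PEER = {
    "user": "1001",
    "realm": "asterisk",
    "secret": "constructed-secret",
    "registered_ip": "192.0.2.10",
}

def accept_invite(src_ip, uri, nonce, response, require_auth):
    """Simplified model of the decision taken for an incoming INVITE.

    require_auth=False models an insecure=invite style setup: the request is
    judged only by its apparent source address.
    require_auth=True models the default: the sender must answer a challenge.
    """
    if not require_auth:
        return src_ip == PEER["registered_ip"]
    if response is None:
        return False  # the server would answer with a challenge instead
    expected = digest_response(PEER["user"], PEER["realm"], PEER["secret"],
                               "INVITE", uri, nonce)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    uri, nonce = "sip:2002@pbx.example.test", "constructed-invite-nonce"
    good = digest_response("1001", "asterisk", "constructed-secret",
                           "INVITE", uri, nonce)
    # Response produced earlier for REGISTER, with its own nonce and URI.
    reg = digest_response("1001", "asterisk", "constructed-secret",
                          "REGISTER", "sip:pbx.example.test", "constructed-reg-nonce")
    print("address only, no credentials:", accept_invite("192.0.2.10", uri, nonce, None, False))
    print("auth required, no credentials:", accept_invite("192.0.2.10", uri, nonce, None, True))
    print("auth required, REGISTER response reused:", accept_invite("192.0.2.10", uri, nonce, reg, True))
    print("auth required, valid INVITE response:", accept_invite("192.0.2.10", uri, nonce, good, True))
```

Because the method, URI and nonce all feed the hash, the credentials checked at registration say nothing about a later INVITE; only the per-request challenge ties that INVITE to someone who holds the secret.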