Security pjsip - trunk with registration

Hello, I have a situation with PJSIP.

  1. I created a TRUNK with a provider to make and receive calls

If I put “auth=auth_XXXX” in the endpoint section, the trunk doesn't receive calls; Asterisk sends a 401.

[Log of 401]
<--- Received SIP request (943 bytes) from UDP:IP_NOT_REAL:5060 --->
INVITE sip:0001@IP_NO_REAL_2:5060;line=xisfcoj SIP/2.0
Via: SIP/2.0/UDP IP_NOT_REAL:5060;rport;branch=z9hG4bKPj61616e24-affa-4599-9bd1-8348eb4cc471
From: sip:0001@10.158.0.2;tag=514eef8c-305b-495a-b579-da27c0c2d3db
To: sip:0001@IP_NO_REAL_2;line=xisfcoj
Contact: sip:0001@IP_NOT_REAL:5060
Call-ID: a7605642-57b6-4eda-86d1-0bea1afc4cca
CSeq: 6101 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Alert-Info: interno
Max-Forwards: 70
User-Agent: asterisk
Content-Type: application/sdp
Content-Length: 272

v=0
o=- 1447647912 1447647912 IN IP4 IP_NOT_REAL
s=asterisk
c=IN IP4 IP_NOT_REAL
t=0 0
m=audio 11098 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (569 bytes) to UDP:IP_NOT_REAL:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP IP_NOT_REAL:5060;rport=5060;received=IP_NOT_REAL;branch=z9hG4bKPj61616e24-affa-4599-9bd1-8348eb4cc471
Call-ID: a7605642-57b6-4eda-86d1-0bea1afc4cca
From: sip:0001@10.158.0.2;tag=514eef8c-305b-495a-b579-da27c0c2d3db
To: sip:0001@IP_NO_REAL_2;line=xisfcoj;tag=z9hG4bKPj61616e24-affa-4599-9bd1-8348eb4cc471
CSeq: 6101 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1587298335/73188e1f114143da7b020ee0721df6fe",opaque="5a4affa4671c8648",algorithm=md5,qop="auth"
Server: asterisk
Content-Length: 0

<--- Received SIP request (440 bytes) from UDP:IP_NOT_REAL:5060 --->
ACK sip:0001@IP_NOT_REAL:5060;line=xisfcoj SIP/2.0
Via: SIP/2.0/UDP IP_NOT_REAL:5060;rport;branch=z9hG4bKPj61616e24-affa-4599-9bd1-8348eb4cc471
From: sip:0001@10.158.0.2;tag=514eef8c-305b-495a-b579-da27c0c2d3db
To: sip:0001@IP_NO_REAL_2;line=xisfcoj;tag=z9hG4bKPj61616e24-affa-4599-9bd1-8348eb4cc471
Call-ID: a7605642-57b6-4eda-86d1-0bea1afc4cca
CSeq: 6101 ACK
Max-Forwards: 70
User-Agent: asterisk
Content-Length: 0

END LOG.

But if I don't put this, the trunk works perfectly, but we can send a REGISTER from another IP phone with the trunk's username and any password, and Asterisk accepts it. This is very insecure.

Block of endpoint TRUNK provider
[0001]
type=endpoint
context=geral
disallow=all
allow=ulaw
outbound_auth=auth_0001
aors=0001
from_user=0001
;;;;;auth=auth_0001

I read all the documentation about trunks with registration, and only found rules with ACLs for security, but we have dynamic IPs.

Providers normally don’t authenticate. Take this up with your provider, but don’t expect them to start authenticating. (This is why it has become the standard recipe to put insecure=invite in trunk configurations for chan_sip.)

Given they won’t change, you will need to make sure you are verifying the IP address, and that the calls land in a context that can’t do anything chargeable.

Yes, they do. Either by IP or user/pass or a combo of them. Nothing authorizing means anyone can get through them. That is a hot mess waiting to happen.

It is very complicated. Maybe Asterisk could change this in the future. Normally you have one trunk with a provider and this trunk is for outgoing and incoming calls.
The providers will not change their configurations.

If a hacker discovers the name of your trunk, he can register.

I’m not sure what you are referring to when you say Asterisk has to change something in the future. SIP Registration is a basic of SIP not Asterisk. So can you please clarify what you are trying to say here?

Providers authenticate the customer; they don’t authenticate themselves to the customer. As I read the question, the OP is expecting two way authentication, presumably with the same secret used both ways.

As I said, the reason that cook book solutions always have insecure=invite is that secret= invokes two way authentication, but the providers only do one way authentication. Unfortunately, because people just use it as a cook book solution, they end up using it in contexts where two way authentication would be possible, typically where the user owns both ends. (They also tend to have insecure=port, which is not normally needed.)

What the OP describes is the provider being asked to authenticate, by sending 401, and them not replying, because they are not set up to authenticate themselves.

Yeah, the OP is a bit confusing in what they are saying. However, they are using Chan_PJSIP not Chan_SIP so insecure= isn’t going to do anything for them.

There are three things you need in the Chan_PJSIP config to do a trunk with outbound registration to the provider. 1) Endpoint section 2) AOR section and 3) Identify section. The third is what allows calls to be accepted from the provider as you set the match= fields with the IPs calls will originate from.

It’s sounding like that section is missing and needs to be created.
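One way to lay out those three sections, plus the registration and auth objects they depend on, in pjsip.conf. This is an added illustration, not a post from the thread or the OP's actual config; PROVIDER_HOST, PROVIDER_IP, the context name and the password are placeholders. The trunk endpoint deliberately has no auth= line (the provider will not answer a 401 challenge), and the AOR keeps max_contacts at its default of 0, so Asterisk will not accept a REGISTER for the trunk's username from anyone; the identify section matches the provider's address, not yours, so your own dynamic IP does not matter.

```ini
; --- Registration to the provider (we authenticate to them, not the reverse)
[0001]
type=registration
transport=transport-udp        ; assumes a transport named transport-udp exists
outbound_auth=auth_0001
server_uri=sip:PROVIDER_HOST
client_uri=sip:0001@PROVIDER_HOST
retry_interval=60

; --- Credentials used only for OUR outbound requests
[auth_0001]
type=auth
auth_type=userpass
username=0001
password=PLACEHOLDER_PASSWORD

; --- AOR: static contact, no registrations accepted
[0001]
type=aor
contact=sip:PROVIDER_HOST:5060
max_contacts=0                 ; default; rejects any REGISTER for this AOR

; --- Endpoint: no auth= so inbound INVITEs are not challenged
[0001]
type=endpoint
transport=transport-udp
context=from-provider          ; context with no chargeable destinations
disallow=all
allow=ulaw
outbound_auth=auth_0001        ; answer the provider's challenges on OUR calls
aors=0001
from_user=0001

; --- Identify: only traffic from the provider's address maps to this endpoint
[0001]
type=identify
endpoint=0001
match=PROVIDER_IP              ; one or more provider IPs/subnets, comma separated
```

Anything arriving from an address not listed in match= is not associated with the trunk endpoint at all, which is what replaces the password check the provider will never perform.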

The SIP library is PJSIP, ok, but the method for searching endpoints passes through Asterisk. Maybe Asterisk could extend the functions for it.

Extend the functions for authenticating with “Digest Auth”.

Yes, the third section, Identify, I have. But you can't put the “auth” parameter in the “endpoint” section, because Asterisk will request a user and password and the incoming SIP INVITE will be answered with a 401.

What are you wanting to do exactly? The “auth” section fundamentally is for challenging the remote side for authentication, as many ITSPs don’t do that you can’t change or improve that.