Summary: | ASTERISK-21433: Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings | ||||
Reporter: | Matt Jordan (mjordan) | Labels: | Asterisk12 NewSIP | ||
Date Opened: | 2013-04-15 16:20:38 | Date Closed: | 2013-07-02 12:09:06 | ||
Priority: | Major | Regression? | No | ||
Status: | Closed/Complete | Components: | Channels/chan_pjsip | ||
Versions: | Frequency of Occurrence | ||||
Related Issues: |
| ||||
Environment: | Attachments: | ||||
Description: | One of the more highly used (and frequently accused) features in {{chan_sip}} is the {{alwaysauthreject}} feature, which helps to prevent attackers from enumerating possible endpoints in Asterisk. The formula should go as follows:
# Inbound malicious request hits Asterisk
# Asterisk challenges the inbound request
# Inbound malicious request hits Asterisk with challenge response
# Asterisk determines that this request doesn't match a valid endpoint and returns a "403", regardless of the actual reason it would reject the request

We need an analogous feature in {{chan_gulp}}. This will require the following:
* A new "global security" object for sorcery. This should include both {{alwaysauthreject}} as well as an ACL object (currently provided by {{res_sip_acl}}). Note that ACLs should be definable both at a 'global level' as well as for endpoints.
* Creation of a new SIP module that provides security support for the SIP stack (say, {{res_sip_security}}). This should parse the global security options out and enable them.
* Apply the global ACLs to all inbound requests. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
* When {{alwaysauthreject}} is enabled, create a 'bogus' endpoint that will match all unmatched request attempts. This should have a password that can never be matched (see {{chan_sip}} in 11.3.0+) and will always cause inbound requests to fail. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.

Note that items such as the SIP Security Framework will have to also be ported over to {{chan_gulp}}, so having a security module that provides security services is probably needed. | ||||
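The four-step flow above, and the reason the 'bogus' endpoint matters, can be seen in a small model of the authentication decision. The following is an added example written for this page; it is not Asterisk, {{chan_sip}} or {{chan_gulp}} code. It assumes a constructed endpoint table, a fixed constructed nonce (so the run is deterministic), RFC 2617 MD5 digest computation, and a bogus secret drawn from random bytes that are never disclosed, which is one way to obtain a password that can never be matched. With the feature off, an unknown user and a wrong password produce different status codes, which is exactly what lets an attacker enumerate endpoints; with it on, both paths are challenged and then rejected with the same 403.

```python
import hashlib
import secrets

REALM = "asterisk"  # constructed realm for the example

# Constructed endpoint table: username -> secret (hypothetical, not a real config)
ENDPOINTS = {"alice": "correct horse battery staple"}

# Bogus endpoint secret: random, never stored or shown anywhere, so no
# challenge response can ever match it (assumption: this is how we model
# the "password that can never be matched" from the issue text).
BOGUS_SECRET = secrets.token_hex(32)

# Fixed constructed nonce so the example is deterministic; a real stack
# would issue a fresh nonce per challenge.
NONCE = "0123456789abcdef"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, secret: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 MD5 digest (no qop): response = MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{secret}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def handle_request(request: dict, always_auth_reject: bool) -> tuple:
    """Model of the inbound auth decision.

    request: {"method", "uri", "user", optional "response"} (a constructed
    SIP request, not a parsed message). Returns (status_code, reason).
    """
    user = request["user"]
    response = request.get("response")

    # Step 2: challenge every unauthenticated request, whether or not the
    # user exists. Challenging only known users would itself leak them.
    if response is None:
        return 401, "Unauthorized"

    # Step 4: pick the secret to verify against.
    if user in ENDPOINTS:
        secret = ENDPOINTS[user]
    elif always_auth_reject:
        # Unmatched request: fall through to the bogus endpoint so the
        # verification (and its outcome) is the same as a bad password.
        secret = BOGUS_SECRET
    else:
        # Feature off: the distinct code reveals that the user does not exist.
        return 404, "Not Found"

    expected = digest_response(user, secret, request["method"], request["uri"], NONCE)
    if secrets.compare_digest(expected, response):
        return 200, "OK"
    return 403, "Forbidden"


def enumeration_distinguishable(always_auth_reject: bool) -> bool:
    """True if an unknown user and a known user with a wrong password can be
    told apart by status code (i.e. endpoints are enumerable)."""
    base = {"method": "REGISTER", "uri": "sip:pbx.example.invalid"}
    unknown = handle_request({**base, "user": "mallory", "response": "deadbeef"}, always_auth_reject)
    bad_pw = handle_request({**base, "user": "alice", "response": "deadbeef"}, always_auth_reject)
    return unknown[0] != bad_pw[0]


if __name__ == "__main__":
    base = {"method": "REGISTER", "uri": "sip:pbx.example.invalid"}
    good = digest_response("alice", ENDPOINTS["alice"], base["method"], base["uri"], NONCE)
    print("valid creds, feature on:", handle_request({**base, "user": "alice", "response": good}, True))
    for setting in (False, True):
        print(f"alwaysauthreject={setting}: enumerable={enumeration_distinguishable(setting)}")
```

The model only covers the status-code channel; a complete port would also need to keep the challenge parameters, timing and any later request handling identical between the bogus endpoint and real endpoints, otherwise the distinction reappears through a different side channel.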
Comments: |