<html><head/><body><html><head></head><body>Because digest authentication is a far from self-evident or universal use-case for Kamailio.<br><br><div class="gmail_quote">Paul Belanger <paul.belanger@polybeacon.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre style="white-space: pre-wrap; word-wrap:break-word; font-family: sans-serif; margin-top: 0px">Greeting,<br /><br />Hopefully, I'm understanding the following default kamailio.cfg[1]<br />file. Over the weekend, I was attached by SipVicious. Following<br />along with the example Daniel[2] create with kamailio and asterisk, I<br />have almost the same setup. Rather then storing my SIP profiles in<br />Asterisk database, I have then in Kamailio.<br /><br />To my point, the attacker was actually able to by pass any sort of<br />authentication, but simply sending an INIVTE message:<br /><br />./<a href="http://svmap.py">svmap.py</a> -e 18885551234 <a href="http://kamailio.example.org">kamailio.example.org</a> -m INVITE<br /><br />Which kamailio, forwarded to Asterisk and because there is no<br />additional auth within asterisk, was able to hit the asterisk context<br />for getting processed (they did not get out to the real world).<br />However, my question is.... why do we not
authenticate INVITE<br />messages? If my understanding is correct, if would require something<br />like the following:<br /><br />if (is_method("INVITE")) {<br />if (!proxy_authorize("$fd", "subscriber")) {<br />proxy_challenge("$fd", "0");<br />exit;<br />}<br />}<br /><br />If so, why not also do it in the default configuration file?<br /><br />[1] <a href="http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD">http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD</a><br />[2] <a href="http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb">http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb</a></pre></blockquote></div><br>
--<br>
Sent from my Nexus 10, with all the figments of autocorrect that might imply.<br>
<br>
Alex Balashov - Principal<br>
Evariste Systems LLC<br>
235 E Ponce de Leon Ave<br>
Suite 106<br>
Decatur, GA 30030<br>
United States<br>
Tel: +1-678-954-0670<br>
Web: <a href="http://www.evaristesys.com">http://www.evaristesys.com</a>/, <a href="http://www.alexbalashov.com/">http://www.alexbalashov.com/</a></body></html></body></html>