Summary:ASTERISK-21433: Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings
Reporter:Matt Jordan (mjordan)Labels:Asterisk12 NewSIP
Date Opened:2013-04-15 16:20:38Date Closed:2013-07-02 12:09:06
Versions:Frequency of
is related toASTERISK-21434 Add anonymous access support to chan_gulp
Description:One of the more highly used (and frequently accused) features in {{chan_sip}} is the {{alwaysauthreject}} feature, which helps to prevent attackers from enumerating possible endpoints in Asterisk. The formula should go as follows:

# Inbound malicious request hits Asterisk
# Asterisk challenges the inbound request
# Inbound malicious request hits Asterisk with challenge response
# Asterisk determines that this request doesn't match a valid endpoint and returns a "403", regardless of the actual reason it would reject the request

We need an analogous feature in {{chan_gulp}}. This will require the following:

* A new "global security" object for sorcery. This should include both alwaysauthreject, as well as an ACL object (currently provided by res_sip_acl). Note that ACLs should be definable both at a 'global level', as well as for endpoints.
* Creation of a new SIP module that provides security support for the SIP stack (say, {{res_sip_security}}). This should parse the global security options out and enable them.
* Apply the global ACLs to all inbound requests. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
* When {{alwaysauthreject}} is enabled, create a 'bogus' endpoint that will match all unmatched request attempts. This should have a password that can never be matched (see chan_sip in 11.3.0+) and will always cause inbound requests to fail. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.

Note that items such as the SIP Security Framework will have to also be ported over to chan_gulp, so having a security module that provides security services is probably needed.