[VoiceOps] Phone auth for incoming calls?
Alex Balashov
abalashov at evaristesys.com
Wed Aug 8 14:00:09 EDT 2018
I would have to agree with Calvin. Just use TCP.
On August 8, 2018 1:58:47 PM EDT, Calvin Ellison <calvin.ellison at voxox.com> wrote:
>Using TCP or TLS would avoid open NAT issue, and can cure some naughty SIP
>ALG issues as well, assuming you want to tolerate the overhead.
>
>For UDP, we've used both Digest and Source request validation with Polycom
>devices. Source validation is probably the easiest route, assuming the UA
>doesn't need to receive calls from anyone but its proxy or registrar.
>Digest (nonce challenge) is better if you want to accept calls from anyone
>who knows your password, but we had an issue with a softswitch that would
>properly handle auth channel to INVITE but choked when a BYE was
>challenged.
>
>Regards,
>
>*Calvin Ellison*
>Voice Operations Engineer
>calvin.ellison at voxox.com
>+1 (213) 285-0555
>
>-----------------------------------------------
>*voxox.com <http://www.voxox.com/> *
>5825 Oberlin Drive, Suite 5
>San Diego, CA 92121
>
>On Wed, Aug 8, 2018 at 10:43 AM, Carlos Alvarez <caalvarez at gmail.com> wrote:
>
>> Do most of you have the phones authenticate incoming calls? We haven't
>> been, but occasionally find a router that has unfiltered full cone NAT
>> (Cisco) or that puts one phone on 5060 with no filtering by IP. The result
>> is that the phone will start ringing at random as script kiddies hit the IP
>> and port 5060 trying to find servers to exploit. I don't see a downside to
>> changing to auth, but not having done it outside of a few tests of a small
>> number of phones, I figured I would ask.
-- Alex
--
Sent via mobile, please forgive typos and brevity.
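
Added example, not part of the original thread and not any phone vendor's code: a sketch of the two phone-side checks discussed above, source validation and Digest (nonce challenge), applied to an incoming request. The class name, the decision strings, the addresses and the credentials are assumptions made for illustration; the digest form is RFC 2617 MD5 without qop.

```python
import hashlib
import hmac
import ipaddress
import secrets

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop (MD5), as SIP UAs compute it."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class IncomingPolicy:
    """Hypothetical phone-side policy: mode is 'source' or 'digest'."""
    def __init__(self, trusted, user, realm, password, mode):
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.user, self.realm, self.password = user, realm, password
        self.mode = mode
        self.nonces = set()  # nonces issued in 401 challenges, single use

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def decide(self, src_ip, method, uri, auth=None):
        if self.mode == "source":
            # Source validation: only the proxy/registrar may send requests.
            ip = ipaddress.ip_address(src_ip)
            return "accept" if any(ip in n for n in self.trusted) else "drop"
        # Digest: anyone may call, but must answer a nonce challenge.
        if not auth or auth.get("nonce") not in self.nonces:
            return "challenge"  # reply 401 with issue_nonce()
        self.nonces.discard(auth["nonce"])  # a nonce cannot be replayed
        expected = digest_response(self.user, self.realm, self.password,
                                   method, uri, auth["nonce"])
        given = str(auth.get("response", ""))
        ok = auth.get("username") == self.user and hmac.compare_digest(
            expected.encode(), given.encode())
        return "accept" if ok else "reject"

# Constructed sample: proxy at 198.51.100.10, scanner at 203.0.113.7.
if __name__ == "__main__":
    p = IncomingPolicy(["198.51.100.10/32"], "1001", "pbx.example", "s3cret", "source")
    print(p.decide("198.51.100.10", "INVITE", "sip:1001@192.0.2.50"))
    print(p.decide("203.0.113.7", "INVITE", "sip:1001@192.0.2.50"))
```

In source mode an INVITE from a scanner is dropped before the phone rings; in digest mode it gets a challenge it cannot answer without the password.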