[VoiceOps] Phone auth for incoming calls?
Alex Balashov
abalashov at evaristesys.com
Wed Aug 8 14:11:20 EDT 2018
That has changed greatly since 2005.
On August 8, 2018 2:07:50 PM EDT, Carlos Alvarez <caalvarez at gmail.com> wrote:
>That's a change I've never investigated. Or more precisely, haven't
>investigated since the days when the advice for doing it was "good
>luck!!"
>
>
>On Wed, Aug 8, 2018 at 11:00 AM Alex Balashov <abalashov at evaristesys.com> wrote:
>
>> I would have to agree with Calvin. Just use TCP.
>>
>> On August 8, 2018 1:58:47 PM EDT, Calvin Ellison <calvin.ellison at voxox.com> wrote:
>> >Using TCP or TLS would avoid open NAT issue, and can cure some naughty SIP
>> >ALG issues as well, assuming you want to tolerate the overhead.
>> >
>> >For UDP, we've used both Digest and Source request validation with Polycom
>> >devices. Source validation is probably the easiest route, assuming the UA
>> >doesn't need to receive calls from anyone but its proxy or registrar.
>> >Digest (nonce challenge) is better if you want to accept calls from anyone
>> >who knows your password, but we had an issue with a softswitch that would
>> >properly handle auth channel to INVITE but choked when a BYE was
>> >challenged.
>> >
>> >
>> >
>> >
>> >Regards,
>> >
>> >*Calvin Ellison*
>> >Voice Operations Engineer
>> >calvin.ellison at voxox.com
>> >+1 (213) 285-0555
>> >
>> >-----------------------------------------------
>> >*voxox.com <http://www.voxox.com/> *
>> >5825 Oberlin Drive, Suite 5
>> >San Diego, CA 92121
>> >
>> >On Wed, Aug 8, 2018 at 10:43 AM, Carlos Alvarez <caalvarez at gmail.com> wrote:
>> >
>> >> Do most of you have the phones authenticate incoming calls? We haven't
>> >> been, but occasionally find a router that has unfiltered full cone NAT
>> >> (Cisco) or that puts one phone on 5060 with no filtering by IP. The result
>> >> is that the phone will start ringing at random as script kiddies hit the IP
>> >> and port 5060 trying to find servers to exploit. I don't see a downside to
>> >> changing to auth, but not having done it outside of a few tests of a small
>> >> number of phones, I figured I would ask.
>> >>
>> >>
>> >> _______________________________________________
>> >> VoiceOps mailing list
>> >> VoiceOps at voiceops.org
>> >> https://puck.nether.net/mailman/listinfo/voiceops
>> >>
>> >>
>>
>>
>> -- Alex
>>
>> --
>> Sent via mobile, please forgive typos and brevity.
>>
-- Alex
--
Sent via mobile, please forgive typos and brevity.
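
An added sketch, not part of the thread and not any phone vendor's code, of the two checks discussed above (source validation and a Digest nonce challenge) applied to a request arriving at a phone. The function names, addresses and credentials are constructed for illustration; combining the two checks in one function and leaving BYE unchallenged by default are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")  # method is hashed in, so an INVITE response does not fit a BYE
    return _md5(f"{ha1}:{nonce}:{ha2}")

def screen_request(src_ip, method, uri, auth, *, proxies, creds, nonce,
                   challenge=("INVITE",)):
    """Return 'accept', 'challenge' (answer 401 with a nonce) or 'drop' (do not ring).
    auth is the parsed Authorization header as a dict, or None."""
    # Source validation: requests from our own proxy/registrar are accepted.
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(net) for net in proxies):
        return "accept"
    # Methods we do not challenge are only taken from the proxy.
    if method not in challenge:
        return "drop"
    if auth is None:
        return "challenge"
    expected = digest_response(creds["user"], creds["realm"], creds["password"],
                               method, uri, nonce)
    fresh = auth.get("nonce") == nonce and auth.get("uri") == uri
    ok = fresh and hmac.compare_digest(auth.get("response", ""), expected)
    return "accept" if ok else "drop"

# Constructed sample values (documentation address ranges, made-up credentials).
PROXIES = ["192.0.2.10/32"]
CREDS = {"user": "1001", "realm": "pbx.example", "password": "s3cret"}
NONCE = "a1b2c3d4"
URI = "sip:1001@198.51.100.7:5060"

def demo():
    good = {"nonce": NONCE, "uri": URI, "response": digest_response(
        "1001", "pbx.example", "s3cret", "INVITE", URI, NONCE)}
    kw = dict(proxies=PROXIES, creds=CREDS, nonce=NONCE)
    return [
        screen_request("192.0.2.10", "INVITE", URI, None, **kw),    # own proxy
        screen_request("203.0.113.50", "INVITE", URI, None, **kw),  # scanner, no credentials
        screen_request("203.0.113.50", "INVITE", URI, good, **kw),  # peer that knows the password
        screen_request("203.0.113.50", "INVITE", URI, dict(good, response="0" * 32), **kw),
        screen_request("203.0.113.50", "BYE", URI, None, **kw),     # unchallenged method, unknown source
    ]
```
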