[VoiceOps] Phone auth for incoming calls?

Aviv Shaham aviv at ironsip.com
Wed Aug 8 15:33:37 EDT 2018


TCP is definitely the way to go nowadays. We use TCP on Grandstreams all
the time, especially on their ATAs. Speaking of which, switching from
UDP to TCP will reduce your customers' support calls dramatically.
I don't know the current status over there, but 2 years ago RingCentral
moved to TCP as well:
https://netstorage.ringcentral.com/documents/sip.pdf
Aviv


On Wed, Aug 8, 2018, at 12:21 PM, Carlos Alvarez wrote:
> It has, but it wasn't that long ago that people were still having
> challenges.  Our preferred phone vendor, Grandstream, still generally
> advises against it.
>
> So...who else on the list uses TCP and has any comments about it?
> 
> 
> On Wed, Aug 8, 2018 at 11:12 AM Alex Balashov
> <abalashov at evaristesys.com> wrote:
>> That has changed greatly since 2005.
>> 
>>  On August 8, 2018 2:07:50 PM EDT, Carlos Alvarez
>>  <caalvarez at gmail.com> wrote:
>>  >That's a change I've never investigated.  Or more precisely, haven't
>>  >investigated since the days when the advice for doing it was "good
>>  >luck!!"
>>  >
>>  >
>>  >On Wed, Aug 8, 2018 at 11:00 AM Alex Balashov
>>  ><abalashov at evaristesys.com>
>>  >wrote:
>>  >
>>  >> I would have to agree with Calvin. Just use TCP.
>>  >>
>>  >> On August 8, 2018 1:58:47 PM EDT, Calvin Ellison
>>  ><calvin.ellison at voxox.com>
>>  >> wrote:
>>  >> >Using TCP or TLS would avoid open NAT issue, and can cure some naughty
>>  >> >SIP ALG issues as well, assuming you want to tolerate the overhead.
>>  >> >
>>  >> >For UDP, we've used both Digest and Source request validation with
>>  >> >Polycom devices. Source validation is probably the easiest route,
>>  >> >assuming the UA doesn't need to receive calls from anyone but its
>>  >> >proxy or registrar. Digest (nonce challenge) is better if you want
>>  >> >to accept calls from anyone who knows your password, but we had an
>>  >> >issue with a softswitch that would properly handle auth channel to
>>  >> >INVITE but choked when a BYE was challenged.
>>  >> >
>>  >> >
>>  >> >
>>  >> >
>>  >> >Regards,
>>  >> >
>>  >> >*Calvin Ellison*
>>  >> >Voice Operations Engineer
>>  >> >calvin.ellison at voxox.com
>>  >> >+1 (213) 285-0555
>>  >> >
>>  >> >-----------------------------------------------
>>  >> >*voxox.com <http://www.voxox.com/> *
>>  >> >5825 Oberlin Drive, Suite 5
>>  >> >San Diego, CA 92121
>>  >> >
>>  >> >On Wed, Aug 8, 2018 at 10:43 AM, Carlos Alvarez
>>  ><caalvarez at gmail.com>
>>  >> >wrote:
>>  >> >
>>  >> >> Do most of you have the phones authenticate incoming calls?  We
>>  >> >> haven't been, but occasionally find a router that has unfiltered
>>  >> >> full cone NAT (Cisco) or that puts one phone on 5060 with no
>>  >> >> filtering by IP.  The result is that the phone will start ringing
>>  >> >> at random as script kiddies hit the IP and port 5060 trying to
>>  >> >> find servers to exploit.  I don't see a downside to changing to
>>  >> >> auth, but not having done it outside of a few tests of a small
>>  >> >> number of phones, I figured I would ask.
>>  >> >>
>>  >> >>
>>  >> >> _______________________________________________
>>  >> >> VoiceOps mailing list
>>  >> >> VoiceOps at voiceops.org
>>  >> >> https://puck.nether.net/mailman/listinfo/voiceops
>>  >> >>
>>  >> >>
>>  >>
>>  >>
>>  >> -- Alex
>>  >>
>>  >> --
>>  >> Sent via mobile, please forgive typos and brevity.
>>  >>
>> 
>> 
>>  -- Alex
>> 
>>  --
>>  Sent via mobile, please forgive typos and brevity. 
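
The two checks named in Calvin Ellison's quoted message (source validation and Digest nonce challenge), sketched as an added example; it is not code from any poster or phone vendor. The addresses, credentials, function names and the 401/403 choices are assumptions made for illustration, and the digest is the RFC 2617 form without qop.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed values (documentation address range, made-up credentials).
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.10/32")]  # proxy/registrar
CREDS = {"user": "1001", "realm": "phone.example", "password": "s3cret-example"}
issued_nonces = set()  # nonces this phone handed out in 401 challenges


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def source_allowed(src_ip):
    """Source validation: only the proxy or registrar may send requests."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def digest_response(method, uri, nonce, creds=CREDS):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{creds['user']}:{creds['realm']}:{creds['password']}")
    ha2 = _md5(f"{method}:{uri}")  # the request method is hashed in
    return _md5(f"{ha1}:{nonce}:{ha2}")


def new_challenge():
    """Create the nonce sent in a 401 WWW-Authenticate header."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    return nonce


def check_request(method, uri, auth):
    """Return 401 to challenge, 403 to reject, 200 to accept.
    auth is the parsed Authorization header ({'nonce', 'response'}) or None."""
    if auth is None or auth["nonce"] not in issued_nonces:
        return 401
    issued_nonces.discard(auth["nonce"])  # single use, so a capture cannot be replayed
    expected = digest_response(method, uri, auth["nonce"])
    return 200 if hmac.compare_digest(expected, auth["response"]) else 403
```

Because the method is part of the hash, a challenged BYE needs its own response; the response computed for the INVITE does not validate it.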
