<div dir="ltr">That's a change I've never investigated. Or more precisely, haven't investigated since the days when the advice for doing it was "good luck!!"<div><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 8, 2018 at 11:00 AM Alex Balashov <<a href="mailto:abalashov@evaristesys.com">abalashov@evaristesys.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I would have to agree with Calvin. Just use TCP. <br>
<br>
On August 8, 2018 1:58:47 PM EDT, Calvin Ellison <<a href="mailto:calvin.ellison@voxox.com" target="_blank">calvin.ellison@voxox.com</a>> wrote:<br>
>Using TCP or TLS would avoid open NAT issue, and can cure some naughty SIP ALG issues as well, assuming you want to tolerate the overhead.<br>
><br>
>For UDP, we've used both Digest and Source request validation with Polycom devices. Source validation is probably the easiest route, assuming the UA doesn't need to receive calls from anyone but its proxy or registrar. Digest (nonce challenge) is better if you want to accept calls from anyone who knows your password, but we had an issue with a softswitch that would properly handle auth channel to INVITE but choked when a BYE was challenged.<br>
><br>
>Regards,<br>
><br>
>*Calvin Ellison*<br>
>Voice Operations Engineer<br>
><a href="mailto:calvin.ellison@voxox.com" target="_blank">calvin.ellison@voxox.com</a><br>
>+1 (213) 285-0555<br>
><br>
><br>
>On Wed, Aug 8, 2018 at 10:43 AM, Carlos Alvarez <<a href="mailto:caalvarez@gmail.com" target="_blank">caalvarez@gmail.com</a>> wrote:<br>
><br>
>> Do most of you have the phones authenticate incoming calls? We haven't been, but occasionally find a router that has unfiltered full cone NAT (Cisco) or that puts one phone on 5060 with no filtering by IP. The result is that the phone will start ringing at random as script kiddies hit the IP and port 5060 trying to find servers to exploit. I don't see a downside to changing to auth, but not having done it outside of a few tests of a small number of phones, I figured I would ask.<br>
>><br>
>><br>
>> _______________________________________________<br>
>> VoiceOps mailing list<br>
>> <a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>
>> <a href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
>><br>
>><br>
<br>
<br>
-- Alex<br>
<br>
</blockquote></div></div></div>
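<div>The two UDP options discussed in the thread (source validation and digest), sketched as an added example; this is not code from the thread or from any phone's firmware. The addresses, realm, user, password, nonce and the <code>decide</code> function are constructed for illustration, and the digest form shown is the RFC 2617 variant without qop.</div>

```python
import hashlib
import hmac
import ipaddress

# Constructed values for illustration; none come from the thread.
TRUSTED = [ipaddress.ip_network("198.51.100.10/32")]  # the proxy/registrar
USER, REALM, PASSWORD = "1001", "phones.example.net", "constructed-secret"

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the method is part of the hash
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def decide(policy, src_ip, method, uri, auth=None, issued_nonces=()):
    """Return 'accept', 'challenge' or 'reject' for one inbound request."""
    if policy == "source":
        # Source validation: only the configured proxy/registrar may send.
        addr = ipaddress.ip_address(src_ip)
        return "accept" if any(addr in net for net in TRUSTED) else "reject"
    if policy == "digest":
        # Digest: any source may send, but it must answer a nonce we issued.
        if not auth or auth.get("nonce") not in issued_nonces:
            return "challenge"  # answer 401 with a fresh nonce
        expected = digest_response(USER, REALM, PASSWORD, method, uri, auth["nonce"])
        ok = hmac.compare_digest(expected, auth.get("response", ""))
        return "accept" if ok else "reject"
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    uri, nonce = "sip:1001@192.0.2.20:5060", "constructed-nonce-01"
    invite_auth = {"nonce": nonce,
                   "response": digest_response(USER, REALM, PASSWORD, "INVITE", uri, nonce)}
    print(decide("source", "203.0.113.77", "INVITE", uri))    # unknown source
    print(decide("source", "198.51.100.10", "INVITE", uri))   # the proxy
    print(decide("digest", "203.0.113.77", "INVITE", uri))    # no credentials yet
    print(decide("digest", "203.0.113.77", "INVITE", uri, invite_auth, {nonce}))
    print(decide("digest", "203.0.113.77", "BYE", uri, invite_auth, {nonce}))
```

<div>Because the method is hashed into the response, a sender that can answer a challenge on INVITE must compute a separate response when BYE is challenged; the INVITE response does not validate for BYE.</div>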