> On Jan. 29, 2015, 4:23 p.m., Mark Michelson wrote:
> > /branches/13/configs/examples/super_awesome_company/pjsip.conf, line 41
> > <https://reviewboard.asterisk.org/r/4379/diff/1/?file=71114#file71114line41>
> >
> >     I'm curious why you elected to use MAC addresses as the endpoint names.
> >
> >     I'd personally find things a lot easier to configure/maintain if the SIP endpoint/aor/auth name is the same as the voicemail box number is the same as the extension number, etc.
> >
> >     This also means that if Lindsey does some crazy extreme stunt that smashes her phone, then when she replaces it with a new one, you're going to have to change config values everywhere to have the new MAC address of the phone.
>
> Matt Jordan wrote:
>     Hm. I think that's usually one of those "best practices". You generally don't want the auth user to be easily guessed.
>
>     Of course, we could split the concept of the endpoint name from the auth user, which would then allow the endpoints to be named 107 (for example) and the auth user to be her MAC address.
>
> Joshua Colp wrote:
>     I think in practice this would just cause problems. Not all devices allow those two things to be separate. It's annoying.
>
> Mark Michelson wrote:
>     SAC uses Digium phones, and Digium phones allow separate user and authuser to be specified.
>
> Joshua Colp wrote:
>     Your statement is true, but it would be nice if we could err on the side of not falling into a trap of doing fundamental stuff which isn't applicable to the wide world.
>
> rnewton wrote:
>     I used MAC addresses as that is what we use as an example in our security best practices document:
>     http://svnview.digium.com/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt?view=markup
>
>     Perhaps this is a moot point. SAC's Asterisk system is behind NAT and a firewall, so we could change the spec to specify that IT has locked down traffic between Asterisk and the public internet to only allow inbound traffic from the ITSP addresses.
>
>     Or, on Asterisk we can use ACLs to limit traffic allowed to the internal network and ITSP addresses.
>
>     With either of those approaches we should be able to use the less secure extension-numbered auth users.
>
>     What would be the issues with either of these approaches, other than an attacker on the internal network?

I think we need to come to some concurrence here so that the diffs can get updated. I suspect there are going to be additional rounds of review.

The purpose of this set of example configs is to provide a base for a recommended deployment. Regardless of the scheme chosen, the example absolutely should use the best practices so that people have a secure system. If someone wants to use 'alice' and 'bob' for their names, that may be suitable for some examples, but not suitable for a recommended deployment.

I don't care if we use MAC address or something else that is suitably difficult to guess, but MAC address is what A:TDG recommends [1] as well as our README-SERIOUSLY [2], and that feels like a decent starting point.

[1] http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/DeviceConfig_id216341.html#DeviceConfig_id291081
[2] http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt

- Matt


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4379/#review14377
-----------------------------------------------------------


On Jan. 27, 2015, 1:15 p.m., rnewton wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4379/
> -----------------------------------------------------------
>
> (Updated Jan. 27, 2015, 1:15 p.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> One of the things discussed at the last AstriDevCon was better documentation (for everything!), but in particular, we mentioned needing some example configurations that pertain to a real-world scenario. That is, as opposed to the current "sample" files which are sort of all over the place at this point.
>
> This patch proposes a basic and minimal configuration of Asterisk to satisfy the requirements for the first phase of Super Awesome Company's implementation of Asterisk.
>
> I will submit four separate patches for the first phase, so that we don't have to review the entire thing all at once. This review is for the first patch.
>
> Who is Super Awesome Company? See https://wiki.asterisk.org/wiki/display/AST/Super+Awesome+Company
>
> For the first patch, I am attempting to satisfy the below requirements. The patch does not include a new make target, as I believe Matt Jordan offered to handle that.
>
> SAC requires:
>
> * PJSIP connectivity for all employee desk phones.
> * The ability for employees to call one another inside of the office.
> * Voicemail boxes for each of the employees.
>
> "Basic" configuration
>
> We want SAC to have a clean system. That means:
>
> * No 'autoload' in modules.conf. Explicitly load a basic configuration. If SAC doesn't need the module, don't load it.
> * Every module loaded should have a configuration file that is appropriate for it. This includes all the 'core' things that need configuration.
>
> pjsip.conf
>
> * A PJSIP configuration for their desk phones. Assume every endpoint that is a phone has:
>   * A voicemail mailbox that they can subscribe to
>   * A hint for their device
> * Note that the PJSIP configuration should adhere to best practices. That means MAC addresses for device names, etc.
>
> extensions.conf
>
> * A safe dialplan for intra-company communication. This should be templated out so that it is trivial to add additional devices (use pattern matching/pattern matching hints, etc.)
> * Receiving a Busy/Unavailable should result in going to VoiceMail
> * A user should be able to dial something and get to their VoiceMailMain without having to enter in their extension number
> * Note that mapping of MAC address endpoints to extension numbers should be done in some fashion that is easily extensible.
>
> voicemail.conf
>
> * Set up mailboxes for every person in SAC. Assign 'default' pins. Create reasonable basic settings.
> * Do not set up e-mail or pager addresses.
>
>
> REVIEW?
>
> Please, if possible, look at this from a few angles:
>
> * Use the configuration, configure a couple of phones and call between them. Leave voicemails and retrieve them.
> * Have I created any security issues?
> * Is my dialplan easy to understand?
> * Could anything be done more efficiently without making it over-complicated?
> * Have I over-complicated anything?
> * Are there any critical settings I'm missing from any of the files?
>
> A couple of more specific questions:
>
> * We have sample configs in /configs/samples; what directory do we want these configurations in? (I used /configs/examples for now, but I don't really like it)
> * We have the make target "make samples" for the current samples; what do we want for these new configs?
>
>
> Diffs
> -----
>
>   /branches/13/configs/examples/super_awesome_company/voicemail.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/pjsip.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/musiconhold.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/modules.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/logger.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/indications.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/extensions.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/asterisk.conf PRE-CREATION
>   /branches/13/configs/examples/super_awesome_company/README PRE-CREATION
>
> Diff: https://reviewboard.asterisk.org/r/4379/diff/
>
>
> Testing
> -------
>
> Set up Asterisk with the configuration, connected up three phones using the first three users. Made calls between them all, left voicemails and retrieved them with all users. Verified MWI working with all phones.
>
>
> Thanks,
>
> rnewton
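The thread above argues over two things: whether the PJSIP auth username may equal the extension number, and whether an ACL can compensate for a guessable one. The pjsip.conf fragment below is an added illustration of the split Matt Jordan proposes (endpoint named by extension, credential under a separate hard-to-guess username) next to the ACL rnewton proposes; it is not part of the review's diffs or of the SAC example configs. The network ranges, the MAC value and the password are placeholders I made up, and the extension 107 is borrowed from the thread.

```ini
; Added example, not taken from review r/4379 or the SAC configs.
; Assumed placeholders: 192.168.10.0/24 is the office LAN, 203.0.113.0/24 stands
; in for the ITSP's address range, the MAC and the password are dummies.

; --- What the thread calls the "less secure" form, left commented out. ---
; The auth username is the extension number, so the only secret protecting
; registration is the password itself.
;[107]
;type=auth
;auth_type=userpass
;username=107
;password=PLACEHOLDER

; --- Endpoint name and auth username kept separate. ---
; The endpoint (and therefore the dialplan, hint and mailbox) is still "107",
; which is what Mark Michelson asks for; only the auth section carries the
; MAC-based username that README-SERIOUSLY recommends. With the default
; identify_by=username the phone must send 107 as its SIP user and the value
; below as its auth user, so the phone has to support a separate auth user
; (Joshua Colp's caveat). Replacing a smashed phone then only touches this
; one username line.
[107]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=auth-107
aors=107
mailboxes=107@default
direct_media=no

[auth-107]
type=auth
auth_type=userpass
username=0019XXXXXXXX            ; placeholder for the phone's MAC address
password=PLACEHOLDER_LONG_RANDOM ; placeholder; use a long random secret

[107]
type=aor
max_contacts=1
remove_existing=yes
qualify_frequency=60

; --- The ACL alternative from the thread. ---
; A type=acl section in pjsip.conf applies to every incoming SIP request, not
; to one endpoint. Deny everything, then permit the office LAN and the ITSP.
; Note this is the layer rnewton relies on when he asks whether extension-
; numbered auth users become acceptable; it does nothing against an attacker
; already on the internal network, which is exactly the case he leaves open.
[internal-and-itsp]
type=acl
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
permit=203.0.113.0/255.255.255.0
```

The two measures are complementary rather than alternatives: the ACL limits who can reach the registrar at all, while the non-guessable auth username means that a host which does get through still has to find both halves of the credential. After loading, `pjsip show endpoint 107` and `pjsip show auth auth-107` should show the endpoint resolving its auth object, and a registration attempt from an address outside the permitted ranges should be rejected before authentication is ever consulted.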