Quoting the spec:

| Spoofing
| 
| In order to limit spoofing, the server will return a token for all
| accepted requests to a server. Any subsequent requests to that resource
| must present the token in the request. If a subsequent request fails to
| provide the token, the request is rejected. Tokens expire after 48
| hours, at which point, a request does not have to provide a token. If a
| request does provide a token that is expired - and no token is required
| at that point - the request should be accepted and a new token granted.
| Once a request is made without a token (and no token is expected), a new
| token is issued for subsequent requests.
| 
| So long as Asterisk's transmission of data occurs faster than once every
| 48 hours, a malicious entity will not be able to spoof a resource. If a
| system is down then a remote system can 'take over' a system, and the
| legitimate system's attempts will be rejected. If that occurs... oh
| well. It is anonymous data.

I'm not sure I understand the need for the token. The Debian
popularity-contest (popcon, [1]) only identifies systems by a single
random token (MY_HOSTID in /etc/popularity-contest.conf). It supports
sending information by mail as well (thus: completely
non-interactively). I don't see what the extra temporary token buys
here.

Just send a report that includes the (random) server ID. Nobody should
be able to copy those (as they are only sent encrypted over the
internet). And in any event, why would anybody want to spoof that (as
opposed to merely adding records to skew the stats, which is possible
either way just as easily)?

What am I missing here?

[1] https://packages.debian.org/sid/popularity-contest

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev
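To make the quoted token rule concrete, here is an added example of the server-side bookkeeping it describes; this is illustration code written for this page, not code from the spec, from Asterisk, or from the mail's author. It assumes a 48-hour lifetime measured from the time a token was issued, that every accepted request gets a fresh token (the spec says a token is returned "for all accepted requests", so rotation is the assumption here), constant-time comparison of the presented token, and a hypothetical `TokenRegistry` keyed by a resource identifier. The `takeover_scenario` function replays the "if a system is down then a remote system can 'take over'" case from the quoted text so the window the author is questioning is visible in the decisions.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Lifetime from the quoted spec: tokens expire 48 hours after issuance.
TOKEN_LIFETIME = timedelta(hours=48)


@dataclass
class Decision:
    accepted: bool
    token: Optional[str]  # token handed back on acceptance, None on rejection
    reason: str


class TokenRegistry:
    """Per-resource token state on the collection server (hypothetical name)."""

    def __init__(self) -> None:
        # resource id -> (current token, time it was issued)
        self._tokens: dict[str, tuple[str, datetime]] = {}

    def _issue(self, resource: str, now: datetime) -> str:
        # Unpredictable token; a guessable one would defeat the whole scheme.
        token = secrets.token_urlsafe(32)
        self._tokens[resource] = (token, now)
        return token

    def handle(self, resource: str, presented: Optional[str], now: datetime) -> Decision:
        record = self._tokens.get(resource)
        if record is None:
            # First request for this resource: accept and hand out a token.
            return Decision(True, self._issue(resource, now), "first request; token issued")

        current, issued_at = record
        if now - issued_at >= TOKEN_LIFETIME:
            # Expired: no token is required, an expired token is fine,
            # and a new token is granted for subsequent requests.
            return Decision(True, self._issue(resource, now), "expired; no token required; new token issued")

        if presented is None:
            return Decision(False, None, "token required but none presented")

        # Constant-time comparison so a wrong token leaks nothing via timing.
        if not hmac.compare_digest(presented.encode(), current.encode()):
            return Decision(False, None, "token mismatch")

        # Accepted: rotate the token (assumption, see lead-in).
        return Decision(True, self._issue(resource, now), "token accepted; new token issued")


def takeover_scenario() -> list[tuple[str, bool]]:
    """Replay the 'system down for >48h' case from the quoted text.

    Returns (who, accepted) for each request, in order. Times are constructed.
    """
    reg = TokenRegistry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    out: list[tuple[str, bool]] = []

    legit = reg.handle("box-A", None, t0)                       # legitimate system reports
    out.append(("legit", legit.accepted))

    attacker = reg.handle("box-A", None, t0 + timedelta(hours=1))  # no token: rejected
    out.append(("attacker", attacker.accepted))

    # Legitimate system stays silent for 49 hours; the token has expired.
    attacker = reg.handle("box-A", None, t0 + timedelta(hours=49))  # accepted, takes over
    out.append(("attacker", attacker.accepted))

    # Legitimate system comes back with its old token and is now rejected.
    legit = reg.handle("box-A", legit.token, t0 + timedelta(hours=50))
    out.append(("legit", legit.accepted))
    return out


if __name__ == "__main__":
    for who, ok in takeover_scenario():
        print(f"{who:8s} {'accepted' if ok else 'rejected'}")
```

The scenario makes the trade-off in the quoted text explicit: the token only binds a resource to its sender for as long as that sender keeps reporting more often than once per lifetime, which is exactly the property the mail is asking about.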