trixter aka Bret McDanel wrote:
On Sun, 2006-05-28 at 23:41 -0400, Steve Totaro wrote:
Henry J. Cobb wrote:
To increase the security for remote extensions I would like to limit a
sip-peer to a specific MAC address. Is it possible to "hook into" the
authentication mechanism in Asterisk and allow/deny incoming
registrations?
This would be only mildly useful on the same subnet and completely useless
over the internet.

-HJC

I think it would work just fine over the internet using a bridged VPN.

Even on a local network this can be forged.  If you can't control the
device that sends this information it is user supplied data, even over a
VPN (which uses a virtual interface, not the physical one).  It has the
same value as any user supplied data - other than perhaps its additional
data which makes guessing slightly harder.
TLS might be a better way to go since it would require a certificate
that you can control the issuance of, but that certificate can be stolen
and the remote end point would need to support the same scheme that you
use (fortunately there are standards that make this easier with some
devices but most don't implement this).
A VPN would provide security in that it would make it harder for someone
to eavesdrop on the auth and attempt to derive the password, however
there is overhead associated with that.  At least 1 IP packet per real
packet (sometimes more) on the network side, and the crypto parts on the
CPU side.  For the server you would want to have a hardware based crypto
card to deal with the VPN connections...
I have had great luck with OpenVPN, any reason why you like hardware? I find OpenVPN to be just as reliable and stable as any hardware VPN such as Cisco. VPN will also make it very difficult to sniff or snoop on RTP streams if eavesdropping is a concern. I even have OpenVPN running on a Linksys running OpenWRT and have rock solid connectivity unless there is a carrier issue out of my control.

Forging a MAC address is trivial on most devices. Forge a MAC address on a LAN (or bridged VPN) and you will quickly find that the conflict will cripple or cut off your connectivity since switches will become confused where to send the packets and have funky ARP entries.

Thanks,
Steve Totaro
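Steve's point that a forged MAC on a LAN or bridged VPN shows up as conflicting ARP entries suggests a simple defender-side check. The following Python script is an added example, not code from this thread or from Asterisk; it assumes a constructed, arpwatch-style observation log (one line per ARP reply: timestamp, sender IP, sender MAC) and reports any IP answered by more than one MAC, plus any MAC claiming more than one IP.

```python
import re
from collections import defaultdict

# Constructed sample of ARP observations (timestamp, sender IP, sender MAC).
# The format is assumed for this example; it is not real captured traffic.
SAMPLE_ARP_LOG = """\
2006-05-29T00:01:02 192.168.1.10 00:11:22:33:44:55
2006-05-29T00:01:09 192.168.1.11 00:11:22:33:44:66
2006-05-29T00:02:15 192.168.1.10 00:11:22:33:44:55
2006-05-29T00:03:41 192.168.1.10 aa:bb:cc:dd:ee:01
2006-05-29T00:04:02 192.168.1.12 aa:bb:cc:dd:ee:01
2006-05-29T00:04:30 192.168.1.11 00:11:22:33:44:66
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F:]{17})$")


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def find_arp_conflicts(text):
    """Return (ip_conflicts, mac_conflicts).

    ip_conflicts:  {ip: sorted MACs} for IPs answered by more than one MAC,
                   the signature of a duplicated or forged MAC on the segment.
    mac_conflicts: {mac: sorted IPs} for MACs claiming several IPs; this can
                   be legitimate (a host with multiple addresses, a gateway),
                   so treat it as a weaker signal.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _ts, ip, mac in parse_arp_log(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    ip_conflicts = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    mac_conflicts = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return ip_conflicts, mac_conflicts


if __name__ == "__main__":
    ips, macs = find_arp_conflicts(SAMPLE_ARP_LOG)
    for ip, ms in ips.items():
        print(f"IP {ip} answered by multiple MACs: {', '.join(ms)}")
    for mac, ps in macs.items():
        print(f"MAC {mac} claims multiple IPs: {', '.join(ps)}")
```

Feeding it real data means replacing SAMPLE_ARP_LOG with output from whatever ARP monitor you run, adjusting LINE_RE to that tool's format.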
Asterisk-Users mailing list