At 8:32 AM -0700 on 4/15/04, Tom Green wrote:
Hi,

Some people have suggested maintaining black lists and
white lists to avoid spammers and allow legitimate
callers into the network. However, the problem with
this method is that the spammer's IP address might
change due to DHCP. Today a spammer might get
aaa.bbb.ccc.ddd and let's say that I put this address
in my blacklist. To my annoyance, tomorrow a
legitimate caller might get aaa.bbb.ccc.ddd and the
spammer might get a different IP address. In the end,
I end up blocking the legitimate caller also. Any
ideas or thoughts on this problem are appreciated.

Thanks,
Tom

I've read the rest of this thread about PKI, shared certs, etc. but I think that an important middle step is being missed by everyone.
I believe strongly in the concept of end-to-end connectivity as the "optimal" method to ensure authentication and authorization between two user agents (web, voip, email, whatever.) However, it is often difficult to build such mechanisms that are easily used by the "end user." Most end users will happily hand over the responsibility for protection against "spam" in any form to a central administrator, and I think that as a first step it is appropriate to move the smart stuff to a central server instead of to every user's desktop (though eventually there should be smart stuff on the desktop.)

To this end: why is it _mandatory_ that all VOIP endpoints accept calls from other endpoints? Of course, you could filter based on some type of kludge-y network filters, but that is ugly and does not scale. SIP (and possibly IAX; I haven't looked at it much) have the ability to demand credentials from the remote host. Why don't we use these features?

Here is my ideal world: When a SIP INVITE (or NOTIFY, or whatever) hits my desk SIP phone, it should refuse the message with a "401 Unauthorized" message. Without correct credentials, messages simply aren't allowed past the threshold of the SIP UA. This should be a configurable option on my SIP UA - maybe I have some reasons to allow all messages from all hosts at some time. However, most of the time I would want my SIP server (Asterisk, SER, whatever) to be in the path, and that "smart" gateway could do my blacklisting, authentication (PKI, etc.) and other tasks which would require more brains and more central administration.

No SIP device that I've ever seen has the option to deny SIP messages from all but authenticated hosts. Why is that? Seems pretty obvious. It's always the other way around - SIP proxies allow or disallow messages according to authentication credentials (shared secret.) Since I've never seen this in place, perhaps it is the case that I am misunderstanding how authentication can possibly work with SIP between a UA and a proxy?

JT
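The exchange JT describes (a callee UA that answers every unauthenticated INVITE with 401 and only admits requests carrying valid credentials) is exactly the Digest challenge/response that RFC 3261 borrows from HTTP. The following is an added worked example, not code from the thread, from Asterisk or from SER. It models both sides in Python: the callee UA issues a one-shot nonce in a WWW-Authenticate challenge, the caller computes the MD5 Digest response over the shared secret, and the UA verifies it, refusing unknown users, wrong passwords and replayed nonces. The realm "example.invalid", the user "alice" and her password are constructed sample values; the tiny SIP parser handles only the simple messages built here.

```python
import hashlib
import hmac
import secrets

REALM = "example.invalid"            # constructed realm for this example
CREDENTIALS = {"alice": "s3cret"}    # constructed shared secrets the callee UA knows


def md5hex(text):
    """Hex MD5 as used by the Digest scheme (RFC 2617 / RFC 3261)."""
    return hashlib.md5(text.encode()).hexdigest()


def parse_sip(raw):
    """Minimal SIP request parser: returns (method, request_uri, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest_params(value):
    """Turn 'Digest k="v", k2=v2' into a dict (sufficient for the headers built below)."""
    assert value.startswith("Digest ")
    params = {}
    for part in value[len("Digest "):].split(","):
        key, _, val = part.strip().partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class CalleeUA:
    """Callee-side UA that refuses any request lacking valid Digest credentials."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials
        self.outstanding_nonces = set()   # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding_nonces.add(nonce)
        return ("SIP/2.0 401 Unauthorized\r\n"
                f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5\r\n\r\n')

    def handle(self, raw_request):
        method, uri, headers = parse_sip(raw_request)
        auth = headers.get("authorization")
        if auth is None:
            return self.challenge()                 # no credentials: challenge, never admit
        p = parse_digest_params(auth)
        if p.get("nonce") not in self.outstanding_nonces:
            return self.challenge()                 # stale or replayed nonce: fresh challenge
        self.outstanding_nonces.discard(p["nonce"])  # one-shot nonce blocks replay
        password = self.credentials.get(p.get("username"))
        if password is None or p.get("realm") != self.realm or p.get("uri") != uri:
            return "SIP/2.0 403 Forbidden\r\n\r\n"
        expected = digest_response(p["username"], password, self.realm, p["nonce"], method, uri)
        if not hmac.compare_digest(expected, p.get("response", "")):
            return "SIP/2.0 403 Forbidden\r\n\r\n"  # policy choice here: 403 rather than re-challenge
        return "SIP/2.0 200 OK\r\n\r\n"


def caller_flow(ua, username, password, uri):
    """Caller side: send INVITE, answer the 401 challenge, return (final status line, retried request)."""
    invite = (f"INVITE {uri} SIP/2.0\r\nFrom: <sip:{username}@{REALM}>\r\n"
              f"To: <{uri}>\r\nCSeq: 1 INVITE\r\n\r\n")
    resp = ua.handle(invite)
    lines = resp.split("\r\n")
    if not lines[0].startswith("SIP/2.0 401"):
        return lines[0], None
    www = next(l for l in lines if l.lower().startswith("www-authenticate:"))
    params = parse_digest_params(www.split(":", 1)[1].strip())
    response = digest_response(username, password, params["realm"], params["nonce"], "INVITE", uri)
    authz = (f'Authorization: Digest username="{username}", realm="{params["realm"]}", '
             f'nonce="{params["nonce"]}", uri="{uri}", response="{response}"')
    retry = invite.replace("\r\n\r\n", f"\r\n{authz}\r\n\r\n")
    return ua.handle(retry).split("\r\n")[0], retry


def run_scenarios():
    """Exercise the UA: bare INVITE, good credentials, bad password, unknown user, replay."""
    ua = CalleeUA(REALM, CREDENTIALS)
    target = "sip:jt@example.invalid"   # constructed callee address
    bare = ua.handle(f"INVITE {target} SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n").split("\r\n")[0]
    good, good_retry = caller_flow(ua, "alice", "s3cret", target)
    bad, _ = caller_flow(ua, "alice", "wrong", target)
    unknown, _ = caller_flow(ua, "mallory", "x", target)
    replay = ua.handle(good_retry).split("\r\n")[0]   # same nonce again: refused
    return {"unauthenticated": bare, "good": good, "bad_password": bad,
            "unknown_user": unknown, "replay": replay}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:16} -> {status}")
```

The point of the one-shot nonce set is that the credential check is useless against a sniffed Authorization header unless the nonce is also consumed or expired; real UAs and proxies use a nonce lifetime and a count instead of an unbounded set, and a proxy in the path (as JT suggests) would hold the credential table centrally rather than on each phone.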
_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users