mirror of
				https://github.com/asterisk/asterisk.git
				synced 2025-10-25 22:18:07 +00:00 
			
		
		
		
	
		
			
	
	
		
			441 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
		
		
			
		
	
	
			441 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
|   |                                  IAX2 Security | ||
|  | 
 | ||
|  |                        Copyright (c) 2009 - Digium, Inc. | ||
|  | 
 | ||
|  |                               All Rights Reserved. | ||
|  | 
 | ||
|  |                               Document Version 1.0 | ||
|  | 
 | ||
|  |                                     09/03/09 | ||
|  | 
 | ||
|  |               Asterisk Development Team <asteriskteam@digium.com> | ||
|  | 
 | ||
|  |    Table of Contents | ||
|  | 
 | ||
|  |    1. Introduction 3 | ||
|  | 
 | ||
|  |    1.1. Overview 3 | ||
|  | 
 | ||
|  |    2. User Guide 3 | ||
|  | 
 | ||
|  |    2.1. Configuration 3 | ||
|  | 
 | ||
|  |    2.1.1. Quick Start 3 | ||
|  | 
 | ||
|  |    2.1.2. Controlled Networks 4 | ||
|  | 
 | ||
|  |    2.1.2.1. Full Upgrade 4 | ||
|  | 
 | ||
|  |    2.1.2.2. Partial Upgrade 4 | ||
|  | 
 | ||
|  |    2.1.3. Public Networks 4 | ||
|  | 
 | ||
|  |    2.1.3.1. Full Upgrade 4 | ||
|  | 
 | ||
|  |    2.1.3.2. Partial Upgrade 5 | ||
|  | 
 | ||
|  |    2.1.3.3. Guest Access 5 | ||
|  | 
 | ||
|  |    2.2. CLI Commands 6 | ||
|  | 
 | ||
|  |    2.2.1. iax2 show callnumber usage 6 | ||
|  | 
 | ||
|  |    2.2.2. iax2 show peer 6 | ||
|  | 
 | ||
|  |    3. Protocol Modification 6 | ||
|  | 
 | ||
|  |    3.1. Overview 6 | ||
|  | 
 | ||
|  |    3.2. Call Token Validation 7 | ||
|  | 
 | ||
|  |    3.3. Example Message Exchanges 8 | ||
|  | 
 | ||
|  |    3.3.1. Call Setup 8 | ||
|  | 
 | ||
|  |    3.3.2. Call Setup, client does not support CALLTOKEN 8 | ||
|  | 
 | ||
|  |    3.3.3. Call Setup, client supports CALLTOKEN, server does not 9 | ||
|  | 
 | ||
|  |    3.3.4. Call Setup from client that sends invalid token 9 | ||
|  | 
 | ||
|  |    4. Asterisk Implementation 9 | ||
|  | 
 | ||
|  |    4.1. CALLTOKEN IE Payload 9 | ||
|  | 
 | ||
|  |                                 1. Introduction | ||
|  | 
 | ||
|  | 1.1. Overview | ||
|  | 
 | ||
|  |    A change has been made to the IAX2 protocol to help mitigate denial of | ||
|  |    service attacks. This change is referred to as call token validation. This | ||
|  |    change affects how messages are exchanged and is not backwards compatible | ||
|  |    for an older client connecting to an updated server, so a number of | ||
|  |    options have been provided to disable call token validation as needed for | ||
|  |    compatibility purposes. | ||
|  | 
 | ||
|  |    In addition to call token validation, Asterisk can now also limit the | ||
|  |    number of connections allowed per IP address to disallow one host from | ||
|  |    preventing other hosts from making successful connections. These options | ||
|  |    are referred to as call number limits. | ||
|  | 
 | ||
|  |    For additional details about the configuration options referenced in this | ||
|  |    document, see the sample configuration file, iax.conf.sample. For | ||
|  |    information regarding the details of the call token validation protocol | ||
|  |    modification, see section 3 (Protocol Modification) of this document. | ||
|  | 
 | ||
|  |                                  2. User Guide | ||
|  | 
 | ||
|  | 2.1. Configuration | ||
|  | 
 | ||
|  |   2.1.1. Quick Start | ||
|  | 
 | ||
|  |    We strongly recommend that administrators leave the IAX2 security | ||
|  |    enhancements in place where possible. However, to bypass the security | ||
|  |    enhancements completely and have Asterisk work exactly as it did before, | ||
|  |    the following options can be specified in the [general] section of | ||
|  |    iax.conf: | ||
|  | 
 | ||
|  |    [general] | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |    calltokenoptional = 0.0.0.0/0.0.0.0 | ||
|  | 
 | ||
|  |    maxcallnumbers = 16382 | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |   2.1.2. Controlled Networks | ||
|  | 
 | ||
|  |    This section discusses what needs to be done for an Asterisk server on a | ||
|  |    network where no unsolicited traffic will reach the IAX2 service. | ||
|  | 
 | ||
|  |     2.1.2.1. Full Upgrade | ||
|  | 
 | ||
|  |    If all IAX2 endpoints have been upgraded, then no changes to configuration | ||
|  |    need to be made. | ||
|  | 
 | ||
|  |     2.1.2.2. Partial Upgrade | ||
|  | 
 | ||
|  |    If only some of the IAX2 endpoints have been upgraded, then some | ||
|  |    configuration changes will need to be made for interoperability. Since | ||
|  |    this is for a controlled network, the easiest thing to do is to disable | ||
|  |    call token validation completely, as described in section 2.1.1. | ||
|  | 
 | ||
|  |   2.1.3. Public Networks | ||
|  | 
 | ||
|  |    This section discusses the use of the IAX2 security functionality on | ||
|  |    public networks where it is possible to receive unsolicited IAX2 traffic. | ||
|  | 
 | ||
|  |     2.1.3.1. Full Upgrade | ||
|  | 
 | ||
|  |    If all IAX2 endpoints have been upgraded to support call token validation, | ||
|  |    then no changes need to be made. However, for enhanced security, the | ||
|  |    administrator may adjust call number limits to further reduce the | ||
|  |    potential impact of malicious call number consumption. The following | ||
|  |    configuration will allow known peers to consume more call numbers than | ||
|  |    unknown source IP addresses: | ||
|  | 
 | ||
|  |    [general] | ||
|  | 
 | ||
|  |    ; By default, restrict call number usage to a low number. | ||
|  | 
 | ||
|  |    maxcallnumbers = 16 | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |    [callnumberlimits] | ||
|  | 
 | ||
|  |    ; For peers with known IP addresses, call number limits can | ||
|  | 
 | ||
|  |    ; be set in this section. This limit is per IP address for | ||
|  | 
 | ||
|  |    ; addresses that fall in the specified range. | ||
|  | 
 | ||
|  |    ; <IP>/<mask> = <limit> | ||
|  | 
 | ||
|  |    192.168.1.0/255.255.255.0 = 1024 | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |    [peerA] | ||
|  | 
 | ||
|  |    ; Since we won't know the IP address of a dynamic peer until | ||
|  | 
 | ||
|  |    ; they register, a max call number limit can be set in a | ||
|  | 
 | ||
|  |    ; dynamic peer configuration section. | ||
|  | 
 | ||
|  |    Type = peer | ||
|  | 
 | ||
|  |    host = dynamic | ||
|  | 
 | ||
|  |    maxcallnumbers = 1024 | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |     2.1.3.2. Partial Upgrade | ||
|  | 
 | ||
|  |    If only some IAX2 endpoints have been upgraded, or the status of an IAX2 | ||
|  |    endpoint is unknown, then call token validation must be disabled to ensure | ||
|  |    interoperability. To reduce the potential impact of disabling call token | ||
|  |    validation, it should only be disabled for a specific peer or user as | ||
|  |    needed. By using the auto option, call token validation will be changed to | ||
|  |    required as soon as we determine that the peer supports it. | ||
|  | 
 | ||
|  |    [friendA] | ||
|  | 
 | ||
|  |    requirecalltoken = auto | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |    Note that there are some cases where auto should not be used. For example, | ||
|  |    if multiple peers use the same authentication details, and they have not | ||
|  |    all upgraded to support call token validation, then the ones that do not | ||
|  |    support it will get locked out. Once an upgraded client successfully | ||
|  |    completes an authenticated call setup using call token validation, | ||
|  |    Asterisk will require it from then on. In that case, it would be better to | ||
|  |    set the requirecalltoken option to no. | ||
|  | 
 | ||
|  |     2.1.3.3. Guest Access | ||
|  | 
 | ||
|  |    Guest access via IAX2 requires special attention. Given the number of | ||
|  |    existing IAX2 endpoints that do not support call token validation, most | ||
|  |    systems that allow guest access should do so without requiring call token | ||
|  |    validation. | ||
|  | 
 | ||
|  |    [guest] | ||
|  | 
 | ||
|  |    ; Note that the name "guest" is special here. When the code | ||
|  | 
 | ||
|  |    ; tries to determine if call token validation is required, it | ||
|  | 
 | ||
|  |    ; will look for a user by the username specified in the | ||
|  | 
 | ||
|  |    ; request. Guest calls can be sent without a username. In | ||
|  | 
 | ||
|  |    ; that case, we will look for a defined user called "guest" to | ||
|  | 
 | ||
|  |    ; determine if call token validation is required or not. | ||
|  | 
 | ||
|  |    type = user | ||
|  | 
 | ||
|  |    requirecalltoken = no | ||
|  | 
 | ||
|  |    ... | ||
|  | 
 | ||
|  |    Since disabling call token validation for the guest account allows a huge | ||
|  |    hole for malicious call number consumption, an option has been provided to | ||
|  |    segregate the call numbers consumed by connections not using call token | ||
|  |    validation from those that do. That way, there are resources dedicated to | ||
|  |    the more secure connections to ensure that service is not interrupted for | ||
|  |    them. | ||
|  | 
 | ||
|  |    [general] | ||
|  | 
 | ||
|  |    maxcallnumbers_nonvalidated = 2048 | ||
|  | 
 | ||
|  | 2.2. CLI Commands | ||
|  | 
 | ||
|  |   2.2.1. iax2 show callnumber usage | ||
|  | 
 | ||
|  |    Usage: iax2 show callnumber usage [IP address] | ||
|  | 
 | ||
|  |    Show current IP addresses which are consuming IAX2 call numbers. | ||
|  | 
 | ||
|  |   2.2.2. iax2 show peer | ||
|  | 
 | ||
|  |    This command will now also show the configured call number limit and | ||
|  |    whether or not call token validation is required for this peer. | ||
|  | 
 | ||
|  |                             3. Protocol Modification | ||
|  | 
 | ||
|  |    This section discusses the modification that has been made to the IAX2 | ||
|  |    protocol. This information would be most useful to implementors of IAX2. | ||
|  | 
 | ||
|  | 3.1. Overview | ||
|  | 
 | ||
|  |    The IAX2 protocol uses a call number to associate messages with which call | ||
|  |    they belong to. The available amount of call numbers is finite as defined | ||
|  |    by the protocol. Because of this, it is important to prevent attackers | ||
|  |    from maliciously consuming call numbers. To achieve this, an enhancement | ||
|  |    to the IAX2 protocol has been made which is referred to as call token | ||
|  |    validation. | ||
|  | 
 | ||
|  |    Call token validation ensures that an IAX2 connection is not coming from a | ||
|  |    spoofed IP address. In addition to using call token validation, Asterisk | ||
|  |    will also limit how many call numbers may be consumed by a given remote IP | ||
|  |    address. These limits have defaults that will usually not need to be | ||
|  |    changed, but can be modified for a specific need. | ||
|  | 
 | ||
|  |    The combination of call token validation and call number limits is used to | ||
|  |    mitigate a denial of service attack to consume all available IAX2 call | ||
|  |    numbers. An alternative approach to securing IAX2 would be to use a | ||
|  |    security layer on top of IAX2, such as DTLS [RFC4347] or IPsec [RFC4301]. | ||
|  | 
 | ||
|  | 3.2. Call Token Validation | ||
|  | 
 | ||
|  |    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||
|  |    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||
|  |    document are to be interpreted as described in RFC 2119. | ||
|  | 
 | ||
|  |    For this section, when the word "request" is used, it is referring to the | ||
|  |    command that starts an IAX2 dialog. | ||
|  | 
 | ||
|  |    This modification adds a new IAX2 frame type, and a new information | ||
|  |    element be defined. | ||
|  | 
 | ||
|  |    Frame Type: CALLTOKEN --- 0x28 (40) | ||
|  | 
 | ||
|  |    IE: CALLTOKEN --- 0x36 (54) | ||
|  | 
 | ||
|  |    When a request is initially sent, it SHOULD include the CALLTOKEN IE with | ||
|  |    a zero-length payload to indicate that this client supports the CALLTOKEN | ||
|  |    exchange. When a server receives this request, it MUST respond with the | ||
|  |    IAX2 message CALLTOKEN. The CALLTOKEN message MUST be sent with a source | ||
|  |    call number of 0, as a call number will not yet be allocated for this | ||
|  |    call. | ||
|  | 
 | ||
|  |    For the sake of backwards compatibility with clients that do not support | ||
|  |    token validation, server implementations MAY process requests that do not | ||
|  |    indicate CALLTOKEN support in their initial request. However, this SHOULD | ||
|  |    NOT be the default behavior, as it gives up the security benefits gained | ||
|  |    by CALLTOKEN validation. | ||
|  | 
 | ||
|  |    After a client sends a request with an empty CALLTOKEN IE, it MUST be | ||
|  |    prepared to receive a CALLTOKEN response, or to receive a response that | ||
|  |    would be given in the case of a valid CALLTOKEN. This is how a client must | ||
|  |    behave to inter operate with IAX2 server implementations that do not yet | ||
|  |    support CALLTOKEN validation. | ||
|  | 
 | ||
|  |    When an IAX2 client receives a CALLTOKEN response, it MUST send its | ||
|  |    initial request again. This request MUST include the CALLTOKEN IE with a | ||
|  |    copy of the value of the CALLTOKEN IE received in the CALLTOKEN response. | ||
|  |    The IE value is an opaque value. Clients MUST be able to accept a | ||
|  |    CALLTOKEN payload of any length, up to the maximum length allowed in an | ||
|  |    IAX2 IE. | ||
|  | 
 | ||
|  |    The value of the payload in the CALLTOKEN IE is an implementation detail. | ||
|  |    It is left to the implementor to decide how sophisticated it should be. | ||
|  |    However, it MUST be enough such that when the CALLTOKEN IE is sent back, | ||
|  |    it can be used to verify that the source IP address and port number has | ||
|  |    not been spoofed. | ||
|  | 
 | ||
|  |    If a server receives a request with an invalid CALLTOKEN IE value, then it | ||
|  |    MUST drop it and not respond. | ||
|  | 
 | ||
|  | 3.3. Example Message Exchanges | ||
|  | 
 | ||
|  |   3.3.1. Call Setup | ||
|  | 
 | ||
|  |    Client Server | ||
|  | 
 | ||
|  |    -------- -------- | ||
|  | 
 | ||
|  |    ------------- NEW -----------> | ||
|  | 
 | ||
|  |    (with empty CALLTOKEN IE) | ||
|  | 
 | ||
|  |    <---------- CALLTOKEN ------------ | ||
|  | 
 | ||
|  |    (client must ignore | ||
|  | 
 | ||
|  |    source call number | ||
|  | 
 | ||
|  |    from this message) | ||
|  | 
 | ||
|  |    ------------- NEW -----------> | ||
|  | 
 | ||
|  |    (with received token) | ||
|  | 
 | ||
|  |    <---------- AUTHREQ ---------- | ||
|  | 
 | ||
|  |    ... continue as normal ... | ||
|  | 
 | ||
|  |   3.3.2. Call Setup, client does not support CALLTOKEN | ||
|  | 
 | ||
|  |    Client Server | ||
|  | 
 | ||
|  |    -------- -------- | ||
|  | 
 | ||
|  |    ------------- NEW -----------> | ||
|  | 
 | ||
|  |    (with no CALLTOKEN IE) | ||
|  | 
 | ||
|  |    <----------- REJECT ---------- | ||
|  | 
 | ||
|  |    (sent without allocating | ||
|  | 
 | ||
|  |    a call number) | ||
|  | 
 | ||
|  |    ------------- ACK -----------> | ||
|  | 
 | ||
|  |   3.3.3. Call Setup, client supports CALLTOKEN, server does not | ||
|  | 
 | ||
|  |    Client Server | ||
|  | 
 | ||
|  |    -------- -------- | ||
|  | 
 | ||
|  |    ------------- NEW -----------> | ||
|  | 
 | ||
|  |    (with empty CALLTOKEN IE) | ||
|  | 
 | ||
|  |    <----------- AUTHREQ --------- | ||
|  | 
 | ||
|  |    (sent without allocating | ||
|  | 
 | ||
|  |    a call number) | ||
|  | 
 | ||
|  |    ... continue as normal ... | ||
|  | 
 | ||
|  |   3.3.4. Call Setup from client that sends invalid token | ||
|  | 
 | ||
|  |    Client Server | ||
|  | 
 | ||
|  |    -------- -------- | ||
|  | 
 | ||
|  |    ------------- NEW -----------> | ||
|  | 
 | ||
|  |    (with invalid CALLTOKEN IE) | ||
|  | 
 | ||
|  |    ... dropped ... | ||
|  | 
 | ||
|  |                            4. Asterisk Implementation | ||
|  | 
 | ||
|  |    This section includes some additional details on the implementation of | ||
|  |    these changes in Asterisk. | ||
|  | 
 | ||
|  | 4.1. CALLTOKEN IE Payload | ||
|  | 
 | ||
|  |    For Asterisk, we will encode the payload of the CALLTOKEN IE such that the | ||
|  |    server is able to validate a received token without having to store any | ||
|  |    information after transmitting the CALLTOKEN response. The CALLTOKEN IE | ||
|  |    payload will contain: | ||
|  | 
 | ||
|  |      * A timestamp (epoch based) | ||
|  | 
 | ||
|  |      * SHA1 hash of the remote IP address and port, the timestamp, as well | ||
|  |        some random data generated when Asterisk starts. | ||
|  | 
 | ||
|  |    When a CALLTOKEN IE is received, its validity will be determined by | ||
|  |    recalculating the SHA1 hash. If it is a valid token, the timestamp is | ||
|  |    checked to determine if the token is expired. The token timeout will be | ||
|  |    hard coded at 10 seconds for now. However, it may be made configurable at | ||
|  |    some point if it seems to be a useful addition. If the server determines | ||
|  |    that a received token is expired, it will treat it as an invalid token and | ||
|  |    not respond to the request. | ||
|  | 
 | ||
|  |    By using this method, we require no additional memory to be allocated for | ||
|  |    a dialog, other than what is on the stack for processing the initial | ||
|  |    request, until token validation is complete. | ||
|  | 
 | ||
|  |    However, one thing to note with this CALLTOKEN IE encoding is that a token | ||
|  |    would be considered valid by Asterisk every time a client sent it until we | ||
|  |    considered it an expired token. However, with use of the "maxcallnumbers" | ||
|  |    option, this is not actually a problem. It just means that an attacker | ||
|  |    could hit their call number limit a bit quicker since they would only have | ||
|  |    to acquire a single token per timeout period, instead of a token per | ||
|  |    request. | ||
|  | 
 | ||
|  |                                     10 of 10 |