Incoming SIP URI Calls

Forums › VoIP › Incoming SIP URI Calls

ajobbins

Awesome
4813 posts

Uber Geek
+1 received by user: 1062

Trusted

Subscriber

Topic # 120956 19-Jun-2013 16:29

Hoping someone here with more VoIP knowledge than me can help me out.

I understand that incoming calls on SIP URI's is a security problem and leads to annoying no voice calls because there is no verification. I've been trying to Google and find some more info on the extent of the problem, or possible solutions - but I can't seem to find much at all (Suggesting it's maybe not as big an issue as I was thinking?)

Does anyone have any good info you can share?

I really like the idea of using an email address like format user@service kind of thing as an eventual phone number replacement - and SIP can do this now as we know. But is there a solution that solves the issue of rogue incoming calls?

Twitter: ajobbins

ubergeeknz

3344 posts

Uber Geek
+1 received by user: 1089

Trusted

Vocus

Reply # 839638 19-Jun-2013 17:16

The best way is to firewall off everything except for your provider's SIP proxy/proxies from contacting your device on whatever port it's using for SIP. That should do the trick.

De-centralised SIP sounds great in theory, but the way that it's replaced telephony means that people are just used to dialling numbers. Also as you say, there's just no security inherent in the protocol (and no way for providers to bill...)

ajobbins

Awesome
4813 posts

Uber Geek
+1 received by user: 1062

Trusted

Subscriber

Reply # 839658 19-Jun-2013 17:34

Yeah but restricting to only a SIP provider kind of defeats the point, especially as most of them only allow incoming SIP URL dialling.

Providers wouldn't have a right to bill because the calls would be P2P and a SIP provider wouldn't be used.

What I'm struggling with is, is finding any info online about URI dialling security. When I Google things like 'how secure is SIP URI dialling', 'SIP URI dialling security', 'risks SIP URI' etc. etc. I get plenty of hits of guides for making it work, getting the DNS setup, Asterisk configured etc. but basically nothing talking about issues or risks of doing it.

It's like the problem doesn't exist (when we know it does).

Twitter: ajobbins

chevrolux

3673 posts

Uber Geek
+1 received by user: 1384

Subscriber

Reply # 839698 19-Jun-2013 18:27

If you open up your SIP device to the net it is only a matter of time until a botnet will find it and start flooding it with INVITE's which will lead to the device being crippled.
As mentioned above, it is a nice idea but just not practical.

It is a very real risk. Google SIP attacks or something like that.

ubergeeknz

3344 posts

Uber Geek
+1 received by user: 1089

Trusted

Vocus

Reply # 839705 19-Jun-2013 18:38

ajobbins: Yeah but restricting to only a SIP provider kind of defeats the point, especially as most of them only allow incoming SIP URL dialling.

Providers wouldn't have a right to bill because the calls would be P2P and a SIP provider wouldn't be used.

What I'm struggling with is, is finding any info online about URI dialling security. When I Google things like 'how secure is SIP URI dialling', 'SIP URI dialling security', 'risks SIP URI' etc. etc. I get plenty of hits of guides for making it work, getting the DNS setup, Asterisk configured etc. but basically nothing talking about issues or risks of doing it.

It's like the problem doesn't exist (when we know it does).

It's the same way that email has no security as far as who can email who. They are based on the same principles of "trust everyone implicitly".

The thing is, we have SBCs to control security. So SIP endpoints, PABXs etc generally speaking, just accept whatever they're fed. Most have the ability to have an ACL of which proxies they will listen to but that's the limit of it. And they should in most cases only respond to calls to configured users.

There's no concept in SIP of authorization in a peer-to-peer environment. Much like any other protocol.

This is why we have SIP providers, SIP proxies, SIP registrars, SBCs and the like :)

ajobbins

Awesome
4813 posts

Uber Geek
+1 received by user: 1062

Trusted

Subscriber

Reply # 839706 19-Jun-2013 18:38

I guess it's similar to email servers and spam. SIP URI needs a solution to verify that the calling (sending) party is who they say they are and are authorised to make the call.

Twitter: ajobbins

coffeebaron

5288 posts

Uber Geek
+1 received by user: 2314

Trusted

Lifetime subscriber

Reply # 839719 19-Jun-2013 18:54

Skype pretty much does what you are trying to do to a certain extent.

Chorus has spent $1.4 billion on making their xDSL broadband network faster. If your still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com

ubergeeknz

3344 posts

Uber Geek
+1 received by user: 1089

Trusted

Vocus

Reply # 839720 19-Jun-2013 18:57

ajobbins: I guess it's similar to email servers and spam. SIP URI needs a solution to verify that the calling (sending) party is who they say they are and are authorised to make the call.

SIP Softswitches do this, at least for their subscribers. We still have to somewhat "trust" other providers though.

For direct calling, it is possible to share a secret and use that for authorization.

I can't see why some variant of SPF or DKIM couldn't be applied, but to my knowledge nothing like that is widely implemented in SIP UAs.