IAX2-security.txt 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440
  1. IAX2 Security
  2. Copyright (c) 2009 - Digium, Inc.
  3. All Rights Reserved.
  4. Document Version 1.0
  5. 09/03/09
  6. Asterisk Development Team <asteriskteam@digium.com>
  7. Table of Contents
  8. 1. Introduction 3
  9. 1.1. Overview 3
  10. 2. User Guide 3
  11. 2.1. Configuration 3
  12. 2.1.1. Quick Start 3
  13. 2.1.2. Controlled Networks 4
  14. 2.1.2.1. Full Upgrade 4
  15. 2.1.2.2. Partial Upgrade 4
  16. 2.1.3. Public Networks 4
  17. 2.1.3.1. Full Upgrade 4
  18. 2.1.3.2. Partial Upgrade 5
  19. 2.1.3.3. Guest Access 5
  20. 2.2. CLI Commands 6
  21. 2.2.1. iax2 show callnumber usage 6
  22. 2.2.2. iax2 show peer 6
  23. 3. Protocol Modification 6
  24. 3.1. Overview 6
  25. 3.2. Call Token Validation 7
  26. 3.3. Example Message Exchanges 8
  27. 3.3.1. Call Setup 8
  28. 3.3.2. Call Setup, client does not support CALLTOKEN 8
  29. 3.3.3. Call Setup, client supports CALLTOKEN, server does not 9
  30. 3.3.4. Call Setup from client that sends invalid token 9
  31. 4. Asterisk Implementation 9
  32. 4.1. CALLTOKEN IE Payload 9
  33. 1. Introduction
  34. 1.1. Overview
  35. A change has been made to the IAX2 protocol to help mitigate denial of
  36. service attacks. This change is referred to as call token validation. This
  37. change affects how messages are exchanged and is not backwards compatible
  38. for an older client connecting to an updated server, so a number of
  39. options have been provided to disable call token validation as needed for
  40. compatibility purposes.
  41. In addition to call token validation, Asterisk can now also limit the
  42. number of connections allowed per IP address to disallow one host from
  43. preventing other hosts from making successful connections. These options
  44. are referred to as call number limits.
  45. For additional details about the configuration options referenced in this
  46. document, see the sample configuration file, iax.conf.sample. For
  47. information regarding the details of the call token validation protocol
  48. modification, see section 3 (Protocol Modification) of this document.
  49. 2. User Guide
  50. 2.1. Configuration
  51. 2.1.1. Quick Start
  52. We strongly recommend that administrators leave the IAX2 security
  53. enhancements in place where possible. However, to bypass the security
  54. enhancements completely and have Asterisk work exactly as it did before,
  55. the following options can be specified in the [general] section of
  56. iax.conf:
  57. [general]
  58. ...
  59. calltokenoptional = 0.0.0.0/0.0.0.0
  60. maxcallnumbers = 16382
  61. ...
  62. 2.1.2. Controlled Networks
  63. This section discusses what needs to be done for an Asterisk server on a
  64. network where no unsolicited traffic will reach the IAX2 service.
  65. 2.1.2.1. Full Upgrade
  66. If all IAX2 endpoints have been upgraded, then no changes to configuration
  67. need to be made.
  68. 2.1.2.2. Partial Upgrade
  69. If only some of the IAX2 endpoints have been upgraded, then some
  70. configuration changes will need to be made for interoperability. Since
  71. this is for a controlled network, the easiest thing to do is to disable
  72. call token validation completely, as described in section 2.1.1.
  73. 2.1.3. Public Networks
  74. This section discusses the use of the IAX2 security functionality on
  75. public networks where it is possible to receive unsolicited IAX2 traffic.
  76. 2.1.3.1. Full Upgrade
  77. If all IAX2 endpoints have been upgraded to support call token validation,
  78. then no changes need to be made. However, for enhanced security, the
  79. administrator may adjust call number limits to further reduce the
  80. potential impact of malicious call number consumption. The following
  81. configuration will allow known peers to consume more call numbers than
  82. unknown source IP addresses:
  83. [general]
  84. ; By default, restrict call number usage to a low number.
  85. maxcallnumbers = 16
  86. ...
  87. [callnumberlimits]
  88. ; For peers with known IP addresses, call number limits can
  89. ; be set in this section. This limit is per IP address for
  90. ; addresses that fall in the specified range.
  91. ; <IP>/<mask> = <limit>
  92. 192.168.1.0/255.255.255.0 = 1024
  93. ...
  94. [peerA]
  95. ; Since we won't know the IP address of a dynamic peer until
  96. ; they register, a max call number limit can be set in a
  97. ; dynamic peer configuration section.
  98. Type = peer
  99. host = dynamic
  100. maxcallnumbers = 1024
  101. ...
  102. 2.1.3.2. Partial Upgrade
  103. If only some IAX2 endpoints have been upgraded, or the status of an IAX2
  104. endpoint is unknown, then call token validation must be disabled to ensure
  105. interoperability. To reduce the potential impact of disabling call token
  106. validation, it should only be disabled for a specific peer or user as
  107. needed. By using the auto option, call token validation will be changed to
  108. required as soon as we determine that the peer supports it.
  109. [friendA]
  110. requirecalltoken = auto
  111. ...
  112. Note that there are some cases where auto should not be used. For example,
  113. if multiple peers use the same authentication details, and they have not
  114. all upgraded to support call token validation, then the ones that do not
  115. support it will get locked out. Once an upgraded client successfully
  116. completes an authenticated call setup using call token validation,
  117. Asterisk will require it from then on. In that case, it would be better to
  118. set the requirecalltoken option to no.
  119. 2.1.3.3. Guest Access
  120. Guest access via IAX2 requires special attention. Given the number of
  121. existing IAX2 endpoints that do not support call token validation, most
  122. systems that allow guest access should do so without requiring call token
  123. validation.
  124. [guest]
  125. ; Note that the name "guest" is special here. When the code
  126. ; tries to determine if call token validation is required, it
  127. ; will look for a user by the username specified in the
  128. ; request. Guest calls can be sent without a username. In
  129. ; that case, we will look for a defined user called "guest" to
  130. ; determine if call token validation is required or not.
  131. type = user
  132. requirecalltoken = no
  133. ...
  134. Since disabling call token validation for the guest account allows a huge
  135. hole for malicious call number consumption, an option has been provided to
  136. segregate the call numbers consumed by connections not using call token
  137. validation from those that do. That way, there are resources dedicated to
  138. the more secure connections to ensure that service is not interrupted for
  139. them.
  140. [general]
  141. maxcallnumbers_nonvalidated = 2048
  142. 2.2. CLI Commands
  143. 2.2.1. iax2 show callnumber usage
  144. Usage: iax2 show callnumber usage [IP address]
  145. Show current IP addresses which are consuming IAX2 call numbers.
  146. 2.2.2. iax2 show peer
  147. This command will now also show the configured call number limit and
  148. whether or not call token validation is required for this peer.
  149. 3. Protocol Modification
  150. This section discusses the modification that has been made to the IAX2
  151. protocol. This information would be most useful to implementors of IAX2.
  152. 3.1. Overview
  153. The IAX2 protocol uses a call number to associate messages with which call
  154. they belong to. The available amount of call numbers is finite as defined
  155. by the protocol. Because of this, it is important to prevent attackers
  156. from maliciously consuming call numbers. To achieve this, an enhancement
  157. to the IAX2 protocol has been made which is referred to as call token
  158. validation.
  159. Call token validation ensures that an IAX2 connection is not coming from a
  160. spoofed IP address. In addition to using call token validation, Asterisk
  161. will also limit how many call numbers may be consumed by a given remote IP
  162. address. These limits have defaults that will usually not need to be
  163. changed, but can be modified for a specific need.
  164. The combination of call token validation and call number limits is used to
  165. mitigate a denial of service attack to consume all available IAX2 call
  166. numbers. An alternative approach to securing IAX2 would be to use a
  167. security layer on top of IAX2, such as DTLS [RFC4347] or IPsec [RFC4301].
  168. 3.2. Call Token Validation
  169. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  170. "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  171. document are to be interpreted as described in RFC 2119.
  172. For this section, when the word "request" is used, it is referring to the
  173. command that starts an IAX2 dialog.
  174. This modification adds a new IAX2 frame type, and a new information
  175. element be defined.
  176. Frame Type: CALLTOKEN --- 0x28 (40)
  177. IE: CALLTOKEN --- 0x36 (54)
  178. When a request is initially sent, it SHOULD include the CALLTOKEN IE with
  179. a zero-length payload to indicate that this client supports the CALLTOKEN
  180. exchange. When a server receives this request, it MUST respond with the
  181. IAX2 message CALLTOKEN. The CALLTOKEN message MUST be sent with a source
  182. call number of 0, as a call number will not yet be allocated for this
  183. call.
  184. For the sake of backwards compatibility with clients that do not support
  185. token validation, server implementations MAY process requests that do not
  186. indicate CALLTOKEN support in their initial request. However, this SHOULD
  187. NOT be the default behavior, as it gives up the security benefits gained
  188. by CALLTOKEN validation.
  189. After a client sends a request with an empty CALLTOKEN IE, it MUST be
  190. prepared to receive a CALLTOKEN response, or to receive a response that
  191. would be given in the case of a valid CALLTOKEN. This is how a client must
  192. behave to inter operate with IAX2 server implementations that do not yet
  193. support CALLTOKEN validation.
  194. When an IAX2 client receives a CALLTOKEN response, it MUST send its
  195. initial request again. This request MUST include the CALLTOKEN IE with a
  196. copy of the value of the CALLTOKEN IE received in the CALLTOKEN response.
  197. The IE value is an opaque value. Clients MUST be able to accept a
  198. CALLTOKEN payload of any length, up to the maximum length allowed in an
  199. IAX2 IE.
  200. The value of the payload in the CALLTOKEN IE is an implementation detail.
  201. It is left to the implementor to decide how sophisticated it should be.
  202. However, it MUST be enough such that when the CALLTOKEN IE is sent back,
  203. it can be used to verify that the source IP address and port number has
  204. not been spoofed.
  205. If a server receives a request with an invalid CALLTOKEN IE value, then it
  206. MUST drop it and not respond.
  207. 3.3. Example Message Exchanges
  208. 3.3.1. Call Setup
  209. Client Server
  210. -------- --------
  211. ------------- NEW ----------->
  212. (with empty CALLTOKEN IE)
  213. <---------- CALLTOKEN ------------
  214. (client must ignore
  215. source call number
  216. from this message)
  217. ------------- NEW ----------->
  218. (with received token)
  219. <---------- AUTHREQ ----------
  220. ... continue as normal ...
  221. 3.3.2. Call Setup, client does not support CALLTOKEN
  222. Client Server
  223. -------- --------
  224. ------------- NEW ----------->
  225. (with no CALLTOKEN IE)
  226. <----------- REJECT ----------
  227. (sent without allocating
  228. a call number)
  229. ------------- ACK ----------->
  230. 3.3.3. Call Setup, client supports CALLTOKEN, server does not
  231. Client Server
  232. -------- --------
  233. ------------- NEW ----------->
  234. (with empty CALLTOKEN IE)
  235. <----------- AUTHREQ ---------
  236. (sent without allocating
  237. a call number)
  238. ... continue as normal ...
  239. 3.3.4. Call Setup from client that sends invalid token
  240. Client Server
  241. -------- --------
  242. ------------- NEW ----------->
  243. (with invalid CALLTOKEN IE)
  244. ... dropped ...
  245. 4. Asterisk Implementation
  246. This section includes some additional details on the implementation of
  247. these changes in Asterisk.
  248. 4.1. CALLTOKEN IE Payload
  249. For Asterisk, we will encode the payload of the CALLTOKEN IE such that the
  250. server is able to validate a received token without having to store any
  251. information after transmitting the CALLTOKEN response. The CALLTOKEN IE
  252. payload will contain:
  253. * A timestamp (epoch based)
  254. * SHA1 hash of the remote IP address and port, the timestamp, as well
  255. some random data generated when Asterisk starts.
  256. When a CALLTOKEN IE is received, its validity will be determined by
  257. recalculating the SHA1 hash. If it is a valid token, the timestamp is
  258. checked to determine if the token is expired. The token timeout will be
  259. hard coded at 10 seconds for now. However, it may be made configurable at
  260. some point if it seems to be a useful addition. If the server determines
  261. that a received token is expired, it will treat it as an invalid token and
  262. not respond to the request.
  263. By using this method, we require no additional memory to be allocated for
  264. a dialog, other than what is on the stack for processing the initial
  265. request, until token validation is complete.
  266. However, one thing to note with this CALLTOKEN IE encoding is that a token
  267. would be considered valid by Asterisk every time a client sent it until we
  268. considered it an expired token. However, with use of the "maxcallnumbers"
  269. option, this is not actually a problem. It just means that an attacker
  270. could hit their call number limit a bit quicker since they would only have
  271. to acquire a single token per timeout period, instead of a token per
  272. request.
  273. 10 of 10