AST-2009-006

A lot of time was spent trying to come up with a way to resolve this issue in a way that was completely backwards compatible. However, the final resolution ended up requiring a modification to the IAX2 protocol. This modification is referred to as call token validation. Call token validation is used as a handshake before call numbers are assigned to IAX2 connections.

Call token validation by itself does not resolve the issue. However, it does allow an IAX2 server to verify that the source address of the messages has not been spoofed before it commits any call number to that peer. In addition to call token validation, Asterisk now also has the ability to limit the number of call numbers assigned to a given remote IP address.

The combination of call token validation and call number allocation limits is used to mitigate this denial of service issue.
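The two mitigations described above, a call token handshake completed before any call number is assigned and a per-IP cap on allocated call numbers, as an added toy model in Python. This is illustration code, not Asterisk's chan_iax2 implementation: the token format (timestamp plus HMAC over the source IP and port), the message names CALLTOKEN/ACCEPT/REJECT, the limits and the secret are all hypothetical. The design point it shows is that the server keeps no per-peer state until a peer has echoed a token that only the genuine owner of the source address could have received, so a flood of spoofed NEW messages consumes no call numbers.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Set


class CallTokenServer:
    """Toy IAX2-style server: stateless call-token handshake plus per-IP call-number limits.

    Hypothetical model added for illustration; the real protocol change is in Asterisk.
    """

    def __init__(self, secret: Optional[bytes] = None, token_lifetime: int = 10,
                 max_calls_per_ip: int = 4, max_call_numbers: int = 32767,
                 clock: Callable[[], float] = time.time) -> None:
        self.secret = secret or os.urandom(32)          # server-side key for token MACs
        self.token_lifetime = token_lifetime            # seconds a token stays valid
        self.max_calls_per_ip = max_calls_per_ip        # per-IP call-number cap (hypothetical value)
        self.max_call_numbers = max_call_numbers        # size of the global call-number pool
        self.clock = clock                              # injectable for deterministic tests
        self.calls_by_ip: Dict[str, Set[int]] = {}      # call numbers held by each remote IP
        self.in_use: Set[int] = set()                   # all allocated call numbers

    def _mac(self, src_ip: str, src_port: int, ts: int) -> str:
        # Token is bound to the source address and an issue time; no state stored.
        msg = f"{src_ip}:{src_port}:{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, src_ip: str, src_port: int) -> str:
        ts = int(self.clock())
        return f"{ts}:{self._mac(src_ip, src_port, ts)}"

    def validate_token(self, src_ip: str, src_port: int, token: str) -> bool:
        try:
            ts_str, mac = token.split(":", 1)
            ts = int(ts_str)
        except (ValueError, AttributeError):
            return False
        now = int(self.clock())
        if not 0 <= now - ts <= self.token_lifetime:
            return False                                # expired or from the future
        # Recomputing the MAC with the *observed* source address defeats spoofed echoes.
        return hmac.compare_digest(mac, self._mac(src_ip, src_port, ts))

    def handle_new(self, src_ip: str, src_port: int, token: Optional[str] = None) -> dict:
        """Process a NEW request; returns the server's response as a dict."""
        if token is None:
            # First contact: answer with a token and allocate nothing.
            return {"action": "CALLTOKEN", "token": self.issue_token(src_ip, src_port)}
        if not self.validate_token(src_ip, src_port, token):
            return {"action": "REJECT", "reason": "bad_token"}
        held = self.calls_by_ip.setdefault(src_ip, set())
        if len(held) >= self.max_calls_per_ip:
            return {"action": "REJECT", "reason": "per_ip_limit"}
        number = self._allocate()
        if number is None:
            return {"action": "REJECT", "reason": "no_call_numbers"}
        held.add(number)
        self.in_use.add(number)
        return {"action": "ACCEPT", "call_number": number}

    def _allocate(self) -> Optional[int]:
        # Lowest free call number; None when the pool is exhausted.
        for n in range(1, self.max_call_numbers + 1):
            if n not in self.in_use:
                return n
        return None

    def release(self, src_ip: str, call_number: int) -> None:
        self.in_use.discard(call_number)
        self.calls_by_ip.get(src_ip, set()).discard(call_number)


if __name__ == "__main__":
    # Constructed scenario: a burst of NEW messages with forged source addresses.
    server = CallTokenServer(max_calls_per_ip=2)
    for i in range(1000):
        server.handle_new(f"198.51.100.{i % 254 + 1}", 4569)   # no token -> CALLTOKEN only
    print("call numbers consumed by spoofed flood:", len(server.in_use))   # 0
    challenge = server.handle_new("203.0.113.5", 4569)
    print(server.handle_new("203.0.113.5", 4569, challenge["token"]))    # ACCEPT
```

Tokens here are not single-use: the handshake only needs to prove that the peer really receives traffic at the claimed source address, so a replay from that same address within the lifetime is still bounded by the per-IP cap.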

An alternative approach to securing IAX2 would be to use a security layer on top of IAX2, such as DTLS [RFC4347] or IPsec [RFC4301].