Digium rolls out new IAX security- what you should know
Friday, September 11, 2009 at 8:03AM
This past week Digium rolled out new versions of Asterisk for all currently supported branches (1.2.x, 1.4.x, and 1.6.x), with a security addition to combat IAX's denial of service (DoS) vulnerabilities, which arise from the protocol's use of a single port. The new releases (and all going forward) introduce token authentication for IAX devices and trunks, and add methods to limit the number of unauthenticated IAX connections. Digium's disclosure of the new security methods and how to use them can be found here: http://downloads.asterisk.org/pub/security/IAX2-security.html.
For Asterisk users, IAX's single-port design offers a NAT-friendly setup, usually without requiring any ports to be opened to the server. Token authentication is a welcome improvement and helps mitigate the number one weakness of IAX compared to its more popular cousin SIP: vulnerability to denial of service attacks. While IAX providers are a little thin on the ground compared with the number of SIP providers, I've come to love it for its simplicity, security, and reliability. With IAX and no ports opened at the firewall, brute force extension attacks don't occur. With the IAX port opened, the new token validation method eliminates unauthenticated connection attempts to the server. Other IAX benefits are better DTMF handling, and the annoying trait of Asterisk unregistering internal extensions when connectivity to SIP providers is lost doesn't happen when using IAX.
What to know. On an upgraded server, token authentication is enabled by default. If all your IAX devices and providers support it, then congratulations, you're all set. If not, expect some trouble, since existing providers or IAX devices (endpoints) that don't support it won't be allowed to register with your server. When I upgraded to 1.4.26.2, my IAX providers (voip.ms, vitelity, fonica) and IAX extensions quit registering with the server. At this time (as far as I know), no IAX providers or IAX devices support token authentication. This should change as providers incorporate the new measure, but it will understandably take some time. Getting actual IAX devices to support this will likely be the most problematic, as there are very few IAX IP phones or softphones out there. The bottom line is that this will break connections for servers that use IAX.
The workarounds. These instructions are for Asterisk-based installs that use FreePBX, and will get you going again. They can be easily modified to fit straight Asterisk installs, and I highly recommend reading Digium's link above describing how to use the new security methods for more information. As stated, installing these new Asterisk versions will enable token authentication by default. If you have IAX providers and IAX extensions, you will (unless/until token auth is supported) have to make some adjustments.
If you want to turn token authentication off completely (and I don't recommend you do), add these lines to the iax_custom.conf file:
calltokenoptional = 0.0.0.0/0.0.0.0
maxcallnumbers = 16382
A better way is to keep token authentication in place on your server and selectively allow your IAX providers and IAX devices that don't support it through.
First for the IAX providers:
Using FreePBX, go to the providers trunk and in the PEER-DETAILS box of the Outgoing Settings, add this line:
requirecalltoken=auto
The use of the 'auto' statement will allow an unvalidated state until the provider sends a signal that it supports token authentication, at which time your server will then require it. If this will be problematic, 'requirecalltoken=no' should be used. You should find that your unsupported IAX trunks are now able to register with the server.
For devices (or endpoints), modification of the iax_custom.conf file will be necessary. I have a ticket open with FreePBX to add 'requirecalltoken' to the IAX extension device options, but until this happens, adding lines to the iax_custom.conf file will be necessary. Using FreePBX, you can modify this file under Tools->Config Edit. First, however, it will be necessary to get the code that you will copy for each extension from the iax.conf file. This requires using SSH, so start an SSH session with your server and use nano or another editor to examine the iax.conf file, then copy the specific code for each IAX extension you have and paste it into the iax_custom.conf file. It's easiest when you have both SSH and FreePBX running so you can cut and paste from one to the other. The code for each extension will look something like this:
[101]
deny=0.0.0.0/0.0.0.0
secret=yoursecret
transfer=no
context=from-internal
host=dynamic
type=friend
port=4569
qualify=yes
dial=IAX2/101
accountcode=
mailbox=101@device
permit=0.0.0.0/0.0.0.0
callerid=device <101>
requirecalltoken=auto
Once you have the IAX extension(s) code pasted into the iax_custom.conf file using FreePBX, add the line 'requirecalltoken=auto' or 'requirecalltoken=no' at the end, save the changes and reload Asterisk. The same behaviors for 'auto' apply here as they did in the providers trunk section, so use of 'no' may be more appropriate. Your IAX devices will then be able to register with the server and all should be good.
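As an added helper for the copy-and-paste step above (example code, not from the original post, FreePBX or Asterisk), the following shell script pulls the named peer sections out of iax.conf and emits each one with the requirecalltoken line appended, ready to paste into iax_custom.conf. The sample iax.conf content, the section names and the provider host are constructed for the demo.

```shell
#!/bin/sh
# Pull named [section]s out of an Asterisk iax.conf and emit them with a
# requirecalltoken line appended, ready to paste into iax_custom.conf.
# Added example; not part of FreePBX or Asterisk.

# Constructed sample of the peer definitions FreePBX writes to iax.conf.
SAMPLE_IAX_CONF='[general]
bindport=4569

[101]
deny=0.0.0.0/0.0.0.0
secret=yoursecret
type=friend
host=dynamic
permit=0.0.0.0/0.0.0.0
requirecalltoken=auto

[102]
secret=othersecret
type=friend
host=dynamic

[myprovider]
type=peer
host=iax.provider.invalid
'

# extract_iax_peers FILE MODE SECTION...
#   MODE is the requirecalltoken value to append: "auto" or "no".
# Any requirecalltoken line already in the section is dropped so the
# pasted copy carries exactly one; a missing section warns on stderr.
extract_iax_peers() {
    file=$1 mode=$2
    shift 2
    case $mode in auto|no) ;; *) echo "mode must be auto or no" >&2; return 2 ;; esac
    for sec in "$@"; do
        awk -v want="$sec" -v mode="$mode" '
            /^\[/ { if (insec) exit; insec = ($0 == ("[" want "]")); if (insec) found = 1 }
            insec && NF && $0 !~ /^requirecalltoken=/ { print }
            END { if (!found) exit 1; print "requirecalltoken=" mode; print "" }
        ' "$file" || echo "warning: [$sec] not found in $file" >&2
    done
}

# Demo against the constructed sample: sections 101 and 102 with "no".
TMP=$(mktemp)
printf '%s' "$SAMPLE_IAX_CONF" > "$TMP"
extract_iax_peers "$TMP" no 101 102
rm -f "$TMP"
```

On a real server point it at /etc/asterisk/iax.conf and redirect the output into iax_custom.conf, then review the result before reloading.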

Reader Comments (1)
Thanks for explaining this in a clear manner. The best is yet to come for IAX, and this is a good step.