> Date: Mon, 11 Aug 2003 13:42:59 -0400
> From: Vance Shipley <vances@motivity.ca>
>
> Folks,
>
> You should be aware that CLID is inherently insecure.
> You are probably safe to use it as long as the risk
> is not great. If the rewards become large enough
> someone will abuse it.
>
> -Vance

Can you elaborate?

As you will see from my original post, I noted that CLID is configurable for any Endpoint, therefore we have combined CLID authentication with a required AliasAuth. Also, we have the Endpoint Alias being passed to the radius server in the Username field.

So, the Endpoint MUST register from a given IP, the ARQ MUST come from that Endpoint for the Username to match in Radius, and the CLID MUST match a given Calling-Station-Id for that Username in radius.

So effectively, we are using a combination of IP and h323Alias and CLID for authentication.

Short of IP Spoofing to get around the AliasAuth, what other "inherently insecurities" for abuse can you see?

Mark

_______________________________________________
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
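The layered check described in the message above, modelled in Python as an added example; it is not part of the original post and is not GnuGK code or configuration. The class, table names, alias, addresses and numbers are all constructed for illustration.

```python
from dataclasses import dataclass

# Stand-in for AliasAuth: the only source IP each alias may register from (constructed).
ALIAS_AUTH = {"branch-gw1": "192.0.2.10"}
# Stand-in for the RADIUS user table: User-Name (the endpoint alias)
# mapped to the Calling-Station-Id values permitted for it (constructed).
RADIUS_USERS = {"branch-gw1": {"15550100", "15550101"}}


@dataclass(frozen=True)
class Arq:
    src_ip: str  # observed by the gatekeeper from the packet source
    alias: str   # h323Alias, supplied by the endpoint
    clid: str    # calling number, supplied by the endpoint


class Gatekeeper:
    def __init__(self):
        self.registered = {}  # alias -> IP the registration was accepted from

    def register(self, src_ip, alias):
        """RRQ: accept only when the alias registers from its configured IP."""
        if ALIAS_AUTH.get(alias) != src_ip:
            return False
        self.registered[alias] = src_ip
        return True

    def admit(self, arq):
        """ARQ: apply the three checks in order and report the first failure."""
        # 1. The ARQ must come from the endpoint that holds the registration.
        if self.registered.get(arq.alias) != arq.src_ip:
            return False, "ARQ not from the registered endpoint"
        # 2. The alias is sent as User-Name; it must exist in RADIUS.
        allowed = RADIUS_USERS.get(arq.alias)
        if allowed is None:
            return False, "no RADIUS user for alias"
        # 3. The CLID must be one of that user's Calling-Station-Id values.
        if arq.clid not in allowed:
            return False, "CLID does not match Calling-Station-Id"
        return True, "ok"
```

Of the three inputs, only `src_ip` is measured by the gatekeeper itself; the alias and the CLID are values the endpoint supplies, so the scheme is only as strong as the IP binding enforced at registration.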