Judging from my recent experience, at least one North American SIP trunk provider has not understood the importance of SIP authentication.
While working on a customer’s VoIP system, I noticed that SIP messages sent from their PBX to their SIP trunk provider were triggering an immediate response, without the usual authentication challenge.
This meant that the trunk was not bothering to authenticate call requests, leaving the system open to toll fraud and other attacks.
The SIP standard specifies a challenge/response authentication mechanism. A well-regulated SIP trunk should implement this.
When a device such as a PBX attempts to make a call, the trunk should refuse the initial request and challenge the PBX to retry with the appropriate authentication credentials. When the requesting device receives this challenge, it uses information stored in its configuration database to respond.
The North American trunk provider (who will remain nameless) had issued authentication credentials for the SIP trunk circuits, and the customer had diligently added this information to the PBX’s configuration database.
Unfortunately, for a reason that still remains unclear, the provider seemed unable to configure their own systems properly, so both registration requests and call requests went completely unchallenged. This problem has two very serious consequences.
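A check for the unchallenged behaviour described above, as an added example that is not part of the original article: it walks a list of SIP messages and reports any REGISTER or INVITE that carried no credentials yet received a 2xx response without a 401 or 407 challenge. The messages, hosts, Call-IDs and function names are constructed for illustration.

```python
# Constructed SIP messages (not a real capture); hosts and IDs are placeholders.
CAPTURE = [
    # Call a1: the trunk challenges, the PBX retries with credentials.
    "REGISTER sip:trunk.example.invalid SIP/2.0\r\nCall-ID: a1\r\nCSeq: 1 REGISTER\r\n\r\n",
    "SIP/2.0 401 Unauthorized\r\nCall-ID: a1\r\nCSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="trunk", nonce="abc"\r\n\r\n',
    "REGISTER sip:trunk.example.invalid SIP/2.0\r\nCall-ID: a1\r\nCSeq: 2 REGISTER\r\n"
    'Authorization: Digest username="pbx", realm="trunk", nonce="abc", response="0"\r\n\r\n',
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\nCSeq: 2 REGISTER\r\n\r\n",
    # Call b2: the trunk accepts a request that carried no credentials.
    "INVITE sip:15550100@trunk.example.invalid SIP/2.0\r\nCall-ID: b2\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 100 Trying\r\nCall-ID: b2\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: b2\r\nCSeq: 1 INVITE\r\n\r\n",
]


def parse(msg):
    """Return (start line, {lower-cased header name: value}) for one SIP message."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def unchallenged(messages, methods=("REGISTER", "INVITE")):
    """List (call-id, method, status) for requests accepted without credentials."""
    pending = {}    # (Call-ID, CSeq) -> method, for requests sent with no auth header
    findings = []
    for msg in messages:
        start, h = parse(msg)
        key = (h.get("call-id"), h.get("cseq"))
        if start.startswith("SIP/2.0 "):             # response
            status = int(start.split()[1])
            if 200 <= status < 300 and key in pending:
                findings.append((key[0], pending.pop(key), status))
            elif status in (401, 407):               # proper challenge was issued
                pending.pop(key, None)
        else:                                        # request
            method = start.split(" ", 1)[0]
            has_auth = "authorization" in h or "proxy-authorization" in h
            if method in methods and not has_auth:
                pending[key] = method
    return findings


if __name__ == "__main__":
    for call_id, method, status in unchallenged(CAPTURE):
        print(f"{call_id}: {method} accepted with {status} and no 401/407 challenge")
```

The parser reads full header names only; compact forms such as `i` for Call-ID would need to be mapped before running it over real traffic.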