[OpenSIPS-Users] Addressing Increased Security

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Apr 9 19:28:36 CEST 2013


Hello Nick,

You can say that the IP level info may be trusted (as it is provided by 
the IP layer, which is out of the user's control, so pretty safe).

About the content of the SIP packet, without authentication, nothing is 
to be trusted. Doing digest authentication for SIP requests, you can 
trust the username+realm of the caller (username in the auth hdr, which 
usually matches the SIP FROM hdr). So that's the only information that 
you can say is 100% sure.

If you want to have more authenticated, take a look at SIP Identity 
support (http://www.opensips.org/html/docs/modules/1.9.x/identity.html), 
but you also need that support in the clients too.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 04/09/2013 06:43 PM, Nick Khamis wrote:
> Hello Everyone,
>
> When performing certain security tasks using script and database queries, we would like
> to make sure that we are processing the more secure parts of the SIP packet. As you know,
> fu, fd, tu, and td can be manually set by any user, as we do here in the SIP proxy world:
>
> From: "Mike Peer" <sip:5148390676@10.147.23.144>;tag=as15bc6a70.
> To: <sip:1000@sip.example.com>.
> Contact: <sip:5148392007@10.147.23.144>.
>
> And therefore not the most secure place to look when performing security critical tasks.
> (i.e., who is attempting to make/place a call)
>
> Not sure what this part of the SIP packet is called:
>
> U 2013/04/09 11:27:33.449280 69.147.236.82:5060 -> 192.168.2.5:5060
>
> But it seems like a safe place to look since it looks like it's 
> generated on our side. If so, what OpenSIPS variables return
>
> Source: 10.147.23.144:5060 and Destination: 192.168.2.5:5060
>
> Would src_ip and dst_ip be the best place to start? As for dst_ip, it 
> will always be the address of the interface that receives the traffic; however,
> what about interfaces that are behind a NAT (i.e., public/private IPs)?
>
> Maybe the Via info is safer to process in cases where the 
> caller/callee is going through
> a sexy little proxy like OpenSIPS? ;)
>
> Via: SIP/2.0/UDP 10.147.23.144:5060;branch=z9hG4bK5027614e;rport.
>
> Your Insights are greatly appreciated,
>
> Nick


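The trust split described in the reply above, as an added Python example that is not part of the original thread and is not OpenSIPS code: the transport source address is taken as given, the digest username+realm is accepted only after the response is verified (RFC 2617 digest without qop), and the From user is compared against the authenticated username. The helper names, passwords and nonce are constructed for illustration; the SIP addresses reuse the ones quoted in the thread.

```python
import hashlib, hmac, re

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_digest(value):
    # 'Digest username="a", realm="b"' -> {"username": "a", "realm": "b"}
    return dict(re.findall(r'(\w+)="?([^",]*)"?', value.partition(" ")[2]))

def from_user(value):
    m = re.search(r"sips?:([^@;>]+)@", value)
    return m.group(1) if m else None

def trusted_identity(src_ip, method, headers, passwords, issued_nonces):
    """Hypothetical helper: report what a proxy may rely on for one request."""
    out = {"src_ip": src_ip, "auth_user": None, "from_matches_auth": False}
    p = parse_digest(headers.get("Proxy-Authorization", ""))
    if not {"username", "realm", "nonce", "uri", "response"} <= p.keys():
        return out                      # no credentials: headers are only claims
    password = passwords.get((p["username"], p["realm"]))
    if password is None or p["nonce"] not in issued_nonces:
        return out                      # unknown user, or a nonce we never issued
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    if not hmac.compare_digest(expected, p["response"]):
        return out                      # wrong password: still unauthenticated
    out["auth_user"] = (p["username"], p["realm"])
    out["from_matches_auth"] = from_user(headers.get("From", "")) == p["username"]
    return out

# Constructed sample data (passwords and nonce are made up for this example).
REALM, NONCE = "sip.example.com", "constructed-nonce-1"
PASSWORDS = {("5148390676", REALM): "s3cret", ("1000", REALM): "pw1000"}
NONCES = {NONCE}

def sample_headers(auth_user, password, claimed_from_user):
    # Builds the headers a client would send; From is whatever the client claims.
    uri = "sip:1000@sip.example.com"
    resp = digest_response(auth_user, REALM, password, "INVITE", uri, NONCE)
    return {"From": f'"Mike Peer" <sip:{claimed_from_user}@10.147.23.144>;tag=as15bc6a70',
            "Proxy-Authorization": f'Digest username="{auth_user}", realm="{REALM}", '
                                   f'nonce="{NONCE}", uri="{uri}", response="{resp}"'}
```

A request whose From user differs from the authenticated username comes back with `auth_user` set and `from_matches_auth` false, which is the case a proxy script has to reject or rewrite before using From for authorization or billing.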