[OpenSER-Users] best response seems wrong.

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jan 17 09:14:35 CET 2008


Aymeric Moizard schrieb:
> 
> 
> On Wed, 16 Jan 2008, Klaus Darilion wrote:
> 
>> Bogdan-Andrei Iancu wrote:
>>> Yes, you can use branch_route to individually inspect each branch. 
>>> Also you can drop them via "drop" statement.
>>
>> Or in first place avoid the bad location entry in subscriber table - 
>> e.g. screen the contact URI before save().
> 
> Would be nice to provide some more clue on this.


Hi Aymeric!

SIP is by design buggy: The SIP protocol tells us to save the contact 
during REGISTER and to use this contact for incoming calls to the 
respective user. But the contact is user provided - and user provided 
data should never be trusted without validation (like everybody does 
with HTTP forms).

A simple example:

REGISTER sip.antisip.com
To: sip:klaus3000@sip.antisip.com
Contact: sip:0043123456@ipaddress.ofthe.pstngatewayof.antisip

Now, incoming calls to klaus3000 will be forwarded to the pstngateway 
which usually trusts the proxy and establishes the call.

Thus, the proxy should screen the contact. This can be done 2 times: 
Either during registration (before save()) or while call-routing (after 
lookup()).

IMO it is best to use both methods. Checking for illegal destinations (like 
direct addressing of the PSTN gateway or other internal SIP components) 
can be done using openser's blacklist feature. Define blacklists which 
will be activated unless the proxy really wants to route the call to the 
PSTN gateway.

Further, I also screen the contact during registration (actually with 
openser's blacklist feature this is not really needed anymore - but 
often you have systems with older openser versions and you might not 
update) using the permissions module and forbid IP addresses of internal 
components, the proxy itself and optionally also domains.

Recently there was a similar thread which is IMO worth reading:
http://www.openser.org/pipermail/users/2007-December/014853.html and a 
long explanation from me:
http://www.openser.org/pipermail/users/2007-December/014867.html

regards
Klaus
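The screening Klaus describes, as an added illustration that is not part of the thread and not openser code: the same Contact check applied once before save() (REGISTER time) and once after lookup() (per branch). The internal networks and domains are assumed example values standing in for the PSTN gateway and the proxy itself.

```python
import ipaddress
import re

# Assumed example policy: address ranges and domains of the PSTN gateway,
# the proxy itself and other internal components that no user-supplied
# Contact may point at. Replace with the real deployment's values.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_DOMAINS = {"pstngateway.example.net", "proxy.example.net"}

# Matches sip:/sips: URIs in bare or <...> form and captures the host,
# stopping before a port, URI parameters or the closing bracket.
_URI_RE = re.compile(r"sips?:(?:[^@>;]+@)?(\[[^\]]+\]|[^:;>?\s]+)", re.I)

def contact_host(contact):
    """Return the host part of a Contact header value, or None if unparsable."""
    m = _URI_RE.search(contact)
    if not m:
        return None
    return m.group(1).strip("[]").lower()

def contact_is_allowed(contact):
    """Screen one user-supplied Contact: reject if its host is an internal
    address, an internal domain (or a subdomain of one), or unparsable.
    The wildcard '*' (unregister everything) carries no host and passes."""
    if contact.strip() == "*":
        return True
    host = contact_host(contact)
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare the name and every parent domain.
        labels = host.rstrip(".").split(".")
        return not any(".".join(labels[i:]) in INTERNAL_DOMAINS
                       for i in range(len(labels)))
    return not any(addr in net for net in INTERNAL_NETWORKS)

def screen_register(contacts):
    """Registration time (before save()): keep only contacts that may be stored."""
    return [c for c in contacts if contact_is_allowed(c)]

def screen_branches(branches):
    """Call-routing time (after lookup()): drop branches that point inside."""
    return [b for b in branches if contact_is_allowed(b)]
```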
