On Friday, 6 November 2009, Andrei Pelinescu-Onciul wrote:
On Nov 06, 2009 at 14:39, Iñaki Baz Castillo <ibc(a)aliax.net> wrote:
On Friday, 6 November 2009, Klaus Darilion wrote:
Hi Juha!
Personally I do not like the alias approach. IIRC correctly there were
some security issues with aliases (at least some time ago) and ser does
handle aliases a little bit differently than described by IETF to avoid
these issues.
Could I know about those security issues? (just a brief description).
IIRC the original alias draft required to alias also the IP, so for
example a message from ip: 1.2.3.4 with src_port 1234 and having in via
5.6.7.8:5060 would set an alias on the proxy:
5.6.7.8:5060->1.2.3.4:1234 which is evidently a security problem (I can
use it to redirect someone else's traffic to me).
In ser/sr/kamailio the alias will work only for the port, so in the
above example the alias will be:
1.2.3.4:5060->1.2.3.4:1234 and IIRC a message might be logged.
IETF *always* proposes exotic solutions based on user provided information!
Really annoying.
Even using only the port for the alias there can still be problems if
there are several UACs behind the same NAT that listen on the same port
(e.g. 5060). All of them would add 5060 in the via and on the proxy
there would be attempts to set multiple aliases for nat_ip:5060.
In this case one UAC will also get the requests intended for the others.
This can also be used on purpose, to intercept the messages of the
other users behind the same NAT or on the same machine.
I thought that the "alias" behavior was different:
- UA adds "alias" in Via (with no value, just an empty parameter).
- Then the proxy does know that it can reuse the existing connection to route
new requests to this UA.
I don't understand why the user has to provide address information. Perhaps I
read another draft XD
Regards.
--
Iñaki Baz Castillo <ibc(a)aliax.net>
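
The two aliasing behaviours discussed in this thread, as an added example: a toy Python model, not code from the thread or from ser/sr/Kamailio. The class and function names, the second UAC's source port 4321 and Via address 192.168.0.11, and the first-alias-wins conflict policy are assumptions.

```python
# Toy model of a proxy's connection-alias table (constructed for illustration;
# not ser/sr/Kamailio code). Endpoints are (ip, port) tuples.

class AliasTable:
    def __init__(self, port_only):
        # port_only=False: alias the full Via address (IP and port), as the
        #                  thread recalls the original draft requiring.
        # port_only=True:  alias only the Via port on the packet's real source
        #                  IP, as the thread describes for ser/sr/kamailio.
        self.port_only = port_only
        self.aliases = {}      # aliased (ip, port) -> real (src_ip, src_port)
        self.conflicts = []    # refused attempts, kept for logging/alerting

    def add(self, src, via):
        """Register an alias for a message received from src with top Via via."""
        key = (src[0], via[1]) if self.port_only else via
        current = self.aliases.get(key)
        if current is not None and current != src:
            # Assumption: the first alias wins and the clash is recorded.
            self.conflicts.append((key, current, src))
            return False
        self.aliases[key] = src
        return True

    def route(self, dst):
        """Return the endpoint the proxy would actually send to for dst."""
        return self.aliases.get(dst, dst)


def demo():
    sender, via = ("1.2.3.4", 1234), ("5.6.7.8", 5060)

    draft = AliasTable(port_only=False)
    draft.add(sender, via)
    # Traffic for 5.6.7.8:5060 now goes to the sender of the message.
    redirected = draft.route(("5.6.7.8", 5060))

    safe = AliasTable(port_only=True)
    safe.add(sender, via)
    untouched = safe.route(("5.6.7.8", 5060))   # other host is unaffected
    own = safe.route(("1.2.3.4", 5060))         # only the sender's IP is aliased

    # Two UACs behind the same NAT, both putting port 5060 in Via.
    # Source port 4321 and the Via address are constructed values.
    second_ok = safe.add(("1.2.3.4", 4321), ("192.168.0.11", 5060))
    return redirected, untouched, own, second_ok, safe.conflicts
```

The recorded conflict is the event worth logging: it marks the case where requests for one UAC behind the NAT would be delivered to another.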