23 Feb
2011
23 Feb
'11
12:26 p.m.
Hi, by reading auth_identity module documentation I get some doubts:
- The doc examples use things like:
if (@identity) {
t_reply("403", "Invalid Identity header");
drop;
}
What is @identity ??
- When acting as verifier, the proxy must get the certificate via HTTP
from the URL given in the Identity-Info header of the request. The
module doesn't include TCP/HTTP timeouts so, what would happen if an
attacker set a non-responding domain in such header? would the
kamailio/ser process block when trying to retrieve the certificate
until the kernel returns error for the TCP establishment? (it could
take even minutes!!!).
- The doc says:
1.6.2. auth_add_identity()
[...]
Note: this function needs the final outgoing message for
authorization, so no
module may modify any digest string related headers (From, To,
Call-ID, CSeq,
Date, Contact) and body after auth_add_identity()'s been called
So we must be careful and don't use fix_contact(), force_rtpproxy() or
whatever function modifying From/To/Contact/body. This means that this
won't work in most of the cases (who doesn't deal with NATted
clients?). The only solution seems to be calling msg_apply_changes(),
but this doesn't seem to be very good. Am I wrong? So, is this module
really usable in real environments? somebody using it?
Thanks.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
23 Feb
23 Feb
12:52 p.m.
Am 23.02.2011 11:26, schrieb Iñaki Baz Castillo:
Hi, by reading auth_identity module documentation I
get some doubts:
- The doc examples use things like:
if (@identity) {
t_reply("403", "Invalid Identity header");
drop;
}
What is @identity ??
@xxx is a 'select', see ser's select framework:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_l…
http://sip-router.org/wiki/ref_manual/selects
IMO the example looks a bit weird.
- When acting as verifier, the proxy must get the
certificate via HTTP
from the URL given in the Identity-Info header of the request. The
module doesn't include TCP/HTTP timeouts so, what would happen if an
attacker set a non-responding domain in such header? would the
kamailio/ser process block when trying to retrieve the certificate
until the kernel returns error for the TCP establishment? (it could
take even minutes!!!).
Try it. ;-)
- The doc says:
1.6.2. auth_add_identity()
[...]
Note: this function needs the final outgoing message for
authorization, so no
module may modify any digest string related headers (From, To,
Call-ID, CSeq,
Date, Contact) and body after auth_add_identity()'s been called
So we must be careful and don't use fix_contact(), force_rtpproxy() or
whatever function modifying From/To/Contact/body. This means that this
won't work in most of the cases (who doesn't deal with NATted
clients?). The only solution seems to be calling msg_apply_changes(),
but this doesn't seem to be very good. Am I wrong? So, is this module
really usable in real environments? somebody using it?
You can do any modifications before auth_add_identity(), but not after
auth_add_identity(). auth_add_identity() internally calls
msg_apply_changes functionality.
regards
klaus
2:20 p.m.
2011/2/23 Klaus Darilion <klaus.mailinglists(a)pernau.at>at>:
Thanks, I missed them.
I plan to try the module soon, but cannot do it now, please tell me :)
NOTE: I mean the case in which the HTTP server has a DROP rule in its
firewall, so the TCP connection would take long time to return error.
I know that curl uses a configurable timer for the HTTP/TCP connection
operation, but even 1-2 seconds could be enough to leave a proxy
unusable (imagine 100 calls at the same time containing Indentity-Info
pointing to 100 different domains with DROP rule).
Good to know, thanks. IMHO it should be clearly documented.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
What is
@identity ??
@xxx is a 'select', see ser's select framework:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_l…
http://sip-router.org/wiki/ref_manual/selects - When acting
as verifier, the proxy must get the certificate via HTTP
from the URL given in the Identity-Info header of the request. The
module doesn't include TCP/HTTP timeouts so, what would happen if an
attacker set a non-responding domain in such header? would the
kamailio/ser process block when trying to retrieve the certificate
until the kernel returns error for the TCP establishment? (it could
take even minutes!!!).
Try it. ;-) So we must be
careful and don't use fix_contact(), force_rtpproxy() or
whatever function modifying From/To/Contact/body. This means that this
won't work in most of the cases (who doesn't deal with NATted
clients?). The only solution seems to be calling msg_apply_changes(),
but this doesn't seem to be very good. Am I wrong? So, is this module
really usable in real environments? somebody using it?
You can do any modifications before auth_add_identity(), but not after
auth_add_identity(). auth_add_identity() internally calls
msg_apply_changes functionality.
8:05 p.m.
Am 23.02.2011 13:20, schrieb Iñaki Baz Castillo:
Short: I do not know :-)
I never tested it. The timeout could also happen before, e.g. lame DNS
delegation.
regards
Klaus
Try it. ;-)
I plan to try the module soon, but cannot do it now, please tell me :)
NOTE: I mean the case in which the HTTP server has a DROP rule in its
firewall, so the TCP connection would take long time to return error.
I know that curl uses a configurable timer for the HTTP/TCP connection
operation, but even 1-2 seconds could be enough to leave a proxy
unusable (imagine 100 calls at the same time containing Indentity-Info
pointing to 100 different domains with DROP rule). 
11:46 p.m.
On 2/23/11 11:52 AM, Klaus Darilion wrote:
Am 23.02.2011 11:26, schrieb Iñaki Baz Castillo:
To add here:
- the selects can be accessed via pseudo-variables framework, like:
$sel(xxx) instead of @xxx
Cheers,
Daniel
Hi, by reading auth_identity module documentation
I get some doubts:
- The doc examples use things like:
if (@identity) {
t_reply("403", "Invalid Identity header");
drop;
}
What is @identity ??
@xxx is a 'select', see ser's select framework:
http://sip-router.org/docbook/sip-router/branch/master/select_list/select_l…
http://sip-router.org/wiki/ref_manual/selects
IMO the example looks a bit weird.
--
Daniel-Constantin Mierla
http://www.asipto.com
- When acting as verifier, the proxy must get the
certificate via HTTP
from the URL given in the Identity-Info header of the request. The
module doesn't include TCP/HTTP timeouts so, what would happen if an
attacker set a non-responding domain in such header? would the
kamailio/ser process block when trying to retrieve the certificate
until the kernel returns error for the TCP establishment? (it could
take even minutes!!!).
Try it. ;-)
- The doc says:
1.6.2. auth_add_identity()
[...]
Note: this function needs the final outgoing message for
authorization, so no
module may modify any digest string related headers (From, To,
Call-ID, CSeq,
Date, Contact) and body after auth_add_identity()'s been called
So we must be careful and don't use fix_contact(), force_rtpproxy() or
whatever function modifying From/To/Contact/body. This means that this
won't work in most of the cases (who doesn't deal with NATted
clients?). The only solution seems to be calling msg_apply_changes(),
but this doesn't seem to be very good. Am I wrong? So, is this module
really usable in real environments? somebody using it?
You can do any
modifications before auth_add_identity(), but not after
auth_add_identity(). auth_add_identity() internally calls
msg_apply_changes functionality.
regards
klaus
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
24 Feb
24 Feb
1:12 a.m.
Daniel-Constantin Mierla wrote:
On 2/23/11 11:52 AM, Klaus Darilion wrote:
Is there a benefit? Until now I didn't had any issues with @xxx
regards
Klaus
Am 23.02.2011 11:26, schrieb Iñaki Baz Castillo:
To add here:
- the selects can be accessed via pseudo-variables framework, like:
$sel(xxx) instead of @xxx Hi, by reading auth_identity module documentation
I get some doubts:
- The doc examples use things like:
if (@identity) {
t_reply("403", "Invalid Identity header");
drop;
}
What is @identity ??
@xxx is a 'select', see ser's select framework:
5021
days inactive
5021
days old
5 comments
3 participants
participants (3)
-
Daniel-Constantin Mierla -
Iñaki Baz Castillo -
Klaus Darilion