Trunk. 1.5 branch will be created when 1.5 is released (sometime
in February)
klaus
Thanks
Luciano
On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
> Hello,
>
> thanks Klaus and Victor for details.
>
> With kamailio 1.5 this can be solved in another way, pretty easy --
> allow users to call only from registered devices.
>
> Check here the example 2:
>
> http://openser.blogspot.com/2008/10/registrar-enhancements.html
>
> The condition can be extended so that you match the received (source
> IP)/contact in INVITE with the contact in location record.
>
> So guys, start testing 1.5, it does have a lot of cool new features:
>
> http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
>
> Cheers,
> Daniel
>
> On 01/15/2009 12:00 PM, Klaus Darilion wrote:
>> Hi!
>>
>> For those who are interested in this attack - I have attached the
>> relevant slides from my SIP security lectures.
>>
>> regards
>> Klaus
>>
>> PS: an exploit based on sipp scenario files is available too on
>> request (for educational purposes :-)
>>
>>
>>
>> Klaus Darilion wrote:
>>> IIRC to solve this issue completely the UAC should never send
>>> credentials to unknown parties - only to its SIP proxy (some clients
>>> have a "force outbound proxy" feature which does the same). Then the
>>> SIP proxy can remove credentials before forwarding to other parties.
>>>
>>> As soon as a client sends messages (with credentials) directly to
>>> other parties there is nothing you can do on the proxy side.
>>>
>>> regards
>>> klaus
>>>
>>> Victor Pascual Ávila wrote:
>>>> Hi,
>>>> excuse me if this message is not directly related to Kamailio.
>>>>
>>>> I'm just wondering if folks could share with me if (and how) they have
>>>> prevented the "SIP Digest Access Authentication RELAY" in their
>>>> networks (and what worked for them or not).
>>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>>> to use outbound proxies while others might be reducing the attack
>>>> incentives by means of message integrity.
>>>>
>>>> Any comment would be appreciated,
>>> _______________________________________________
>>> Kamailio (OpenSER) - Users mailing list
>>> Users(a)lists.kamailio.org
>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
> --
> Daniel-Constantin Mierla
> http://www.asipto.com
>
>
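
The two proxy-side measures discussed in this thread (accepting an INVITE only when its source address and Contact match a binding in the location record, and removing credentials before forwarding) as an added Python example; it is not Kamailio configuration and not code from any poster. The location table, the sample INVITE and all function names are constructed for illustration.

```python
# Added example: models two proxy-side checks from the thread.
# LOCATION, SAMPLE_INVITE and every function name here are constructed.
import re

# Constructed location table: AoR -> [(received source "ip:port", contact URI)]
LOCATION = {
    "sip:alice@example.test": [("198.51.100.7:5060", "sip:alice@198.51.100.7:5060")],
}
CRED_HEADERS = ("authorization", "proxy-authorization")

SAMPLE_INVITE = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:alice@example.test>;tag=1\r\n"
    "To: <sip:bob@example.test>\r\n"
    "Contact: <sip:alice@198.51.100.7:5060>\r\n"
    'Proxy-Authorization: Digest username="alice", realm="example.test",\r\n'
    ' nonce="constructed", uri="sip:bob@example.test", response="00"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def headers(msg):
    """Return [(name, value)] with folded continuation lines joined."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    out = []
    for line in head:
        if line[:1] in (" ", "\t") and out:      # folded header line
            out[-1] = (out[-1][0], out[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            out.append((name.strip(), value.strip()))
    return out

def from_registered_device(msg, src):
    """True only if src and Contact match a binding of the From AoR."""
    h = {n.lower(): v for n, v in headers(msg)}
    aor = re.search(r"<([^>]+)>", h.get("from", ""))
    contact = re.search(r"<([^>]+)>", h.get("contact", ""))
    if not aor or not contact:
        return False
    return (src, contact.group(1)) in LOCATION.get(aor.group(1), [])

def strip_credentials(msg):
    """Drop Authorization / Proxy-Authorization before relaying downstream."""
    start, rest = msg.split("\r\n", 1)
    _, _, body = rest.partition("\r\n\r\n")
    kept = [f"{n}: {v}" for n, v in headers(msg) if n.lower() not in CRED_HEADERS]
    return "\r\n".join([start] + kept) + "\r\n\r\n" + body
```

Folded headers are joined before filtering so that a credential header split across lines is removed whole rather than leaving its continuation line behind.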