On 01/07/2009 10:54 AM, Iñaki Baz Castillo wrote:
> 2009/1/7 Jiri Kuthan jiri@iptel.org:
>> there are way too many ways how routing logic can be confused to bypass admission control. poisoning user loc, having a DNS name or ENUM entry to point to a gateway (scripting fails to see it as PSTN target and may skip PSTN ACLs), etc. a good thing to do is to use onsend_route and check if someone is trying to use a gateway whilst a call is not being recognized as to a gateway.
>
> True. I implemented it with OpenSER address blacklists (containing the gateways' IPs). I just disable this blacklist when a call goes to a PSTN (I decide it by examining the RURI). In case a user is registered with a spoofed Contact like: Contact: sip:+12345678@FACKED_DOMAIN_POINTING_TO_GW then a call to this user will be rejected since the resolved destination IP would match the blacklist.

This is falling in the same race as reliability (how many 9es?!?!). Questions like how secure is the service and how accurate is the accounting are answered with the same phrase: how much do you want to invest in?

Probably you will never think of all cases that can occur. Very important is to account for everything that goes on on your platform and be able to recover when local accounting records do not match what you get from your PSTN termination providers. Then you can correlate CDRs and bill the user properly.

Cheers, Daniel
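
The send-time check discussed in this thread, as an added example that is not part of the original messages: a Python model (not OpenSER configuration) in which a request whose resolved destination is a gateway IP is rejected unless the R-URI was classified as a PSTN call. The addresses, domain names, DNS table and PSTN number pattern are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data (documentation address ranges, hypothetical names).
GATEWAY_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
LOCAL_DOMAINS = {"sip.example.net"}
DNS = {  # stand-in for DNS/ENUM resolution results
    "gw1.example.net": "192.0.2.10",
    "pstn-alias.example.org": "192.0.2.11",  # foreign name pointing at a gateway
    "phone.example.com": "198.51.100.7",
}
PSTN_USER = re.compile(r"^\+?[0-9]{6,15}$")      # assumed dial-plan pattern
URI = re.compile(r"^sips?:(?:([^@]+)@)?([^;:>]+)")

def parse(uri):
    """Return (user, host) of a SIP URI; port and parameters are ignored."""
    m = URI.match(uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return m.group(1) or "", m.group(2).lower()

def is_pstn_request(ruri):
    """Script-level classification: numeric user part at a local domain."""
    user, host = parse(ruri)
    return host in LOCAL_DOMAINS and bool(PSTN_USER.match(user))

def resolve(host):
    """IP literal or lookup in the constructed DNS table (KeyError if unknown)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(DNS[host])

def send_decision(ruri, next_hop_uri, pstn_acl_ok):
    """Decide on the resolved destination, as a send-time check would."""
    dst = resolve(parse(next_hop_uri)[1])
    if dst not in GATEWAY_IPS:
        return "relay"
    # Destination is a gateway: only allowed when the script saw a PSTN call.
    if not is_pstn_request(ruri):
        return "reject: gateway reached by non-PSTN route"
    return "relay" if pstn_acl_ok else "reject: PSTN ACL"
```

The decision keys on the resolved IP rather than on the name in the URI, which is why a registered Contact or DNS/ENUM entry pointing at a gateway does not get past it.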