Hi Eric!
On 11.04.2011 02:09, Eric Hiller wrote:
> As I look and play with loose_route functionality it seems that by simply placing a route: proxyip;lr header in my invite I can bypass any and all security otherwise built into the configuration.
True!
> Is this the way everyone has it?
Hopefully not!
> I have been unable to find any configuration examples online that show how to secure/restrict access to loose_route?
The default configuration of Kamailio 3.1 is safe. (I think the default configurations of older OpenSER releases were unsafe.)
The basic principle is: allow loose routing only for in-dialog requests, and make sure that the UAS (the node where Kamailio forwards the request) rejects in-dialog requests to unknown dialogs (if you use Asterisk, make sure to have pedantic=yes).
Thus: Check for the to-tag. This is how you can distinguish out-of-dialog requests from in-dialog requests. Only if the to-tag is present, call loose_route(). If the to-tag is not present, then do not call loose_route() and reject the request or handle it according to the local routing policies.
regards Klaus
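
The to-tag check described in the reply above, sketched as a Kamailio routing block next to the unguarded pattern from the question. This is an added example, not part of the original message and not Kamailio's shipped default configuration; it assumes the rr, siputils, textops, sl and tm modules are loaded, and the route names WITHINDLG and RELAY are illustrative.

```kamailio
# WEAK (the pattern the question describes): loose_route() is called for
# every request, so a preloaded "Route: <sip:proxyip;lr>" on an initial
# INVITE is accepted and the request is relayed before any other checks.
#
#   route {
#       if (loose_route()) { t_relay(); exit; }
#       ...authentication / permissions...
#   }

# HARDENED: loose routing only for requests that carry a To-tag.
route {
    if (has_totag()) {
        route(WITHINDLG);
        exit;
    }

    # Out-of-dialog request: loose_route() is never called on this path.
    # Strip any preloaded Route set so it is not passed to the next hop.
    remove_hf("Route");
    if (is_method("INVITE|SUBSCRIBE")) {
        record_route();
    }

    # Local policy for initial requests (authentication, ACLs, lookups)
    # belongs here, before anything is relayed.
    route(RELAY);
}

route[WITHINDLG] {
    if (loose_route()) {
        route(RELAY);
        exit;
    }
    if (is_method("ACK")) {
        # ACK for a negative reply carries no Route set; relay it only if
        # it matches a transaction this proxy knows, otherwise discard it.
        if (t_check_trans()) { t_relay(); }
        exit;
    }
    # To-tag present but no usable Route set: not a dialog routed by us.
    sl_send_reply("404", "Not here");
    exit;
}

route[RELAY] {
    if (!t_relay()) { sl_reply_error(); }
    exit;
}
```

A To-tag can be set by any sender, so this guard only keeps Route headers off the initial-request path; the UAS behind the proxy still has to reject in-dialog requests for dialogs it does not know, as noted above.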