On Friday 14 December 2007 11:21:09, Neill Wilkinson wrote:
> Curve ball suggestion:
> Surely just authenticate all register requests with www-challenge. Hide
> your gateway and SER behind a firewall so your Gateway cannot be seen from
> the outside world (from a SIP Signalling perspective), and for PSTN calls
> from authenticated users do a rewritehost and forward to send the INVITEs
> on to the PSTN gateway?

Sorry, but that is not enough; that is the reason I opened this thread.
Of course I do all you say there, but the problem exists if a user sends a
malicious REGISTER indicating in the "Contact" a domain pointing to the gw IP
with a username as PSTN number.

Later, if another user calls the previous one, the proxy will do "lookup" and get
this RURI:

  sip:PSTN_number@gw_domain

The proxy will then send the INVITE there (to its gateway). Of course, no
www-challenge auth is done from proxy to gw, so the gw will accept this call (it
comes from the proxy IP!!!).

Solutions for this have been given by Juha in previous replies.

Regards.
--
Iñaki Baz Castillo
ibc(a)in.ilimit.es
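
A registrar-side check for the case described above, as an added example that is not part of the original message, not SER code, and not necessarily the solution Juha gave: before storing a binding, resolve the host of each Contact URI and refuse it when it lands on the gateway. The gateway address, the host names, the sample REGISTER and the offline lookup table are constructed assumptions, as is the choice to refuse hosts that do not resolve.

```python
import ipaddress
import re

# Assumed deployment values, constructed for this example.
GATEWAY_IPS = {ipaddress.ip_address("192.0.2.10")}
# Constructed stand-in for DNS so the example runs offline.
CONSTRUCTED_DNS = {"gw.example.net": ["192.0.2.10"],
                   "phone.example.org": ["198.51.100.7"]}

# Optional user part, then the host (bracketed IPv6 literal or a name/IPv4).
CONTACT_URI = re.compile(
    r"sips?:(?:(?P<user>[^@>;]+)@)?(?P<host>\[[^\]]+\]|[^:;>\s]+)", re.I)

def resolve(host):
    """Return the addresses for host: an IP literal or a constructed lookup."""
    try:
        return [ipaddress.ip_address(host.strip("[]"))]
    except ValueError:
        return [ipaddress.ip_address(a)
                for a in CONSTRUCTED_DNS.get(host.lower(), [])]

def contact_allowed(contact_value):
    """Return (allowed, reason) for one Contact value of a REGISTER."""
    if contact_value.strip() == "*":
        return True, "wildcard (unregister)"
    m = CONTACT_URI.search(contact_value)
    if not m:
        return False, "unparseable contact"
    addrs = resolve(m.group("host"))
    if not addrs:
        return False, "host does not resolve"  # assumed fail-closed policy
    if any(a in GATEWAY_IPS for a in addrs):
        return False, "contact points at PSTN gateway"
    return True, "ok"

def check_register(message):
    """Check each Contact ('m' in compact form) header of a raw REGISTER."""
    results = []
    for line in message.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):
            # Simplification: display names containing commas are not handled.
            for item in value.split(","):
                results.append((item.strip(),) + contact_allowed(item))
    return results

SAMPLE_REGISTER = (  # constructed message
    "REGISTER sip:example.org SIP/2.0\r\n"
    "To: <sip:mallory@example.org>\r\n"
    "Contact: <sip:0034911234567@gw.example.net>;expires=3600\r\n\r\n")
```

A name that resolves elsewhere at REGISTER time can be repointed at the gateway later, so the same test also has to run on the looked-up RURI before the proxy forwards an INVITE.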