Curve ball suggestion:
Surely just authenticate all register requests with www-challenge. Hide your gateway and SER behind a firewall so your Gateway cannot be seen from the outside world (from a SIP Signalling perspective), and for PSTN calls from authenticated users do a rewritehost and forward to send the INVITEs on to the PSTN gateway?
Neill....;o)
-----Original Message-----
From: users-bounces@lists.openser.org [mailto:users-bounces@lists.openser.org] On Behalf Of Juha Heinanen
Sent: 14 December 2007 10:05
To: Iñaki Baz Castillo
Cc: users@lists.openser.org
Subject: Re: [OpenSER-Users] Security hole in REGISTER's Contact using domain
Iñaki Baz Castillo writes:
- buy pstn gws that accept no hostnames (just its own ip address) in
the hostpart of r-uri. example, cisco ios with later software releases.
So really isn't there solution just in OpenSer-Registrar side??
this is registrar solution. you use permissions module and don't accept registrations where ip address in hostpart of contact belongs to your gws.
- forget the hostpart check all together and instead check the userpart, where you have put something special that the gw then removes.
So you mean for example:
register.deny:
ALL : "^sip:.*secret_word_.*@"
And later, in any call to PSTN OpenSer should add:
$ru = "secret_word_" + $ru;
you can use lcr module to add the prefix.
so the uri arriving to the gw becomes:
sip:secret_word_01666555444@gw_ip_or_hostname
And the gw should just allow calls from OpenSer with uri username beginning with "secret_word_" and it should strip it.
that is correct, but the prefix does not need to be secret, just something that doesn't normally appear in userparts.
Is this what you mean? anyway, a little complex, isn't it? XDD
why do you think it is complex? one row in register.deny and one strip at the gateway.
-- juha
_______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
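
The userpart-prefix scheme discussed in this thread, as an added Python example (not code from any poster or from OpenSER): it models the register.deny row, the prefix added on the PSTN route, and the check-and-strip at the gateway. Function names and sample URIs are constructed for illustration; in a deployment these steps live in the permissions module, the lcr module and the gateway's own configuration.

```python
import re

# Marker from the thread; it only has to be a string that never
# appears in real userparts, it does not need to be secret.
PREFIX = "secret_word_"
# Same pattern as the register.deny row quoted in the thread.
DENY_CONTACT = re.compile(r"^sip:.*secret_word_.*@")
USERPART = re.compile(r"^sip:([^@;]+)@")


def registrar_accepts(contact_uri):
    """Registrar: refuse any Contact that already carries the marker."""
    return DENY_CONTACT.search(contact_uri) is None


def proxy_to_gateway(ruri, gw_host):
    """Proxy, PSTN route only: prefix the userpart, target the gateway."""
    m = USERPART.match(ruri)
    if not m:
        raise ValueError("R-URI has no userpart: " + ruri)
    return "sip:%s%s@%s" % (PREFIX, m.group(1), gw_host)


def gateway_accepts(ruri):
    """Gateway: return the number with the marker stripped, or None."""
    m = USERPART.match(ruri)
    if not m or not m.group(1).startswith(PREFIX):
        return None
    return m.group(1)[len(PREFIX):]


if __name__ == "__main__":
    # Constructed samples. gw.example.net stands for a hostname that
    # resolves to the gateway, which an IP-based hostpart check misses.
    for contact in ("sip:alice@192.0.2.10:5060",
                    "sip:01666555444@gw.example.net",
                    "sip:secret_word_01666555444@gw.example.net"):
        print("REGISTER", contact, "->",
              "accept" if registrar_accepts(contact) else "deny")

    # A request relayed to a registered Contact never gets the marker,
    # so the gateway refuses it even though registration succeeded.
    print("relayed to contact ->",
          gateway_accepts("sip:01666555444@gw.example.net"))

    # A call sent through the PSTN route carries the marker.
    out = proxy_to_gateway("sip:01666555444@proxy.example.net",
                           "gw_ip_or_hostname")
    print(out, "->", gateway_accepts(out))
```
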