Hello,

the Kamailio approach in the default configuration file is to not trust any pre-loaded Route headers, so it removes all of them via remove_hf("Route").

Practically, it is like: you sent it to me, it is my job now to route it where I want. Preloaded Route headers can be a bit dangerous, especially when having to interconnect with old gateways that trust traffic by ip, without checking other headers/domains.

For example, one type of tricks used in the early days it to put 2 Route headers in the initial INVITE (first proxy, the second the pstn gateway) with R-URI a foreign domain. After loose routing, the target is the pst gateway but the INVITE has a foreign domain not matching myself which can end up being sent directly out via route[SIPOUT] without any additional ACL checks, because the system thought is going to be sent to an external sip provider. Obviously, additional checks or rules can be added in Kamailio config, even catch it with loose_route() return codes, but what I wanted to highlight is that Route headers in initial request must be treated with care and long time ago we decided just to remove them in default config, instead of trying to identify case-specific needs of handling Route headers for initial requests.

If people feel the use cases has changed and there is a need for update, typically before major releases we run a round of asking what should get in the default config.

Cheers,
Daniel

On 04.01.21 15:46, Duarte Rocha wrote:
Greetings,

I'm doing a migration from a opensips system to kamailio one and i'm trying to replicate its functionalities.

The system is a Registrar with a pstn gateway. I noticed that on the opensips version, loose_route() is called on initial requests and it seems to be used to protect against preloaded routes.

However, on the default Kamailio configuration file loose_route() is only called on requests in-dialog and the verification mentioned above is not used.

Why doesn't Kamailio includes this verification? Is there are any security concerns not using it? 

Best Regards,

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla