Max Bowsher wrote:
I've been looking at the possibility of using OpenSER as an
ingress/egress gateway, mediating access between the internet at large,
and a private network containing amongst other things SIP servers
through which a call may be routed to provide services such as IVR and
call archiving, but which should otherwise be hidden from the outside world.
I'm finding two interlinked problems:
(1) The internal layout of the network is revealed in Via headers - OK,
so this is somewhat intrinsic in SIP, and not really OpenSER's fault,
but....
For topology hiding you need a B2BUA (back-to-back user agent).
(2) ... If an inbound SIP request has Route headers, loose_route()
pretty much sends it wherever the requester asks. There are admonitions
in the OpenSER docs about the need to secure loose_route(), but there's
no information I can find on how you should do this. In particular, a
simple authorization scheme is not good enough - just because someone
should be allowed to place calls through the gateway, doesn't mean it
should be allowed absolute control over the routing of the request, or
they could use information gleaned from Via headers of previous
transactions to add or bypass routing steps within the private network
at will.
At first: do not allow loose route for out-of-dialog requests.
Second: usually in-dialog requests just get routed, as the client
should reject the request if it is a faked in-dialog request.
Nevertheless - YES - it is possible to send messages to internal SIP
servers by finding out the IP address and spoofing Route headers. Thus,
either the internal components must be secure on their own or you have
to use a B2BUA to hide them.
regards
klaus
Is it possible to securely use OpenSER on a security boundary? If so, how?
Max.
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
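The following openser.cfg fragment is an added example written for this page; it is not Klaus's configuration and not part of the OpenSER distribution. It shows the shape of routing block the reply argues against (calling loose_route() on every request) next to the form the reply recommends, where loose_route() is honoured only for in-dialog requests, and an out-of-dialog request that arrives with a pre-loaded Route set is refused instead of being forwarded where the sender asks. Assumptions: an OpenSER 1.x-style config with a route[RELAY] block defined elsewhere, the textops module loaded for is_present_hf(), the xlog module loaded for logging, and has_totag() available (a core function in OpenSER 1.x). Rejecting the pre-loaded Route with a 403 rather than silently ignoring it is a choice made here so that such attempts show up in the proxy log.

```cfg
# Added example, not from the thread or the OpenSER project.
# Assumes: route[RELAY] defined elsewhere, textops and xlog modules loaded.

route {
    # ---- WEAK: the shape criticised in the thread -------------------------
    # if (loose_route()) {
    #     route(RELAY);
    # }
    # Calling loose_route() on every request lets an out-of-dialog INVITE
    # carry a Route set chosen by the sender, so the proxy forwards it to
    # whatever host the Route header names, including hosts the sender
    # learned from Via headers of earlier transactions.

    # ---- HARDENED: honour Route only inside an established dialog ---------
    if (has_totag()) {
        # Sequential request within a dialog: its Route set was built from
        # our own record_route() on the initial request, so loose routing
        # is expected here. The far end rejects forged in-dialog requests
        # itself because the dialog identifiers will not match.
        if (loose_route()) {
            route(RELAY);
        } else {
            sl_send_reply("404", "Not here");
        }
        exit;
    }

    # Out-of-dialog request (no To tag). The sender must not choose the
    # path, so a pre-loaded Route set is refused and logged rather than
    # being followed or silently dropped.
    if (is_present_hf("Route")) {
        xlog("L_WARN", "rejecting out-of-dialog $rm with pre-loaded Route from $si\n");
        sl_send_reply("403", "Pre-loaded Route not allowed");
        exit;
    }

    # From here on the path is decided by the proxy's own logic
    # (authentication, lookup, static forwarding to the private SIP
    # servers), never by headers under the caller's control.
    record_route();
    route(RELAY);
}
```

With this split, an outside party can still reach an internal server whose address it already knows by sending a forged in-dialog request, which is the residual risk the reply points at: that request will be loose-routed, and only the internal server's own dialog matching stands in the way, so the internal components must be secure on their own or sit behind a B2BUA.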