3 Mar
2003
3 Mar
'03
1:11 a.m.
Hi Michael,
This is exactly what I would like to achieve.
I understand the meaning of your pseudo code below, but alas I have not enough
knowledge and skills to transform your pseudo code below into a working
script.
Could you please provide a real example ?
Lasse
Michael_Graff(a)isc.org wrote:
Nils Ohlmeier <nils(a)ohlmeier.de> writes:
A proxy can challenge Invites and Byes, but
should not do this with
external Invites to your local user. Otherwise your your user
wouldn't be reachable from outside.
I implemented something much like this:
if (to me):
if register
www_authorize or fail if not a valid register
done
if claiming to be "From" one of the domains I accept
registrations for
proxy_authorize
done
if not to me (I'm relaying for a local phone to an external address)
proxy_authorize (once again, based on from address)
done
--Michael 
4 Mar
4 Mar
8:05 p.m.
At 12:11 AM 3/3/2003, Lasse Jansson wrote:
Hi Michael,
This is exactly what I would like to achieve.
I understand the meaning of your pseudo code below, but alas I have not enough
knowledge and skills to transform your pseudo code below into a working
script.
Could you please provide a real example ?
You may want to look at the default script and add the "if (to me)" condition.
The "if (to me)" condition can be implemented with 0_8_10 as a brute regexp
search: if (search("(From|f).*mydomain\.com"))
The upcoming release will have specific support to address this issues.
-Jiri
Lasse
Michael_Graff(a)isc.org wrote:
--
Jiri Kuthan http://iptel.org/~jiri/
Nils Ohlmeier <nils(a)ohlmeier.de> writes:
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers A proxy can challenge Invites and Byes, but
should not do this with
external Invites to your local user. Otherwise your your user
wouldn't be reachable from outside.
I implemented something much like this:
if (to me):
if register
www_authorize or fail if not a valid register
done
if claiming to be "From" one of the domains I accept
registrations for
proxy_authorize
done
if not to me (I'm relaying for a local phone to an external address)
proxy_authorize (once again, based on from address)
done
--Michael
11:43 p.m.
Thanks for your answer !
I guess then that the following lines (based on the default script) would work
to implement all of Michael's example ?
Lasse
if (uri=~mydomain.com) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest authentication
if (!www_authorize("mydomain.com", "subscriber")) {
www_challenge("mydomain.com", "1");
break;
};
save("location");
break;
};
# For authenticating requests with methods other than REGISTER
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
} else {
# For authenticating requests to other domains, any method
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
};
};
# forward to current uri now
if (!t_relay()) {
sl_reply_error();
};
On Tuesday 04 March 2003 19.05, Jiri Kuthan wrote:
At 12:11 AM 3/3/2003, Lasse Jansson wrote:
Hi Michael,
This is exactly what I would like to achieve.
I understand the meaning of your pseudo code below, but alas I have not
enough knowledge and skills to transform your pseudo code below into a
working script.
Could you please provide a real example ?
You may want to look at the default script and add the "if (to me)"
condition. The "if (to me)" condition can be implemented with 0_8_10 as a
brute regexp search: if (search("(From|f).*mydomain\.com"))
The upcoming release will have specific support to address this issues.
-Jiri
Lasse
Michael_Graff(a)isc.org wrote:
--
Jiri Kuthan http://iptel.org/~jiri/
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers Nils Ohlmeier <nils(a)ohlmeier.de> writes:
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers A proxy can challenge Invites and Byes, but
should not do this with
external Invites to your local user. Otherwise your your user
wouldn't be reachable from outside.
I implemented something much like this:
if (to me):
if register
www_authorize or fail if not a valid register
done
if claiming to be "From" one of the domains I accept
registrations for
proxy_authorize
done
if not to me (I'm relaying for a local phone to an external address)
proxy_authorize (once again, based on from address)
done
--Michael
5 Mar
5 Mar
3:08 a.m.
At 10:43 PM 3/4/2003, Lasse Jansson wrote:
Thanks for your answer !
I guess then that the following lines (based on the default script) would work
to implement all of Michael's example ?
Lasse
if (uri=~mydomain.com) {
perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems reasonable to
me.
-Jiri
11:10 p.m.
Thanks,
One last question: I guess that if I want my server to offer <forwarding of
requests to other domains> only to authorized users in my domain I should
restrict the last part more, as follows:
# For requests to other domains
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in this
case)
Lasse
On Wednesday 05 March 2003 02.08, Jiri Kuthan wrote:
At 10:43 PM 3/4/2003, Lasse Jansson wrote:
Thanks for your answer !
I guess then that the following lines (based on the default script) would
work to implement all of Michael's example ?
Lasse
if (uri=~mydomain.com) {
perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems reasonable
to me.
-Jiri
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
6 Mar
6 Mar
12:05 a.m.
Lasse,
I see two limitations:
- if you only challenge INVITEs to outside domain, people out of your
domain can call people in your domain and claim shamelessly your domain
name in From, which is then sort of rubberstamped by the proxy; so I think
you can combine challenging based on From along with "anti-spam" policy
"drop invites which have my domain neither in From nor in r-uri"
- if you apply such policies to other requests than BYE, you will run into
troubles, better be permissive about non-INVITEs. See
http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.ht…
-Jiri
At 10:10 PM 3/5/2003, Lasse Jansson wrote:
Thanks,
One last question: I guess that if I want my server to offer <forwarding of
requests to other domains> only to authorized users in my domain I should
restrict the last part more, as follows:
# For requests to other domains
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in this
case)
Lasse
On Wednesday 05 March 2003 02.08, Jiri Kuthan wrote:
> At 10:43 PM 3/4/2003, Lasse Jansson wrote:
> >Thanks for your answer !
> >
> >I guess then that the following lines (based on the default script) would
> > work to implement all of Michael's example ?
> >
> >Lasse
> >
> > if (uri=~mydomain.com) {
>
> perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems
reasonable
> to me.
>
> -Jiri
>
> _______________________________________________
> Serusers mailing list
> serusers(a)lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
--
Jiri Kuthan http://iptel.org/~jiri/
7 Mar
7 Mar
1:49 a.m.
OK, I see what you mean. I think the policy you recommend will do just fine in
order to stop the most obvious types of abuse of a sip server. (If you want
more paranoid "firewalling" you need to know sip really well, and there is
always a risk that you stop legal cases).
Thanks for yor advice. The following script should do the trick then, huh ?
Lasse
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain\.com") {
# Challenge registrations
if (method=="REGISTER") {
if (!www_authorize("mydomain.com", "subscriber")) {
www_challenge("mydomain.com", "1");
break;
};
save("location");
break;
};
# Challenge any other request where the sender has my domain in From
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
# REQUESTS DIRECTED TO OTHER DOMAINS
} else {
# Challenge any request where the sender has my domain in From
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
# Drop INVITE requests where the sender does not have my domain in From
} else {
if (method=="INVITE") {
sl_send_reply("403", "Forbidden");
break;
};
};
};
# forward to current uri now
if (!t_relay()) {
sl_reply_error();
};
On Wednesday 05 March 2003 23.05, Jiri Kuthan wrote:
Lasse,
I see two limitations:
- if you only challenge INVITEs to outside domain, people out of your
domain can call people in your domain and claim shamelessly your domain
name in From, which is then sort of rubberstamped by the proxy; so I
think you can combine challenging based on From along with "anti-spam"
policy "drop invites which have my domain neither in From nor in r-uri" -
if you apply such policies to other requests than BYE, you will run into
troubles, better be permissive about non-INVITEs. See
http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.ht
ml
-Jiri
At 10:10 PM 3/5/2003, Lasse Jansson wrote:
Thanks,
One last question: I guess that if I want my server to offer <forwarding
of requests to other domains> only to authorized users in my domain I
should restrict the last part more, as follows:
# For requests to other domains
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in this
case)
Lasse
On Wednesday 05 March 2003 02.08, Jiri Kuthan wrote:
> At 10:43 PM 3/4/2003, Lasse Jansson wrote:
> >Thanks for your answer !
> >
> >I guess then that the following lines (based on the default script)
> > would work to implement all of Michael's example ?
> >
> >Lasse
> >
> > if (uri=~mydomain.com) {
>
> perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems
> reasonable to me.
>
> -Jiri
>
> _______________________________________________
> Serusers mailing list
> serusers(a)lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
--
Jiri Kuthan http://iptel.org/~jiri/
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
16 Mar
16 Mar
1:01 a.m.
Or perhaps I understand a little bit better now. I think the following script
passage will work better. /Lasse
P.S. To other beginners at SIP: Several clients can't handle the qop parameter
correctly so it is safer to change the "1" to "0" in the challenges.
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain\.com") {
# Challenge registrations
if (method=="REGISTER") {
if (!www_authorize("mydomain.com", "subscriber")) {
www_challenge("mydomain.com", "1");
break;
};
save("location");
break;
};
# Challenge INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
# REQUESTS DIRECTED TO OTHER DOMAINS
} else {
# Challenge any INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com", "subscriber")) {
proxy_challenge("mydomain.com", "1");
break;
};
# Drop INVITE requests where the sender does not have my domain in From
} else {
sl_send_reply("403", "Forbidden");
break;
};
};
};
# forward to current uri now
if (!t_relay()) {
sl_reply_error();
};
On Friday 07 March 2003 00.49, Lasse Jansson wrote:
OK, I see what you mean.
<snip>
> I see two limitations:
> - if you only challenge INVITEs to outside domain, people out of your
> domain can call people in your domain and claim shamelessly your domain
> name in From, which is then sort of rubberstamped by the proxy; so I
> think you can combine challenging based on From along with "anti-spam"
> policy "drop invites which have my domain neither in From nor in r-uri"
> - if you apply such policies to other requests than BYE, you will run into
> troubles, better be permissive about non-INVITEs. See
>
> http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.
>ht ml
>
> -Jiri
>
> At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> >Thanks,
> >
> >One last question: I guess that if I want my server to offer <forwarding
> > of requests to other domains> only to authorized users in my domain I
> > should restrict the last part more, as follows:
> >
> ># For requests to other domains
> > if (!proxy_authorize("mydomain.com",
"subscriber")) {
> > proxy_challenge("mydomain.com",
"1");
> > break;
> > };
> >
> >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> > this case)
> >
> >Lasse
4:19 p.m.
Hello,
On 16-03 00:01, Lasse Jansson wrote:
Or perhaps I understand a little bit better now. I
think the following script
passage will work better. /Lasse
P.S. To other beginners at SIP: Several clients can't handle the qop parameter
correctly so it is safer to change the "1" to "0" in the challenges.
And there were (maybe still are) clients that cannot handle
authentication without qop parameter correctly :-)
Jan.
28 Mar
28 Mar
3:13 p.m.
Looks reasonable to me. My apologies it has taken so long to reply -- I've been
traveling too much.
-Jiri
At 12:01 AM 3/16/2003, Lasse Jansson wrote:
Or perhaps I understand a little bit better now. I
think the following script
passage will work better. /Lasse
P.S. To other beginners at SIP: Several clients can't handle the qop parameter
correctly so it is safer to change the "1" to "0" in the challenges.
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain\.com") {
# Challenge registrations
if (method=="REGISTER") {
if (!www_authorize("mydomain.com",
"subscriber")) {
www_challenge("mydomain.com", "1");
break;
};
save("location");
break;
};
# Challenge INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com",
"subscriber")) {
proxy_challenge("mydomain.com",
"1");
break;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
# REQUESTS DIRECTED TO OTHER DOMAINS
} else {
# Challenge any INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com",
"subscriber")) {
proxy_challenge("mydomain.com",
"1");
break;
};
# Drop INVITE requests where the sender does not have my domain in From
} else {
sl_send_reply("403", "Forbidden");
break;
};
};
};
# forward to current uri now
if (!t_relay()) {
sl_reply_error();
};
On Friday 07 March 2003 00.49, Lasse Jansson wrote:
--
Jiri Kuthan http://iptel.org/~jiri/
OK, I see what you mean.
<snip>
> I see two limitations:
> - if you only challenge INVITEs to outside domain, people out of your
> domain can call people in your domain and claim shamelessly your domain
> name in From, which is then sort of rubberstamped by the proxy; so I
> think you can combine challenging based on From along with "anti-spam"
> policy "drop invites which have my domain neither in From nor in r-uri"
> - if you apply such policies to other requests than BYE, you will run into
> troubles, better be permissive about non-INVITEs. See
>
> http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.
>ht ml
>
> -Jiri
>
> At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> >Thanks,
> >
> >One last question: I guess that if I want my server to offer <forwarding
> > of requests to other domains> only to authorized users in my domain I
> > should restrict the last part more, as follows:
> >
> ># For requests to other domains
> > if (!proxy_authorize("mydomain.com",
"subscriber")) {
> > proxy_challenge("mydomain.com",
"1");
> > break;
> > };
> >
> >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> > this case)
> >
> >Lasse
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
31 Mar
31 Mar
10:04 p.m.
OK, thanks
I've learned something from this thread. I understand the delay in your
answer, and I am anyway impressed by your "mail answering throughput" !
Lasse
On Friday 28 March 2003 14.13, Jiri Kuthan wrote:
Looks reasonable to me. My apologies it has taken so
long to reply -- I've
been traveling too much.
-Jiri
At 12:01 AM 3/16/2003, Lasse Jansson wrote:
Or perhaps I understand a little bit better now. I
think the following
script passage will work better. /Lasse
P.S. To other beginners at SIP: Several clients can't handle the qop
parameter correctly so it is safer to change the "1" to "0" in the
challenges.
# REQUESTS DIRECTED TO MY DOMAIN
if (uri=~"[@:]mydomain\.com") {
# Challenge registrations
if (method=="REGISTER") {
if (!www_authorize("mydomain.com",
"subscriber"))
{ www_challenge("mydomain.com", "1"); break;
};
save("location");
break;
};
# Challenge INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com",
"subscriber")) { proxy_challenge("mydomain.com", "1");
break;
};
};
};
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
break;
};
# REQUESTS DIRECTED TO OTHER DOMAINS
} else {
# Challenge any INVITE request where the sender has my domain in From
if (method=="INVITE") {
if (search("(f|From).*mydomain\.com")) {
if (!proxy_authorize("mydomain.com",
"subscriber")) { proxy_challenge("mydomain.com", "1");
break;
};
# Drop INVITE requests where the sender does not have my domain in From
} else {
sl_send_reply("403", "Forbidden");
break;
};
};
};
# forward to current uri now
if (!t_relay()) {
sl_reply_error();
};
On Friday 07 March 2003 00.49, Lasse Jansson wrote:
--
Jiri Kuthan http://iptel.org/~jiri/
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers OK, I see what you mean.
<snip>
> I see two limitations:
> - if you only challenge INVITEs to outside domain, people out of your
> domain can call people in your domain and claim shamelessly your
> domain name in From, which is then sort of rubberstamped by the proxy;
> so I think you can combine challenging based on From along with
> "anti-spam" policy "drop invites which have my domain neither in
From
> nor in r-uri" - if you apply such policies to other requests than BYE,
> you will run into troubles, better be permissive about non-INVITEs.
> See
>
> http://www.ietf.org/mail-archive/working-groups/sipping/current/msg040
>02. ht ml
>
> -Jiri
>
> At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> >Thanks,
> >
> >One last question: I guess that if I want my server to offer
> > <forwarding of requests to other domains> only to authorized users
> > in my domain I should restrict the last part more, as follows:
> >
> ># For requests to other domains
> > if (!proxy_authorize("mydomain.com",
"subscriber")) {
> > proxy_challenge("mydomain.com",
"1");
> > break;
> > };
> >
> >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in
> > this case)
> >
> >Lasse
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
7907
days inactive
7936
days old
10 comments
3 participants
participants (3)
-
Jan Janak -
Jiri Kuthan -
Lasse Jansson