Hello,
I remember having read somewhere that the 'ser.cfg' file used at 'iptel.org' can be downloaded somewhere in order to be used as an example for many of the functionalities ser offers. Unfortunately I can't remember where I read this, nor did I find it on the ftp server... :(
Is this config file still available for download?
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
The only way the two requests differ is that the one using the outbound proxy uses a record-route
I have attached the ngrep logfile; if anyone can explain this behaviour to me, I'd be glad.
regards, felix
At 09:30 PM 9/7/2003, Felix Schmid wrote:
Hello,
I remember having read somewhere that the 'ser.cfg' file used at 'iptel.org' can be downloaded somewhere in order to be used as an example for many of the functionalities ser offers. Unfortunately I can't remember where I read this, nor did I find it on the ftp server... :(
Is this config file still available for download?
There is no such 8.11 iptel config file available.
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
I hope that's easy to explain. We deny requests with private-IP addresses in their contact header field. Such requests can't be followed up by subsequent requests -- private IP addresses make subsequent conversation non-routable. We better deny and tell you it would break rather than let it break later.
We except cases in which record-route was applied as we assume that record-routing is used in a smart way to get subsequent requests over NATs.
The only way the two requests differ is that the one using the outbound proxy uses a record-route
That's exactly the point.
-Jiri
Jiri,
I am aware of the reason why private Contacts make no sense. What was confusing me is that, in the record-route-header, my PRIVATE ip-address is quoted (not my dialup address) as shown in the ngrep-dump I attached. That's why I was interested in the config you are using at iptel.org. You are saying that there is no such one for 8.11 - what about 8.10? Is this still available?
regards, felix
On Sun, 2003-09-07 at 21:58, Jiri Kuthan wrote:
At 09:30 PM 9/7/2003, Felix Schmid wrote:
Hello,
I remember having read somewhere that the 'ser.cfg' file used at 'iptel.org' can be downloaded somewhere in order to be used as an example for many of the functionalities ser offers. Unfortunately I can't remember where I read this, nor did I find it on the ftp server... :(
Is this config file still available for download?
There is no such 8.11 iptel config file available.
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
I hope that's easy to explain. We deny requests with private-IP addresses in their contact header field. Such requests can't be followed up by subsequent requests -- private IP addresses make subsequent conversation non-routable. We better deny and tell you it would break rather than let it break later.
We except cases in which record-route was applied as we assume that record-routing is used in a smart way to get subsequent requests over NATs.
The only way the two requests differ is that the one using the outbound proxy uses a record-route
That's exactly the point.
-Jiri
On Sunday 07 September 2003 21:58, Jiri Kuthan wrote:
At 09:30 PM 9/7/2003, Felix Schmid wrote:
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
I hope that's easy to explain. We deny requests with private-IP addresses in their contact header field. Such requests can't be followed up by subsequent requests -- private IP addresses make subsequent conversation non-routable. We better deny and tell you it would break rather than let it break later.
We except cases in which record-route was applied as we assume that record-routing is used in a smart way to get subsequent requests over NATs.
But his record-route entries are broken too. So we should fix our config to protect us from guys like Felix ;-)
Felix: maybe you should try 'mhomed=yes' in your config to get correct record-route and via headers in the requests which pass your gateway.
Greetings Nils
On 07-09 22:07, Nils Ohlmeier wrote:
But his record-route entries are broken too. So we should fix our config to protect us from guys like Felix ;-)
We do not check what is in Record-Route, only Contacts are checked. Checking for private IPs in Record-Route is more complicated because private IPs in Record-Route are legal under some circumstances.
Jan.
On Sun, 2003-09-07 at 22:07, Nils Ohlmeier wrote:
On Sunday 07 September 2003 21:58, Jiri Kuthan wrote:
At 09:30 PM 9/7/2003, Felix Schmid wrote:
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
I hope that's easy to explain. We deny requests with private-IP addresses in their contact header field. Such requests can't be followed up by subsequent requests -- private IP addresses make subsequent conversation non-routable. We better deny and tell you it would break rather than let it break later.
We except cases in which record-route was applied as we assume that record-routing is used in a smart way to get subsequent requests over NATs.
But his record-route entries are broken too. So we should fix our config to protect us from guys like Felix ;-)
Don't tell me you don't like FreeBSD users...
Felix: maybe you should try 'mhomed=yes' in your config to get correct record-route and via headers in the requests which pass your gateway.
Yes this worked!! Now the requests show the dialup ip in the record-route header. Thanks! Btw., is this option explained in user guide?
cheers, felix
Greetings Nils
On Sunday 07 September 2003 22:22, Felix Schmid wrote:
On Sun, 2003-09-07 at 22:07, Nils Ohlmeier wrote:
But his record-route entries are broken too. So we should fix our config to protect us from guys like Felix ;-)
Don't tell me you don't like FreeBSD users...
No, we simply do not like NAT (and the pain in the a** we get from its usage).
Felix: maybe you should try 'mhomed=yes' in your config to get correct record-route and via headers in the requests which pass your gateway.
Yes this worked!! Now the requests show the dialup ip in the record-route header. Thanks! Btw., is this option explained in user guide?
Not yet, AFAIK. The documentation is not up-to-date with the release. Volunteers are welcome :-)
Greets Nils
On Sun, 2003-09-07 at 22:27, Nils Ohlmeier wrote:
On Sunday 07 September 2003 22:22, Felix Schmid wrote:
On Sun, 2003-09-07 at 22:07, Nils Ohlmeier wrote:
But his record-route entries are broken too. So we should fix our config to protect us from guys like Felix ;-)
Don't tell me you don't like FreeBSD users...
No, we simply do not like NAT (and the pain in the a** we get from its usage).
...and I am beginning to do so too. I guess I will have to give siproxd another try..:(
Felix: maybe you should try 'mhomed=yes' in your config to get correct record-route and via headers in the requests which pass your gateway.
Yes this worked!! Now the requests show the dialup ip in the record-route header. Thanks! Btw., is this option explained in user guide?
Not yet, AFAIK. The documentation is not up-to-date with the release. Volunteers are welcome :-)
So what exactly does 'mhomed' stand for? - I have already spotted loooots of typos in the docs :) What's the appreciated procedure to submit them? diffs?
Greets Nils
At 10:33 PM 9/7/2003, Felix Schmid wrote:
No, we simply do not like NAT (and the pain in the a** we get from its usage).
...and I am beginning to do so too. I guess I will have to give siproxd another try..:(
Getting the SIP part done is not so hard. If you sit at the NAT with SER, you can use record-routing and mhomed, then SIP will pass. The hard part is however media. In general, I like using less-invasive NAT traversal methods such as STUN better today, but not every telephone supports it.
So what exactly does 'mhomed' stand for? - I have already spotted loooots of typos in the docs :) What's the appreciated procedure to submit them? diffs?
Diffs are very welcome.
-Jiri
At 10:22 PM 9/7/2003, Felix Schmid wrote:
Felix: maybe you should try 'mhomed=yes' in your config to get correct record-route and via headers in the requests which pass your gateway.
Yes this worked!! Now the requests show the dialup ip in the record-route header. Thanks! Btw., is this option explained in user guide?
Very briefly -- some people think it is a terrible hack, they are right to a certain extent and that's why the feature hasn't gotten too much publicity. What it does is it uses kernel's IP routing in an esthetically questionable way to determine outbound IP address.
-jiri
Hello, comments inline.
On 07-09 21:30, Felix Schmid wrote:
Hello,
I remember having read somewhere that the 'ser.cfg' file used at 'iptel.org' can be downloaded somewhere in order to be used as an example for many of the functionalities ser offers. Unfortunately I can't remember where I read this, nor did I find it on the ftp server... :(
Is this config file still available for download?
No, unfortunately it is not available anymore.
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
The only way the two requests differ is that the one using the outbound proxy uses a record-route
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
And now why you get different response when you use a record-routing proxy.
If a SIP message contains Record-Route header field then we do not check what is in the Contact, because the server will not use the header field anyway. Further messages will be sent to the URI in the Record-Route. Inserting a private IP into Contact is perfectly legal in this case because the record routing proxy might be in a private address space and probably knows how to route such requests.
If there is no Record-Route then our proxy uses Contact to route further requests and thus it checks if the URI in the Contact is reachable.
Jan.
On Sun, 2003-09-07 at 22:04, Jan Janak wrote:
Hello, comments inline.
On 07-09 21:30, Felix Schmid wrote:
Hello,
I remember having read somewhere that the 'ser.cfg' file used at 'iptel.org' can be downloaded somewhere in order to be used as an example for many of the functionalities ser offers. Unfortunately I can't remember where I read this, nor did I find it on the ftp server... :(
Is this config file still available for download?
No, unfortunately it is not available anymore.
I am mainly asking because I am looking for an answer for the following phenomenon: I have SER running on my home network (on the gateway). When I try to send an IM to my account at iptel.org using kphone and I use my gateway SER as an outbound proxy, everything runs smoothly; I get a message back from iptel.org that the IM will be delivered to me as soon as I login the next time (what will not happen until I solved the NAT problem ;)). Now, when I try the same without using my gateway as an outbound proxy, I get the beloved message from iptel.org that it doesn't like my private Contact address.
The only way the two requests differ is that the one using the outbound proxy uses a record-route
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
Damn! I was expecting this! This will take away the last working piece from my setup :( Now I won't even be able to send IM's to myself to read them later using the webfrontend :-)
And now why you get different response when you use a record-routing proxy.
If a SIP message contains Record-Route header field then we do not check what is in the Contact, because the server will not use the header field anyway. Further messages will be sent to the URI in the Record-Route. Inserting a private IP into Contact is perfectly legal in this case because the record routing proxy might be in a private address space and probably knows how to route such requests.
As I have just posted in another mail - the record-route shows my private ip-address. ??
If there is no Record-Route then our proxy uses Contact to route further requests and thus it checks if the URI in the Contact is reachable.
Thanks for the explanation - the config file would still have some educational value.
cheers felix
Jan.
On 07-09 22:12, Felix Schmid wrote:
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
Damn! I was expecting this! This will take away the last working piece from my setup :( Now I won't even be able to send IM's to myself to read them later using the webfrontend :-)
No, you will, I wrote it shouldn't check, that means MESSAGEs with private IPs in Contacts should be accepted.
And now why you get different response when you use a record-routing proxy.
If a SIP message contains Record-Route header field then we do not check what is in the Contact, because the server will not use the header field anyway. Further messages will be sent to the URI in the Record-Route. Inserting a private IP into Contact is perfectly legal in this case because the record routing proxy might be in a private address space and probably knows how to route such requests.
As I have just posted in another mail - the record-route shows my private ip-address. ??
As I have just posted in another mail :-), we don't check what's in Record-Route (even if we should).
Jan.
At 10:04 PM 9/7/2003, Jan Janak wrote:
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
I beg to disagree. There are elderly implementations which use contacts in MESSAGE, and if they include non-routable IP addresses, subsequent conversation may be broken.
-jiri
On 07-09 22:14, Jiri Kuthan wrote:
At 10:04 PM 9/7/2003, Jan Janak wrote:
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
I beg to disagree. There are elderly implementations which use contacts in MESSAGE, and if they include non-routable IP addresses, subsequent conversation may be broken.
What implementations use Contacts in MESSAGEs ? Anyway, I think the condition is too general. We should check REGISTER, INVITE, and SUBSCRIBE only (ok and MESSAGE too in this case).
Jan.
At 10:30 PM 9/7/2003, Jan Janak wrote:
On 07-09 22:14, Jiri Kuthan wrote:
At 10:04 PM 9/7/2003, Jan Janak wrote:
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
I beg to disagree. There are elderly implementations which use contacts in MESSAGE, and if they include non-routable IP addresses, subsequent conversation may be broken.
What implementations use Contacts in MESSAGEs ?
The most widely used messaging software, guess which it is :)
Anyway, I think the condition is too general. We should check REGISTER, INVITE, and SUBSCRIBE only (ok and MESSAGE too in this case).
Why?
-jiri
On 07-09 22:57, Jiri Kuthan wrote:
At 10:30 PM 9/7/2003, Jan Janak wrote:
On 07-09 22:14, Jiri Kuthan wrote:
At 10:04 PM 9/7/2003, Jan Janak wrote:
This is a bug in our configuration because Contact header field shouldn't be checked in MESSAGEs. We will fix it, thanks.
I beg to disagree. There are elderly implementations which use contacts in MESSAGE, and if they include non-routable IP addresses, subsequent conversation may be broken.
What implementations use Contacts in MESSAGEs ?
The most widely used messaging software, guess which it is :)
Anyway, I think the condition is too general. We should check REGISTER, INVITE, and SUBSCRIBE only (ok and MESSAGE too in this case).
Why?
Because it makes sense only for requests that create a dialog. Other requests may contain Contacts too (I don't know why, but think about MS Messenger) and I wouldn't restrict what can be put in there.
For example, what should happen if the server receives a NOTIFY containing a private IP in Contact ? The current config will refuse it.
Jan.
At 11:09 PM 9/7/2003, Jan Janak wrote:
Because it makes sense only for requests that create a dialog. Other requests may contain Contacts too (I don't know why, but think about MS Messenger) and I wouldn't restrict what can be put in there.
It is exactly the "keep-pace-with-SIP-extensions" argument which makes me believe that we should stick to what we are doing. Whatever request is used (FOOBAR), if it bears a private IP address in Contact, it asks its peer to send something there, which is a mistake. I don't see a case in which non-routable contact is useful, unless overridden by RR-ing.
For example, what should happen if the server receives a NOTIFY containing a private IP in Contact ? The current config will refuse it.
Which is correct, imho.
-jiri
On 07-09 23:45, Jiri Kuthan wrote:
At 11:09 PM 9/7/2003, Jan Janak wrote:
Because it makes sense only for requests that create a dialog. Other requests may contain Contacts too (I don't know why, but think about MS Messenger) and I wouldn't restrict what can be put in there.
It is exactly the "keep-pace-with-SIP-extensions" argument which makes me believe that we should stick to what we are doing. Whatever request is used (FOOBAR), if it bears a private IP address in Contact, it asks its peer to send something there, which is a mistake. I don't see a case in which non-routable contact is useful, unless overridden by RR-ing.
For example, what should happen if the server receives a NOTIFY containing a private IP in Contact ? The current config will refuse it.
Which is correct, imho.
Well, I was thinking mostly about broken implementations that put Contact into messages which don't use it. IMHO we shouldn't reject them.
Jan.
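The acceptance rule debated in this thread, as an added example that is not part of any message above and is not the iptel.org ser.cfg: a request is refused for a private Contact unless it carries Record-Route, and the optional method set models the narrower scope Jan proposes. The function names, the RFC 1918-only definition of "private", and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges; a literal Contact host inside them is unreachable from the public side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Host part of a sip:/sips: URI, with an optional user@ in front.
URI_HOST = re.compile(r"sips?:(?:[^@\s<>;,]+@)?([^\s:;<>,?]+)", re.I)
COMPACT = {"m": "contact"}  # SIP compact header form for Contact

def parse(raw):
    """Return (method, headers); headers maps lower-case name -> list of values."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:       # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    return method, headers

def private_hosts(values):
    """Hosts in the given header values that are literal RFC 1918 addresses."""
    found = []
    for value in values:
        for host in URI_HOST.findall(value):
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue                            # hostname: cannot judge without DNS
            if any(addr in net for net in RFC1918):
                found.append(host)
    return found

def check_request(raw, checked_methods=None):
    """Return (accepted, note). checked_methods=None applies the check to every method."""
    method, headers = parse(raw)
    if checked_methods is not None and method not in checked_methods:
        return True, "method not checked"
    if headers.get("record-route"):
        # Contact is skipped; private Record-Route hosts are reported, not refused.
        rr = private_hosts(headers["record-route"])
        return True, "record-routed" + (", private Record-Route: " + ",".join(rr) if rr else "")
    bad = private_hosts(headers.get("contact", []))
    if bad:
        return False, "private Contact: " + ",".join(bad)
    return True, "ok"

# Constructed sample requests (not taken from the ngrep dump mentioned in the thread).
DIRECT = ("MESSAGE sip:felix@iptel.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.0.10:5060\r\n"
          "Contact: <sip:felix@192.168.0.10:5060>\r\n"
          "Content-Length: 0\r\n\r\n")
VIA_PROXY = DIRECT.replace("Contact:", "Record-Route: <sip:192.168.0.1;lr>\r\nContact:")
NOTIFY = DIRECT.replace("MESSAGE", "NOTIFY", 1)
DIALOG_METHODS = {"REGISTER", "INVITE", "SUBSCRIBE", "MESSAGE"}

if __name__ == "__main__":
    for name, req in (("direct", DIRECT), ("via proxy", VIA_PROXY), ("notify", NOTIFY)):
        print(name, check_request(req), check_request(req, DIALOG_METHODS))
```

The record-routed sample is accepted even though its Record-Route host is private, which is the situation that `mhomed=yes` on the gateway corrected in the thread; the note field makes that case visible for logging.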