Hi, I just wonder if this is according to RFC.
I have a UA (ekiga) which adds a Route:<OBP>;lr in INVITE Is this "legal"?
At least in default scripts, it's being loose routed, and not following normal message processing...
br hw,
Helge Waastad wrote:
Hi, I just wonder if this is according to RFC.
I have a UA (ekiga) which adds a Route:<OBP>;lr in INVITE Is this "legal"?
No "lr" should be an url param and not a route (rr) param. For example:
Route: sip:proxy;lr
It's called a pre-existing route set if the request is sent outside of a dialog. And using a pre-existing route set it the RECOMMENDED way of specifying an outbound proxy. Refer to RFC 3261 section 8.1.1.1.
/Mikael
At least in default scripts, it's being loose routed, and not following normal message processing...
br hw,
Helge Waastad wrote:
Hi, I just wonder if this is according to RFC.
I have a UA (ekiga) which adds a Route:<OBP>;lr in INVITE Is this "legal"?
At least in default scripts, it's being loose routed, and not following normal message processing...
Yes, this is fine. This is a "pre-loaded" route. They work fine in my setup as long as: - the client uses loose routing (this is the case in your scenario) - the proxy known that it is responsible for the host/IP in the Route header (by default these are the IP addresses openser is listening on. For domains they must be specified by alias=....)
e.g. this is not processed in the loose_route block (openser 1.0.0): INVITE sip:klaus@enum.at SIP/2.0 Via: SIP/2.0/UDP 10.10.0.50:5088;rport;branch=z9hG4bK662862690 Route: sip:83.136.32.160;lr From: sip:klaus@enum.at;tag=3909918647 To: sip:klaus@enum.at
regards klaus
Klaus Darilion writes:
- the proxy known that it is responsible for the host/IP in the Route
header (by default these are the IP addresses openser is listening on.
klaus,
how do you test that there is only one route in the predefined route set? if there is more, they could be used to bypass your security checks for the initial request.
-- juha
Juha Heinanen wrote:
Klaus Darilion writes:
- the proxy known that it is responsible for the host/IP in the Route
header (by default these are the IP addresses openser is listening on.
klaus,
how do you test that there is only one route in the predefined route set? if there is more, they could be used to bypass your security checks for the initial request.
I do test for totag in the loose_route section.
regards klaus
Juha Heinanen wrote:
Klaus Darilion writes:
I do test for totag in the loose_route section.
and what do you do if there is no to-tag like in the case of preloaded route set by nokia phones?
Until now I only had the case with exosip (e.g. my SIPTAPI) which puts in the outbound proxy as pre loaded route (enum.at is hosted by ...160 but exosip does not support SRV thus I have to use a pre loaded route with .160 as next hop, although this is main proxy):
INVITE sip:klaus@enum.at SIP/2.0 Via: SIP/2.0/UDP 10.10.0.50:5088;rport;branch=z9hG4bK662862690 Route: sip:83.136.32.160;lr From: sip:klaus@enum.at;tag=3909918647 To: sip:klaus@enum.at
So, there is only 1 route header, without totag.
If this message is processed by loose_route, loose_route recognizes that .160 is itself and thus the loose_route block is not entered but the message is processed like any other request without route header (openser 1.0.0)
regards klaus
Helge Waastad writes:
I have a UA (ekiga) which adds a Route:<OBP>;lr in INVITE Is this "legal"?
i'm pretty sure that rfc3261 allows so called pre-loaded route sets in initial requests, but for security reasons, many proxy configurations deny them. i too found recently that nokia phones, when configured to use sip, add by default a route header pointing to the outbound proxy.
rather that simply rejecting initial requests with pre-loaded route sets, it might be possible to configure the proxy to allow them, but only if there is a single route entry that points to the proxy itself. i haven't had time to think how this could be tested in openser.cfg.
-- juha
Hi, I did modify my (a little-bit confused) loose route to loose route only INVITES/ACK with totags (has_totag). The rest should be going through the normal ACL procedures.
But, could not a request relayed through other proxies also have a to tag aswell? (and then again bypass security?)
br hw
man, 13,.03.2006 kl. 16.20 +0200, skrev Juha Heinanen:
Helge Waastad writes:
I have a UA (ekiga) which adds a Route:<OBP>;lr in INVITE Is this "legal"?
i'm pretty sure that rfc3261 allows so called pre-loaded route sets in initial requests, but for security reasons, many proxy configurations deny them. i too found recently that nokia phones, when configured to use sip, add by default a route header pointing to the outbound proxy.
rather that simply rejecting initial requests with pre-loaded route sets, it might be possible to configure the proxy to allow them, but only if there is a single route entry that points to the proxy itself. i haven't had time to think how this could be tested in openser.cfg.
-- juha
Helge Waastad writes:
I did modify my (a little-bit confused) loose route to loose route only INVITES/ACK with totags (has_totag). The rest should be going through the normal ACL procedures.
that won't help you with phones line nokia, which add Route header to INITIAL request (which never have To tags).
-- juha
by default, loose_route() function detects the pre-loaded route: if there is only one Route hdr pointing to the server, it will be consumed and loose_route() will return false. If more than one Route hdr is present, the routing will be done as usual - function will consume the Route and set the destination to the next Route - true is returned.
regards, bogdan
Juha Heinanen wrote:
Helge Waastad writes:
I did modify my (a little-bit confused) loose route to loose route only INVITES/ACK with totags (has_totag). The rest should be going through the normal ACL procedures.
that won't help you with phones line nokia, which add Route header to INITIAL request (which never have To tags).
-- juha
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hi, excellent. Now I at least understood my problem.
I will have a loose_route problem in a "dispatcher/OBP scenario" since the route header will not be the proxy it self, but the OBP/Dispatcher address, hence a routing loop will occure... (Probably Loose routing should be done at OBP layer...I just have to figure it out.)
Thanks,
br hw
man, 13,.03.2006 kl. 17.35 +0200, skrev Bogdan-Andrei Iancu:
by default, loose_route() function detects the pre-loaded route: if there is only one Route hdr pointing to the server, it will be consumed and loose_route() will return false. If more than one Route hdr is present, the routing will be done as usual - function will consume the Route and set the destination to the next Route - true is returned.
regards, bogdan
Juha Heinanen wrote:
Helge Waastad writes:
I did modify my (a little-bit confused) loose route to loose route only INVITES/ACK with totags (has_totag). The rest should be going through the normal ACL procedures.
that won't help you with phones line nokia, which add Route header to INITIAL request (which never have To tags).
-- juha
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Helge Waastad wrote:
Hi, excellent. Now I at least understood my problem.
I will have a loose_route problem in a "dispatcher/OBP scenario" since the route header will not be the proxy it self, but the OBP/Dispatcher address, hence a routing loop will occure... (Probably Loose routing should be done at OBP layer...I just have to figure it out.)
The the OBP is addressed using a pre-loaded route, it should remove the Route header and forward it to the main proxy. Maybe the problem is the route header:
Route:<OBP>;lr
Is the OBP really inside <> or is this just your formatting?
klaus
Thanks,
br hw
man, 13,.03.2006 kl. 17.35 +0200, skrev Bogdan-Andrei Iancu:
by default, loose_route() function detects the pre-loaded route: if there is only one Route hdr pointing to the server, it will be consumed and loose_route() will return false. If more than one Route hdr is present, the routing will be done as usual - function will consume the Route and set the destination to the next Route - true is returned.
regards, bogdan
Juha Heinanen wrote:
Helge Waastad writes:
I did modify my (a little-bit confused) loose route to loose route only INVITES/ACK with totags (has_totag). The rest should be going through the normal ACL procedures.
that won't help you with phones line nokia, which add Route header to INITIAL request (which never have To tags).
-- juha
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hi, sorry about that: (I know I'm not always RFC compliant myself ;-) )
Route: sip:xxx.xxx.xxx.xxx:5060;lr
man, 13,.03.2006 kl. 17.17 +0100, skrev Klaus Darilion:
Helge Waastad wrote:
Hi, excellent. Now I at least understood my problem.
I will have a loose_route problem in a "dispatcher/OBP scenario" since the route header will not be the proxy it self, but the OBP/Dispatcher address, hence a routing loop will occure... (Probably Loose routing should be done at OBP layer...I just have to figure it out.)
The the OBP is addressed using a pre-loaded route, it should remove the Route header and forward it to the main proxy. Maybe the problem is the route header:
Route:<OBP>;lr
Is the OBP really inside <> or is this just your formatting?
klaus
Thanks,
br hw
man, 13,.03.2006 kl. 17.35 +0200, skrev Bogdan-Andrei Iancu:
by default, loose_route() function detects the pre-loaded route: if there is only one Route hdr pointing to the server, it will be consumed and loose_route() will return false. If more than one Route hdr is present, the routing will be done as usual - function will consume the Route and set the destination to the next Route - true is returned.
regards, bogdan
Juha Heinanen wrote:
Helge Waastad writes:
I did modify my (a little-bit confused) loose route to loose route only INVITES/ACK with totags (has_totag). The rest should be going through the normal ACL procedures.
that won't help you with phones line nokia, which add Route header to INITIAL request (which never have To tags).
-- juha
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Bogdan-Andrei Iancu writes:
by default, loose_route() function detects the pre-loaded route: if there is only one Route hdr pointing to the server, it will be consumed and loose_route() will return false. If more than one Route hdr is present, the routing will be done as usual - function will consume the Route and set the destination to the next Route - true is returned.
great and thanks for the explanation. currently, rel_1_0_0 README only says:
The function performs loose routing as defined in RFC3261. See the RFC3261 for more details.
This function can be used from REQUEST_ROUTE.
Example 1-6. loose_route usage ... loose_route();
i.e., it doesn't explain what loose_route() returns and when.
-- juha
-
Bogdan-Andrei Iancu -
Helge Waastad -
Juha Heinanen -
Klaus Darilion -
Mikael Magnusson