<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>the Kamailio approach in the default configuration file is to not
trust any pre-loaded Route headers, so it removes all of them via
remove_hf("Route").</p>
<p>Practically, it is like: you sent it to me, it is my job now to
route it where I want. Preloaded Route headers can be a bit
dangerous, especially when having to interconnect with old
gateways that trust traffic by ip, without checking other
headers/domains.</p>
<p>For example, one type of tricks used in the early days it to put
2 Route headers in the initial INVITE (first proxy, the second the
pstn gateway) with R-URI a foreign domain. After loose routing,
the target is the pst gateway but the INVITE has a foreign domain
not matching myself which can end up being sent directly out via
route[SIPOUT] without any additional ACL checks, because the
system thought is going to be sent to an external sip provider.
Obviously, additional checks or rules can be added in Kamailio
config, even catch it with loose_route() return codes, but what I
wanted to highlight is that Route headers in initial request must
be treated with care and long time ago we decided just to remove
them in default config, instead of trying to identify
case-specific needs of handling Route headers for initial
requests.</p>
<p>If people feel the use cases has changed and there is a need for
update, typically before major releases we run a round of asking
what should get in the default config. <br>
</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div class="moz-cite-prefix">On 04.01.21 15:46, Duarte Rocha wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAJJHZh+LhCT5=XOAb=_A2RLGkwVfFWP5+7vTibEX5OuzhWghA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Greetings, <br>
<br>
I'm doing a migration from a opensips system to kamailio one and
i'm trying to replicate its functionalities.<br>
<br>
The system is a Registrar with a pstn gateway. I noticed that on
the opensips version, loose_route() is called on initial
requests and it seems to be used to protect against preloaded
routes. <br>
<br>
However, on the default Kamailio configuration file
loose_route() is only called on requests in-dialog and the
verification mentioned above is not used. <br>
<br>
Why doesn't Kamailio includes this verification? Is there are
any security concerns not using it? <br>
<div><br>
</div>
<div>Best Regards,</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
</body>
</html>