On 04/01/2009 01:35 PM, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>> Indeed, there can be an extra check there. Not sure how much protection it adds here. When X calls Y, if the caller is trusted (e.g., an authenticated user, a trusted peer), then the call goes either to a costly resource (PSTN) that is also trusted, to a local user, or to an untrusted destination, in which case you route only if it does not cost you anything. If local users are not trustable and use a "custom UA", then replies can go to the first Via, skipping the rest of the Via stack, ignoring negative replies after 200 OK. Unless there is symmetric NAT and they are forced to use the proxy, the safest will be a B2BUA.
>
> I don't understand how the above relates to the security issue that I brought up. It has nothing to do with cost, but with the possibility of making the UAC send in-dialog requests so that they bypass the proxy. Nasty things documented earlier can happen if that is not prevented.

I meant protection so that the proxy does not lose control of the call. If proper R-R processing according to the specs is avoided by the UA, on purpose or not, it is hard to correct something on the proxy.

>> Say you get a 200 OK to an INVITE with spoofed R-R, should it be dropped?
>
> Definitely yes. There could, for example, be a flag that tells whether the check needs to be done, so that you don't waste resources needlessly if the UAS is trusted.

It is more complex than it looks; the proper ending at that stage will be:
- drop the 200 OK
- send a negative reply upstream
- ACK downstream
- BYE downstream
- catch the 200 OK for the BYE

If you simply drop the 200 OK, there will be retransmissions flowing around.

Cheers,
Daniel
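As an added example (not code from this thread, nor from any SIP proxy project), the following Python shows the check Daniel and Juha are discussing and the teardown sequence Daniel lists: compare the Record-Route set in a 2xx to INVITE with the set the proxy put into the request (RFC 3261 16.6/16.7 oblige the UAS to copy it unchanged), and if it was stripped or rewritten, do not relay the 200 OK upstream but build the downstream ACK and BYE needed to end the dialog, then absorb the 200 OK to that BYE. The proxy URI, the sample INVITE and 200 OK messages, and the choice of 480 as the negative reply upstream are all assumptions made for the example.

```python
# Added example (not from the thread or any project): proxy-side check that the
# Record-Route set inserted into an INVITE comes back unchanged in the 2xx, and
# the downstream ACK/BYE a proxy needs to tear the dialog down instead of merely
# discarding the 200 OK (which only makes the UAS retransmit it until an ACK
# arrives). Proxy URI, sample messages and the 480 code are assumptions.

PROXY_RR = "<sip:proxy.example.com;lr>"   # assumed: the Record-Route URI this proxy inserts


def split_headers(msg):
    """(name, value) pairs from a SIP message's header block. Names are
    lower-cased, the compact form 'rr' is expanded, and comma-separated
    Record-Route values are split into one entry each."""
    head = msg.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # [0] is the request/status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "rr":
            name = "record-route"
        values = value.split(",") if name == "record-route" else [value]
        pairs.extend((name, v.strip()) for v in values)
    return pairs


def header(msg, name):
    """First value of header `name` (lower-case), or None."""
    return next((v for n, v in split_headers(msg) if n == name), None)


def record_route_set(msg):
    return [v for n, v in split_headers(msg) if n == "record-route"]


def route_set_intact(invite, ok200):
    """True when the 2xx carries exactly the Record-Route set the proxy saw on
    the INVITE and that set still contains this proxy; anything else means the
    UAS (or a hop in between) tampered with it."""
    rr = record_route_set(ok200)
    return rr == record_route_set(invite) and PROXY_RR in rr


def in_dialog_request(method, invite, ok200, cseq):
    """ACK or BYE the proxy sends downstream on the caller's behalf (RFC 3261
    12.1.2 / 12.2.1.1): Request-URI is the remote target (Contact of the 2xx),
    Route set is the 2xx's Record-Route list reversed minus this proxy's own
    entry, dialog identifiers come from the INVITE and the 2xx."""
    target = header(ok200, "contact").strip("<>")
    routes = [r for r in reversed(record_route_set(ok200)) if r != PROXY_RR]
    lines = [f"{method} {target} SIP/2.0",
             f"Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK-{method.lower()}-{cseq}"]
    lines += [f"Route: {r}" for r in routes]
    lines += [f"From: {header(invite, 'from')}",
              f"To: {header(ok200, 'to')}",
              f"Call-ID: {header(invite, 'call-id')}",
              f"CSeq: {cseq} {method}",
              "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"


def handle_2xx(invite, ok200):
    """("forward", None) when the route set is intact, otherwise
    ("teardown", [status to send upstream, ACK downstream, BYE downstream]).
    The ACK to a 2xx reuses the INVITE's CSeq number; the BYE takes the next."""
    if route_set_intact(invite, ok200):
        return "forward", None
    cseq = int(header(invite, "cseq").split()[0])
    return "teardown", ["480 Temporarily Unavailable",          # assumed choice of code
                        in_dialog_request("ACK", invite, ok200, cseq),
                        in_dialog_request("BYE", invite, ok200, cseq + 1)]


def is_reply_to_own_bye(resp, bye):
    """The 200 OK to the proxy's own BYE must be absorbed here, not relayed
    upstream: match it on Call-ID and CSeq."""
    return (header(resp, "call-id") == header(bye, "call-id")
            and header(resp, "cseq") == header(bye, "cseq"))


# Constructed sample messages (not captured traffic).
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK-p1\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK-a1\r\n"
          "Record-Route: <sip:proxy.example.com;lr>\r\n"
          "From: <sip:alice@example.com>;tag=a1\r\n"
          "To: <sip:bob@example.com>\r\n"
          "Call-ID: c1@192.0.2.10\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:alice@192.0.2.10>\r\n"
          "Content-Length: 0\r\n\r\n")

def _ok(record_route_line):
    return ("SIP/2.0 200 OK\r\n"
            "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK-p1\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK-a1\r\n"
            + record_route_line +
            "From: <sip:alice@example.com>;tag=a1\r\n"
            "To: <sip:bob@example.com>;tag=b1\r\n"
            "Call-ID: c1@192.0.2.10\r\n"
            "CSeq: 1 INVITE\r\n"
            "Contact: <sip:bob@192.0.2.20>\r\n"
            "Content-Length: 0\r\n\r\n")

OK_GOOD = _ok("Record-Route: <sip:proxy.example.com;lr>\r\n")   # UAS copied R-R as required
OK_SPOOFED = _ok("")                                            # UAS stripped R-R to reach the caller directly

if __name__ == "__main__":
    print(handle_2xx(INVITE, OK_GOOD)[0])
    action, msgs = handle_2xx(INVITE, OK_SPOOFED)
    print(action)
    print(msgs[1], msgs[2], sep="")
```

The comparison is deliberately strict (exact list equality plus presence of the proxy's own entry) rather than a substring search, because a UA that keeps the proxy's entry but appends its own loose-route URI in front of it would still divert in-dialog requests. The `is_reply_to_own_bye` match on Call-ID and CSeq is the "catch the 200 OK for the BYE" step: without it the proxy would relay the BYE's 200 OK upstream to a caller that never sent a BYE.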