Aymeric Moizard wrote:
On Wed, 16 Jan 2008, Klaus Darilion wrote:
Bogdan-Andrei Iancu wrote:
Yes, you can use branch_route to individually inspect each branch. Also you can drop them via "drop" statement.
Or in the first place avoid the bad location entry in the subscriber table - e.g. screen the contact URI before save().
It would be nice to provide some more clues on this.
Hi Aymeric!
SIP is by design buggy: The SIP protocol tells us to save the contact during REGISTER and to use this contact for incoming calls to the respective user. But the contact is user provided - and user provided data should never be trusted without validation (like everybody does with HTTP forms).
A simple example:
    REGISTER sip.antisip.com
    To: sip:klaus3000@sip.antisip.com
    Contact: sip:0043123456@ipaddress.ofthe.pstngatewayof.antisip
Now, incoming calls to klaus3000 will be forwarded to the pstngateway which usually trusts the proxy and establishes the call.
Thus, the proxy should screen the contact. This can be done 2 times: Either during registration (before save()) or while call-routing (after lookup()).
IMO it is best to use both methods. Checking for illegal destinations (like direct addressing of the PSTN gateway or other internal SIP components) can be done using openser's blacklist feature. Define blacklists which will be activated except when the proxy really wants to route the call to the PSTN gateway.
Further, I also screen the contact during registration (actually with openser's blacklist feature this is not really needed anymore - but often you have systems with older openser versions and you might not update) using the permissions module and forbid IP addresses of internal components, the proxy itself and optionally also domains.
Recently there was a similar thread which is IMO worth reading: http://www.openser.org/pipermail/users/2007-December/014853.html and a long explanation from me: http://www.openser.org/pipermail/users/2007-December/014867.html
regards Klaus
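
The registration-time screening described in the message above, sketched in Python as an added example (not part of the original post and not OpenSER configuration). The forbidden addresses and domains, and the names `screen_contact` and `contact_host`, are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample policy: internal components (PSTN gateway, the proxy
# itself, loopback) that must never appear as the host of a registered Contact.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in
                  ("192.0.2.10/32", "192.0.2.20/32", "127.0.0.0/8", "::1/128")]
FORBIDDEN_DOMAINS = ("gw.example.net", "proxy.example.net")

# scheme, optional userinfo, then host (bracketed IPv6 or name/IPv4), optional port
URI_RE = re.compile(
    r"^(?:sips?):(?:[^@]*@)?(\[[0-9A-Fa-f:.]+\]|[^;:?>\s]+)(?::\d+)?", re.I)

def contact_host(contact):
    """Return the lower-cased host of a Contact header value, or None."""
    value = contact.strip()
    m = re.search(r"<([^>]*)>", value)      # name-addr form: "Name" <sip:...>;params
    uri = m.group(1) if m else value.split(";")[0]
    m = URI_RE.match(uri.strip())
    return m.group(1).strip("[]").lower() if m else None

def screen_contact(contact):
    """Return (allowed, reason) for a Contact value offered in a REGISTER."""
    if contact.strip() == "*":
        return True, "wildcard (remove bindings)"
    host = contact_host(contact)
    if host is None:
        return False, "unparsable contact URI"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                          # not an IP literal: treat as hostname
    if addr is not None:
        for net in FORBIDDEN_NETS:
            if addr.version == net.version and addr in net:
                return False, f"contact points at internal address {addr}"
        return True, "ok"
    host = host.rstrip(".")                  # normalise a trailing root dot
    for dom in FORBIDDEN_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return False, f"contact points at internal domain {dom}"
    # A hostname can still resolve to an internal address at call time, which
    # is why the routing-time check after lookup() is needed as well.
    return True, "ok"
```
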