Hi,
On 02/19/2015 12:59 PM, Andres wrote:
We have struggled with this issue ourselves. The problem was that we did not want our SIP server to behave like an open relay. We were seeing that the session-timer Re-Invites have a Request-URI with the IP of the other endpoint instead of the Proxy. If the SIP server is an open relay then no problem, but ours is not, so the config file was very strict and dropped the Re-Invite (since the Request-URI had an external IP), thus dropping the call. The config file could be enhanced by testing for has_totag(), since the Re-Invite has the totag but an original Invite does not, but the hacker could put a bogus totag and make calls, so it's more secure to leave it this way. We ended up disabling session-timers at some of our clients' PBXs. It's always a balancing act between convenience/services and more security. We chose more security.
From a SIP point of view, this is a strange position to take. An "open relay" is an idea that normally applies to the unrestricted relay of _initial_ requests to foreign domains. Requests flowing within a dialog (i.e. loose-routed) are _supposed_ to have an RURI pointing to the endpoint's domain: this is known as the "remote target" of a dialog, and is set by the Contact URI of both dialog parties.
I suppose it's true that one could compel your proxy to relay a sequential request (like a reinvite) to any domain by including a Route header and a To-tag, but what effect would this have on the far-end UA? It would not match the spoofed request to an existing dialog.
-- Alex
--
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
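As an added illustration of the routing split Alex describes (not code from either poster or from the Kamailio project), the following Kamailio-style routing block applies the open-relay domain check only to initial requests, loose-routes in-dialog requests by their Route set regardless of the Request-URI, and goes one step further than the thread by answering Andres's bogus-To-tag concern with a dialog-module check. It assumes the rr, tm, sl, siputils, domain and dialog modules are available, that local domains are configured in the domain module, and that flag 4 is free for dialog tracking.

```cfg
# Added example, not from the thread. Assumed modules and flag value.
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "siputils.so"
loadmodule "domain.so"
loadmodule "dialog.so"

modparam("rr", "enable_full_lr", 1)
modparam("dialog", "dlg_flag", 4)   # flag 4 assumed free for dialog tracking

request_route {
    # In-dialog requests (re-INVITE, BYE, ACK, ...) carry a To-tag.
    # Their Request-URI is the dialog's remote target, i.e. the other
    # endpoint, not this proxy, so it must not be rejected on that basis.
    # Route them by the Route set we inserted with record_route().
    if (has_totag()) {
        if (loose_route()) {
            # A forged To-tag plus a Route header can still land here,
            # so only relay requests that match a dialog we created.
            if (!is_known_dlg()) {
                sl_send_reply("403", "Forbidden");
                exit;
            }
            route(RELAY);
        }
        # To-tag present but no Route pointing at us: we were never
        # in this dialog's path.
        sl_send_reply("404", "Not here");
        exit;
    }

    # Initial requests: this is where the open-relay policy belongs.
    if (is_method("INVITE")) {
        if (!is_domain_local("$rd")) {
            sl_send_reply("403", "Relaying not allowed");
            exit;
        }
        setflag(4);        # let the dialog module track this call
        record_route();    # so in-dialog requests route back through us
    }
    route(RELAY);
}

route[RELAY] {
    if (!t_relay()) sl_reply_error();
    exit;
}
```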
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users