At 11:42 AM 3/15/2004, Klaus Darilion wrote:
Hi!
I've got a small problem and don't know how to solve it best, so I would
appreciate your comments:
I want to allow my ser users to call any IP destination for free and always, but I want to
restrict access to the PSTN. Therefore, I authenticate, account and check if user is in
PSTN group before forwarding to the gateway (local GW or the GW of a PSTN termination
provider).
But, for example, if one of my users calls 1234567@anydomain.com and this domain resolves to
the IP address of the gateway, the request would be forwarded to the gateway, and the GW
would accept the call as it comes from a trusted SIP proxy. How can I prevent this?

There are some techniques you may use to lower the risks by other means
than calling outside.
You may for example authenticate and account all calls to outbound domains
-- this way, only users of your domain will be able to make such calls and
will be accounted for (but group checks are not executed!).
A technique is to split SER in two proxies -- general-purpose proxy and
gateway barrier proxy. The gateway barrier would avoid risky logic such
as DNS resolution and simply do its ACL job.
Another technique an esteemed seruser deployed is to insert a secret prefix
in SER to URIs considered to go to gateway and only accept such at the
gateway. (I haven't given it a try yet, I would have to see if we need
some extra work to mangle the prefix if it appears in gateway's contacts.
Otherwise callers may be tempted to learn and upload or provision such
contacts.)
-jiri
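
The secret-prefix technique from the reply above, modelled as an added example that is not part of the original message and is not SER configuration. The prefix value, domain names, group name and dial-plan pattern are constructed assumptions, and rejecting a caller-supplied prefix is one possible answer to the contact-mangling concern raised in the reply.

```python
import re

# All names and values below are constructed for illustration.
GATEWAY_PREFIX = "x7Qz9"            # secret shared by proxy and gateway only
LOCAL_DOMAIN = "example.org"        # domain served by the proxy
GATEWAY_HOST = "gw.example.org"     # PSTN gateway
PSTN_GROUP = "pstn"                 # group allowed to reach the PSTN
PSTN_NUMBER = re.compile(r"\+?[0-9]{5,15}")  # hypothetical dial plan


def split_uri(uri):
    """Split 'sip:user@host' into (user, host)."""
    m = re.fullmatch(r"sip:([^@;]+)@([^;:>]+)", uri)
    if not m:
        raise ValueError("unsupported URI: " + uri)
    return m.group(1), m.group(2).lower()


def proxy_route(uri, caller_groups):
    """Proxy decision: return (status, uri_to_forward)."""
    user, host = split_uri(uri)
    # A caller must never be able to present the prefix himself.
    if user.startswith(GATEWAY_PREFIX):
        return 403, None
    if host == LOCAL_DOMAIN and PSTN_NUMBER.fullmatch(user):
        if PSTN_GROUP not in caller_groups:
            return 403, None
        # Only this branch, reached after the group check, adds the prefix.
        return 200, "sip:%s%s@%s" % (GATEWAY_PREFIX, user, GATEWAY_HOST)
    # Any other destination is relayed unchanged, wherever it resolves.
    return 200, uri


def gateway_accept(uri):
    """Gateway decision: return the number to dial, or None to reject."""
    user, _host = split_uri(uri)
    if not user.startswith(GATEWAY_PREFIX):
        return None
    return user[len(GATEWAY_PREFIX):]
```

A request for 1234567@anydomain.com is relayed without the prefix, so the gateway refuses it even though it arrives from the trusted proxy.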