Dear Sirs,
being new to SIP and OpenSer, I have read the SIP introduction and Admin's Guide, but there still is an issue that I could not find information about.
I would like to set up a SIP infrastructure made of many UAs and one SIP proxy (OpenSer). I want to bypass any NAT configuration so that I will use UAs with STUN support and mediaproxy module on OpenSer; I will perform billing (accounting) on the SIP proxy, so I will use record route on OpenSer.
I want to make sure that my accounting will *never* be bypassed. This seems quite difficult because the fields 'Contact' and 'Via' contain the real address of the UA (or the translated one in case of NAT configuration) and the SIP header will be forwarded to the other UA. Sniffing the network for SIP packets, any user will be able to know the real address of the UA and make direct call bypassing the SIP proxy.
How could I secure this situation, avoiding to forward Contact and Via fields containing the real UA address? I was thinking if it is possible to replace UA address with SIP proxy address, or would I break any protocol rule?
Thank you in advance!! Best regards,
Hi Marco,
Marco Meinardi wrote:
> Dear Sirs,
> being new to SIP and OpenSer, I have read the SIP introduction and Admin's Guide, but there still is an issue that I could not find information about.
> I would like to set up a SIP infrastructure made of many UAs and one SIP proxy (OpenSer). I want to bypass any NAT configuration so that I will use UAs with STUN support and mediaproxy module on OpenSer; I will perform billing (accounting) on the SIP proxy, so I will use record route on OpenSer.
> I want to make sure that my accounting will *never* be bypassed. This seems quite difficult because the fields 'Contact' and 'Via' contain the real address of the UA (or the translated one in case of NAT configuration) and the SIP header will be forwarded to the other UA. Sniffing the network for SIP packets, any user will be able to know the real address of the UA and make direct call bypassing the SIP proxy.
indeed, sequential request may by-pass proxies on the path (even if RR was used). For fixed entities like GWs, you can avoid this by configuring the GW to accept requests only from your proxy (which will act as a border controller for your domain). Even if a client will try to send directly to GW, it will be blocked.
> How could I secure this situation, avoiding to forward Contact and Via fields containing the real UA address? I was thinking if it is possible to replace UA address with SIP proxy address, or would I break any protocol rule?
there is no such support for the moment. VIA and Contact are key routing elements and playing with them might get things broken. also you have to consider that contact is a per-dialog information and if you change it, you need to remember the original value across the entire dialog.
regards, bogdan
Dear Bogdan,
thanks for your clear reply.
> indeed, sequential request may by-pass proxies on the path (even if RR was used). For fixed entities like GWs, you can avoid this by configuring the GW to accept requests only from your proxy (which will act as a border controller for your domain). Even if a client will try to send directly to GW, it will be blocked.
This is clear for securing PSTN access, but I would like to set up a SIP proxy that can totally hide UAs identities, even using an RTP proxy for proxying also all RTP streams (I am aware of bandwidth requirements and performance limitation), regardless of whether they are NATed hosts or not.
> there is no such support for the moment. VIA and Contact are key routing elements and playing with them might get things broken. also you have to consider that contact is a per-dialog information and if you change it, you need to remember the original value across the entire dialog.
So I understand that it is not possible to prevent real UAs address contacts from being forwarded to far end users. If you confirm this, do you think of any workaround?
Thanks a lot in advance and kindest regards.
Marco
Bogdan-Andrei Iancu wrote:
> Hi Marco,
> Marco Meinardi wrote:
>> Dear Sirs,
>> being new to SIP and OpenSer, I have read the SIP introduction and Admin's Guide, but there still is an issue that I could not find information about.
>> I would like to set up a SIP infrastructure made of many UAs and one SIP proxy (OpenSer). I want to bypass any NAT configuration so that I will use UAs with STUN support and mediaproxy module on OpenSer; I will perform billing (accounting) on the SIP proxy, so I will use record route on OpenSer.
>> I want to make sure that my accounting will *never* be bypassed. This seems quite difficult because the fields 'Contact' and 'Via' contain the real address of the UA (or the translated one in case of NAT configuration) and the SIP header will be forwarded to the other UA. Sniffing the network for SIP packets, any user will be able to know the real address of the UA and make direct call bypassing the SIP proxy.
> indeed, sequential request may by-pass proxies on the path (even if RR was used). For fixed entities like GWs, you can avoid this by configuring the GW to accept requests only from your proxy (which will act as a border controller for your domain). Even if a client will try to send directly to GW, it will be blocked.
>> How could I secure this situation, avoiding to forward Contact and Via fields containing the real UA address? I was thinking if it is possible to replace UA address with SIP proxy address, or would I break any protocol rule?
> there is no such support for the moment. VIA and Contact are key routing elements and playing with them might get things broken. also you have to consider that contact is a per-dialog information and if you change it, you need to remember the original value across the entire dialog.
> regards, bogdan
Hi Marco,
Marco Meinardi wrote:
>> there is no such support for the moment. VIA and Contact are key routing elements and playing with them might get things broken. also you have to consider that contact is a per-dialog information and if you change it, you need to remember the original value across the entire dialog.
> So I understand that it is not possible to prevent real UAs address contacts from being forwarded to far end users. If you confirm this, do you think of any workaround?
currently you cannot do it - neither for VIA, nor for Contact and RR/Route.
but in the future, with quite some development, it might be possible. For example the dialog module may offer a good support for Contact and RR/Route hiding since it offers dialog persistence.
regards, bogdan
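The per-dialog bookkeeping discussed in this thread, sketched as an added example (it is not OpenSER code and not written by any poster): a proxy that hides a UA's Contact must keep a mapping for the lifetime of the dialog so that later in-dialog requests can be routed back to the real address. The class `ContactHider`, the helper `bye_for`, the proxy address and the sample messages are all hypothetical, and the sketch covers Contact only, not Via or Record-Route.

```python
import re
import secrets

PROXY = "proxy.example.net:5060"  # assumed proxy address (placeholder)
CONTACT_RE = re.compile(r"^Contact:\s*<?(sip:[^>;\s]+)", re.I | re.M)
CALLID_RE = re.compile(r"^Call-ID:\s*(\S+)", re.I | re.M)
TOKEN_RE = re.compile(r"sip:([0-9a-f]{16})@" + re.escape(PROXY) + r"$")

class ContactHider:
    """Hypothetical per-dialog store: opaque token -> (Call-ID, real Contact)."""

    def __init__(self):
        self.dialogs = {}

    def mask(self, msg):
        """Replace the UA's Contact URI with a proxy URI before forwarding."""
        contact = CONTACT_RE.search(msg)
        if contact is None:
            return msg
        token = secrets.token_hex(8)
        self.dialogs[token] = (CALLID_RE.search(msg).group(1), contact.group(1))
        return msg[:contact.start(1)] + f"sip:{token}@{PROXY}" + msg[contact.end(1):]

    def unmask(self, msg):
        """Restore the real Request-URI of an in-dialog request, or None."""
        start_line, rest = msg.split("\r\n", 1)
        method, ruri, version = start_line.split(" ")
        hit = TOKEN_RE.match(ruri)
        entry = self.dialogs.get(hit.group(1)) if hit else None
        if entry is None or entry[0] != CALLID_RE.search(msg).group(1):
            return None  # unknown or ended dialog: nothing to route to
        return f"{method} {entry[1]} {version}\r\n{rest}"

    def end_dialog(self, call_id):
        """Forget the mapping once the dialog is over (after BYE)."""
        self.dialogs = {t: e for t, e in self.dialogs.items() if e[0] != call_id}

# Constructed sample message (address taken from a documentation range).
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "Contact: <sip:alice@192.0.2.10:5060>\r\n\r\n")

def bye_for(masked_invite, call_id="a84b4c76e66710"):
    """Build the far end's BYE, addressed to the Contact it was shown."""
    target = CONTACT_RE.search(masked_invite).group(1)
    return f"BYE {target} SIP/2.0\r\nCall-ID: {call_id}\r\n\r\n"

if __name__ == "__main__":
    hider = ContactHider()
    shown = hider.mask(INVITE)
    print(shown, hider.unmask(bye_for(shown)), sep="")
```

If the mapping is lost or dropped before the dialog ends, the far end's BYE or re-INVITE can no longer be delivered, which is why the rewrite needs dialog persistence rather than a stateless header edit.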