(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in the request. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.
Hope I convinced you!
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
On Wed, 16 Jan 2008, Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 13:44:10 A.smith wrote:
If I try and use the whole example cfg (not just the route) I am recieving an error like:
0(23448) find_cmd_export_t: <lookup> not found 0(23448) parse error (105,23-24): unknown command, missing loadmodule?
"lookup()" is defined in "registrar" module that you are not loading: http://www.openser.org/docs/modules/1.2.x/registrar.html#AEN342
-- Iñaki Baz Castillo ibc@in.ilimit.es
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in the request. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.Hope I convinced you!
Yes ;)
So the question here is why OpenSer is replying 407. But it's so strange...
Hi Aymeric,
could you describe the message flow (requests and replies)? I understand you do parallel forking to 2 clients that return 5xx replies, but where the 407 comes from??
regards, bogdan
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in the request. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.Hope I convinced you!
Yes ;)
So the question here is why OpenSer is replying 407. But it's so strange...
On Wed, 16 Jan 2008, Bogdan-Andrei Iancu wrote:
Hi Aymeric,
could you describe the message flow (requests and replies)? I understand you do parallel forking to 2 clients that return 5xx replies, but where the 407 comes from??
I was about to send the capture:
http://antisip.antisip.com/publish-issue.pcap
Put the filter "sip contains 77622" to view the incoming transaction + the 2 outgoing transactions. 2 501 are received and one 407 is sent back. There is no incoming 407 that comes to openser.
I have to admit that the call flow is strange, because my openser forwards the PUBLISH sent by a user to himself. (I don't have presence server) The second strange thing is that the same softphone is registred twice on the same IP... However, this demonstrates the issue.
In case, there is only ONE binding for the user, the 501 is forwarded correctly...
To reproduce the error: My softphone: http://sip.antisip.com/download/emansip-setup/emansip-setup-v411-rc10.exe Create an account first on: http://sip.antisip.com/
I'm currently modifying my softphone to send 405, hoping that will fix the issue... However, it would still be nice to solve it.
tks for your effort, Aymeric
regards, bogdan
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in the request. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.Hope I convinced you!
Yes ;)
So the question here is why OpenSer is replying 407. But it's so strange...
I guess somehow the message gets looped to the proxy again:
Take a look at the topmost Via header of the relayed PUBLISH. At the end you see .1 and .2. This measn the .1 branch and the .2 branch. Where is the .0 branch?
I guess it is lopped back to openser (via loopback interface) and is rejected with 407.
Try "ngrep -d any" or "tcpdump -i any" to see loopback too!
regards klaus
Aymeric Moizard schrieb:
On Wed, 16 Jan 2008, Bogdan-Andrei Iancu wrote:
Hi Aymeric,
could you describe the message flow (requests and replies)? I understand you do parallel forking to 2 clients that return 5xx replies, but where the 407 comes from??
I was about to send the capture:
http://antisip.antisip.com/publish-issue.pcap
Put the filter "sip contains 77622" to view the incoming transaction + the 2 outgoing transactions. 2 501 are received and one 407 is sent back. There is no incoming 407 that comes to openser.
I have to admit that the call flow is strange, because my openser forwards the PUBLISH sent by a user to himself. (I don't have presence server) The second strange thing is that the same softphone is registred twice on the same IP... However, this demonstrates the issue.
In case, there is only ONE binding for the user, the 501 is forwarded correctly...
To reproduce the error: My softphone: http://sip.antisip.com/download/emansip-setup/emansip-setup-v411-rc10.exe Create an account first on: http://sip.antisip.com/
I'm currently modifying my softphone to send 405, hoping that will fix the issue... However, it would still be nice to solve it.
tks for your effort, Aymeric
regards, bogdan
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in therequest. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.
Hope I convinced you!
Yes ;)
So the question here is why OpenSer is replying 407. But it's so strange...
I agree - the branch 0 is missing (only 1 and 2 show up in the trace), so it must be on the lo.....
regards, bogdan
Klaus Darilion wrote:
I guess somehow the message gets looped to the proxy again:
Take a look at the topmost Via header of the relayed PUBLISH. At the end you see .1 and .2. This measn the .1 branch and the .2 branch. Where is the .0 branch?
I guess it is lopped back to openser (via loopback interface) and is rejected with 407.
Try "ngrep -d any" or "tcpdump -i any" to see loopback too!
regards klaus
Aymeric Moizard schrieb:
On Wed, 16 Jan 2008, Bogdan-Andrei Iancu wrote:
Hi Aymeric,
could you describe the message flow (requests and replies)? I understand you do parallel forking to 2 clients that return 5xx replies, but where the 407 comes from??
I was about to send the capture:
http://antisip.antisip.com/publish-issue.pcap
Put the filter "sip contains 77622" to view the incoming transaction + the 2 outgoing transactions. 2 501 are received and one 407 is sent back. There is no incoming 407 that comes to openser.
I have to admit that the call flow is strange, because my openser forwards the PUBLISH sent by a user to himself. (I don't have presence server) The second strange thing is that the same softphone is registred twice on the same IP... However, this demonstrates the issue.
In case, there is only ONE binding for the user, the 501 is forwarded correctly...
To reproduce the error: My softphone: http://sip.antisip.com/download/emansip-setup/emansip-setup-v411-rc10.exe
Create an account first on: http://sip.antisip.com/
I'm currently modifying my softphone to send 405, hoping that will fix the issue... However, it would still be nice to solve it.
tks for your effort, Aymeric
regards, bogdan
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to thevalue of the sequence number in the CSeq header field value in the request. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.
Hope I convinced you!
Yes ;)
So the question here is why OpenSer is replying 407. But it's so strange...
On Wednesday 16 January 2008 16:27:57 Bogdan-Andrei Iancu wrote:
I agree - the branch 0 is missing (only 1 and 2 show up in the trace), so it must be on the lo.....
Maybe he could do a "ngrep" capture with "-i any" option.
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 16:27:57 Bogdan-Andrei Iancu wrote:
I agree - the branch 0 is missing (only 1 and 2 show up in the trace), so it must be on the lo.....
Maybe he could do a "ngrep" capture with "-i any" option.
ngrep: -d tcpdump: -i
regards klaus
On Wednesday 16 January 2008 20:13:03 Klaus Darilion wrote:
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 16:27:57 Bogdan-Andrei Iancu wrote:
I agree - the branch 0 is missing (only 1 and 2 show up in the trace), so it must be on the lo.....
Maybe he could do a "ngrep" capture with "-i any" option.
ngrep: -d tcpdump: -i
Yes thanks ;)
On Wed, 16 Jan 2008, Klaus Darilion wrote:
I guess somehow the message gets looped to the proxy again:
Take a look at the topmost Via header of the relayed PUBLISH. At the end you see .1 and .2. This measn the .1 branch and the .2 branch. Where is the .0 branch?
I guess it is lopped back to openser (via loopback interface) and is rejected with 407.
Try "ngrep -d any" or "tcpdump -i any" to see loopback too!
Right! There was a 3rd binding "sip:xxx@sip.antisip.com" targetted to an undefined user...
Any hint how to workaround this case? I suppose I might be able to detect this situation inside my "branch" routing script?
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
regards klaus
Aymeric Moizard schrieb:
On Wed, 16 Jan 2008, Bogdan-Andrei Iancu wrote:
Hi Aymeric,
could you describe the message flow (requests and replies)? I understand you do parallel forking to 2 clients that return 5xx replies, but where the 407 comes from??
I was about to send the capture:
http://antisip.antisip.com/publish-issue.pcap
Put the filter "sip contains 77622" to view the incoming transaction + the 2 outgoing transactions. 2 501 are received and one 407 is sent back. There is no incoming 407 that comes to openser.
I have to admit that the call flow is strange, because my openser forwards the PUBLISH sent by a user to himself. (I don't have presence server) The second strange thing is that the same softphone is registred twice on the same IP... However, this demonstrates the issue.
In case, there is only ONE binding for the user, the 501 is forwarded correctly...
To reproduce the error: My softphone: http://sip.antisip.com/download/emansip-setup/emansip-setup-v411-rc10.exe Create an account first on: http://sip.antisip.com/
I'm currently modifying my softphone to send 405, hoping that will fix the issue... However, it would still be nice to solve it.
tks for your effort, Aymeric
regards, bogdan
Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in therequest. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.
Hope I convinced you!
Yes ;)
So the question here is why OpenSer is replying 407. But it's so strange...
Yes, you can use branch_route to individually inspect each branch. Also you can drop them via "drop" statement.
Regards, Bogdan
Aymeric Moizard wrote:
On Wed, 16 Jan 2008, Klaus Darilion wrote:
I guess somehow the message gets looped to the proxy again:
Take a look at the topmost Via header of the relayed PUBLISH. At the end you see .1 and .2. This measn the .1 branch and the .2 branch. Where is the .0 branch?
I guess it is lopped back to openser (via loopback interface) and is rejected with 407.
Try "ngrep -d any" or "tcpdump -i any" to see loopback too!
Right! There was a 3rd binding "sip:xxx@sip.antisip.com" targetted to an undefined user...
Any hint how to workaround this case? I suppose I might be able to detect this situation inside my "branch" routing script?
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
Bogdan-Andrei Iancu wrote:
Yes, you can use branch_route to individually inspect each branch. Also you can drop them via "drop" statement.
Or in first place avoid the bad location entry in subscriber table - e.g. screen the contact URI before save().
regards klaus
On Wed, 16 Jan 2008, Klaus Darilion wrote:
Bogdan-Andrei Iancu wrote:
Yes, you can use branch_route to individually inspect each branch. Also you can drop them via "drop" statement.
Or in first place avoid the bad location entry in subscriber table - e.g. screen the contact URI before save().
Would be nice to provide some more clue on this.
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
regards klaus
Aymeric Moizard schrieb:
On Wed, 16 Jan 2008, Klaus Darilion wrote:
Bogdan-Andrei Iancu wrote:
Yes, you can use branch_route to individually inspect each branch. Also you can drop them via "drop" statement.
Or in first place avoid the bad location entry in subscriber table - e.g. screen the contact URI before save().
Would be nice to provide some more clue on this.
Hi Aymeric!
SIP is by design buggy: The SIP protocol tells us to save the contact during REGISTER and to use this contact for incoming calls to the respective user. But the contact is user provided - and user provided data should never be trusted without validation (like everybody does with HTTP forms).
A simple example:
REGISTER sip.antisip.com To: sip:klaus3000@sip.antisip.com Contact: sip:0043123456@ipaddress.ofthe.pstngatewayof.antisip
Now, incoming calls to klaus3000 will be forwarded to the pstngateway which usually trusts the proxy and establishes the call.
Thus, the proxy should screen the contact. This can be done 2 times: Either during registration (before save()) or while call-routing (after lookup().
IMO it is best to both methods. Checking for illegal destinations (like direct addressing of the PSTN gateway or other internal SIP components) can be done using openser's blacklist feature. Define blacklists which will be activated except the proxy really wants to route the call to the PSTN gateway.
Further, I also screen the contact during registration (actually with openser's blacklist feature this is not really needed anymore - but often you have system with older openser versions and you might not update) using the permissions module and forbid IP addresses of internal components, the proxy itself and optional also domains.
Recently there was a similar thread which is IMO worth reading: http://www.openser.org/pipermail/users/2007-December/014853.html and long explanation from me: http://www.openser.org/pipermail/users/2007-December/014867.html
regards Klaus
On Thursday 17 January 2008 09:14:35 Klaus Darilion wrote:
SIP is by design buggy: The SIP protocol tells us to save the contact during REGISTER and to use this contact for incoming calls to the respective user. But the contact is user provided
I understant what you mean, but sincerely, I can't imagine how a registrar could validate user provided "Contact". Yes, it can forbid some IP's or domains (see comment below anyway) but how a registrar can know that the "Contact" header belongs or not to the device sending the REGISTER?
Another design option wolud be use internal and trusted data for the "Contact" isntead of user provided, but how does it make sense?
The only solution I see could be forzing a convention for the "Contact" URI:
AoR = user@domain.com --> Contact = user_domain.com@any_IP
So if the registrar receives a REGISTER for AoR "user@domain.com" containing a "Contact" different that "user_domain.com@any_IP" it should reject it.
A convention with just username part: AoR = user@domain.com --> Contact = user@any_IP wouldn't be so strong since it doesn't avoid flood in case of multidomain.
But of course, forcing this convention should be done at RFC3261 (IMHO).
Further, I also screen the contact during registration (actually with openser's blacklist feature this is not really needed anymore - but often you have system with older openser versions and you might not update) using the permissions module and forbid IP addresses of internal components, the proxy itself and optional also domains.
In this point, remember that forbiding some IP addresses in "register.deny" is not useful at all since a malicious user can set a public domain pointing to that internal IP and set a "Contact: sip:pstn_number@domain_hacker.com".
As you said, a solution is forbidding domain names in "Contact" (but not very RFC3261 compliant).
The best is reading the thread you pointed i nwhich you and others gave very good solutions and explanations for this serious problem.
Regards.
On Thursday 17 January 2008 10:10:46 Iñaki Baz Castillo wrote:
wouldn't be so strong since it doesn't avoid flood in case of multidomain.
"flood???"
Sorry, my dog was typing for me and he must learn a lot still. I meant "flood".
Iñaki Baz Castillo schrieb:
On Thursday 17 January 2008 09:14:35 Klaus Darilion wrote:
SIP is by design buggy: The SIP protocol tells us to save the contact during REGISTER and to use this contact for incoming calls to the respective user. But the contact is user provided
I understant what you mean, but sincerely, I can't imagine how a registrar could validate user provided "Contact". Yes, it can forbid some IP's or domains (see comment below anyway) but how a registrar can know that the "Contact" header belongs or not to the device sending the REGISTER?
Yes. You can not validate every IP address - but you can deny known fake IP addresses (the IP addresses of internal components).
Further, you could use fix_nated_register for each clients (which of course breaks communication with asymmetric clients (Cisco phones+pix) but this is spoofable (unless src_IP will be used for nonce calculation.)
klaus
Another design option wolud be use internal and trusted data for the "Contact" isntead of user provided, but how does it make sense?
The only solution I see could be forzing a convention for the "Contact" URI:
AoR = user@domain.com --> Contact = user_domain.com@any_IP
So if the registrar receives a REGISTER for AoR "user@domain.com" containing a "Contact" different that "user_domain.com@any_IP" it should reject it.
A convention with just username part: AoR = user@domain.com --> Contact = user@any_IP wouldn't be so strong since it doesn't avoid flood in case of multidomain.
But of course, forcing this convention should be done at RFC3261 (IMHO).
Further, I also screen the contact during registration (actually with openser's blacklist feature this is not really needed anymore - but often you have system with older openser versions and you might not update) using the permissions module and forbid IP addresses of internal components, the proxy itself and optional also domains.
In this point, remember that forbiding some IP addresses in "register.deny" is not useful at all since a malicious user can set a public domain pointing to that internal IP and set a "Contact: sip:pstn_number@domain_hacker.com".
As you said, a solution is forbidding domain names in "Contact" (but not very RFC3261 compliant).
The best is reading the thread you pointed i nwhich you and others gave very good solutions and explanations for this serious problem.
Regards.
I'm trying the permissions module as you advised but can't make it work.
At first, I only installed register.allow and register.deny and have only used allow_register().
It was not working and magically work after installing empty "permissions.allow" and "permissions.deny" files...
May be you might fix this! Anyway, it's working now.
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
On Wed, 16 Jan 2008, Iñaki Baz Castillo wrote:
On Wednesday 16 January 2008 14:58:22 Aymeric Moizard wrote:
(sorry: just repost to follow correct thread/subjet)
I just found another example from rfc3261 where an endpoint will use 5xx class answer:
12.2.2 UAS Behavior
Page 76:
If the remote sequence number is empty, it MUST be set to the value of the sequence number in the CSeq header field value in the request. If the remote sequence number was not empty, but the sequence number of the request is lower than the remote sequence number, the request is out of order and MUST be rejected with a 500 (Server Internal Error) response.Hope I convinced you!
Yes ;)
Very good point!
So the question here is why OpenSer is replying 407. But it's so strange...
I agree. I rechecked my configuration but my configuration definitly not modify a possible forked answer into a "challenge" operation.
I've grepped in the code for "407", "proxy_challenge", challenge calls, but none seems to be possibly called in my case. Although I don't know much about openser internal code and I'm still not able to find where the "best response selection" is made.
Although, openser don't use one of the "to" tag from the 501 into the 407... It's not required, but might help to find out where in the code the issue might happen.
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
-- Iñaki Baz Castillo ibc@in.ilimit.es
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
I've grepped in the code for "407", "proxy_challenge", challenge calls, but none seems to be possibly called in my case. Although I don't know much about openser internal code and I'm still not able to find where the "best response selection" is made.
I would seriously recommend logging all decisions you take in the config file using x_log(), so you can follow a transaction in the logfile. By default the logfile is filled with mostly what OpenSER is doing, while the "why" is much, much more interesting.
On Wed, 16 Jan 2008, Andreas Sikkema wrote:
I've grepped in the code for "407", "proxy_challenge", challenge calls, but none seems to be possibly called in my case. Although I don't know much about openser internal code and I'm still not able to find where the "best response selection" is made.
I would seriously recommend logging all decisions you take in the config file using x_log(), so you can follow a transaction in the logfile. By default the logfile is filled with mostly what OpenSER is doing, while the "why" is much, much more interesting.
In my openser configuration, I have a xlog() call before EVERY sl_send_reply. The last executed script to handle the PUBLISH is:
if (!t_relay()) { sl_reply_error(); };
I got "t_on_branch("2");" which does contains only code to handle media relay and exit.
So, I'm looking for the why ;)
Any advise?
tks, Aymeric MOIZARD / ANTISIP amsip - http://www.antisip.com osip2 - http://www.osip.org eXosip2 - http://savannah.nongnu.org/projects/exosip/
-- Andreas Sikkema
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
-
Andreas Sikkema -
Aymeric Moizard -
Bogdan-Andrei Iancu -
Iñaki Baz Castillo -
Klaus Darilion