[OpenSER-Devel] [ openser-Patches-1671611 ] nathelper: udpping_from (forged udpping source_ip)

SourceForge.net noreply at sourceforge.net
Mon Sep 24 15:13:55 CEST 2007


Patches item #1671611, was opened at 2007-03-01 11:59
Message generated for change (Comment added) made by marcushunger
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1671611&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
Status: Open
Resolution: Accepted
Priority: 5
Private: No
Submitted By: Marcus Hunger (marcushunger)
Assigned to: Bogdan (bogdan_iancu)
Summary: nathelper: udpping_from (forged udpping source_ip)

Initial Comment:
Hi,

For some load-balancing setups it might be interesting to spoof the natping's source IP on multiple hosts so the pings would appear to come from the same host. I created a patch for that. It uses raw sockets and works for me on Linux.

I am not sure how portable this approach is, so some people might have a look at this to get it running on platforms other than Linux.

Best regards,
Marcus

----------------------------------------------------------------------

>Comment By: Marcus Hunger (marcushunger)
Date: 2007-09-24 15:13

Message:
Logged In: YES 
user_id=1704473
Originator: YES

Hi,

I did not implement raw sockets for SIP pings because I assumed that using
loose routing instead and going through the proxies would be a bit more
SIP-like.

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-09-14 20:55

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Marcus,

Most of the patch you submitted was applied - the only thing that was held
back is the "udpping_from_path" functionality.

But I have a question for you:

Why is the raw socket not used for sending the SIP pings, but only the
UDP pings? I know that is quite a strange outcome, as the signalling will
not be symmetric anymore and it might screw up the NAT even more...

----------------------------------------------------------------------

Comment By: Marcus Hunger (marcushunger)
Date: 2007-06-26 12:22

Message:
Logged In: YES 
user_id=1704473
Originator: YES

File Added: natping_bugfix.patch

----------------------------------------------------------------------

Comment By: Marcus Hunger (marcushunger)
Date: 2007-06-13 10:14

Message:
Logged In: YES 
user_id=1704473
Originator: YES

Hi,
I updated the patch. Now it enables the nathelper to select the source IP
from the last Path element, so if you have different load balancers in front
of your proxy, natpings are sent with their IP. Set udpping_from_path to 1
to use it. Also, this patch allows you to send sipping packets following the
contact's Path (as suggested in
http://openser.org/pipermail/devel/2006-March/002143.html).

The patch is against branch 1.2. 


File Added: natping.patch

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-03-23 08:26

Message:
Logged In: YES 
user_id=1318360
Originator: NO

Hi!

I think this feature would also be interesting for stateless load
balancers. E.g. if you only want to route the initial request via the load
balancer and all other traffic directly via the selected proxy. The
dispatcher forwards the request without adding a Via header and spoofing
the clients source address. Then the proxy would reply directly to the
client bypassing the loadbalancer.

----------------------------------------------------------------------

Comment By: Carsten Bock (carstenbock)
Date: 2007-03-20 16:20

Message:
Logged In: YES 
user_id=1488991
Originator: NO

Hi Marcus,

I agree, I also find your patch useful. Currently we forward the REGISTER
to our loadbalancer to do the nat-pinging. I will be happy to skip this in
the near future ;-)

Carsten

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-03-12 10:16

Message:
Logged In: YES 
user_id=1318360
Originator: NO

Hi!

What about adding raw sockets in general, not only for nathelper? E.g.
when using force_send_socket and the socket does not exist, a raw socket is
used with a spoofed IP address.
+: nice feature for testing or HA setup
-: easy spoofing for script kiddies

----------------------------------------------------------------------

Comment By: Marcus Hunger (marcushunger)
Date: 2007-03-01 16:03

Message:
Logged In: YES 
user_id=1704473
Originator: YES

axlh,

to 1)

Sounds interesting but I see a trust issue when using path information.
Somehow the right path-element would have to be chosen as source for the
natpings. 
Another issue is that it seems quite hard for nathelper to obtain the
path information from usrloc. In the current implementation of nathelper's
natping, all contacts are gathered from usrloc at once using
get_all_ucontacts. The function does not deliver the contact's path, so an
extra request to get_urecord would have to be made for every contact. This
increases the complexity of the operation and results in a slow-down.
Another approach would be to modify get_all_ucontacts to additionally
return the path, but this would break compatibility. Any comments?

to 2)

The raw socket is created at initialisation-time and persists even after
dropping privileges. So there's no problem. :-)

Best regards,
Marcus

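The Path-based source selection from Marcus's 2007-06-13 update, together with the trust issue he raises in the post above, as an added illustration (not code from the patch or from OpenSER): parse the Path header stored with a contact, take the last element's host, and use it only if that hop is operator-controlled. The trusted-set check, the sample header and all hostnames are assumptions for the example.

```python
import re
from typing import List, Optional, Set

# Constructed sample: the Path header stored alongside a NATed contact after a
# REGISTER crossed two hops (load balancer, then edge proxy). Not from the patch.
SAMPLE_PATH = ("<sip:lb1.example.net:5060;lr>, "
               "<sip:edge.example.net;lr;received=sip:203.0.113.7:5060>")


def split_path(header: str) -> List[str]:
    """Split a Path header into its entries. Commas inside <...> belong to the
    URI (e.g. inside parameters), so only split at bracket depth 0."""
    entries, depth, cur = [], 0, []
    for ch in header:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        if ch == "," and depth == 0:
            entries.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        entries.append(tail)
    return entries


def uri_host(entry: str) -> Optional[str]:
    """Return the host of one Path entry such as '<sip:host:port;lr>'.
    Handles an optional user part, a port, and bracketed IPv6 literals."""
    m = re.match(r"^<?\s*sips?:(?:[^@>;]*@)?([^;>?]+)", entry.strip())
    if not m:
        return None
    hostport = m.group(1)
    if hostport.startswith("["):          # IPv6 literal: [2001:db8::1]:5060
        return hostport[1:hostport.index("]")]
    return hostport.split(":", 1)[0]      # drop an optional port


def ping_source_host(path_header: str, trusted: Set[str]) -> Optional[str]:
    """Pick the last Path element's host as the ping source, as the patch
    description proposes; the trusted-set filter is this example's assumption,
    not the patch's behaviour: an entry outside the operator's hops yields None."""
    entries = split_path(path_header)
    if not entries:
        return None
    host = uri_host(entries[-1])
    return host if host in trusted else None
```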
----------------------------------------------------------------------

Comment By: axlh (axlh)
Date: 2007-03-01 14:06

Message:
Logged In: YES 
user_id=1212856
Originator: NO

Nice patch. I like the idea, but see 2 issues with the current
implementation:

1) configuring 1 fixed source_ip doesn't handle a cluster of
loadbalancers. I suggest using the path info stored in the location table
instead of the parameter.

2) raw sockets require root privileges. There should be some way for
OpenSER to drop all other unnecessary privileges when run as root.

----------------------------------------------------------------------
