[Kamailio-Devel] [ openser-Feature Requests-2726791 ] check r-r header of reply

Iñaki Baz Castillo ibc at aliax.net
Thu Apr 2 18:15:20 CEST 2009


2009/4/2 Juha Heinanen <jh at tutpro.com>:
> Alex Hermann writes:
>
>  > That doesn't help very much. This will only detect a malicious UAS, but it
>  > doesn't do anything to prevent it from bypassing the proxy. If the UAC (or
>  > UAS) is malicious, it can skip whatever RR-headers it wants.
>
> what i would like to achieve is better protection for uac (my user) who
> sent request through my proxy.  it is very bad, if reply from my proxy
> to the uac does not contain the r-r uri that the proxy itself added.

Hi Juha, imagine the following cases:


a) UAC behind NAT (so it can receive SIP traffic from the proxy):
In this case the 200 from the UAS contains spoofed RR pointing to target.

UAC                       Proxy                 UAS (malicious)       target

------ INVITE ------------->   ------ INVITE + RR --------->
<---- 200 (malicious RR) ---   <---- 200 (malicious RR) ----
------------------in-dialog-requests------------------------------------>


b) UAC behind NAT (so it can receive SIP traffic from the proxy):
In this case the 200 from the UAS does NOT contain RR but a Contact
pointing to target.

UAC                       Proxy                 UAS (malicious)       target

------ INVITE ---------->     ------ INVITE + RR -------->
<---- 200 (no RR) ------      <----- 200 (no RR) ---------
------------------------in-dialog-requests----------------------------->


c) UAC with public IP (so it can receive SIP traffic from anywhere):
In this case the 200 from the UAS does NOT contain RR but a Contact
pointing to target, and the 200 is sent directly to the UAC.

UAC                       Proxy                   UAS (malicious)      target

------ INVITE ---------->     ------ INVITE + RR -------->
<---------------------- 200 (no RR) ----------------------
------------------------in-dialog-requests------------------------------>



In case a), the proxy could check the RR as you suggest and convert
the 200 into 4XX.

In case b), the proxy could check if RR does exist and drop the reply
if there isn't one (since the proxy knows that it added it in the
request).

In case c), there is nothing to do.



-- 
Iñaki Baz Castillo
<ibc at aliax.net>
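
Added example, not part of the original message and not Kamailio code: a sketch of the reply check discussed for cases a) and b), classifying a 2xx reply by whether the proxy's own Record-Route URI is still present. The addresses, `OWN_RR`, the sample replies and the host/port-only URI comparison are assumptions made for the illustration; case c) never reaches the proxy, so no check applies to it.

```python
import re

OWN_RR = "sip:192.0.2.10;lr"  # constructed: the URI this proxy adds as Record-Route

def record_route_uris(reply):
    """Return every Record-Route URI found in a SIP message's headers."""
    head = reply.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)  # unfold continuation lines
    uris = []
    for line in head.split("\r\n")[1:]:      # [1:] skips the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "record-route":
            uris += re.findall(r"<([^>]+)>", value)
    return uris

def host_port(uri):
    """Reduce a sip: URI to (host, port). Simplified: no IPv6 literals."""
    m = re.match(r"sips?:(?:[^@;]*@)?([^:;?]+)(?::(\d+))?", uri, re.I)
    return (m.group(1).lower(), int(m.group(2) or 5060)) if m else ("", 0)

def check_reply(reply, own_rr=OWN_RR):
    """Classify a 2xx reply to a request on which the proxy did record-route."""
    uris = record_route_uris(reply)
    if not uris:
        return "no-rr"          # case b): Record-Route stripped entirely
    if host_port(own_rr) not in [host_port(u) for u in uris]:
        return "rr-replaced"    # case a): Record-Route present, ours is gone
    return "ok"

def make_reply(*rr_lines):
    """Build a constructed 200 OK with the given Record-Route header lines."""
    lines = ["SIP/2.0 200 OK", "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKexample",
             *rr_lines, "Contact: <sip:uas@198.51.100.7>", "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"

REPLY_OK = make_reply("Record-Route: <sip:192.0.2.10;lr>")
REPLY_CASE_A = make_reply("Record-Route: <sip:198.51.100.7;lr>")
REPLY_CASE_B = make_reply()

if __name__ == "__main__":
    for label, reply in [("ok", REPLY_OK), ("a", REPLY_CASE_A), ("b", REPLY_CASE_B)]:
        print(label, check_reply(reply))
```
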


