[Kamailio-Devel] [ openser-Feature Requests-2726791 ] check r-r header of reply

Iñaki Baz Castillo ibc at aliax.net
Thu Apr 2 18:45:41 CEST 2009

2009/4/2 Juha Heinanen <jh at tutpro.com>:

> Iñaki Baz Castillo writes:
>  > In case c), there is nothing to do.
> uac could check that 200 ok came from the same address where it send
> the invite.

Not sure of that. Imagine two proxies doing load balancing and adding
a SRV record in the VIA.
Proxy_1 routes a request to UAS and crashes so when UAS sends the 200
to the "received" address it will fail (ICMP error) and since it
doesn't receive ACK it must re-sed the 200 to the address in Via. This
is a SRV record so now it gets Proxy_2, sends the 200 there and
Proxy_2 routes it to UAC. This 200 arrives to UAC from an address
different than the destination.

Well, I hate what I've said. It's just a hyper-exotic and useless
specification in RFC3261. XD

Some phones (as Linksys) include an option to drop SIP traffic from
any address but the configured proxy/outbound-proxy.

> my point is that IF uac receives a reply from its proxy, it must be able
> to trust its r-r header.
> now proxy does not do any checking and as result, uac_replace_from
> function, for example, is totally useless.

I don't understand why you mention "uac_replace_from". Isn't enough
the risk of spoofed RR in the 200?


Iñaki Baz Castillo
<ibc at aliax.net>

More information about the Devel mailing list