[Kamailio-Devel] [ openser-Feature Requests-2726791 ] check r-r header of reply
Iñaki Baz Castillo
ibc at aliax.net
Thu Apr 2 20:57:38 CEST 2009
El Jueves 02 Abril 2009, Juha Heinanen escribió:
> Iñaki Baz Castillo writes:
> > And then how does the From looks in the in-dialog request? Corrumpetd?
> > or un- touched?
Ok. However I don't consider it so critic (I must mean the From modication).
Usually uac_replace_from() is just used when Kamailio routes requests to
stupid gateways/softswitches requiring the PSTN number in the From header
insted of inspecting PAI/RPID headers.
If you want to send a request to an "untrusted" UAS, a proxy can do very few
work on "protecting" your identity (the second Via will show where you are,
the Contact header probably will show your username...).
If a malicious UAS spoofes the RR in the 200 OK, the proxy could detect it and
drop the request, but no more. The UAS could get the same effect by setting a
spoofed Contact in the 200 OK.
Such issues show us what I already think: a SIP topology just based on proxies
cannot offer enough privacy and security, it's not possible according to SIP
specifications. For privacy requeriments (real privacy) a B2BUA is required,
for secure accounting a B2BUA is required (there are more or less 200 ways to
confuse a proxy on accounting...).
A proxy can do some efforts on offering privacy and other services not related
to a proxy node, but we cannot expect them to be perfect and 100% reliable.
If not, we will require more and more "features" in the proxy, features not
belonging to a SIP proxy (as Contact hidding, second Via removing...). All
these task belong to a B2BUA.
Just my opinion. Regards.
Iñaki Baz Castillo <ibc at aliax.net>
More information about the Devel