[Serdev] Can the function is_to_local be added to the domain module
Zeus Ng
zeus.ng at isquare.com.au
Tue May 25 09:10:25 UTC 2004
Jan,

I already did authentication for users within my domains. The problem I have
is calls from/to other domains. The included message dumps are from two
different proxies. Here is the setup.

UA2 (87654321 at isquare.com.au)
  |
Proxy2 (sip.isquare.com.au)
  |
Proxy1 (example.domain)
  |
UA1 (kennygee at example.domain)

The call was originated from UA2 (87654321 at isquare.com.au) to UA1
(kennygee at example.domain) via proxy2 and proxy1. All signalling goes fine
until the ACK from UA1 gets to Proxy1. The R-URI had been rewritten and it's
not from a domain Proxy1 is responsible for. Thus the ACK will not be
forwarded to UA1. The same goes for the BYE.

I'm not sure how to handle this situation since ACK and BYE should not be
authenticated.

I agree wholeheartedly that checking the To header is absolutely not safe
enough. Could you get me some insight on this particular issue?

Thanks,
Zeus

> -----Original Message-----
> From: Jan Janak [mailto:jan at iptel.org]
> Sent: Tuesday, 25 May 2004 5:42 PM
> To: Zeus Ng
> Cc: serdev at lists.iptel.org
> Subject: Re: [Serdev] Can the function is_to_local be added
> to the domain module
>
>
> You can use digest authentication as well and challenge all
> messages except ACK and CANCEL. Relying on To header field is
> not reliable since the header field is not involved in
> routing and there is no check of that header field at all, so
> it can contain anything.
>
> Jan.
>
> On 25-05 16:38, Zeus Ng wrote:
> > In an effort to prevent third parties from using our SIP proxy as an open
> > relay, I'm trying to use the following logic for tight control.
> >
> > if (!(is_from_local() || is_uri_host_local())) {
> >     xlog("L_ERR", "Relay access denied");
> >     sl_send_reply("404", "Relay access not allowed here");
> >     break;
> > };
> >
> > However, I think this is not a reliable checking method as the R-URI can
> > be changed along the way from proxy to proxy. Is it possible to
> > introduce the is_to_local() function much like the is_from_local() in the
> > domain module?
> > As far as I understand, the "To" header should not be changed even after
> > passing a proxy. So, checking it for relay access is much better than
> > checking R-URI.
> >
> > Your comment is welcome.
> >
> >
> > Zeus Ng
>
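
An added example, not part of the original thread and not SER code: a Python model of the two checks discussed above, a To-header test versus digest authentication for every request except ACK and CANCEL, run over constructed sample requests. The credential store, password, nonce and the elsewhere.invalid target are assumptions; the digest is computed per RFC 2617 without qop.

```python
import hashlib, hmac, re
LOCAL_DOMAINS = {"isquare.com.au"}                  # domain named in the thread
USERS = {("87654321", "isquare.com.au"): "s3cret"}  # constructed credential store
NONCE = "constructed-nonce"                         # constructed; real proxies issue fresh nonces

def md5(s): return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1, ha2 = md5(f"{user}:{realm}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def parse(raw):
    """Split a request into (method, request-URI, headers keyed in lowercase)."""
    first, *rest = raw.strip().splitlines()
    method, ruri, _version = first.split()
    return method, ruri, {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in rest)}

def to_is_local(raw):
    """is_to_local()-style test: looks only at a header that no hop validates."""
    m = re.search(r"sip:(?:[^@>]+@)?([^>;:\s]+)", parse(raw)[2].get("to", ""))
    return bool(m) and m.group(1).lower() in LOCAL_DOMAINS

def digest_policy(raw):
    """Challenge every request except ACK and CANCEL, which cannot be challenged."""
    method, ruri, headers = parse(raw)
    if method in ("ACK", "CANCEL"): return "pass"
    c = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("proxy-authorization", "")))
    password = USERS.get((c.get("username"), c.get("realm")))
    if password is None or c.get("nonce") != NONCE or c.get("uri") != ruri:
        return "407"
    want = digest_response(c["username"], c["realm"], password, method, ruri, NONCE)
    return "relay" if hmac.compare_digest(want, c.get("response", "")) else "407"

def build(method, ruri, to, password=None):
    """Constructed sample request, reduced to the headers the two checks read."""
    msg = f"{method} {ruri} SIP/2.0\nTo: {to}\n"
    if password:
        resp = digest_response("87654321", "isquare.com.au", password, method, ruri, NONCE)
        msg += (f'Proxy-Authorization: Digest username="87654321", realm="isquare.com.au", '
                f'nonce="{NONCE}", uri="{ruri}", response="{resp}"\n')
    return msg

FORGED = build("INVITE", "sip:someone@elsewhere.invalid", "<sip:87654321@isquare.com.au>")
AUTHED = build("INVITE", "sip:kennygee@example.domain", "<sip:kennygee@example.domain>", "s3cret")
ACK = build("ACK", "sip:kennygee@example.domain", "<sip:kennygee@example.domain>")
if __name__ == "__main__":
    for name, raw in (("forged To", FORGED), ("authenticated", AUTHED), ("ACK", ACK)):
        print(f"{name:14} to_is_local={to_is_local(raw)!s:5} digest={digest_policy(raw)}")
```

The request with a local To header and no credentials passes the To-header test but is answered with 407 under the digest policy, while the authenticated call to the other domain is relayed.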