[sr-dev] why new tcp connection?
Iñaki Baz Castillo
ibc at aliax.net
Fri Nov 6 17:41:22 CET 2009
On Friday, 6 November 2009, Andrei Pelinescu-Onciul wrote:
> On Nov 06, 2009 at 14:39, Iñaki Baz Castillo <ibc at aliax.net> wrote:
> > On Friday, 6 November 2009, Klaus Darilion wrote:
> > > Hi Juha!
> > >
> > > Personally I do not like the alias approach. IIRC correctly there were
> > > some security issues with aliases (at least some time ago) and ser does
> > > handle aliases a little bit differently than described by IETF to avoid
> > > these issues.
> > Could I know about those security issues? (just a brief description).
> IIRC the original alias draft required to alias also the IP, so for
> example a message from ip: 184.108.40.206 with src_port 1234 and having in via
> 220.127.116.11:5060 would set an alias on the proxy:
> 18.104.22.168:5060->22.214.171.124:1234 which is evidently a security problem (I can
> use it to redirect someone else's traffic to me).
> In ser/sr/kamailio the alias will work only for the port, so in the
> above example the alias will be:
> 126.96.36.199:5060->188.8.131.52:1234 and IIRC a message might be logged.
IETF *always* proposes exotic solutions based on user-provided information!
> Even using only the port for the alias there can still be problems if
> there are several UACs behind the same NAT that listen on the same port
> (e.g. 5060). All of them would add 5060 in the via and on the proxy
> there would be attempts to set multiple aliases for nat_ip:5060.
> In this case one UAC will also get the requests intended for the others.
> This can also be used on purpose, to intercept the messages of the
> other users behind the same NAT or on the same machine.
I thought that the "alias" behavior was different:
- UA adds "alias" in Via (with no value, just an empty parameter).
- Then the proxy does know that it can reuse the existing connection to route
new requests to this UA.
I don't understand why the user has to provide address information. Perhaps I
read another draft XD
Iñaki Baz Castillo <ibc at aliax.net>
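
The two alias policies compared in the quoted reply, as an added example that is not part of the original post and is not ser/sr/kamailio code. It is a toy model of a proxy's TCP alias table; the class and function names, the RFC 5737 sample addresses, and the "first alias wins" conflict rule are assumptions made for illustration.

```python
# Added illustration: toy model of a proxy's TCP alias table (not Kamailio code).
# Addresses are constructed documentation-range values (RFC 5737).

class AliasTable:
    def __init__(self, trust_via_ip):
        self.trust_via_ip = trust_via_ip   # True = original draft behaviour per the thread
        self.aliases = {}                  # (ip, port) -> connection id
        self.conflicts = []

    def add_alias(self, conn_id, src_ip, via_host, via_port):
        # Draft policy aliases the user-supplied Via host; the port-only policy
        # keeps the IP actually observed on the TCP connection.
        ip = via_host if self.trust_via_ip else src_ip
        key = (ip, via_port)
        owner = self.aliases.setdefault(key, conn_id)
        if owner != conn_id:
            # Assumption: first alias wins and the clash is recorded.
            self.conflicts.append((key, owner, conn_id))
            return False
        return True

    def route(self, dst_ip, dst_port):
        # Connection the proxy would reuse for this destination, or None
        # (meaning: open a new connection to the real address).
        return self.aliases.get((dst_ip, dst_port))


def spoofed_via(trust_via_ip):
    """Sender at 198.51.100.7 puts someone else's address in Via."""
    t = AliasTable(trust_via_ip)
    t.add_alias("conn-X", "198.51.100.7", "192.0.2.10", 5060)
    return t.route("192.0.2.10", 5060)


def same_nat_collision():
    """Two UACs behind NAT 203.0.113.5 both advertise port 5060."""
    t = AliasTable(trust_via_ip=False)
    t.add_alias("conn-A", "203.0.113.5", "10.0.0.2", 5060)
    ok = t.add_alias("conn-B", "203.0.113.5", "10.0.0.3", 5060)
    return ok, t.route("203.0.113.5", 5060), len(t.conflicts)


if __name__ == "__main__":
    print("draft policy    :", spoofed_via(True))     # conn-X
    print("port-only policy:", spoofed_via(False))    # None
    print("same-NAT clash  :", same_nat_collision())  # (False, 'conn-A', 1)
```

With the port-only policy the spoofed Via host no longer maps to the sender's connection, but the same-NAT case still resolves nat_ip:5060 to a single connection, which is the residual problem described in the quoted reply.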