[sr-dev] Some question about auth_identity module

Iñaki Baz Castillo ibc at aliax.net
Wed Feb 23 13:20:54 CET 2011


2011/2/23 Klaus Darilion <klaus.mailinglists at pernau.at>:
>> What is @identity ??
>
> @xxx is a 'select', see ser's select framework:
>
> http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html
> http://sip-router.org/wiki/ref_manual/selects

Thanks, I missed them.


>> - When acting as verifier, the proxy must get the certificate via HTTP
>> from the URL given in the Identity-Info header of the request. The
>> module doesn't include TCP/HTTP timeouts so, what would happen if an
>> attacker set a non-responding domain in such header? would the
>> kamailio/ser process block when trying to retrieve the certificate
>> until the kernel returns error for the TCP establishment? (it could
>> take even minutes!!!).
>
> Try it. ;-)

I plan to try the module soon, but cannot do it now, please tell me :)
NOTE: I mean the case in which the HTTP server has a DROP rule in its
firewall, so the TCP connection would take a long time to return an error.
I know that curl uses a configurable timer for the HTTP/TCP connection
operation, but even 1-2 seconds could be enough to leave a proxy
unusable (imagine 100 calls at the same time containing Identity-Info
pointing to 100 different domains with a DROP rule).




>> So we must be careful and not use fix_contact(), force_rtpproxy() or
>> whatever function modifying From/To/Contact/body. This means that this
>> won't work in most of the cases (who doesn't deal with NATted
>> clients?). The only solution seems to be calling msg_apply_changes(),
>> but this doesn't seem to be very good. Am I wrong? So, is this module
>> really usable in real environments? somebody using it?
>
> You can do any modifications before auth_add_identity(), but not after
> auth_add_identity(). auth_add_identity() internally calls
> msg_apply_changes functionality.

Good to know, thanks. IMHO it should be clearly documented.


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
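The failure mode discussed above (a verifier that fetches the Identity-Info certificate synchronously and can be stalled by an unresponsive host) is illustrated by the following added example. It is not code from the auth_identity module, from Kamailio/SER, or from either poster; the function names, the RFC 4474 header parsing and the "silent server" are assumptions constructed for this illustration. The local stand-in server accepts the TCP connection and never answers, so TLS is turned off for the demo; a real verifier would keep TLS on and would additionally cache certificates per domain.

```python
"""Added example: bound every blocking step of an Identity-Info certificate
fetch so a host that drops our SYNs, or accepts and never replies, costs the
verifier at most connect_timeout + read_timeout instead of minutes.
Not part of auth_identity; all names here are hypothetical."""
import re
import socket
import ssl
import threading
import time
from urllib.parse import urlparse

# RFC 4474 syntax: Identity-Info: <uri>;alg=rsa-sha1
_IDENTITY_INFO_RE = re.compile(r"^\s*<([^>]+)>\s*((?:;[^;]+)*)\s*$")


def parse_identity_info(value):
    """Return (uri, params) for an Identity-Info header value, or None if malformed."""
    m = _IDENTITY_INFO_RE.match(value)
    if not m:
        return None
    params = {}
    for p in filter(None, m.group(2).split(";")):
        k, _, v = p.strip().partition("=")
        params[k.lower()] = v
    return m.group(1), params


def acceptable_cert_uri(uri):
    """Fetch only https URIs with a host, as RFC 4474 requires; refuse anything else."""
    u = urlparse(uri)
    return u.scheme == "https" and bool(u.hostname)


def fetch_with_deadline(host, port, path, connect_timeout=2.0, read_timeout=2.0,
                        max_bytes=64 * 1024, use_tls=True):
    """GET path from host:port with hard timeouts. Returns the body or None on any failure."""
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except OSError:  # includes the connect timeout (SYNs dropped by a firewall)
        return None
    try:
        sock.settimeout(read_timeout)  # bounds the TLS handshake and every recv()
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        sock.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
                      % (path, host)).encode())
        chunks, total = [], 0
        while total < max_bytes:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
        if total >= max_bytes:  # oversized response: refuse rather than buffer it all
            return None
        head, sep, body = b"".join(chunks).partition(b"\r\n\r\n")
        status = head.split(b"\r\n")[0]
        if not sep or not status.startswith(b"HTTP/1.") or b" 200 " not in status:
            return None
        return body
    except (OSError, ssl.SSLError):  # socket.timeout is an OSError subclass
        return None
    finally:
        sock.close()


def start_silent_server():
    """Constructed stand-in for a host that completes the handshake but never answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def hold_connections():
        held = []
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)  # keep open, write nothing

    threading.Thread(target=hold_connections, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(read_timeout=0.5):
    """Verify a constructed Identity-Info header against the silent server and time the fetch."""
    srv, port = start_silent_server()
    try:
        uri, params = parse_identity_info("<https://127.0.0.1:%d/atlanta.cer>;alg=rsa-sha1" % port)
        u = urlparse(uri)
        t0 = time.monotonic()
        body = fetch_with_deadline(u.hostname, u.port, u.path, connect_timeout=0.5,
                                   read_timeout=read_timeout, use_tls=False)
        return {"acceptable": acceptable_cert_uri(uri), "alg": params.get("alg"),
                "body": body, "elapsed": time.monotonic() - t0}
    finally:
        srv.close()
```

With the timeouts above a hostile Identity-Info URI costs one worker a bounded fraction of a second and the call is rejected; without them the worker sits in connect() or recv() for as long as the kernel allows, which is the stall described in the message.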


