[Users] feature request

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Jul 27 21:17:02 CEST 2005


Hi Juha,

Juha Heinanen wrote:

>Bogdan-Andrei Iancu writes:
>
> > I was already considering this feature, for the same reasons as you. 
> > Attacks may hide behind DNS address IPs of critical components of a 
> > platform (like GW).
>
>GWs (and any SIP UAs) should reject requests where request uri doesn't
>designate the SIP UA itself.  if they don't, report it as a bug to the
>manufacturer.
>  
>
I agree, but it is not the case I was referring to. Imagine the following 
scenario: some user uploads as contact or redirect/forward address a URI 
like "sip:user@somedomain.com"; he can later switch the DNS entry of the 
domain "somedomain.com" to point to your GW IP.
In [Open]SER, the DNS resolve is done when no more scripting is 
possible, so .... :)

> > I was thinking having this in core to be able to use it both in 
> > stateless (core) and stateful (tm) mode. My concern is where/how to 
> > define the IP black list. If it will be kept in core, will the core 
> > populate it (via script??) or module should register IPs to the core 
> > list? All this in the idea of being able to do a nice provisioning of 
> > the IP blacklist.
>
>in order to be useful, blacklist must be kept in a database table, which
>ser can reload into memory by a fifo command.
>  
>
again, agree; the question is where to keep the list: in core and the 
core should export fifo command for reload from file maybe (the core 
should not be DB dependent)?

regards,
bogdan
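
The scenario in this message, as an added example that is not part of the original post and is not [Open]SER code: a destination check applied to the resolved address rather than to the host in the URI, with the blacklist parsed from file-style text. The addresses, the dict-based `resolver` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation-range addresses, not from the post).
BLACKLIST_FILE = """\
# critical platform components
192.0.2.10        # gateway
192.0.2.32/28     # other protected hosts
"""
DNS_BEFORE = {"somedomain.com": ["198.51.100.7"]}  # when the contact is uploaded
DNS_AFTER = {"somedomain.com": ["192.0.2.10"]}     # record later switched to the GW


def load_blacklist(text):
    """Parse one IP or CIDR per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def resolver(zone):
    """Hypothetical stand-in for DNS: look the name up in a dict."""
    return lambda host: zone.get(host, [])


def pick_destination(host, resolve, blacklist):
    """Return the first resolved address that is not blacklisted, else None.

    The caller must send to the returned address itself rather than resolve
    the name again, or the answer can change between check and send.
    """
    try:
        candidates = [str(ipaddress.ip_address(host))]  # literal IP in the URI
    except ValueError:
        candidates = resolve(host)
    for addr in candidates:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in blacklist):
            return str(ip)
    return None


if __name__ == "__main__":
    bl = load_blacklist(BLACKLIST_FILE)
    for label, zone in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        print(label, pick_destination("somedomain.com", resolver(zone), bl))
```

The host name in the URI is identical in both runs, so a check on the name alone cannot tell them apart; only the check on the resolved address does.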



