[Serusers] Loose routing question

Michael Ulitskiy mdu113 at acedsl.com
Thu May 19 17:38:28 CEST 2005


On Thursday 19 May 2005 07:49 am, Jan Janak wrote:
> On 02-05-2005 19:00, Michael Ulitskiy wrote:
> > Hello,
> > 
> > I'm trying to comprehend loose routing concept and I have
> > a question that concerns me.
> > As far as I understand loose routing says that if there're Route
> > headers in a message it should be forwarded according to the URIs
> > set in Route headers. 
> > I thought that this is true only within a dialog, but RFC3261 (part 16.6) says:
> > "Requests establishing a dialog may contain a preloaded Route header field."
> > Also the SER manual says: " the failure not to include loose routing in your scripts 
> > may lead to infinite loops. Make sure that you include the following script 
> > fragment immediately after request sanity checks" and provides the following
> > piece of code:
> > if (loose_route()) {
> >         t_relay();
> >         break;
> > };
> > 
> > which as far as I understand unconditionally forwards message if Route header
> > is present.
> > So I'm wondering what about security? 
> 
>   Your concerns are correct. Loose routing and especially pre-loaded
>   route sets can become a security issue. Moreover, when loose routing is
>   being used, then the SIP message can be forwarded to the URI from the
>   2nd Route header field -- but all security-related checks in SER
>   usually check the Request-URI (which is the contact of the remote
>   party in this case).
> 
>   You should put all the access control checks also before
>   t_relay in the loose_route condition.  This will ensure that the
>   caller has permissions to place calls to the URI in the Request-URI,
>   nothing less nothing more.
> 
>   This is not yet enough (as you correctly point out in the text below)
>   and because it is not possible to check the real IP and port of the
>   next hop after all changes have been done by SER (and it is complex
>   because it can involve DNS queries to resolve SRV/A records), you would 
>   need to deploy some screening on the gateway side too.
> 
>   The gateway should check if the request is coming from the IP and port
>   of the trusted proxy server and in addition to that it should verify
>   that the Request-URI contains the IP (not hostname) and port that belongs 
>   to the gateway. The Request-URI test is important because an attacker could
>   create a fake DNS record that will resolve to the IP of your gateway
>   and this way he could bypass access control checks on the proxy. If
>   the request-uri of the message contains the IP of the gateway then you
>   know that the proxy server did all the access control checks because
>   it knew it was forwarding to the gateway. Requests containing another
>   IP or any hostname in the Request-URI should be rejected by the
>   gateway.
> 
>   If the gateway does not support such screening then you could put
>   another SER instance with very simple configuration (that would just
>   perform the checks, no loose routing) in front of it. The simpler the
>   better in this case.
> 
>   Some people on the list also suggested putting a "magic cookie" into
>   the Request-URI which will only be known to the SIP Proxy and gateway.
>   The proxy server would only put the cookie into the Request-URI if it
>   successfully performed all the security checks and if it knows that it
>   is forwarding to the gateway. The gateway would reject any request
>   that does not contain the magic cookie.
> 
>      Jan.

Thanks Jan and everyone else who replied.
I got it. Just wanted to point out again that I believe it would be best for
everyone to make it more clear in the documentation.

Michael
 
> > If I follow these guidelines, how would I
> > shield my PSTN gateway if anyone can construct a message and 
> > pre-load it with the URI of my gateway and all my proxies must honor it?
> > For example I have a PSTN gateway on IP address 10.1.1.5 and a proxy
> > on 10.1.1.10 that is supposed to interface with the outside world.
> >
> > So I guess if someone constructs a message like this:
> > 
> > INVITE sip:12345@somewhere.com SIP/2.0
> > ...
> > Route: <sip:12345@10.1.1.5;lr>
> > 
> > my proxy will forward it to PSTN gateway and it will make outbound call.
> > 
> > Is this true? Please enlighten me on this.
> > Thank you,
> > 
> > Michael
> 
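
The gateway-side screening described in Jan's reply, sketched as an added example (not code from the thread or from SER). The IP addresses are the ones used in the thread; port 5060, the `gwtok` URI parameter name and the cookie value are assumptions made for illustration.

```python
import hmac
import ipaddress
import re

# Addresses from the thread; port 5060 is an assumed default.
TRUSTED_PROXY = ("10.1.1.10", 5060)
GATEWAY = ("10.1.1.5", 5060)
# Hypothetical "magic cookie", carried as a ;gwtok= Request-URI parameter.
COOKIE = "constructed-shared-secret"

_URI = re.compile(
    r"^sips?:(?:[^@]*@)?(?P<host>\[[^\]]+\]|[^:;?]+)"
    r"(?::(?P<port>\d+))?(?P<params>(?:;[^?]*)?)(?:\?.*)?$",
    re.IGNORECASE,
)

def screen(src_ip, src_port, request_uri, require_cookie=False):
    """Decide whether the gateway should accept a request.

    Returns (accepted, reason). Every failure path rejects (fail closed).
    """
    # 1. Only the trusted proxy may talk to the gateway.
    if (src_ip, src_port) != TRUSTED_PROXY:
        return False, "source is not the trusted proxy"
    m = _URI.match(request_uri)
    if not m:
        return False, "unparseable Request-URI"
    # 2. The Request-URI host must be an IP literal. A hostname is rejected
    #    without resolving it, so a DNS record pointing at the gateway
    #    cannot be used to get past the proxy's access control.
    try:
        host = ipaddress.ip_address(m.group("host").strip("[]"))
    except ValueError:
        return False, "Request-URI host is a hostname, not an IP literal"
    # 3. That IP and port must be the gateway's own: only then did the
    #    proxy know it was forwarding to the gateway when it ran its checks.
    port = int(m.group("port") or 5060)
    if (str(host), port) != GATEWAY:
        return False, "Request-URI does not address this gateway"
    # 4. Optional magic cookie, compared in constant time.
    if require_cookie:
        params = dict(p.partition("=")[::2]
                      for p in m.group("params").split(";") if p)
        token = params.get("gwtok", "").encode()
        if not hmac.compare_digest(token, COOKIE.encode()):
            return False, "missing or wrong magic cookie"
    return True, "ok"
```

The request from the original question arrives from the trusted proxy with its Request-URI still set to `sip:12345@somewhere.com`, so it fails at step 2 even though the source address check passes.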
