[Kamailio-Users] SIP Digest Access Authentication RELAY survey

Daniel-Constantin Mierla miconda at gmail.com
Fri Jan 16 11:37:26 CET 2009


I added this information in the wiki:
http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x

Cheers,
Daniel


On 01/16/2009 11:04 AM, Klaus Darilion wrote:
>
>
> Luciano Afranllie wrote:
>> What should I do to get 1.5? Is there a 1.5 branch or should I get trunk?
>
> Trunk. 1.5 branch will be created when 1.5 will be released (somewhere 
> in February)
>
> klaus
>
>>
>> Thanks
>> Luciano
>>
>> On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
>> <miconda at gmail.com> wrote:
>>> Hello,
>>>
>>> thanks Klaus and Victor for details.
>>>
>>> With kamailio 1.5 this can be solved in another way, pretty easy --
>>> allow users to call only from registered devices.
>>>
>>> Check here the example 2:
>>> http://openser.blogspot.com/2008/10/registrar-enhancements.html
>>>
>>> The condition can be extended so that you match the received (source
>>> IP)/contact in the INVITE with the contact in the location record.
>>>
>>> So guys, start testing 1.5, it does have a lot of cool new features:
>>> http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
>>>
>>> Cheers,
>>> Daniel
>>>
>>> On 01/15/2009 12:00 PM, Klaus Darilion wrote:
>>>> Hi!
>>>>
>>>> For those who are interested in this attack - I have attached the
>>>> relevant slides from my SIP security lectures.
>>>>
>>>> regards
>>>> Klaus
>>>>
>>>> PS: an exploit based on sipp scenario files is available too on
>>>> request (for educational purposes :-)
>>>>
>>>>
>>>>
>>>> Klaus Darilion wrote:
>>>>> IIRC to solve this issue completely the UAC should never send
>>>>> credentials to unknown parties - only to its SIP proxy (some clients
>>>>> have a "force outbound proxy" feature which does the same). Then the
>>>>> SIP proxy can remove credentials before forwarding to other parties.
>>>>>
>>>>> As soon as a client sends messages (with credentials) directly to
>>>>> other parties there is nothing you can do on the proxy side.
>>>>>
>>>>> regards
>>>>> klaus
>>>>>
>>>>> Victor Pascual Ávila wrote:
>>>>>> Hi,
>>>>>> excuse me if this message is not directly related to Kamailio.
>>>>>>
>>>>>> I'm just wondering if folks could share with me if (and how) they have
>>>>>> prevented the "SIP Digest Access Authentication RELAY" in their
>>>>>> networks (and what worked for them or not).
>>>>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>>>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>>>>> to use outbound proxies while others might be reducing the attack
>>>>>> incentives by means of message integrity.
>>>>>>
>>>>>> Any comment would be appreciated,
>>>>> _______________________________________________
>>>>> Kamailio (OpenSER) - Users mailing list
>>>>> Users at lists.kamailio.org
>>>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>>>>
>>> -- 
>>> Daniel-Constantin Mierla
>>> http://www.asipto.com
>>>
>>>

-- 
Daniel-Constantin Mierla
http://www.asipto.com
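Added example, not code from this thread, from Kamailio, or from Klaus's slides: a small Python model of the relay that Victor asks about and of the "calls only from registered devices" check Daniel proposes. It assumes RFC 2617 MD5 digest without qop, one fixed nonce, and constructed users, passwords and addresses. The proxy is reduced to two decisions: does the Proxy-Authorization verify, and does the INVITE come from the address the account's device registered from (Kamailio's `received`/source-IP comparison, expressed here as a dictionary lookup rather than as config).

```python
"""Toy model of the SIP Digest relay attack and of the
'calls only from registered devices' mitigation.  Added example with
constructed data; not code from the thread or from Kamailio."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2).
    Covered: user, realm, password, nonce, method, digest-uri.  The
    sender's network address is not covered; that is what the relay uses."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def ua_answer_challenge(user: str, password: str, challenge: Dict[str, str],
                        method: str, uri: str) -> Dict[str, str]:
    """What a UA does on a 407: answer whatever challenge it received.
    A plain UA does not check who sent the challenge."""
    resp = digest_response(user, challenge["realm"], password,
                           challenge["nonce"], method, uri)
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "response": resp}


@dataclass
class Request:
    method: str
    uri: str                               # Request-URI
    src_ip: str                            # network source ($si in Kamailio)
    auth: Optional[Dict[str, str]] = None  # parsed Proxy-Authorization


@dataclass
class Proxy:
    realm: str
    passwords: Dict[str, str]              # subscriber table (constructed)
    nonce: str = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # fixed for the example
    location: Dict[str, str] = field(default_factory=dict)  # user -> received addr
    require_registered_source: bool = False

    def register(self, user: str, src_ip: str) -> None:
        """REGISTER handling: remember where the device was seen from."""
        self.location[user] = src_ip

    def challenge(self) -> Dict[str, str]:
        """Parameters of the 407 we send back."""
        return {"realm": self.realm, "nonce": self.nonce}

    def handle(self, req: Request) -> int:
        """Status code the proxy answers the request with."""
        a = req.auth
        if a is None or a.get("realm") != self.realm or a.get("nonce") != self.nonce:
            return 407
        if a["uri"] != req.uri:          # digest-uri must match the Request-URI
            return 403
        expected = digest_response(a["username"], self.realm,
                                   self.passwords.get(a["username"], ""),
                                   self.nonce, req.method, req.uri)
        if expected != a["response"]:
            return 403
        # Mitigation from the thread: the INVITE must originate from the
        # address in the location record of the authenticating account.
        if self.require_registered_source and \
                self.location.get(a["username"]) != req.src_ip:
            return 403
        return 200


def relay_attack(proxy: Proxy, victim: str, victim_pw: str,
                 attacker_ip: str, target_uri: str) -> int:
    """Attacker gets the proxy's challenge answered by the victim's UA and
    presents the victim's credentials on its own INVITE."""
    # 1. Attacker INVITEs target_uri through the proxy and receives the 407.
    if proxy.handle(Request("INVITE", target_uri, attacker_ip)) != 407:
        raise RuntimeError("expected a challenge")
    chal = proxy.challenge()
    # 2. Attacker is in a direct dialog with the victim (not via the proxy);
    #    the victim's UA sends an INVITE whose Request-URI is target_uri
    #    (the attacker advertised it as Contact) and gets the proxy's 407.
    creds = ua_answer_challenge(victim, victim_pw, chal, "INVITE", target_uri)
    # 3. Attacker repeats its INVITE carrying the victim's credentials.
    return proxy.handle(Request("INVITE", target_uri, attacker_ip, auth=creds))


def legitimate_call(proxy: Proxy, user: str, pw: str,
                    user_ip: str, target_uri: str) -> int:
    """Same exchange, done honestly by the registered device itself."""
    if proxy.handle(Request("INVITE", target_uri, user_ip)) != 407:
        raise RuntimeError("expected a challenge")
    creds = ua_answer_challenge(user, pw, proxy.challenge(), "INVITE", target_uri)
    return proxy.handle(Request("INVITE", target_uri, user_ip, auth=creds))


def demo() -> Dict[str, int]:
    """Constructed scenario: alice is registered from 192.0.2.10; an attacker
    at 198.51.100.7 wants a premium-rate call billed to alice."""
    proxy = Proxy("example.com", {"alice": "s3cret"})
    proxy.register("alice", "192.0.2.10")
    target = "sip:+49900123456@example.com"
    out = {"relay_without_check": relay_attack(proxy, "alice", "s3cret",
                                               "198.51.100.7", target)}
    proxy.require_registered_source = True
    out["relay_with_check"] = relay_attack(proxy, "alice", "s3cret",
                                           "198.51.100.7", target)
    out["legit_with_check"] = legitimate_call(proxy, "alice", "s3cret",
                                              "192.0.2.10", target)
    return out


if __name__ == "__main__":
    print(demo())
```

Without the source check the relayed INVITE is accepted (200): the digest is correct for method, URI and nonce, and nothing in it says who sent it. With the check, the attacker's INVITE is refused (403) while alice's own call from her registered address still goes through. The check is coarse where several devices share one NAT address, which is why Daniel suggests also matching the Contact against the location record; and, as Klaus notes, it does nothing to stop the UA from handing its credentials to the attacker in the first place, it only stops the proxy from honouring them.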