[SR-Users] loose_route security
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Apr 11 09:25:08 CEST 2011
Hi Eric!
On 11.04.2011 02:09, Eric Hiller wrote:
> As I look and play with loose_route functionality it seems that by
> simply placing a route: proxyip;lr header in my invite I can bypass any
> and all security otherwise built into the configuration.
True!
> Is this the way everyone has it?
Hopefully not!
> I have been unable to find any configuration examples
> online that show how to secure/restrict access to loose_route?
The default configuration of Kamailio 3.1 is safe. (I think the default
configurations of older OpenSER releases were unsafe.)
The basic principle is: allow loose routing only for in-dialog requests
and make sure that the UAS (the node where Kamailio forwards the
request) rejects in-dialog requests to unknown dialogs (if you use
Asterisk make sure to have pedantic=yes).
Thus: Check for to-tag. This is how you can distinguish out-of-dialog
requests from in-dialog requests. Only if the to-tag is present, call
loose_route(). If the to-tag is not present, then do not call
loose_route and reject the request or handle it according to the local
routing policies.
regards
Klaus
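
The to-tag gate described in the message above, as an added Kamailio routing fragment that is not part of the original post and is not the project's shipped configuration. It assumes the rr, siputils, textops, sl and tm modules are loaded; the route names AUTH and LOCATION are hypothetical and must be defined elsewhere, and rejecting a preloaded Route header is one possible local policy.

```cfg
# Added example, not from the original post.

# --- Weak: loose_route() runs for every request ----------------------
# An initial INVITE carrying "Route: <sip:proxyip;lr>" is relayed here
# before any authentication or ACL logic is reached.
#
# request_route {
#     if (loose_route()) {
#         t_relay();
#         exit;
#     }
#     route(AUTH);
# }

# --- Hardened: loose_route() only when a To-tag is present -----------
request_route {
    if (has_totag()) {
        # To-tag present: in-dialog request, follow the Route set.
        if (loose_route()) {
            t_relay();
            exit;
        }
        if (is_method("ACK")) {
            # ACK to a negative reply: relay only if it matches a
            # known transaction, otherwise discard it silently.
            if (t_check_trans()) {
                t_relay();
            }
            exit;
        }
        # In-dialog request with no usable Route set.
        sl_send_reply("404", "Not here");
        exit;
    }

    # No To-tag: out-of-dialog request. loose_route() is never called,
    # so a Route header cannot steer the request past the checks below.
    # Policy chosen for this example: reject a preloaded Route header.
    if (is_present_hf("Route")) {
        sl_send_reply("403", "Preloaded Route not allowed");
        exit;
    }

    route(AUTH);       # authentication / ACL checks (hypothetical)
    route(LOCATION);   # local routing policy (hypothetical)
}
```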