[SR-Users] loose_route security

Olle E. Johansson oej at edvina.net
Mon Apr 11 10:15:34 CEST 2011


On 11 Apr 2011, at 09:25, Klaus Darilion wrote:

> Hi Eric!
> 
> On 11.04.2011 02:09, Eric Hiller wrote:
>> As I look and play with loose_route functionality it seems that by
>> simply placing a route: proxyip;lr header in my invite I can bypass any
>> and all security otherwise built into the configuration.
> 
> True!
> 
>> Is this the way everyone has it?
> 
> Hopefully not!
> 
>> I have been unable to find any configuration examples
>> online that show how to secure/restrict access to loose_route?
> 
> The default configuration of Kamailio 3.1 is safe. (I think the default
> configurations of older Openser releases were unsafe)
> 
> The basic principle is: allow loose routing only for in-dialog requests
> and make sure that the UAS (the node where Kamailio forwards the
> request) rejects in-dialog requests to an unknown dialog (if you use
> Asterisk make sure to have pedantic=yes).
> 
> Thus: Check for to-tag. This is how you can distinguish out-of-dialog
> requests from in-dialog requests. Only if the to-tag is present, call
> loose_route(). If the to-tag is not present, then do not call
> loose_route and reject the request or handle it according to the local
> routing policies.

It's harder when routing outbound. You don't want to be a reflector used in a DDoS attack.
You either limit who can use your Kamailio by authorization or keep some kind of dialog state.

/O
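
The to-tag rule described in the quoted reply, written out as a Kamailio routing fragment. This is an added example, not code from the thread or from the Kamailio project; it assumes Kamailio 3.1-style module names with the module path already set, and the `LOCAL_POLICY` route name and its 403 reply are hypothetical placeholders for the site's own authorization logic.

```kamailio
# Added example. Assumes mpath is already configured for these modules.
loadmodule "sl.so"        # sl_send_reply()
loadmodule "tm.so"        # t_relay(), t_check_trans()
loadmodule "rr.so"        # loose_route(), record_route()
loadmodule "textops.so"   # is_method(), remove_hf()
loadmodule "siputils.so"  # has_totag()

# Weak pattern the thread warns about: loose_route() runs first for every
# request, so a request carrying its own Route header is relayed before
# any of the checks further down are reached.
#   route { if (loose_route()) { t_relay(); exit; } ... }

route {
	# Only in-dialog requests (To-tag present) may be loose-routed.
	if (has_totag()) {
		if (loose_route()) {
			t_relay();
			exit;
		}
		if (is_method("ACK")) {
			# An ACK for a negative reply matches a transaction: relay it.
			# Any other ACK is silently dropped.
			if (t_check_trans()) t_relay();
			exit;
		}
		# To-tag present but no usable Route set: not a dialog we know.
		sl_send_reply("404", "Not here");
		exit;
	}

	# Out-of-dialog request: never call loose_route(); drop any Route
	# header the sender preloaded so it cannot steer the request.
	remove_hf("Route");
	if (is_method("INVITE|SUBSCRIBE")) record_route();

	route(LOCAL_POLICY);  # hypothetical route name
}

route[LOCAL_POLICY] {
	# Placeholder for authentication, ACLs and dialplan checks.
	# Default-deny until local policy explicitly allows the request.
	sl_send_reply("403", "Forbidden");
	exit;
}
```

The to-tag check only separates in-dialog from out-of-dialog requests by what the sender claims, so the downstream UAS still has to reject requests for dialogs it does not know, as the quoted reply points out.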

