[SR-Users] loose_route security
Olle E. Johansson
oej at edvina.net
Mon Apr 11 10:15:34 CEST 2011
11 apr 2011 kl. 09.25 skrev Klaus Darilion:
> Hi Eric!
>
> Am 11.04.2011 02:09, schrieb Eric Hiller:
>> As I look and play with loose_route functionality it seems that by
>> simply placing a route: proxyip;lr header in my invite I can bypass any
>> and all security otherwise built into the configuration.
>
> True!
>
>> Is this the way everyone has it?
>
> Hopefully not!
>
>> I have been unable to find any configuration examples
>> online that show how to secure/restrict access to loose_route?
>
> The default configuration of Kamailio 3.1 is save. (I think the default
> configurations of older Openser releases were unsafe)
>
> The basic principle is: allow loose routing only for in-dialog requests
> and make sure that the UAS (the node where Kamailio forwards the
> request) rejects in-dilaog requests to unknown dialog (if you use
> Asterisk make sure to have pendantic=yes).
>
> Thus: Check for to-tag. This is how you can differ out-of-dialog
> requests from in-dialog requests. Only if the to-tag is present, call
> loose_route(). If the to-tag is not present, then do not call
> loose_route and reject the request or handle it according the local
> routing policies.
It's harder when routing outbound. You don't want to be a reflector used in a DDOS attack.
YOu either limit who can use your kamailio by authorization or keep some kind of dialog state.
/O
More information about the sr-users
mailing list