[SR-Users] INVITE messages not authenticated (default configuration)?

Jiri Kuthan jiri at iptel.org
Fri Mar 8 01:26:38 CET 2013


well, it is really a matter of policy (and not software) what to
authenticate and opinions on it can differ. I like the pre-configured
options in oob, but that may be very well just because I wrote
them :)
https://github.com/flowroute/kamailio/blob/master/etc/sip-router-oob.cfg
(note it is for sip-router flavor and I'm not sure how far the
kamailio merging process has dug into config files -- the logic
should be apparent though)

I think a simple and reasonable policy is to authenticate *ALL* INVITEs
without To-tag (i.e. those that really initiate a call) and ALL REGISTERs
that have a served domain in From.

It is also worthwhile checking if the digest username corresponds
to (equals, in the simplest case) the From URI. Otherwise the proxy
server could accept an INVITE authenticated by foo at bar.com in the
digest header field and still permit john at bar.com in From.

Going more relaxed is certainly unsafe. Challenging more can break
interoperability. (some phones are silly not to support authentication
for BYE, call-forwarding schemes may lead to unexpected domains in
URIs, CANCEL/ACK just don't have it, etc.)

jiri



On 3/7/13 11:20 PM, Paul Belanger wrote:
> Greeting,
>
> Hopefully, I'm understanding the following default kamailio.cfg[1]
> file.  Over the weekend, I was attacked by SipVicious.  Following
> along with the example Daniel[2] created with kamailio and asterisk, I
> have almost the same setup.  Rather than storing my SIP profiles in
> the Asterisk database, I have them in Kamailio.
>
> To my point, the attacker was actually able to bypass any sort of
> authentication by simply sending an INVITE message:
>
> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>
> Which Kamailio forwarded to Asterisk and, because there is no
> additional auth within Asterisk, was able to hit the Asterisk context
> and get processed (they did not get out to the real world).
> However, my question is: why do we not authenticate INVITE
> messages?  If my understanding is correct, it would require something
> like the following:
>
> if (is_method("INVITE")) {
>      if (!proxy_authorize("$fd", "subscriber")) {
>          proxy_challenge("$fd", "0");
>          exit;
>      }
> }
>
> If so, why not also do it in the default configuration file?
>
> [1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
> [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>
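A worked version of the policy Jiri describes above (challenge every
INVITE without a To-tag, challenge every REGISTER whose From is in a
served domain, and refuse requests whose digest username does not match
the From URI), written as an added example for this thread. It is not
taken from the stock kamailio.cfg or from sip-router-oob.cfg. It assumes
the module set of the default config (auth, auth_db with a "subscriber"
table, siputils for has_totag(), textops, sl) and that "myself" matches
the served domains via listen=/alias=. The realm is taken from $fd, so
calls arriving from peers or trunks with a foreign From domain must be
exempted before this route (for example by source address); that
exemption is a deployment decision and is only noted here, not shown.

```cfg
# route[AUTH]: example only, replaces the AUTH route of the stock config.
# Assumes: auth, auth_db, siputils, textops, sl are loaded and
# modparam("auth_db", "db_url", ...) points at the subscriber table.
route[AUTH] {

    # 1) Initial INVITE: no To-tag means a new dialog, i.e. a real call
    #    attempt. Re-INVITEs, BYE, ACK and CANCEL are not challenged,
    #    which avoids the interoperability problems mentioned above.
    if (is_method("INVITE") && !has_totag()) {
        # auth_check() with flag "1" requires valid digest credentials AND
        # that the digest username equals the username in From.
        # $fd (From domain) is used as the realm.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");   # sends 407 Proxy Authentication Required
            exit;
        }
        # Belt and braces: reject explicitly if the authenticated identity
        # ($au@$ar) differs from the From URI ($fU@$fd), so an INVITE
        # authenticated as foo@bar.com cannot claim john@bar.com in From.
        if ($au != $fU || $ar != $fd) {
            sl_send_reply("403", "Digest identity does not match From URI");
            exit;
        }
        # credentials are consumed so they are not relayed downstream
        consume_credentials();
    }

    # 2) REGISTER: authenticate only when From is in a domain we serve.
    if (is_method("REGISTER")) {
        if (from_uri == myself) {
            # flag "1" here checks the digest username against To
            if (!auth_check("$fd", "subscriber", "1")) {
                auth_challenge("$fd", "0");   # sends 401 Unauthorized
                exit;
            }
        } else {
            # A REGISTER for a domain we do not serve would otherwise reach
            # save() without ever being challenged; refuse it instead.
            # (Design choice of this example, not prescribed by the thread.)
            sl_send_reply("403", "Not our domain");
            exit;
        }
    }

    return;
}
```

With this route in place, the unauthenticated svmap INVITE from the
original report is answered with 407 and never reaches Asterisk, while
in-dialog requests and ACK/CANCEL pass through unchallenged.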


