[SR-Users] Re-invites from carrier breaks the call

Alex Balashov abalashov at evaristesys.com
Thu Feb 19 19:10:01 CET 2015


Hi,

On 02/19/2015 12:59 PM, Andres wrote:

> We have struggled with this issue ourselves.  The problem was that we
> did not want our SIP server to behave like an open relay.  We were
> seeing that the session-timer Re-Invites have a  Request-URI with the IP
> of the other
> endpoint instead of the Proxy.  If the SIP server is an open relay then
> no problem, but ours is not so the config file was very strict and
> dropped the Re-Invite (since the Request-URI had an external IP) thus
> dropping the call.  The config file could be enhanced by testing for
> has_totag() since the Re-Invite has the totag but an original Invite
> does not, but the hacker could put a bogus totag and make calls so its
> more secure to leave it this way.  We ended up disabling session-timers
> at some our clients PBXs.  Its always a balancing act between
> convenience/services and more security.  We chose more security.

 From a SIP point of view, this is a strange position to take. An "open 
relay" is an idea that normally applies to the unrestricted relay of 
_initial_ requests to foreign domains. Requests flowing within a dialog 
(i.e. loose-routed) are _supposed_ to have an RURI pointing to the 
endpoint's domain: this is known as the "remote target" of a dialog, and 
is set by the Contact URI of both dialog parties.

I suppose it's true that one could compel your proxy to relay a 
sequential request (like a reinvite) to any domain by including a Route 
header and a To-tag, but what effect would this have on the far-end UA? 
It would not match the spoofed request to an existing dialog.

-- Alex

-- 
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States

Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/



More information about the sr-users mailing list