[SR-Users] Implementation of RFC 5393

Guillaume tetram100 at hotmail.fr
Wed Oct 21 14:51:00 CEST 2015


But why don't you implement this feature after your demo at Kamailio World? Do you think it's useless at the end?

And how was your script working with Kamailio?


Thanks for your response


Guillaume

From: oej at edvina.net
Date: Wed, 21 Oct 2015 14:15:43 +0200
To: miconda at gmail.com
CC: sr-users at lists.sip-router.org
Subject: Re: [SR-Users] Implementation of RFC 5393


On 21 Oct 2015, at 14:09, Daniel-Constantin Mierla <miconda at gmail.com> wrote:

Hello,

checking the IP in the Via headers can be done in config file using a while loop:

$var(i) = 0;
while($(hdr(Via)[$var(i)])!=$null) {
   # use transformations to extract the IP in $(hdr(Via)[$var(i)]) and test it against $Ri
   ...
   $var(i) = $var(i) + 1;
}

Also, checking the max-breadth should be possible in config file -- iirc, Olle played with it at one of the SIPit events I attended, maybe he can add more details here. I haven't read the RFC 5393 to be able to provide an example here.

I have a kind-of working solution in script, that I used in the Dangerous Demos at Kamailio World.

If someone wants to add a module to simplify the config, he/she is welcome to do it. :-)

I think it needs to have hooks into tm.
/O

Cheers,
Daniel

On 21/10/15 10:35, Guillaume wrote:
Hi guys,

What do you think about the RFC 5393 on loop detection and amplification attack protection? 

The RFC is short and still a proposed standard, but don't you think it could be useful to prevent loops and amplification attacks? Because even if the Max-Forwards field reduces the loop to ~70 hosts (in most cases), with some techniques we could fork the message into up to 2^70 messages (as described in the RFC) to crash the servers.

Basically the server has to do 2 things:
* check that it is not already in the Via headers of the message
* the previous check is not enough, as a B2BUA could have replaced the Via headers, so the RFC introduces a new field called Max-Breadth to limit the forking.

I have not seen a lot of implementations of this RFC in the free SIP software and I think it could be a good way to improve Kamailio by making a module for it (the easiest way to implement this feature, I think).

In fact I'm in a research internship about VoIP security and I have time to develop such a module for Kamailio if you think it's a good idea (I'm looking for some security improvements in free software solutions, so if you have other ideas don't hesitate to tell me).

Cheers,


Tetram


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users at lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
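
Added example (not part of the original thread, and not Kamailio code): a Python model of the two checks discussed above, the scan of the Via headers for the proxy's own address and the Max-Breadth budget shared across parallel forks. Function names and the sample request are constructed for illustration; the default of 60 and the 440 response come from RFC 5393, and the even split across branches is one possible policy.

```python
import re

DEFAULT_MAX_BREADTH = 60  # value RFC 5393 recommends inserting when the header is absent

# Constructed sample request (not from the thread).
SAMPLE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKaaa\r\n"
    "v: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bKbbb, SIP/2.0/TCP 192.0.2.99:5070;branch=z9hG4bKccc\r\n"
    "Max-Forwards: 68\r\n"
    "Max-Breadth: 5\r\n"
    "\r\n"
)

def headers(msg, *names):
    """Values of the named headers (case-insensitive), in message order.
    Folded continuation lines are not handled in this sketch."""
    wanted = {n.lower() for n in names}
    out = []
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in wanted:
            out.append(value.strip())
    return out

def via_hosts(msg):
    """Yield (host, port) for every Via entry; one header line may carry
    several comma-separated entries, and 'v' is the compact header name."""
    pattern = r"\s*SIP\s*/\s*2\.0\s*/\s*\w+\s+(\[[^\]]+\]|[^\s:;]+)(?::(\d+))?"
    for value in headers(msg, "Via", "v"):
        for entry in value.split(","):
            m = re.match(pattern, entry)
            if m:
                # Assumption: a missing port means 5060 (TLS would use 5061).
                yield m.group(1).lower(), int(m.group(2) or 5060)

def already_visited(msg, my_host, my_port=5060):
    """True when this proxy's own address already appears in a Via entry."""
    return (my_host.lower(), my_port) in set(via_hosts(msg))

def split_breadth(msg, n_targets):
    """Max-Breadth value for each parallel branch, or None when the budget
    is exhausted and the request should be answered with 440."""
    values = headers(msg, "Max-Breadth")
    budget = int(values[0]) if values else DEFAULT_MAX_BREADTH
    if budget < 1:
        return None
    if n_targets < 1:
        return []
    n = min(n_targets, budget)  # extra targets wait until a branch completes
    base, extra = divmod(budget, n)
    return [base + (1 if i < extra else 0) for i in range(n)]
```

The values returned by split_breadth() never sum to more than the incoming Max-Breadth, which is what bounds the total number of concurrent branches regardless of how many proxies fork the request downstream.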
