[SR-Users] Implementation of RFC 5393

Olle E. Johansson oej at edvina.net
Wed Oct 21 14:59:04 CEST 2015


> On 21 Oct 2015, at 14:51, Guillaume <tetram100 at hotmail.fr> wrote:
> 
> But why don't you implement this feature after your demo at kamailio world? Do you think it's useless at the end?
I have it implemented, but in a routing script. It’s not useless, but not the full function. You need to be able to reuse breadth and a script can’t easily do that - only TM knows if there’s a branch failure and can restart another branch that was previously blocked. Move to kind of semi-serial forking based on available resources instead of going parallel.
> 
> And how your script was working with kamailio ?
Just fine :-)
But I guess you want another answer. I calculated the number of branches in each fork and added the required headers when sending downstream. Without it Kamailio would eat up my laptop and eventually explode and crash.
With it, a lot of branches were blocked and the network (and my laptop) saved.

I will have to dig up the scripts, written on the flights back home from SIPit, to be able to remember exactly how I did it.

I do believe we will have to do something to TM so that TM knows the allowed number of branches and keeps control of it. We have some hooks for branch failures now that may be used to improve my script - so it may be easier to get it done properly without source code changes today.

Max-breadth is critical to avoid flooding of a network when forking.

/O
> 
> 
> Thanks for your response
> 
> 
> Guillaume
> 
> From: oej at edvina.net
> Date: Wed, 21 Oct 2015 14:15:43 +0200
> To: miconda at gmail.com
> CC: sr-users at lists.sip-router.org
> Subject: Re: [SR-Users] Implementation of RFC 5393
> 
> 
> On 21 Oct 2015, at 14:09, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> checking the IP in the Via headers can be done in config file using a while loop:
> 
> $var(i) = 0;
> 
> while($(hdr(Via)[$var(i)])!=$null) {
>    # use transformations to extract the IP in $(hdr(Via)[$var(i)]) and test it against $Ri
>    ...
>    $var(i) = $var(i)  + 1;
> }
> 
> Also, checking the max-breadth should be possible in config file -- iirc, Olle played with it at one of the SIPit events I attended, maybe he can add more details here. I haven't read the RFC 5393 to be able to provide an example here.
> I have a kind-of working solution in script, that I used in the Dangerous Demos at kamailio world.
> 
> 
> If someone wants to add a module to simplify the config, he/she is welcome to do it.
> :-)
> 
> I think it needs to have hooks into tm.
> 
> /O
> 
> Cheers,
> Daniel
> 
> On 21/10/15 10:35, Guillaume wrote:
> Hi guys,
> 
> What do you think about the RFC 5393 on loop detection and amplification attack protection? 
> 
> The RFC is short and still a proposed standard, but don't you think it could be useful to prevent loops and amplification attacks? Because even if the max-forward field reduces the loop to ~70 hosts (in most cases), with some techniques we could fork the message up to 2^70 messages (as described in the RFC) to crash the servers.
> 
> Basically the server has to do 2 things:
> * check if it is not already in the via of the message
> * the previous check is not enough as a B2BUA could have replaced the via headers, so the RFC introduces a new field called max-breadth to limit the forking.
> 
> I have not seen a lot of implementations of this RFC in the free SIP software and I think it could be a good way to improve kamailio by making a module for it (the easier way to implement this feature I think).
> 
> In fact I'm in a research internship about VoIP security and I have time to develop such a module for kamailio if you think it's a good idea (I'm looking for some security improvements in free software solutions, so if you have other ideas don't hesitate to tell me).
> 
> Cheers,
> 
> 
> Tetram
> 
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> 
> -- 
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Book: SIP Routing With Kamailio - http://www.asipto.com
> 
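An added example (Python; not code from the thread, from Olle's script or from Kamailio) modelling the two RFC 5393 checks discussed in this thread: the Via loop check, and the Max-Breadth split over forked branches with a finished branch's breadth reused for a held-back target (the semi-serial forking Olle describes). OWN_SENT_BY and the SIP request are constructed values.

```python
DEFAULT_MAX_BREADTH = 60  # RFC 5393: value a proxy assumes when the header is absent
OWN_SENT_BY = "192.0.2.10:5060"  # this proxy's own Via sent-by (assumed value)

SAMPLE_REQUEST = (  # constructed request that has already passed through this proxy
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.77:5060;branch=z9hG4bKabc\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKdef\r\n"
    "Max-Breadth: 5\r\n"
    "\r\n"
)

def parse_headers(msg):
    """Return (name, value) pairs for the headers of a raw SIP request."""
    head = msg.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def via_loop(hdrs, own_sent_by=OWN_SENT_BY):
    """Loop check: this proxy's own sent-by already appears in a Via header."""
    vias = [v.strip() for n, val in hdrs if n in ("via", "v") for v in val.split(",")]
    return any(len(v.split()) > 1 and v.split()[1].split(";")[0] == own_sent_by
               for v in vias)

def incoming_breadth(hdrs):
    """Max-Breadth of the incoming request, defaulting to 60 when absent."""
    for name, value in hdrs:
        if name == "max-breadth":
            return int(value)
    return DEFAULT_MAX_BREADTH

def plan_fork(breadth, targets):
    """Split breadth over branches: each parallel branch gets >= 1 and the shares
    sum to the incoming value; targets that do not fit are held back for later."""
    if breadth < 1:  # nothing can be forwarded: answer 440 Max-Breadth Exceeded
        return {"status": 440, "parallel": [], "held": list(targets)}
    running, held = list(targets[:breadth]), list(targets[breadth:])
    share, extra = divmod(breadth, max(len(running), 1))  # remainder to first branches
    parallel = [(t, share + (1 if i < extra else 0)) for i, t in enumerate(running)]
    return {"status": "forward", "parallel": parallel, "held": held}

def branch_finished(plan, target):
    """A branch ended (e.g. failed): its breadth is reused for the next held target."""
    freed = dict(plan["parallel"])[target]
    plan["parallel"] = [(t, b) for t, b in plan["parallel"] if t != target]
    if plan["held"]:
        plan["parallel"].append((plan["held"].pop(0), freed))
    return plan
```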