[SR-Users] Pre-loaded routes verification

Daniel-Constantin Mierla miconda at gmail.com
Mon Jan 4 16:02:03 CET 2021 

Hello,

the Kamailio approach in the default configuration file is to not trust
any pre-loaded Route headers, so it removes all of them via
remove_hf("Route").

Practically, it is like: you sent it to me, it is my job now to route it
where I want. Preloaded Route headers can be a bit dangerous, especially
when having to interconnect with old gateways that trust traffic by ip,
without checking other headers/domains.

For example, one type of tricks used in the early days it to put 2 Route
headers in the initial INVITE (first proxy, the second the pstn gateway)
with R-URI a foreign domain. After loose routing, the target is the pst
gateway but the INVITE has a foreign domain not matching myself which
can end up being sent directly out via route[SIPOUT] without any
additional ACL checks, because the system thought is going to be sent to
an external sip provider. Obviously, additional checks or rules can be
added in Kamailio config, even catch it with loose_route() return codes,
but what I wanted to highlight is that Route headers in initial request
must be treated with care and long time ago we decided just to remove
them in default config, instead of trying to identify case-specific
needs of handling Route headers for initial requests.

If people feel the use cases has changed and there is a need for update,
typically before major releases we run a round of asking what should get
in the default config.

Cheers,
Daniel

On 04.01.21 15:46, Duarte Rocha wrote:
> Greetings,
>
> I'm doing a migration from a opensips system to kamailio one and i'm
> trying to replicate its functionalities.
>
> The system is a Registrar with a pstn gateway. I noticed that on the
> opensips version, loose_route() is called on initial requests and it
> seems to be used to protect against preloaded routes.
>
> However, on the default Kamailio configuration file loose_route() is
> only called on requests in-dialog and the verification mentioned above
> is not used.
>
> Why doesn't Kamailio includes this verification? Is there are any
> security concerns not using it? 
>
> Best Regards,
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20210104/f848fc47/attachment.htm>

More information about the sr-users mailing list