[OpenSER-Users] Multidomain and in-dialog REFER auth issue
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Oct 16 11:33:47 CEST 2007
Iñaki Baz Castillo wrote:
> On Monday 15 October 2007 22:35:34 Klaus Darilion wrote:
>> Iñaki Baz Castillo wrote:
>>> On Monday 15 October 2007 12:12:44 Klaus Darilion wrote:
>>>> What exactly do you want to achieve? Do you want to allow REFER only
>>>> intradomain?
>>> Exactly.
>>> - Imagine you admin an OpenSer that gives service to 2 independent
>>> companies (domain_A and domain_B).
>>> - Imagine a user_A of domain_A calls a user_B of domain_B.
>>> - During the call user_A does REFER.
>>> - OpenSer requires auth for REFER, so user_A sends auth (it can since
>>> it's a local user).
>>> - So finally user_B is transferred by an external user. Of course this is
>>> not tolerable.
>>>
>>> So I need to allow a REFER just if the caller and called are in the same
>>> domain, but REFER is in-dialog so there is no domain name in the URI.
>> just an idea: check if $fd of REFER is identical to domain in REFER to
>> header - if not -> reject it.
>
> It's a great idea!
> Of course I need to test it. For example:
> What about if the "Refer-to" header just contains "sip:001234234234" with no
> @domain? maybe there are "broken" SIP devices which auto-complete this URI
> with their domain?
>
>> Further, if B's phone sends out the new INVITE, if $rd != $fd then do not
>> send the call to the gateway.
>
> Humm, it can't be, because in case of a forwarding (implemented in OpenSer) I
> do allow calls from other domains to PSTN gateway.
Usually, if a client wants to dial a phone number, the client will add
its own domain as RURI domain. E.g.
sip:client@mydomain.com calls PSTN 12345: RURI=sip:12345@mydomain.com ->
forward to PSTN gateway
sip:client@mydomain.com calls sip:12345@otherdomain.com --> forward
request to otherdomain. Regardless if otherdomain.com is hosted in the
same openser or any other SIP proxy, at otherdomain.com this is an
incoming SIP call from an external SIP client which MUST NOT be routed
to the PSTN.
Thus, I would add both checks.
regards
klaus
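
The two checks discussed in this message, sketched in Python as an added example (not code from the thread and not OpenSER script): a REFER is allowed only when the From domain ($fd) equals the Refer-To domain, and an INVITE may go to the PSTN gateway only when $fd equals the request-URI domain ($rd). The function names, the decision strings and the sample domains are assumptions, as is the choice to reject a Refer-To that carries no @domain, and From is assumed to have been authenticated already.

```python
import re

# Host part of a SIP/SIPS URI that has a user part (hostnames and IPv4 only).
USER_HOST = re.compile(r"sips?:[^@\s<>]+@([^\s<>;:?]+)", re.I)

def uri_domain(value):
    """Return the lower-cased domain, or None if there is no user@domain."""
    m = USER_HOST.search(value or "")
    return m.group(1).lower() if m else None

def parse(raw):
    """Split a SIP request into method, request URI and a header dict."""
    lines = raw.strip().splitlines()
    method, ruri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, ruri, headers

def decide(raw):
    """Apply both domain checks; other methods are out of scope and pass."""
    method, ruri, h = parse(raw)
    fd = uri_domain(h.get("from") or h.get("f"))          # $fd
    if method == "REFER":
        target = uri_domain(h.get("refer-to") or h.get("r"))
        # Assumption: a Refer-To without @domain is rejected (fail closed).
        return "allow" if fd and fd == target else "reject"
    if method == "INVITE":
        rd = uri_domain(ruri)                              # $rd
        return "gateway-ok" if fd and fd == rd else "no-gateway"
    return "allow"

def sample(method, ruri, from_uri, refer_to=None):
    """Build a constructed request; all domains are placeholders."""
    lines = [f"{method} {ruri} SIP/2.0", f"From: <{from_uri}>;tag=1"]
    if refer_to:
        lines.append(f"Refer-To: {refer_to}")
    return "\r\n".join(lines) + "\r\n\r\n"
```
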