[Kamailio-Users] SIP Digest Access Authentication RELAY survey

Luciano Afranllie listas.luafran at gmail.com
Thu Jan 15 22:08:01 CET 2009


What should I do to get 1.5? Is there a 1.5 branch or should I get trunk?

Thanks
Luciano

On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
<miconda at gmail.com> wrote:
> Hello,
>
> thanks Klaus and Victor for details.
>
> With kamailio 1.5 this can be solved in another way, pretty easy --
> allow users to call only from registered devices.
>
> Check here the example 2:
> http://openser.blogspot.com/2008/10/registrar-enhancements.html
>
> The condition can be extended so that you match the received(source
> ip)/contact in invite with the contact in location record.
>
> So guys, start testing 1.5, it does have lot of cool new features:
> http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
>
> Cheers,
> Daniel
>
> On 01/15/2009 12:00 PM, Klaus Darilion wrote:
>> Hi!
>>
>> For those who are interested in this attack - I have attached the
>> relevant slides from my SIP security lectures.
>>
>> regards
>> Klaus
>>
>> PS: an exploit based on sipp scenario files is available too on
>> request (for educational purposes :-)
>>
>>
>>
>> Klaus Darilion schrieb:
>>> IIRC to solve this issue completely the UAC should never send
>>> credentials to unknown parties - only to its SIP proxy (some clients
>>> have a "force outbound proxy" feature which does the same). Then the
>>> SIP proxy can remove credentials before forwarding to other parties.
>>>
>>> As soon as a client send messages (with credentials) directly to
>>> other parties there is nothing you can do on the proxy side.
>>>
>>> regards
>>> klaus
>>>
>>> Victor Pascual Ávila schrieb:
>>>> Hi,
>>>> excuse me if this message is not directly related to Kamailio.
>>>>
>>>> I'm just wondering if folks could share with me if (and how) they have
>>>> prevented the "SIP Digest Access Authentication RELAY" in their
>>>> networks (and what worked for them or not).
>>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>>> to use outbound proxies while others might be reducing the attack
>>>> incentives by means of message integrity.
>>>>
>>>> Any comment would be appreciated,
>>>
>>> _______________________________________________
>>> Kamailio (OpenSER) - Users mailing list
>>> Users at lists.kamailio.org
>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Kamailio (OpenSER) - Users mailing list
>> Users at lists.kamailio.org
>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>
> --
> Daniel-Constantin Mierla
> http://www.asipto.com
>
>
> _______________________________________________
> Kamailio (OpenSER) - Users mailing list
> Users at lists.kamailio.org
> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users




More information about the Users mailing list