[Kamailio-Users] SIP Digest Access Authentication RELAY survey
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Jan 16 10:04:37 CET 2009
Luciano Afranllie schrieb:
> What should I do to get 1.5? Is there a 1.5 branch or should I get trunk?
Trunk. 1.5 branch will be created when 1.5 will be released (somewhere
in February)
klaus
>
> Thanks
> Luciano
>
> On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
> <miconda at gmail.com> wrote:
>> Hello,
>>
>> thanks Klaus and Victor for details.
>>
>> With kamailio 1.5 this can be solved in another way, pretty easy --
>> allow users to call only from registered devices.
>>
>> Check here the example 2:
>> http://openser.blogspot.com/2008/10/registrar-enhancements.html
>>
>> The condition can be extended so that you match the received(source
>> ip)/contact in invite with the contact in location record.
>>
>> So guys, start testing 1.5, it does have lot of cool new features:
>> http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
>>
>> Cheers,
>> Daniel
>>
>> On 01/15/2009 12:00 PM, Klaus Darilion wrote:
>>> Hi!
>>>
>>> For those who are interested in this attack - I have attached the
>>> relevant slides from my SIP security lectures.
>>>
>>> regards
>>> Klaus
>>>
>>> PS: an exploit based on sipp scenario files is available too on
>>> request (for educational purposes :-)
>>>
>>>
>>>
>>> Klaus Darilion schrieb:
>>>> IIRC to solve this issue completely the UAC should never send
>>>> credentials to unknown parties - only to its SIP proxy (some clients
>>>> have a "force outbound proxy" feature which does the same). Then the
>>>> SIP proxy can remove credentials before forwarding to other parties.
>>>>
>>>> As soon as a client send messages (with credentials) directly to
>>>> other parties there is nothing you can do on the proxy side.
>>>>
>>>> regards
>>>> klaus
>>>>
>>>> Victor Pascual Ávila schrieb:
>>>>> Hi,
>>>>> excuse me if this message is not directly related to Kamailio.
>>>>>
>>>>> I'm just wondering if folks could share with me if (and how) they have
>>>>> prevented the "SIP Digest Access Authentication RELAY" in their
>>>>> networks (and what worked for them or not).
>>>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>>>> to use outbound proxies while others might be reducing the attack
>>>>> incentives by means of message integrity.
>>>>>
>>>>> Any comment would be appreciated,
>>>> _______________________________________________
>>>> Kamailio (OpenSER) - Users mailing list
>>>> Users at lists.kamailio.org
>>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Kamailio (OpenSER) - Users mailing list
>>> Users at lists.kamailio.org
>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>> --
>> Daniel-Constantin Mierla
>> http://www.asipto.com
>>
>>
>> _______________________________________________
>> Kamailio (OpenSER) - Users mailing list
>> Users at lists.kamailio.org
>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
More information about the Users
mailing list