Hi, On 02/19/2015 12:59 PM, Andres wrote:
> We have struggled with this issue ourselves. The problem was that we did not want our SIP server to behave like an open relay. We were seeing that the session-timer Re-Invites have a Request-URI with the IP of the other endpoint instead of the Proxy. If the SIP server is an open relay then no problem, but ours is not, so the config file was very strict and dropped the Re-Invite (since the Request-URI had an external IP), thus dropping the call.
>
> The config file could be enhanced by testing for has_totag(), since the Re-Invite has the totag but an original Invite does not, but the hacker could put a bogus totag and make calls, so it's more secure to leave it this way. We ended up disabling session-timers at some of our clients' PBXs. It's always a balancing act between convenience/services and more security. We chose more security.
From a SIP point of view, this is a strange position to take. An "open relay" is an idea that normally applies to the unrestricted relay of _initial_ requests to foreign domains. Requests flowing within a dialog (i.e. loose-routed) are _supposed_ to have an RURI pointing to the endpoint's domain: this is known as the "remote target" of a dialog, and is set by the Contact URI of both dialog parties.
I suppose it's true that one could compel your proxy to relay a sequential request (like a reinvite) to any domain by including a Route header and a To-tag, but what effect would this have on the far-end UA? It would not match the spoofed request to an existing dialog.
-- Alex

--
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
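The routing pattern the two posts are arguing about, written out as an added example (this is not config from either poster or from the Kamailio project's default file). It keeps the "no open relay" policy where Alex says it belongs, on initial requests, and accepts in-dialog requests with a foreign Request-URI only when the Route header names this proxy and the dialog module confirms the To-tag belongs to a dialog the proxy actually set up, which is the check that closes the "bogus totag" hole Andres describes. The local domain `sip.example.com`, the module set and the reply texts are assumptions.

```kamailio
#!KAMAILIO
# Added example: has_totag()/loose_route() with the dialog module verifying
# the To-tag. Not config from the original thread; domain and modules assumed.

loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "siputils.so"
loadmodule "textops.so"
loadmodule "dialog.so"

modparam("rr", "enable_full_lr", 1)

request_route {
    if (has_totag()) {
        # In-dialog request (re-INVITE, BYE, ACK, ...). Its Request-URI is
        # the far end's Contact (the dialog's remote target), so an external
        # IP there is expected and is not relaying in the open-relay sense.
        if (loose_route()) {
            # The Route header names us, i.e. we Record-Routed the initial
            # INVITE. A spoofed Route + To-tag can still get here, so also
            # require the (Call-ID, from-tag, to-tag) triple to match a
            # dialog we tracked with dlg_manage() below.
            if (!is_known_dlg()) {
                sl_send_reply("481", "Call/Transaction Does Not Exist");
                exit;
            }
            route(RELAY);
            exit;
        }
        if (is_method("ACK")) {
            # ACK for a negative final reply belongs to an existing
            # transaction; anything else with a To-tag and no Route is junk.
            if (t_check_trans()) {
                route(RELAY);
            }
            exit;
        }
        sl_send_reply("404", "Not here");
        exit;
    }

    # Initial request: this is where open-relay policy applies.
    if (is_method("INVITE")) {
        if ($rd != "sip.example.com") {   # assumed local domain
            sl_send_reply("403", "Relaying not allowed");
            exit;
        }
        record_route();   # puts us on the Route set of every later request
        dlg_manage();     # track the dialog so is_known_dlg() can verify it
        route(RELAY);
        exit;
    }

    sl_send_reply("405", "Method Not Allowed");
    exit;
}

route[RELAY] {
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

With this in place, a forged re-INVITE carrying a Route header for the proxy and an invented To-tag is answered 481 at the proxy and is never relayed; a genuine session-timer re-INVITE, whose Request-URI is the other endpoint's Contact, is relayed as the dialog's remote target. Without the dialog module the forged request would still reach the far-end UA, which, as Alex notes, would fail to match it to a dialog and reject it itself, so the practical difference is whether the proxy or the UA absorbs the spoofed traffic.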