Hello Nick,

You can say that the IP level info may be trusted (as it is provided by the IP layer, which is out of the user's control, so pretty safe).

About the content of the SIP package, without authentication, nothing is to be trusted. Doing digest authentication for SIP requests, you can trust the username+realm of the caller (username in auth hdr, which usually matches the SIP FROM hdr). So that's the only information that you can say is 100% sure.

If you want to have more authenticated information, take a look at SIP Identity support (http://www.opensips.org/html/docs/modules/1.9.x/identity.html), but you also need that support in the clients too.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com


On 04/09/2013 06:43 PM, Nick Khamis wrote:
Hello Everyone,

When performing certain security tasks using script and database queries, we would like to make sure that we are processing the more secure parts of the SIP packet. As you know fu, fd, tu, and td can be manually set by any user, as we do here in the SIP proxy world:

From: "Mike Peer" <sip:[email protected]>;tag=as15bc6a70.
To: <sip:[email protected]>.
Contact: <sip:[email protected]>.

And therefore not the most secure place to look when performing security critical tasks.
(i.e., who is attempting to make/place a call)

Not sure what this part of the SIP packet is called:

U 2013/04/09 11:27:33.449280 69.147.236.82:5060 -> 192.168.2.5:5060

But it seems like a safe place to look since it looks like it's generated on our side. If so, what OpenSIPS variables return

Source: 10.147.23.144:5060 and Destination: 192.168.2.5:5060

Would src_ip and dst_ip be the best place to start? As for dst_ip, it will always be the address of the interface that receives the traffic; however, what about interfaces that are behind a NAT (i.e., public/private IPs)?

Maybe the Via info is safer to process in cases where the caller/callee is going through
a sexy little proxy like OpenSIPS? ;)

Via: SIP/2.0/UDP 10.147.23.144:5060;branch=z9hG4bK5027614e;rport.

Your insights are greatly appreciated,

Nick


_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
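
The trust rule from the reply above (only the digest-authenticated username+realm is reliable, and the From header counts only when it matches it), as an added Python illustration that is not part of the original thread and is not OpenSIPS code. It assumes the simple RFC 2617 digest form without qop; the realm, URIs, nonce, passwords and all function names are constructed for the example.

```python
import hashlib
import hmac
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_request(msg):
    # Returns (method, {lowercased header name: value}) for one SIP request.
    lines = msg.split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0].split()[0], hdrs

def from_user(from_hdr):
    # Drop the quoted display name first: it is free text and may contain a URI.
    bare = re.sub(r'"(?:\\.|[^"\\])*"', "", from_hdr)
    m = re.search(r"sips?:([^@;>\s]+)@", bare)
    return m.group(1) if m else None

def authenticated_caller(msg, passwords, issued_nonce):
    # Returns "user@realm" only if the digest verifies AND From matches it.
    method, hdrs = parse_request(msg)
    auth = {k: v.strip('"') for k, v in
            re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', hdrs.get("proxy-authorization", ""))}
    key = (auth.get("username"), auth.get("realm"))
    if key not in passwords or auth.get("nonce") != issued_nonce:
        return None
    expected = digest_response(*key, passwords[key], issued_nonce, method, auth.get("uri", ""))
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return None
    if from_user(hdrs.get("from", "")) != key[0]:
        return None  # valid credentials, but From claims someone else
    return f"{key[0]}@{key[1]}"

def build_invite(from_hdr_user, auth_user, password, nonce="constructed-nonce"):
    # Constructed sample request; realm, URIs and nonce are made up for the example.
    uri, realm = "sip:bob@example.test", "example.test"
    resp = digest_response(auth_user, realm, password, nonce, "INVITE", uri)
    return (f"INVITE {uri} SIP/2.0\r\n"
            f'From: "Mike Peer" <sip:{from_hdr_user}@{realm}>;tag=1\r\n'
            f'Proxy-Authorization: Digest username="{auth_user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n\r\n')
```

A request whose From user differs from the authenticated username is rejected even though its credentials are valid, which is the case an unauthenticated From check cannot catch.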