[OpenSIPS-Devel] [ opensips-Patches-3496382 ] TM: No Retransmissions For 407/401
SourceForge.net
noreply at sourceforge.net
Mon Mar 5 19:27:43 CET 2012
Patches item #3496382, was opened at 2012-03-02 11:59
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086412&aid=3496382&group_id=232389
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: 1.7.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
>Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: TM: No Retransmissions For 407/401
Initial Comment:
Currently if a transaction exists before proxy_challenge() from the auth module is used, then the 407 is sent statefully. At the moment this means that OpenSIPs will send retransmissions of the 407 if no ACK is received.
According to RFC 3261, retransmitting 407s/401s is probably a bad idea:
26.3.2.4 DoS Protection
<snip/>
UAs and proxy servers SHOULD challenge questionable requests with
only a single 401 (Unauthorized) or 407 (Proxy Authentication
Required), forgoing the normal response retransmission algorithm, and
thus behaving statelessly towards unauthenticated requests.
Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
Required) status response amplifies the problem of an attacker
using a falsified header field value (such as Via) to direct
traffic to a third party.
In summary, the mutual authentication of proxy servers through
mechanisms such as TLS significantly reduces the potential for rogue
intermediaries to introduce falsified requests or responses that can
deny service. This commensurately makes it harder for attackers to
make innocent SIP nodes into agents of amplification.
The attached patch checks if the status code is 401 or 407 before starting the retransmissions timer. It's a simple patch against 1.7.1.
Thanks!
- David
----------------------------------------------------------------------
>Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2012-03-05 10:27
Message:
Hi David,
I see your patch addresses only the case when the 407/401 is locally
generated, while allowing retransmissions for the received 407/401 - and as
I read the RFC, this behaviour affects also the UAs and the proxies .
Is my understanding correct ?
Thanks and regards,
Bogdan
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086412&aid=3496382&group_id=232389
More information about the Devel
mailing list