[OpenSIPS-Users] Addressing Increased Security
Bogdan-Andrei Iancu
bogdan at opensips.org
Wed Apr 10 10:48:57 CEST 2013
Nick,
yes, it is true -> use $si and $sp to see the source IP and port (see
http://www.opensips.org/Resources/DocsCoreVar19#toc80).
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 04/09/2013 09:19 PM, Nick Khamis wrote:
> On Tue, Apr 9, 2013 at 1:28 PM, Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
> Hello Nick,
>
> You can say that the IP level info may be trusted (as it is
> provided by the IP layer, which is out of the user's control, so pretty safe).
>
> About the content of the SIP package, without authentication,
> nothing is to be trusted. Doing digest authentication for SIP
> requests, you can trust the username+realm of the caller (username
> in auth hdr which usually matches the SIP FROM hdr). So that's the
> only information that you can say for 100% it is sure.
>
> If you want to have more authenticated, take a look at SIP
> Identity support
> (http://www.opensips.org/html/docs/modules/1.9.x/identity.html),
> but you also need that support in the clients too.
>
> Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
>
> On 04/09/2013 06:43 PM, Nick Khamis wrote:
>> Hello Everyone,
>>
>> When performing certain security tasks using script and database
>> queries, we would like
>> to make sure that we are processing the more secure parts of the
>> SIP packet. As you know
>> fu, fd, tu, and td can be manually set by any user, as we do here
>> in the SIP proxy world:
>>
>> From: "Mike Peer" <sip:5148390676@10.147.23.144>;tag=as15bc6a70.
>> To: <sip:1000@sip.example.com>.
>> Contact: <sip:5148392007@10.147.23.144>.
>>
>> And therefore not the most secure place to look when performing
>> security critical tasks.
>> (i.e., who is attempting to make/place a call)
>>
>> Not sure what this part of the SIP packet is called:
>>
>> U 2013/04/09 11:27:33.449280 69.147.236.82:5060 -> 192.168.2.5:5060
>>
>> But it seems like a safe place to look since it looks like it's
>> generated on our side. If so, what OpenSIPS variables return
>>
>> Source: 10.147.23.144:5060 and
>> Destination: 192.168.2.5:5060
>>
>> Would src_ip and dst_ip be the best place to start? As for dst_ip,
>> it will always be the address
>> of the interface that receives the traffic; however, what about
>> interfaces that are behind a NAT (i.e., public/private IPs)?
>>
>> Maybe the Via info is safer to process in cases where the
>> caller/callee is going through
>> a sexy little proxy like OpenSIPS? ;)
>>
>> Via: SIP/2.0/UDP 10.147.23.144:5060;branch=z9hG4bK5027614e;rport.
>>
>> Your Insights are greatly appreciated,
>>
>> Nick
>>
>>
>
>
> Hello Bogdan,
>
> I hope all is well, and thank you for your response :). We are
> interested in the IP level info. I am assuming that info is this stuff
> here:
>
> U 2013/04/09 11:27:33.449280 69.147.236.82:5060 -> 192.168.2.5:5060
>
> If so, what variables (avp...) do we have at our disposal for this
> info? Is it src_ip and dst_ip? Is there anything else?
>
> N.
>
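
The distinction discussed in this thread, as an added example that is not part of the original messages and is not OpenSIPS code: it parses an ngrep-style capture and compares the transport-layer source (the values $si and $sp expose) with the hosts the sender wrote into Via, From and Contact. The function name audit, the INVITE request line and the capture assembled from the addresses quoted above are constructed for illustration.

```python
import re

# Constructed capture, assembled from the values quoted in the thread: one
# transport line written by the capturing host, then sender-written headers.
# The request line is constructed; ngrep prints CRLF as a trailing ".".
CAPTURE = """\
U 2013/04/09 11:27:33.449280 69.147.236.82:5060 -> 192.168.2.5:5060
INVITE sip:1000@sip.example.com SIP/2.0.
Via: SIP/2.0/UDP 10.147.23.144:5060;branch=z9hG4bK5027614e;rport.
From: "Mike Peer" <sip:5148390676@10.147.23.144>;tag=as15bc6a70.
To: <sip:1000@sip.example.com>.
Contact: <sip:5148392007@10.147.23.144>.
"""

TRANSPORT = re.compile(r"^[UT] \S+ \S+ (\S+):(\d+) -> (\S+):(\d+)$")
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")
URI_HOST = re.compile(r"<sips?:(?:[^@>]*@)?([^;:>]+)")
# Headers whose host part is chosen by the sender, not observed by us.
SELF_ASSERTED = {"via": VIA_HOST, "from": URI_HOST, "contact": URI_HOST}


def audit(capture):
    """Compare the observed source address with the hosts claimed in headers."""
    lines = capture.strip().splitlines()
    m = TRANSPORT.match(lines[0])
    if not m:
        raise ValueError("first line is not an ngrep transport line")
    source = (m.group(1), int(m.group(2)))  # what $si and $sp expose
    claims = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        pattern = SELF_ASSERTED.get(key)
        found = pattern.search(value) if pattern else None
        if found and key not in claims:  # keep only the topmost Via
            claims[key] = found.group(1)
    mismatch = sorted(h for h, host in claims.items() if host != source[0])
    return {"source": source, "claims": claims, "mismatch": mismatch}


if __name__ == "__main__":
    result = audit(CAPTURE)
    print("transport source:", result["source"])
    for header in result["mismatch"]:
        print(f"{header} claims {result['claims'][header]} (sender-written)")
```

A mismatch is not by itself a sign of forgery, since a caller behind NAT produces one too; it only shows which values came from the sender rather than from the receiving host.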