Hi Eric!

On 11.04.2011 02:09, Eric Hiller wrote:
> As I look and play with loose_route functionality it seems that by
> simply placing a route: proxyip;lr header in my invite I can bypass any
> and all security otherwise built into the configuration.

True!

> Is this the way everyone has it?

Hopefully not!

> I have been unable to find any configuration examples
> online that show how to secure/restrict access to loose_route?

The default configuration of Kamailio 3.1 is safe. (I think the default
configurations of older OpenSER releases were unsafe.)

The basic principle is: allow loose routing only for in-dialog requests
and make sure that the UAS (the node where Kamailio forwards the
request) rejects in-dialog requests to unknown dialogs (if you use
Asterisk make sure to have pedantic=yes).

Thus: Check for the to-tag. This is how you can distinguish out-of-dialog
requests from in-dialog requests. Only if the to-tag is present, call
loose_route(). If the to-tag is not present, then do not call
loose_route() and reject the request or handle it according to the local
routing policies.

regards
Klaus

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
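
The to-tag gate described in the reply above, as an added routing-script sketch that is not part of the original message and not the Kamailio default configuration. It assumes the rr, siputils, sl, tm and textops modules are loaded; the route names WITHINDLG and LOCAL_POLICY are hypothetical.

```kamailio
# Added example. Assumes modules: rr, siputils, sl, tm, textops.

# WEAK (the pattern the thread warns about): loose_route() runs for every
# request, so an initial INVITE with a preloaded "Route: <proxy>;lr" header
# is relayed before any authentication or ACL logic is reached.
#
# route {
#     if (loose_route()) { t_relay(); exit; }
#     route(LOCAL_POLICY);
# }

# HARDENED: loose routing is reachable only when a to-tag is present.
route {
    if (has_totag()) {
        route(WITHINDLG);
        exit;
    }

    # Out-of-dialog request: never loose-route it. Here a preloaded Route
    # header is rejected; stripping it with remove_hf("Route") and
    # continuing is the other option.
    if (is_present_hf("Route")) {
        sl_send_reply("403", "Preloaded Route not allowed");
        exit;
    }

    route(LOCAL_POLICY);
}

route[WITHINDLG] {
    # A to-tag can be set by any sender, so the UAS behind the proxy must
    # still reject requests for dialogs it does not know.
    if (loose_route()) {
        t_relay();
        exit;
    }
    if (is_method("ACK")) {
        # ACK without a usable Route set: relay only if it matches a
        # transaction, otherwise drop it silently.
        if (t_check_trans()) t_relay();
        exit;
    }
    sl_send_reply("404", "Not here");
    exit;
}

route[LOCAL_POLICY] {
    # Placeholder (hypothetical): authentication, ACLs, location lookup.
    sl_send_reply("403", "Forbidden");
    exit;
}
```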