Curve ball suggestion: Surely just authenticate all register requests with www-challenge. Hide your gateway and SER behind a firewall so your Gateway cannot be seen from the outside world (from a SIP Signalling perspective), and for PSTN calls from authenticated users do a rewritehost and forward to send the INVITEs on to the PSTN gateway?
Neill....;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juha Heinanen
Sent: 14 December 2007 10:05
To: Iñaki Baz Castillo
Cc: [email protected]
Subject: Re: [OpenSER-Users] Security hole in REGISTER's Contact using domain

Iñaki Baz Castillo writes:

> > 1) buy pstn gws that accept no hostnames (just its own ip address) in
> > the hostpart of r-uri. example, cisco ios with later software
> > releases.
>
> So really isn't there solution just in OpenSer-Registrar side??

this is registrar solution. you use permissions module and don't accept
registrations where ip address in hostpart of contact belongs to your gws.

> > 2) forget the hostpart check all together and instead check the
> > userpart, where you have put something special that the gw then
> > removes.
>
> So you mean for example:
>
> register.deny:
> --------------------
> ALL : "^sip:.*secret_word_.*@"
> ----------------------
>
> And later, in any call to PSTN OpenSer should add:
>
> $ru = "secret_word_" + $ru;

you can use lcr module to add the prefix.

> so the uri arriving to the gw becomes:
>
> sip:[EMAIL PROTECTED]
>
> And the gw should just allow calls from OpenSer with uri username beginning
> with "secret_word_" and it should strip it.

that is correct, but the prefix does not need to be secret, just
something that doesn't normally appear in userparts.

> Is this what you mean? anyway, a little complex, isn't it? XDD

why do you think it is complex? one row in register.deny and one strip
at the gateway.

-- juha

_______________________________________________
Users mailing list
[email protected]
http://lists.openser.org/cgi-bin/mailman/listinfo/users
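
The prefix scheme discussed in this thread, modelled as an added Python example (not code from the thread or from OpenSER) to show how the three checks fit together. The register.deny pattern is the one quoted above; the function names, host names, addresses and numbers are constructed for illustration.

```python
import re

PREFIX = "secret_word_"  # marker from the thread; it does not need to be secret
# Pattern quoted in the thread's register.deny example.
DENY_CONTACT = re.compile(r'^sip:.*secret_word_.*@')


def registrar_accepts(contact_uri):
    """Registrar: refuse a REGISTER whose Contact user part carries the marker."""
    return DENY_CONTACT.search(contact_uri) is None


def proxy_mark_pstn(request_uri):
    """Proxy: prepend the marker to the user part of a call routed to the PSTN."""
    scheme, rest = request_uri.split(":", 1)
    return f"{scheme}:{PREFIX}{rest}"


def gateway_accept(request_uri):
    """Gateway: take only marked user parts and strip the marker.

    Returns the URI to dial, or None when the request is refused.
    """
    scheme, rest = request_uri.split(":", 1)
    user, sep, host = rest.partition("@")
    if scheme != "sip" or not sep or not user.startswith(PREFIX):
        return None
    return f"sip:{user[len(PREFIX):]}@{host}"


if __name__ == "__main__":
    # Constructed sample: a Contact whose host part is a name for the gateway.
    contact = "sip:0034911234567@gw.example.net"
    # A hostname in the Contact passes the registrar, but a call forwarded to
    # that Contact is unmarked, so the gateway refuses it.
    print("plain contact registered:", registrar_accepts(contact))
    print("unmarked request at gateway:", gateway_accept(contact))
    # A Contact that tries to carry the marker itself is rejected at REGISTER.
    forged = "sip:" + PREFIX + "0034911234567@gw.example.net"
    print("marked contact registered:", registrar_accepts(forged))
    # A call the proxy itself routes to the PSTN is marked, then stripped.
    marked = proxy_mark_pstn("sip:0034911234567@192.0.2.10")
    print("proxy-routed call dials:", gateway_accept(marked))
```
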
