[asterisk-bugs] [JIRA] (ASTERISK-27284) Status of RFC 3323 and PJSIP

dtryba (JIRA) noreply at issues.asterisk.org
Thu Sep 21 11:17:07 CDT 2017


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27284?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

dtryba updated ASTERISK-27284:
------------------------------

    Description: 
My upstream provider complained that Anonymous calls to our end users got de-anonymized during transit in our platform. These incoming calls have the headers:
{quote}
From: "Anonymous" <sip:anonymous@anonymous.invalid>
{quote}
and
{quote}
Privacy: id;user;critical
P-Asserted-Identity: "Example" <sip:0123456789@example.org;user=phone>
{quote}
After passing through Asterisk 13.14.x, the Privacy header is removed, PAI is unaffected and From is changed to:
{quote}
From: "Example" <sip:0123456789@example.org;user=phone>
{quote}

All involved pjsip endpoints have send_pai, trust_id_inbound and trust_id_outbound set to yes.

This violates RFC 3233:
{quote}
Privacy-hdr  =  "Privacy" HCOLON priv-value *(";" priv-value)
   priv-value   =   "header" / "session" / "user" / "none" / "critical" / token
{quote}

Where:
{quote}
critical: The user asserts that the privacy services requested for
this message are critical, and that therefore, if these privacy
services cannot be provided by the network, this request should be
rejected.  Criticality cannot be managed appropriately for
responses.
{quote}

But is RFC 3323 still applicable to SIP? 

  was:
My upstream provider complained that Anonymous calls to our end users got de-anonymized during transit in our platform. These incoming calls have the headers:
{quote}
From: "Anonymous" <sip:anonymous@anonymous.invalid>
{quote}
and
{quote}
Privacy: id;user;critical
P-Asserted-Identity: "Example" <sip:0123456789@example.org;user=phone>
{quote}
After passing through Asterisk 13.14.x, the Privacy header is removed, PAI is unaffected and From is changed to:
{quote}
From: "Example" <sip:0123456789@example.org;user=phone>
{quote}

All involved pjsip endpoints have send_pai, trust_id_inbound and trust_id_outbound set to yes.

This violates RFC 3233:
{quote}
Privacy-hdr  =  "Privacy" HCOLON priv-value *(";" priv-value)
   priv-value   =   "header" / "session" / "user" / "none" / "critical" / token
{quote}

Where:
{quote}
critical: The user asserts that the privacy services requested for
this message are critical, and that therefore, if these privacy
services cannot be provided by the network, this request should be
rejected.  Criticality cannot be managed appropriately for
responses.
{quote}

But is RFC still applicable to SIP?


> Status of RFC 3323 and PJSIP
> ----------------------------
>
>                 Key: ASTERISK-27284
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27284
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_caller_id
>    Affects Versions: 13.14.1
>            Reporter: dtryba
>            Assignee: Unassigned
>            Severity: Trivial



--
This message was sent by Atlassian JIRA
(v6.2#6252)
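
Added example (not part of the original report and not Asterisk code): a Python check that compares a request's headers before and after it transits a SIP hop and flags the behaviour described in this report. The sample headers are the ones quoted in the report; the function names are illustrative assumptions.

```python
import re

def parse_headers(raw):
    """Return {lowercased-name: value} for a block of SIP header lines."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_privacy(value):
    """Split a Privacy header value into priv-values (empty set if absent)."""
    return {v.strip().lower() for v in (value or "").split(";") if v.strip()}

def uri_of(value):
    """Extract the URI between <...>, dropping URI parameters."""
    m = re.search(r"<([^>;]+)", value or "")
    return m.group(1).lower() if m else ""

def check_transit(inbound_raw, outbound_raw):
    """Compare headers before and after the hop; return a list of findings."""
    inb, out = parse_headers(inbound_raw), parse_headers(outbound_raw)
    requested = parse_privacy(inb.get("privacy"))
    kept = parse_privacy(out.get("privacy"))
    findings = []
    if not requested or requested == {"none"}:
        return findings  # no privacy service was requested
    dropped = requested - kept
    if dropped:
        findings.append("privacy values dropped: " + ";".join(sorted(dropped)))
    pai = uri_of(inb.get("p-asserted-identity"))
    if pai and uri_of(out.get("from")) == pai and uri_of(inb.get("from")) != pai:
        findings.append("From rewritten to asserted identity")
    if "critical" in requested and findings:
        findings.append("critical privacy requested but not provided")
    return findings

# Headers as quoted in the report: before and after the Asterisk hop.
INBOUND = '''From: "Anonymous" <sip:anonymous@anonymous.invalid>
Privacy: id;user;critical
P-Asserted-Identity: "Example" <sip:0123456789@example.org;user=phone>'''
OUTBOUND = '''From: "Example" <sip:0123456789@example.org;user=phone>
P-Asserted-Identity: "Example" <sip:0123456789@example.org;user=phone>'''

if __name__ == "__main__":
    print("\n".join(check_transit(INBOUND, OUTBOUND)))
```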


