[asterisk-bugs] [JIRA] (ASTERISK-27284) Status of RFC 3323 and PJSIP

dtryba (JIRA) noreply at issues.asterisk.org
Tue Sep 26 06:54:07 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238883#comment-238883 ] 

dtryba commented on ASTERISK-27284:
-----------------------------------

Looking into the RFC 3323/3325 I somehow managed to misread 3325 into thinking it wasn't related to 3323. But https://tools.ietf.org/html/rfc3325#section-9.3 clearly states 

{quote}
This specification adds a new privacy type ("priv-value") to the  Privacy header, defined in https://tools.ietf.org/html/rfc3325#ref-2
{quote}

So the handling of the Privacy header in Asterisk in both chan_sip and pjsip is clearly lacking any support for RFC 3323. Both channel drivers only respect the "id" value of Privacy. Any combination of "id", "header", "session", "user" and "critical" should result in anonymousness. IMHO this means privacy requests are being violated and this should be a critical bug.

Attached is a patch (against 13.14.1) assuming that if the Privacy header isn't exactly "none", privacy is requested for pjsip (tested below, exact patch for trunk) and chan_sip (untested, trunk has an offset for this patch). 

What is missing in this fix is that the Privacy header on the incoming call leg is retained on the outgoing call leg instead of just simply adding "Privacy: id" when privacy is requested (haven't looked at finding out how to do that).

pjsip.conf for all endpoints:
send_pai  = yes
trust_id_inbound = yes
trust_id_outbound = yes
contact_user=unknown

Request:
{quote}
<--- Received SIP request (936 bytes) from UDP:172.16.0.2:5060 --->
INVITE sip:0402938661@10.0.4.217 SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=as7fcb78fa
To: <sip:0402938661@10.0.4.217>
Contact: <sip:anonymous@172.16.0.2:5060>
P-Asserted-Identity: "Example" <sip:0123456789@example.org>
{quote}

Relayed INVITE:
without Privacy header:
{quote}
<--- Transmitting SIP request (1125 bytes) to UDP:109.235.32.45:5060 --->
INVITE sip:0402938661@109.235.32.45;user=phone SIP/2.0
From: "Example" <sip:0123456789@10.0.4.217;user=phone>;tag=a440cfd8-96ef-4959-891a-b557b20cc4db
To: <sip:0402938661@109.235.32.45;user=phone>
Contact: <sip:unknown@10.0.4.217:5060>
P-Asserted-Identity: "Example" <sip:0123456789@10.0.4.217;user=phone>
{quote}

Privacy: none
{quote}
<--- Transmitting SIP request (1124 bytes) to UDP:109.235.32.45:5060 --->
INVITE sip:0402938661@109.235.32.45;user=phone SIP/2.0
From: "Example" <sip:0123456789@10.0.4.217;user=phone>;tag=3ac83cc5-2e44-4765-8731-998811ee2c51
To: <sip:0402938661@109.235.32.45;user=phone>
Contact: <sip:unknown@10.0.4.217:5060>
P-Asserted-Identity: "Example" <sip:0123456789@10.0.4.217;user=phone>
{quote}

Privacy: id
{quote}
<--- Transmitting SIP request (1145 bytes) to UDP:109.235.32.45:5060 --->
INVITE sip:0402938661@109.235.32.45;user=phone SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid;user=phone>;tag=d4bcf587-48ce-4e8f-9f8d-f695ebd6c4a5
To: <sip:0402938661@109.235.32.45;user=phone>
Contact: <sip:unknown@10.0.4.217:5060>
Privacy: id
P-Asserted-Identity: "Example" <sip:0123456789@10.0.4.217;user=phone>
{quote}

Privacy: id;user;critical
{quote}
<--- Transmitting SIP request (1144 bytes) to UDP:109.235.32.45:5060 --->
INVITE sip:0402938661@109.235.32.45;user=phone SIP/2.0
From: "Anonymous" <sip:anonymous@anonymous.invalid;user=phone>;tag=8b27dba7-9734-432b-bab0-179287ae2934
To: <sip:0402938661@109.235.32.45;user=phone>
Contact: <sip:unknown@10.0.4.217:5060>
Privacy: id
P-Asserted-Identity: "Example" <sip:0123456789@10.0.4.217;user=phone>
{quote}

> Status of RFC 3323 and PJSIP
> ----------------------------
>
>                 Key: ASTERISK-27284
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27284
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_caller_id
>    Affects Versions: 13.14.1
>            Reporter: dtryba
>            Assignee: Unassigned
>            Severity: Trivial
>         Attachments: ASTERISK-27284.diff
>
>
> My upstream provider complained that Anonymous calls to our endusers got de-anonymized during transit in our platform. These incoming calls have the headers:
> {quote}
> From: "Anonymous" <sip:anonymous@anonymous.invalid>
> {quote}
> and
> {quote}
> Privacy: id;user;critical
> P-Asserted-Identity: "Example" <sip:0123456789@example.org;user=phone>
> {quote}
> After passing through Asterisk 13.14.x, the Privacy header is removed, PAI is unaffected and From is changed to:
> {quote}
> From: "Example" <sip:0123456789@example.org;user=phone>
> {quote}
> All involved pjsip endpoints have send_pai, trust_id_inbound and trust_id_outbound set to yes.
> This violates RFC 3233:
> {quote}
> Privacy-hdr  =  "Privacy" HCOLON priv-value *(";" priv-value)
>    priv-value   =   "header" / "session" / "user" / "none" / "critical" / token
> {quote}
> Where:
> {quote}
> critical: The user asserts that the privacy services requested for
> this message are critical, and that therefore, if these privacy
> services cannot be provided by the network, this request should be
> rejected.  Criticality cannot be managed appropriately for
> responses.
> {quote}
> But is RFC 3323 still applicable to SIP? 



--
This message was sent by Atlassian JIRA
(v6.2#6252)
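
Added example, not part of the original comment, the attached patch or Asterisk's code: a stand-alone C sketch of the rule the comment argues for (every priv-value other than "none" asks for privacy), beside a simplified model of the exact-"id" check the comment reports. All function and macro names are hypothetical, and the sample values are the ones from the traces above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PRIV_NONE      0x1u /* "none": caller asks for no privacy */
#define PRIV_CRITICAL  0x2u /* "critical": reject if privacy cannot be provided */
#define PRIV_REQUESTED 0x4u /* any priv-value other than "none" */

/* Case-insensitive match of the n-byte token at p against a lowercase name. */
static bool token_is(const char *p, size_t n, const char *name)
{
    if (strlen(name) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != name[i]) return false;
    return true;
}

/* Split a Privacy header value on ';' and classify every priv-value. */
static unsigned privacy_flags(const char *value)
{
    unsigned flags = 0;
    const char *p = value ? value : "";   /* NULL models an absent header */
    while (*p) {
        while (*p == ';' || isspace((unsigned char)*p)) p++;
        const char *tok = p;
        size_t n = strcspn(tok, ";");
        p = tok + n;                      /* now at the next ';' or the end */
        while (n > 0 && isspace((unsigned char)tok[n - 1])) n--;
        if (n == 0) continue;
        if (token_is(tok, n, "none")) { flags |= PRIV_NONE; continue; }
        if (token_is(tok, n, "critical")) flags |= PRIV_CRITICAL;
        flags |= PRIV_REQUESTED;          /* id, header, session, user, critical, other tokens */
    }
    return flags;
}

/* Simplified model of the reported behaviour: only the exact value "id" counts. */
static bool privacy_id_only(const char *v) { return v && token_is(v, strlen(v), "id"); }
/* Rule argued for in the comment: anything other than "none" requests privacy. */
static bool privacy_any_token(const char *v) { return (privacy_flags(v) & PRIV_REQUESTED) != 0; }

int main(void)
{
    const char *v[] = { "none", "id", "id;user;critical" };
    for (size_t i = 0; i < 3; i++)
        printf("%-17s id_only=%d any_token=%d\n", v[i], privacy_id_only(v[i]), privacy_any_token(v[i]));
    return 0;
}
```

The `PRIV_CRITICAL` bit is returned separately so a caller that cannot provide the requested privacy can reject the request instead of relaying it, as the quoted RFC text requires.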