[asterisk-dev] Peer matching in trunk - matching on contact?
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Sep 2 03:11:17 CDT 2009
Olle E. Johansson schrieb:
> After thinking about this a bit more, I now consider it a bug.
>
> The Contact: header includes the UA's view of how other devices should
> reach it. It might be an RFC1918 address or a public address. In some
> cases, it might be the same as the sender's address, but not all the
> time.
>
> The peer matching is based on IP and port of the sender, the device
> that sent the SIP request to Asterisk. Between the UA and the Asterisk
> server, you might have several proxys.
>
> The sender's IP address and the address in the contact are two very
> different things. We should not match peers on the contact, unless
> it's a new feature. If it's a new feature, it requires a new
> configuration option, not type=peer. And matching on Contact does not
> solve the problem described in the code comment. This code breaks the
> current behaviour of type=peer for TCP sessions and causes new issues.
I second that. A "peer" is known to match on IP:port. If matching is
done on Contact-/Request-URI it should have a new type=...
(type=registration?) definition - otherwise it will cause confusion.
regards
klaus
>
> I'm sorry I missed the commit of this code, but it really needs to go
> away and we need to fix the issue - the IP/port matching on TCP
> sessions, with or without TLS.
>
> /O
>
> 1 sep 2009 kl. 13.25 skrev Olle E. Johansson:
>
>> While maintaining a new branch, I found this addition to the code
>> which surprised me a bit.
>>
>> I think matching based on a header in the SIP message really needs a
>> configuration option to be set, since this is highly insecure.
>>
>> Not saying that matching on ip and port numbers is secure, but relying
>> on the contact header for matching seems even more open for problems.
>>
>> And if it's impossible to match on p->recv when there's a TCP session,
>> why do we do that on the line above? Shouldn't that be disabled?
>>
>> We do need to start the campaign for "No more ugly patching, find a
>> new way of matching devices in chan_sip" - let's call it "Codename
>> Chestnut".
>>
>> /Olle
>> --------------------------
>>
>> /* If the peer is still not found, try the address and port from the
>> * contact header. If the transport type is TCP or
>> TLS it is not possible
>> * to find the peer using p->recv. Because of the way
>> TCP works, the received
>> * packet's destination port will not match the one
>> the peer table is
>> * built with. */
>> if (!peer && (p->socket.type != SIP_TRANSPORT_UDP)) {
>> struct sockaddr_in tmpsin;
>> char contact[SIPBUFSIZE];
>> char *tmp;
>> memcpy(&tmpsin, &p->recv, sizeof(tmpsin));
>> ast_copy_string(contact, get_header(req,
>> "Contact"), sizeof(contact));
>> tmp = get_in_brackets(contact);
>> __set_address_from_contact(tmp, &tmpsin, 1);
>> peer = find_peer(NULL, &tmpsin, TRUE,
>> FINDPEERS, FALSE);
>> }
>>
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> AstriCon 2009 - October 13 - 15 Phoenix, Arizona
>> Register Now: http://www.astricon.net
>>
>> asterisk-dev mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
> ---
> * Olle E Johansson - oej at edvina.net
> * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
>
>
>
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> AstriCon 2009 - October 13 - 15 Phoenix, Arizona
> Register Now: http://www.astricon.net
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
More information about the asterisk-dev
mailing list