[Dundi] [RFC] Reliability of contact information
Kevin P. Fleming
kpfleming at starnetworks.us
Thu Dec 9 06:23:40 CST 2004
Mark Spencer wrote:
> Much like the "the ip of the far end is filled in by the next in line",
> this only seems to secure the farthest endpoint. If I am an
> unscrupulous user, I would peer with an entity and then have my evil box
> peer with the one that I'm using, that way as I play with my EID and
> contact info my upstream peer isn't the wiser.

Another thought: isn't this covered by the provisions in the GPA that
say you have to originate calls from the same node you are peering from?
I think this could reasonably be interpreted to say that you can only
originate calls from a node that you can also send queries from, which
would keep you from adding an "evil box" inside your network, since you
cannot _directly_ send queries from that machine (none of your GPA peers
would accept them).

In other words, is it reasonable to enforce a restriction that since you
can only send queries from nodes that you have exchanged RSA keys with
your peers for, that you must only originate calls from those same
peers? That's how I do it in my network: we have multiple Asterisk
servers running IAX on public IPs that _could_ originate calls, but we
don't: our outbound DUNDi calls are all funneled through the same
machine that sends out DUNDi queries.