[asterisk-dev] bypass "contactdeny" option with nat=yes

Klaus Darilion klaus.mailinglists at pernau.at
Tue May 11 04:18:20 CDT 2010



Am 04.05.2010 21:49, schrieb Olle E. Johansson:
>
> 4 maj 2010 kl. 21.25 skrev Klaus Darilion:
>
>> Hi!
>>
>> As suggested by the bugtracker manager I post this issue on the mailing
>> list: https://issues.asterisk.org/view.php?id=17276
>>
>> The contactdeny option in sip.conf can be used to prevent that a user
>> registers certain contact IPs. Therefore, the Contact URI is verified.
>>
>> But in case of "nat=yes", the contact URI is not even used for routing,
>> thus it does not make sense to screen the contact URI. IMO it does not
>> even make sense, but it is a bug because if the malicious user sends the
>> requests from a denied IP address (e.g. using src-ip-spoofing) it is
>> possible to bypass this security option.
>>
>> The solution is rather easy - in case of nat=yes the rcvd-address should
>> be screened instead of the Contact URI.
>
> I agree. Contactdeny should be used for what we SAVE in the registry,
> not only what we receive from the devices.

Olle, do you know if peer matching might be affected too? How does 
Asterisk match incoming INVITE if type=peer:

   (source IP:port or contact IP:port) of REGISTER ==
              (source IP:port or contact IP:port) of INVITE  ???

regards
Klaus



More information about the asterisk-dev mailing list