[sr-dev] why new tcp connection?

Iñaki Baz Castillo ibc at aliax.net
Fri Nov 6 17:41:22 CET 2009


El Viernes, 6 de Noviembre de 2009, Andrei Pelinescu-Onciul escribió:
> On Nov 06, 2009 at 14:39, Iñaki Baz Castillo <ibc at aliax.net> wrote:
> > El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribió:
> > > Hi Juha!
> > >
> > > Personally I do not like the alias approach. IIRC correctly there were
> > > some security issues with aliases (at least some time ago) and ser does
> > > handle aliases a little bit differently than described by IETF to avoid
> > > these issues.
> >
> > Could I know about those security issues? (just a brief description).
> 
> IIRC the original alias draft required to alias also the IP, so for
> example a message from ip: 1.2.3.4 with src_port 1234 and having in via
>  5.6.7.8:5060 would set an alias on the proxy:
>  5.6.7.8:5060->1.2.3.4:1234 which is evidently a security problem (I can
>  use it to redirect someone else's  traffic to me).
> In ser/sr/kamailio the alias will work only for the port, so in the
> above example the alias will be:
> 1.2.3.4:5060->1.2.3.4:1234 and IIRC a message might be logged.

IETF *always* proposes exotic solutions based on user provided information!
Really annoying.

 
> Even using only the port for the alias there can still be problems if
> there are several UACs behind the same NAT that listen on the same port
> (e.g. 5060). All of them would add 5060 in the via and on the proxy
> there would be attempts to set multiple aliases for nat_ip:5060.
> In this case one UAC will also get the requests intended for the others.
> This can also be used on purpose, to intercept the messages of the
> other users behind the same NAT or on the same machine.

I thought that the "alias" behavior was different:

- UA adds "alias" in Via (with no value, just an empty parameter).
- Then the proxy does know that it can reuse the existing connection to route 
new requests to this UA.

I don't understand why the user has to provide address information. Perhaps I 
read another draft XD


Regards.



-- 
Iñaki Baz Castillo <ibc at aliax.net>
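The two alias policies Andrei describes above (the original draft aliasing the full sent-by IP:port from the Via versus ser/sr/kamailio aliasing only the port, keyed on the real source IP) can be modelled with a small proxy-side alias table. The following is an added example written for this archive page; it is not code from SER, SR or Kamailio. The `AliasTable` class, the `Addr`/`SipMessage` types and the scenario functions are constructed for illustration, and the way a conflicting alias is handled (first binding kept, a log line recorded) is an assumption, since the thread only says a message "might be logged".

```python
"""Constructed model of Via-alias handling on a SIP proxy (example code, not SER/Kamailio).

Two policies are compared:
  "draft"     : alias the address the UA *claims* in its Via (sent-by IP:port)
  "port-only" : alias only the Via port, keyed on the *observed* source IP
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Addr:
    ip: str
    port: int

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


@dataclass
class SipMessage:
    src: Addr          # where the packet / connection really came from
    via: Addr          # sent-by address the UA wrote in its top Via
    alias: bool = True # the ";alias" Via parameter is present


@dataclass
class AliasTable:
    policy: str                          # "draft" or "port-only"
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def learn(self, msg: SipMessage):
        """Register an alias for an incoming request; returns the alias key or None."""
        if not msg.alias:
            return None
        if self.policy == "draft":
            # Trusts user-supplied data: whatever IP:port is in the Via.
            key = msg.via
        else:
            # ser/sr/kamailio style: only the port comes from the Via,
            # the IP is the one the proxy actually observed.
            key = Addr(msg.src.ip, msg.via.port)
        if key in self.table and self.table[key] != msg.src:
            # Assumption: keep the first binding and record the conflict.
            self.log.append(f"alias conflict for {key}: {self.table[key]} vs {msg.src}")
            return None
        self.table[key] = msg.src
        return key

    def route(self, dst: Addr) -> Addr:
        """Where the proxy would send a request addressed to dst."""
        return self.table.get(dst, dst)


def hijack_scenario(policy: str) -> str:
    """Andrei's first case: src 1.2.3.4:1234 claims Via 5.6.7.8:5060.

    Returns where traffic for 5.6.7.8:5060 would now be delivered.
    """
    t = AliasTable(policy)
    t.learn(SipMessage(src=Addr("1.2.3.4", 1234), via=Addr("5.6.7.8", 5060)))
    return str(t.route(Addr("5.6.7.8", 5060)))


def shared_nat_scenario():
    """Andrei's second case: two UACs behind NAT 1.2.3.4, both with Via port 5060.

    Returns (destination chosen for nat_ip:5060, conflict log).
    """
    t = AliasTable("port-only")
    t.learn(SipMessage(src=Addr("1.2.3.4", 40001), via=Addr("192.168.0.10", 5060)))
    t.learn(SipMessage(src=Addr("1.2.3.4", 40002), via=Addr("192.168.0.11", 5060)))
    return str(t.route(Addr("1.2.3.4", 5060))), list(t.log)


if __name__ == "__main__":
    print("draft policy     :", hijack_scenario("draft"))      # victim traffic redirected
    print("port-only policy :", hijack_scenario("port-only"))  # unaffected
    dest, log = shared_nat_scenario()
    print("shared NAT       :", dest, log)
```

Under the "draft" policy the single spoofed Via is enough to redirect 5.6.7.8's traffic to 1.2.3.4:1234; under the port-only policy the alias is keyed on the observed IP, so 5.6.7.8 is untouched. The shared-NAT scenario shows the residual problem Andrei mentions: both UACs map to the same key nat_ip:5060, so one of them ends up receiving requests meant for the other (here the first one, with a logged conflict).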


