
sip.edu - Re: [sip.edu] Use of DNS SRV for SIP SP** prevention

Subject: SIP in higher education

  • From: Candace Holman <>
  • To:
  • Subject: Re: [sip.edu] Use of DNS SRV for SIP SP** prevention
  • Date: Fri, 21 Jul 2006 16:39:38 -0400

This is great. I think we actually have the start for a cookbook due to Christian's and John's efforts. It would be a shame to have this get lost in the archives.

Dennis - could we do an Internet2 wiki page rather than a cookbook to document the SIP SP** project? I'd like to enter placeholder links to talk about aspects such as the use of various SIP headers and signed values, as well as blacklist integration and Turing tests, tracking other implementation efforts, etc.

Candace

Christian Schlatter wrote:
Candace Holman wrote:
Here is the archived mail that discusses John Todd's idea for use of DNS SRV records for domain-authentication-based SIP spam prevention. The proof of concept Asterisk script is listed at the end of the email. If anyone would like to embellish/optimize the script or apply to SER, please consider posting your efforts back to the SIP.edu mailing list.

https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html


I did a quick test using John's script with OpenSER. It can be very easily integrated:

At the end of the script I added

...
# If you are running Asterisk and want to use this script as an AGI,
# just comment out the first "echo" line below and uncomment the
# Asterisk AGI "SET VARIABLE" line to replace it.
#
    echo $match
    # echo "SET VARIABLE SRVMATCH $match"
fi

# ---- NEW: return value for OpenSER ----
if [ -n "$match" ]; then
    exit 0
else
    # non-zero status signals failure; "exit -1" is rejected by POSIX sh
    exit 1
fi
# ---------------------------------------

# end

One can then call the script in the OpenSER config like (assuming that the script is at /opt/checksrv):

...
if (!method=="REGISTER") {
    # authenticate requests coming from local endpoints
    if (from_uri==myself) {
        if (!proxy_authorize("unc.edu", "subscriber")) {
            proxy_challenge("unc.edu", "0");
            exit;
        };
    } else {
        # does the source IP match one of the From URI domain SRV records
        # (only done for SIP requests from foreign domains)
        # $fd = From URI domain (taken from the request), $si = source IP
        if (!exec_msg("/opt/checksrv -v '$fd' '$si' >> /opt/checksrv.log")) {
            xlog("L_INFO", "checksrv FAILED\n");
            # check failed, e.g. send call to IVR
        } else {
            xlog("L_INFO", "checksrv PASSED\n");
            # from uri domain checked
        };
    };
};

/opt/checksrv.log includes checksrv's output. This only works with OpenSER > 1.0.1 and only _sip._udp SRV records are checked. For better performance the SRV check should be done in an OpenSER C module.

--
Christian
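
Added example, not part of the mail thread and not John Todd's script: a sketch of the check described above (is the source IP an address of one of the From domain's _sip._udp SRV targets), with the request-derived domain validated first because it ends up on a shell command line. The resolver functions return constructed data for example.edu, and the names check_srv, valid_domain, valid_ipv4, lookup_srv and lookup_a are hypothetical.

```shell
#!/bin/sh
# Constructed resolver data (reserved example names and addresses). A live
# deployment would replace both functions with `dig +short SRV` / `dig +short A`.
lookup_srv() {    # prints "priority weight port target." lines
    case "$1" in
        _sip._udp.example.edu)
            echo "10 60 5060 sip1.example.edu."
            echo "20 40 5060 sip2.example.edu." ;;
    esac
}
lookup_a() {      # prints one IPv4 address per line
    case "$1" in
        sip1.example.edu) echo "192.0.2.10" ;;
        sip2.example.edu) echo "192.0.2.20"; echo "192.0.2.21" ;;
    esac
}

# The From domain is taken from the SIP request, so accept only hostname
# characters (letters, digits, dot, hyphen) before using it anywhere.
valid_domain() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}
valid_ipv4() {    # dotted-quad shape only
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Status: 0 = source IP is an SRV target, 1 = no match, 2 = rejected input.
check_srv() {
    valid_domain "$1" && valid_ipv4 "$2" || return 2
    lookup_srv "_sip._udp.$1" | (
        while read -r _prio _weight _port target; do
            target=${target%.}                 # drop the trailing root dot
            valid_domain "$target" || continue # DNS answers are untrusted too
            lookup_a "$target" | grep -Fxq "$2" && exit 0
        done
        exit 1
    )
}

if check_srv example.edu 192.0.2.21; then echo "checksrv PASSED"; fi
```

Called from the OpenSER config above, both status 1 and status 2 are non-zero and so take the "checksrv FAILED" branch.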



