sip.edu - Re: [sip.edu] Use of DNS SRV for SIP SP** prevention
Subject: SIP in higher education
List archive
- From: Candace Holman <>
- To:
- Subject: Re: [sip.edu] Use of DNS SRV for SIP SP** prevention
- Date: Fri, 21 Jul 2006 16:39:38 -0400
This is great. I think we actually have the start for a cookbook due to Christian's and John's efforts. It would be a shame to have this get lost in the archives.
Dennis - could we do an Internet2 wiki page rather than a cookbook to document the SIP SP** project? I'd like to enter placeholder links to talk about aspects such as the use of various SIP headers and signed values, as well as blacklist integration and Turing tests, tracking other implementation efforts, etc.
Candace
Christian Schlatter wrote:
Candace Holman wrote:
Here is the archived mail that discusses John Todd's idea for use of DNS SRV records for domain-authentication-based SIP spam prevention. The proof of concept Asterisk script is listed at the end of the email. If anyone would like to embellish/optimize the script or apply to SER, please consider posting your efforts back to the SIP.edu mailing list.
https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html
I did a quick test using John's script with OpenSER. It can be very easily integrated:
At the end of the script I added
...
# If you are running Asterisk and want to use this script as an AGI,
# just comment out the first "echo" line below and uncomment the
# Asterisk AGI "SET VARIABLE" line to replace it.
#
echo $match
# echo "SET VARIABLE SRVMATCH $match"
fi
# ---- NEW: return value for OpenSER ----
if [ -n "$match" ]; then
exit 0
else
exit -1
fi
# ---------------------------------------
# end
One can then call the script in the OpenSER config like (assuming that the script is at /opt/checksrv):
...
if (!method=="REGISTER") {
# authenticate requests coming from local endpoints
if (from_uri==myself) {
if (!proxy_authorize("unc.edu", "subscriber")) {
proxy_challenge("unc.edu", "0");
exit;
};
} else {
# does the source IP match one of the From URI domain SRV records
# (only done for SIP requests from foreign domains)
if (!exec_msg("/opt/checksrv -v '$fd' '$si' >> /opt/checksrv.log")){
xlog("L_INFO", "checksrv FAILED\n");
# check failed, e.g. send call to IVR
} else {
xlog("L_INFO", "checksrv PASSED\n");
# from uri domain checked
};
};
};
/opt/checksrv.log includes checksrv's output. This only works with OpenSER > 1.0.1 and only _sip._udp SRV records are checked. For better performance the SRV check should be done in an OpenSER C module.
--
Christian
- Use of DNS SRV for SIP SP** prevention, Candace Holman, 07/20/2006
- CID verification, Duane, 07/20/2006
- Re: [sip.edu] CID verification, Christian Schlatter, 07/20/2006
- Re: [sip.edu] CID verification, Duane, 07/20/2006
- Re: [sip.edu] CID verification, Candace Holman, 07/20/2006
- Re: [sip.edu] CID verification, Duane, 07/20/2006
- Re: [sip.edu] CID verification, Candace Holman, 07/20/2006
- Re: [sip.edu] CID verification, Duane, 07/20/2006
- Re: [sip.edu] CID verification, Christian Schlatter, 07/20/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Christian Schlatter, 07/21/2006
- OpenSER and TLS, Kyle Haenfer, 07/21/2006
- Re: [sip.edu] OpenSER and TLS, Candace Holman, 07/21/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Candace Holman, 07/21/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Dennis Baron, 07/24/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Candace Holman, 07/26/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Ben Teitelbaum, 07/26/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Candace Holman, 07/26/2006
- Re: [sip.edu] Use of DNS SRV for SIP SP** prevention, Dennis Baron, 07/24/2006
- OpenSER and TLS, Kyle Haenfer, 07/21/2006
- CID verification, Duane, 07/20/2006
Archive powered by MHonArc 2.6.16.