| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Nov 2010 09:59:35 +0100 From: Eric Dumazet <eric.dumazet@...il.com> To: Kevin Cernekee <cernekee@...il.com> Cc: Patrick McHardy <kaber@...sh.net>, "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, "Pekka Savola (ipv6)" <pekkas@...core.fi>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org, coreteam@...filter.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH/RFC] netfilter: nf_conntrack_sip: Handle quirky Cisco phones Le dimanche 14 novembre 2010 à 00:32 -0800, Kevin Cernekee a écrit : > Most SIP devices use a source port of 5060/udp on SIP requests, so the > response automatically comes back to port 5060: > > phone_ip:5060 -> proxy_ip:5060 REGISTER > proxy_ip:5060 -> phone_ip:5060 100 Trying > > The newer Cisco IP phones, however, use a randomly chosen high source > port for the SIP request but expect the response on port 5060: > > phone_ip:49173 -> proxy_ip:5060 REGISTER > proxy_ip:5060 -> phone_ip:5060 100 Trying > > Standard Linux NAT, with or without nf_nat_sip, will send the reply back > to port 49173, not 5060: > > phone_ip:49173 -> proxy_ip:5060 REGISTER > proxy_ip:5060 -> phone_ip:49173 100 Trying > > But the phone is not listening on 49173, so it will never see the reply. > > This issue was seen on a Cisco CP-7965G, firmware 8-5(3). It appears > to be a well-known problem on 7941 and newer: > > http://www.voip-info.org/wiki/view/Standalone+Cisco+7941%252F7961+without+a+local+PBX > > Search for "Connecting to the outside world" > > I contacted Cisco support and they were not amenable to changing the > behavior. It appears to be RFC3261-compliant, as the "Sent-by port" > field in the request specifies 5060: > There is a difference between being RFC compliant, and being usable. Most SIP sotfwares I know will break with such a stupid CISCO behavior. > 18.2.2 Sending Responses > > The server transport uses the value of the top Via header field in > order to determine where to send a response. It MUST follow the > following process: > > ... > > o Otherwise (for unreliable unicast transports), if the top Via > has a "received" parameter, the response MUST be sent to the > address in the "received" parameter, using the port indicated > in the "sent-by" value, or using port 5060 if none is specified > explicitly. If this fails, for example, elicits an ICMP "port > unreachable" response, the procedures of Section 5 of [4] > SHOULD be used to determine where to send the response. > > This patch modifies nf_*_sip to work around this quirk, by rewriting > the response port to 5060 when the following conditions are met: > > - User-Agent starts with "Cisco" > > - Incoming TTL was exactly 64 (meaning that our system is the phone's > local router, not an intermediate router) > This seems a hack to me, sorry. How many different vendors will switch to "Cisco" broken way, and we have to patch over and over ? I would like to get an exact SIP exchange to make sure their is not another way to handle this without adding a "Cisco" string somewhere... Please provide a pcap or tcpdump -A Thanks -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists