[SR-Users] How to uniquely identify SIP WS / WSS endpoint
Muhammad Shahzad
2014-08-22 00:26:08 UTC
Sorry for putting this question on both dev and user mailing lists, as it
is a rather theoretical question and I hope some SIP guru on either mail
list will answer.

For non-WS endpoints which use TCP or UDP for SIP transport, each upstream
request has top most VIA header pointing to the previous hop which
forwarded the request to current hop while each downstream request has top
most VIA header pointing to next hop to which it will be forwarded from
current hop.

But for WS endpoints, the top most VIA has dummy static value, so there is
no way to identify who sent this request or to whom the reply is going to.

Please note that I am not specifically interested in network address of
remote endpoint (though VIA header is supposed to provide it), I only need
to match requests and responses from / to a specific device using SIP v2.0
standard.

Any help is highly appreciated.

Thank you.
Vitaliy Aleksandrov
2014-08-25 10:24:38 UTC
Post by Muhammad Shahzad
Sorry for putting this question on both dev and user mailing lists, as
it is a rather theoretical question and I hope some SIP guru on either
mail list will answer.
For non-WS endpoints which use TCP or UDP for SIP transport, each
upstream request has top most VIA header pointing to the previous hop
which forwarded the request to current hop while each downstream
request has top most VIA header pointing to next hop to which it will
be forwarded from current hop.
But for WS endpoints, the top most VIA has dummy static value, so
there is no way to identify who sent this request or to whom the reply
is going to.
Please note that I am not specifically interested in network address
of remote endpoint (though VIA header is supposed to provide it), I
only need to match requests and responses from / to a specific device
using SIP v2.0 standard.
Any help is highly appreciated.
Thank you.
Can you provide an example of scenario you want to create?
Do you want to understand how transaction and dialog matching works in SIP?
Muhammad Shahzad
2014-08-25 11:42:19 UTC
Not really, the main context of this question is in reference to this
thread,

https://www.mail-archive.com/sr-users-cR8azDVoa3IcDhw6gZKtMWD2FQJk+8+***@public.gmane.org/msg19962.html

A patch to allow network IO intercept in kamailio corex module was added to
trunk as discussed in this thread,

https://www.mail-archive.com/sr-users-cR8azDVoa3IcDhw6gZKtMWD2FQJk+8+***@public.gmane.org/msg20183.html

Currently I am able to compress / decompress entire sip message coming from
or going to remote endpoint in kamailio server. It works fine. Now I want
to try ITV encryption algorithm for this on-wire data.

https://github.com/mshary/itv

For this I need to keep track of remote endpoint. At this low level, I only
have raw data received from or being transmitted to remote UA, without even
the remote socket address, so I have no choice but to look at this raw data
to determine the identity of remote endpoint. For non-WS transport, I can
easily look at topmost VIA and extract network address to use as "unique
identification" of endpoint who sent the data or would receive the data.
However, for WS transport this topmost VIA is useless static constant
string. So VIA checking is pointless (all remote endpoints will or may have
same top most VIA).

So I was thinking if there is another way to do it? I thought of using
GRUU, but it is not always present, especially in SIP replies.

Thank you.
Vitaliy Aleksandrov
2014-08-25 12:23:27 UTC
When kamailio processes a request script writer can check if there is any
Route header or valid R-URI or R-URI alias parameter to determine the
destination. You can check it manually maybe reusing kamailio sip parser.

As you've already said to find a destination where kamailio is going to
send a reply you can parse via header or its "received" and "rport"
parameters. Even when via doesn't have valid destination (ws/wss
transport) it has correct "received" and "rport" parameters which
kamailio adds during a request processing.

"Via" header in INVITE received from WSS client and forwarded to a
destination looks like this:
"Via: SIP/2.0/WSS df7jal23ls0d.invalid;received=1.2.3.4;branch=z9hG4bKTp9lzCApgHsdbRUrFcZ4XTCI49EZbbDf;rport=37213"
Muhammad Shahzad
2014-08-25 13:11:41 UTC
OK, this is interesting. However, I think the received parameter and rport
are added by kamailio, so it can only be checked for outgoing messages,
these will still be unavailable in incoming messages. Is this correct or
they will be available in every incoming message too (except of course
the very first incoming messages)?

Looking at RFC7118, it says the WS VIA header domain part will contain
"random string" followed by ".invalid" to make it a correct domain name.
This may provide some uniqueness, though this random string may not
necessarily be unique as well.

Thank you.
Klaus Darilion
2014-09-02 14:22:04 UTC
Not sure what you are trying to do, but the Via header is for transactions.
It may be different for every transaction. Thus, if you need transaction
matching (requests to responses) then you are fine and should use purely
the branch id.

If you want to match messages from one transaction to messages from
another transaction (e.g. dialog matching or matching multiple dialogs
from the same user) then the Via is probably the wrong choice. Please
also note, that the user can put any data into the Via header and this
may confuse your application if you blindly trust all the data in the
Via header.

For matching dialogs you should use call-id and tags (or use the dialog
module).

For matching requests from a certain user agent: I think there is no
reliable way - GRUU may work if available.

But as you are talking about encryption it is more "peer" related than
user-agent related. I say "peer" as the peer may be another proxy with
several user agents behind. To identify peers you should use the data
from the transport: IP, port, protocol. That should be unique for a
peer. For received messages it should be simple to extract them, for
sending, the data should be available too (e.g. in DURI or some
references to a TCP connection).

regards
Klaus
Muhammad Shahzad
2014-09-03 01:09:16 UTC
Thank you so much for your informative response.

Yes the "peer" may be correct term in this sense as I am trying to identify
"devices" (SIP UAs or Proxy) that are directly connected to Kamailio via
SIP signalling (i.e. there is no other intermediate SIP device [SIP UA or
Proxy] in the middle). That is why top most VIA header looks interesting as
it has peer network address that can be used to identify that peer uniquely
for both incoming and outgoing SIP requests and responses.

However, this works perfectly fine ONLY for TCP, TLS and UDP transports.
For WS and WSS, there is no network address, just some random string, which
is not guaranteed to be unique in peer context.

Anyways for the moment the only workaround I see fit for the situation is
to modify WS client code such that it generates this random string uniquely
(e.g. something like GUID used by Windows OS or UUID generated by libuuid
in Linux).

Any other suggestions are warmly welcome.

Thank you.
Klaus Darilion
2014-09-03 09:48:25 UTC
Post by Muhammad Shahzad
Thank you so much for your informative response.
Yes the "peer" may be correct term in this sense as I am trying to
identify "devices" (SIP UAs or Proxy) that are directly connected to
Kamailio via SIP signalling (i.e. there is no other intermediate SIP
device [SIP UA or Proxy] in the middle). That is why top most VIA header
looks interesting as it has peer network address that can be used to
identify that peer uniquely for both incoming and outgoing SIP requests
and responses.
However, this works perfectly fine ONLY for TCP, TLS and UDP transports.
For WS and WSS, there is no network address, just some random string,
which is not guaranteed to be unique in peer context.
Anyways for the moment the only workaround I see fit for the situation
is to modify WS client code such that it generates this random string
uniquely (e.g. something like GUID used by Windows OS or UUID generated
by libuuid in Linux).
Any other suggestions are warmly welcome.
I disagree. IMO it is a bad choice to rely on the Via header. Your
software should use only data which is generated locally (and thus
trustworthy). The Via header is generated by the peer and may be false
or manipulated, and it does not serve your needs. Thus, instead of
changing clients to add data to the Via header you should look for
another option.

For example, when a client uses outbound and GRUU, Kamailio also has to
map some identifiers to transport connections. Thus, I guess there is
already some code in Kamailio.

Another method, as stated in my previous email, is the IP:port:proto.
But not extracted from the Via header, but extracted from the transport
layer (e.g. $si, $sp, $proto, ....)


regards
Klaus
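
The advice in this thread as an added example (not part of any post and not Kamailio's own code): the branch parameter of the topmost Via is read only to match a transaction, the peer key is built purely from the socket's protocol, address and port that the caller passes in, and a received or rport value already present in an incoming request is checked against that socket. The function names, the addresses and the two sample messages are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy parameter `name` of the topmost Via of a raw SIP message into out.
 * 0 = found, -1 = absent, -2 = too long. Simplified: no folding, no "v:". */
static int via_param(const char *msg, const char *name, char *out, size_t n)
{
    const char *p = msg;
    size_t nlen = strlen(name);
    while ((p = strchr(p, '\n')) && strncasecmp(++p, "Via:", 4) != 0)
        if (*p == '\r' || *p == '\n') return -1;   /* end of headers, no Via */
    if (!p) return -1;
    for (p += 4; *p && !strchr(",\r\n", *p); p++) {   /* first Via value only */
        if (*p != ';' || strncasecmp(p + 1, name, nlen) || p[1 + nlen] != '=')
            continue;
        size_t vlen = strcspn(p + nlen + 2, ";,\r\n");
        if (vlen >= n) return -2;
        memcpy(out, p + nlen + 2, vlen);
        out[vlen] = '\0';
        return 0;
    }
    return -1;
}

/* Peer key from locally observed transport data only (what the Kamailio
 * script exposes as $proto, $si, $sp); nothing peer-supplied goes in. */
static void peer_key(const char *proto, const char *ip, unsigned port,
                     char *out, size_t n)
{
    snprintf(out, n, "%s:%s:%u", proto, ip, port);
}

/* Incoming request: 1 if Via received/rport disagree with the socket. */
static int via_contradicts_socket(const char *msg, const char *ip, unsigned port)
{
    char rcv[64], rp[16], want[16];
    int r = via_param(msg, "received", rcv, sizeof rcv);
    int q = via_param(msg, "rport", rp, sizeof rp);
    snprintf(want, sizeof want, "%u", port);
    return r == -2 || q == -2 || (r == 0 && strcmp(rcv, ip) != 0)
        || (q == 0 && strcmp(rp, want) != 0);
}

/* Constructed samples: two WSS clients with the same placeholder sent-by. */
static const char MSG_A[] = "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/WSS df7jal23ls0d.invalid;branch=z9hG4bKaaa111;rport\r\n\r\n";
static const char MSG_B[] = "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/WSS df7jal23ls0d.invalid;branch=z9hG4bKbbb222"
    ";received=192.0.2.10;rport=40001\r\n\r\n";

int main(void)
{
    char k[96];
    peer_key("wss", "198.51.100.7", 40002, k, sizeof k);
    printf("%s A=%d B=%d\n", k, via_contradicts_socket(MSG_A, "192.0.2.10", 40001),
           via_contradicts_socket(MSG_B, "198.51.100.7", 40002));
    return 0;
}
```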
