< Previous by Date	Date Index	Next by Date >
< Previous in Thread	Thread Index	Next in Thread >

Re: [reSIProcate] how to drop incoming packets at the socket (transport) layer

From: Alan Hawrylyshen <alan@xxxxxxxxxx>
Date: Fri, 6 Jan 2006 18:31:07 -0700


On Jan 5, 2006, at 09.30, Justin Matthews wrote:

Hi,
In most cases our app is deployed with known endpoints. In thisscenario we
can make our app drop incoming packets from unknown endpoints.  If the
packets can be dropped at the network layer, they are never parsedand our
app is that much more secure against DoS and other attacks.
It is pretty straightforward to modify the Transport/socket relatedcode todo this, but I am looking for a way in which the resip group wouldaccept amore general pre-screening solution at the socket layer. Oneproposal wouldbe to add a screening class when calling SipStack::addTransport.This classwould be able to screen incoming data directly from a socket basedon thetransport. The implementation of the screening is up to the user,in my
case I would check the incoming IP address and allow or disallow the
processing of the packet.

Any thoughts?

What kind of screening? Are you talking about dropping packets (UDP)that originate from an unknown IP address and port?How would you resolve the inherent conflict between this and REGISTER-based mobility? SIP is not designed to have this particularrestriction, and in any event, I don't think there would be benefitin putting this in the application / stack.

Traditionally, we have strongly resisted the addition of features toreSIProcate that are either out-of-scope or out-of-compliance. Sincethis feature could be trivially abused or misused by developers tobreak interoperability and the end-to-end, peer-to-peer nature of SIPitself, I think you might find the group hesitant to support this idea.

Ideology aside; I feel this would be the responsibility of theoperating system or UDP stack itself. By getting the kernel / OS toperform this operation you will save the context switching overheadthat would be required to get the packet into the software in thefirst place. Double win : the software is less complex and thesolution is more efficient. Even though I am responsible for productsthat could benefit from this proposal, I think that this is not afunction that should be in the SIP stack; it's purely a pre-layer 2 /3 issue, not layer 4, 5 or 7.

I believe there would be APIs and interfaces in all modern OSes toconfigure the software firewall to do this for you.


Counter-thoughts?

Alan Hawrylyshen

Follow-Ups:
- RE: [reSIProcate] how to drop incoming packets at the socket (transport) layer
  - From: Justin Matthews

References:
- [reSIProcate] how to drop incoming packets at the socket (transport) layer
  - From: Justin Matthews

Prev by Date: [reSIProcate] Added new make check target & scripts to run tests
Next by Date: RE: [reSIProcate] how to drop incoming packets at the socket (transport) layer
Previous by thread: [reSIProcate] how to drop incoming packets at the socket (transport) layer
Next by thread: RE: [reSIProcate] how to drop incoming packets at the socket (transport) layer
Index(es):
- Date
- Thread