Open psanders opened 10 months ago
As of today, I'm restarting this research. The current approach I'm investigating combines the From, Request-URI, Via, Contact, and Route headers.
The idea is to create an algorithm that examines various headers based on a selected policy. The policy will indicate which header(s) to consider. For example, the following ACL mandates using the Contact header as the primary source of trust:
apiVersion: v2beta1
kind: AccessControlList
ref: acl-01
metadata:
  name: Europe ACL
spec:
  headerLookup:
    - ContactHeader
    - RouteHeader
  accessControlList:
    deny:
      - 0.0.0.0/1
    allow:
      - 192.168.1.3/31
      - 127.0.0.1/8
      - 10.111.221.22/31
Since these headers are crucial for delivering SIP messages, this approach seems to be the most reasonable way to implement this feature.
Is your feature request related to a problem?
Research and validate methods to enhance ACL's resilience to spoofing
Describe the solution you'd like
NA
Describe alternatives you've considered
None
Additional context
In a Kubernetes environment, Routr faces challenges with ACL due to obfuscated IP addresses. IPs are sourced from SIP headers, which are not immune to spoofing.
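The policy-driven lookup proposed in this issue could be evaluated as in the sketch below. It is an added example, not code from the issue author or from Routr. The types, function names, header-name mapping, and evaluation order (first listed header required, allow overrides deny, fail closed) are assumptions.

```typescript
// Added illustration, not Routr code. Assumed policy semantics: the first
// headerLookup entry is required, later entries are checked when present,
// allow overrides deny, and anything unmatched is rejected (fail closed).
type Acl = { headerLookup: string[]; deny: string[]; allow: string[] };
type Headers = { [name: string]: string | undefined };

// Assumed mapping from policy names to SIP header names.
const HEADER_NAMES: { [policy: string]: string | undefined } = {
  ContactHeader: "Contact", RouteHeader: "Route", ViaHeader: "Via", FromHeader: "From",
};

function ipToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const a = ipToInt(ip), b = ipToInt(cidr.slice(0, slash)), bits = cidr.slice(slash + 1);
  if (slash < 0 || a === null || b === null || !/^\d{1,2}$/.test(bits) || Number(bits) > 32) return false;
  const size = Math.pow(2, 32 - Number(bits)); // block size; avoids 32-bit shift pitfalls
  return Math.floor(a / size) === Math.floor(b / size);
}

// Pulls the IPv4 host out of a SIP URI or Via value. An IP-looking user part
// ("sip:10.0.0.5@host") is skipped because it is followed by "@".
function hostOf(value: string): string | null {
  const m = value.match(/(?:^|[@:\s<])(\d{1,3}(?:\.\d{1,3}){3})(?=[:;>\s,]|$)/);
  return m && m[1] ? m[1] : null;
}

function evaluate(acl: Acl, headers: Headers): { allowed: boolean; reason: string } {
  let primary = true; // true until the first listed header has been checked
  for (const policy of acl.headerLookup) {
    const name = HEADER_NAMES[policy];
    const value = name ? headers[name] : undefined;
    if (value === undefined) {
      if (primary || !name) return { allowed: false, reason: `${policy}: missing` };
      continue; // secondary header absent: nothing to check
    }
    primary = false;
    const ip = hostOf(value);
    if (ip === null) return { allowed: false, reason: `${policy}: no IPv4 host` };
    if (acl.allow.some((c) => inCidr(ip, c))) continue;
    const denied = acl.deny.some((c) => inCidr(ip, c));
    return { allowed: false, reason: `${policy}: ${ip} ${denied ? "denied" : "unmatched"}` };
  }
  return primary ? { allowed: false, reason: "empty policy" } : { allowed: true, reason: "ok" };
}
```

Every value checked here is still supplied by the sender, so this only narrows which headers are trusted; it does not authenticate the source address.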