fonoster / routr

⚡ The future of programmable SIP servers.
https://routr.io
MIT License

[RESEARCH]: Enhancing ACL effectiveness against spoofing #247

Open psanders opened 10 months ago

psanders commented 10 months ago

Is your feature request related to a problem?

Research and validate methods to enhance ACL's resilience to spoofing

Describe the solution you'd like

NA

Describe alternatives you've considered

None

Additional context

In a Kubernetes environment, Routr faces challenges with ACL due to obfuscated IP addresses. IPs are sourced from SIP headers, which are not immune to spoofing.

psanders commented 2 months ago

As of today, I'm restarting this research. The current approach I'm investigating combines the From, Request-URI, Via, Contact, and Route headers.

The idea is to create an algorithm that examines various headers based on a selected policy. The policy will indicate which header(s) to consider. For example, the following ACL mandates using the Contact header as the primary source of trust:

apiVersion: v2beta1
kind: AccessControlList
ref: acl-01
metadata:
  name: Europe ACL
spec:
  headerLookup:
    - ContactHeader
    - RouteHeader
  accessControlList:
    deny:
      - 0.0.0.0/1
    allow:
      - 192.168.1.3/31
      - 127.0.0.1/8
      - 10.111.221.22/31

Since these headers are crucial for delivering SIP messages, this approach seems to be the most reasonable way to implement this feature.
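Added example (not Routr's code) of the header-lookup evaluation the policy above describes, written here in TypeScript. It assumes IPv4 hosts inside SIP URIs, that the `ContactHeader`/`RouteHeader` names map to the `Contact` and `Route` headers, that `allow` entries override `deny` entries, and default deny when nothing matches; the sample messages are constructed.

```typescript
// Policy mirroring the "Europe ACL" YAML above (headerLookup order, deny, allow).
type Policy = { headerLookup: string[]; deny: string[]; allow: string[] };

const EUROPE_ACL: Policy = {
  headerLookup: ["Contact", "Route"],   // assumed mapping of ContactHeader/RouteHeader
  deny: ["0.0.0.0/1"],
  allow: ["192.168.1.3/31", "127.0.0.1/8", "10.111.221.22/31"],
};

function ipv4ToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True when ip falls inside the CIDR block (e.g. "10.111.221.22/31").
function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr ?? "32");
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Extract the IPv4 host from a SIP URI header such as "<sip:alice@10.111.221.22:5060>".
// Hostnames yield undefined so the lookup moves on to the next configured header.
function hostFromHeader(value: string): string | undefined {
  const m = /sips?:(?:[^@<>\s]*@)?([0-9]{1,3}(?:\.[0-9]{1,3}){3})/.exec(value);
  return m ? m[1] : undefined;
}

// Walk headerLookup in order, take the first header carrying a usable host, and decide.
// "no-source" means none of the configured headers had a host to check (assumption: reject upstream).
function evaluate(policy: Policy, headers: Record<string, string>): "allow" | "deny" | "no-source" {
  for (const name of policy.headerLookup) {
    const raw = headers[name];
    const host = raw !== undefined ? hostFromHeader(raw) : undefined;
    if (host === undefined) continue;
    if (policy.allow.some((c) => inCidr(host, c))) return "allow"; // allow wins (assumption)
    if (policy.deny.some((c) => inCidr(host, c))) return "deny";
    return "deny"; // default deny when no rule matches (assumption)
  }
  return "no-source";
}
```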