Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RESEARCH]: Enhancing ACL effectiveness against spoofing #247

Open
psanders opened this issue Dec 30, 2023 · 1 comment
Open

[RESEARCH]: Enhancing ACL effectiveness against spoofing #247

psanders opened this issue Dec 30, 2023 · 1 comment

Comments

@psanders
Copy link
Member

Is your feature request related to a problem?

Research and validate methods to enhance ACL's resilience to spoofing

Describe the solution you'd like

NA

Describe alternatives you've considered

None

Additional context

In a Kubernetes environment, Routr faces challenges with ACL due to obfuscated IP addresses. IPs are sourced from SIP headers, which are not immune to spoofing.

@psanders
Copy link
Member Author

As of today, I'm restarting this research. The current approach I'm investigating combines the From, Request-URI, Via, Contact, and Route headers.

The idea is to create an algorithm that examines various headers based on a selected policy. The policy will indicate which header(s) to consider. For example, the following ACL mandates using the Contact header as the primary source of trust:

apiVersion: v2beta1
kind: AccessControlList
ref: acl-01
metadata:
  name: Europe ACL
spec:
  headerLookup:
    - ContactHeader
    - RouteHeader
  accessControlList:
    deny:
      - 0.0.0.0/1
    allow:
      - 192.168.1.3/31
      - 127.0.0.1/8
      - 10.111.221.22/31

Since these headers are crucial for delivering SIP messages, this approach seems to be the most reasonable way to implement this feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant