[Spce-user] SIP-Response INJECTION

Klaus Peter v. Friedeburg friedeburg at aco.de
Wed Nov 21 07:08:44 EST 2012


Hi Jon,

1. In sems we have disabled whitelisting for headers completely.
2. I have tested changing the IP port for the peering servers to 5070, but it doesn't change anything in this behavior. On BT's side our peer is only configured using UDP.
3. Our session timers for the Gateway BT are disabled, because it seems to me that only one side should control the sessions.

A question about the planned update of sems: Is it possible to update only sems? We have made some customizations in OSS, www-admin and www-csc, so it is difficult to update the whole system.

          Klaus Peter

> -----Original Message-----
> From: Jon Bonilla (Manwe) [mailto:jbonilla at sipwise.com]
> Sent: Wednesday, 21 November 2012 12:36
> To: Klaus Peter v. Friedeburg
> Subject: Re: [Spce-user] SIP-Response INJECTION
> 
> On Wed, 21 Nov 2012 11:00:41 +0100
> "Klaus Peter v. Friedeburg" <friedeburg at aco.de> wrote:
> 
> > Yes, right, it is BT
> >
> 
> Ok. So first, before trying to disable 100rel in the client device or in the
> spce, we'll try this:
> 
> - Make sure that the headers required for the PRACK to work against Siemens Hiq
>   (bt's servers) are present in the sbc profile:
> 
> sems/etc/ngcp.sbcprofile.conf.customtt.tt2
> 
> -header_list=P-D-Uri,P-Preferred-Identity,P-Asserted-Identity,Privacy,Allow,Supported,P-Out-Socket[%
> IF kamailio.proxy.presence.enable == "yes"
> %],Event,Expires,Subscription-State,Accept[% END %]
> +header_list=P-D-Uri,P-Preferred-Identity,P-Asserted-Identity,Privacy,Allow,Supported,P-Out-Socket[%
> IF kamailio.proxy.presence.enable == "yes"
> %],Event,Expires,Subscription-State,Accept[% END %],Require,RAck
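Review bot: the changed header_list line is wrapped across three lines by the mail client, with the break falling inside the `[% IF ... %]` directive, so it cannot be applied mechanically as a patch. Make the edit by hand, keeping header_list on a single line and appending `,Require,RAck` after `[% END %]` as shown, so both headers are listed whether or not presence is enabled.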
> 
> 
> Please check if "Require and RAck" headers are whitelisted or add them as shown
> to the sbc profile.
> 
> 
> Other considerations regarding this Siemens Hiq behaviour and not related to
> the PRACK stuff:
> 
> - Usually port 5060 is TCP with UDP fallback to them. They use 5070 for UDP
>   only and another port for TCP only. I would set the sip trunk to their port
>   5070 to force UDP-only peering.
> 
> - If they start a tcp connection to you (their preferred method) you can have
>   problems if the spce or their server closes the connection because they
>   firewall everything except port 5060 and you can't re-establish the
>   connection. To make sure that the spce does not close the tcp connection add
>   these parameters to the kamailio-lb configuration file:
> 
> kamailio/lb/kamailio.cfg.customtt.tt2
> 
> +tcp_keepalive=yes
> +tcp_crlf_ping=yes
> +tcp_keepcnt=3
> +tcp_keepidle=10
> +tcp_keepintvl=10
> +tcp_connection_lifetime=3610
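Review bot: the keepalive timers (tcp_keepidle=10, tcp_keepintvl=10, tcp_keepcnt=3) are added without any comment, and together they mean that an idle peer which leaves three probes unanswered is dropped by the local side after roughly 40 seconds. A comment stating that, plus one explaining why tcp_connection_lifetime is set to 3610, would keep these values from being changed blindly later.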
> 
>   This won't help you if they close the connection but you will be sure that
>   the spce does not.
> 
> 
> - The session timers for the hiq have a min expires of 1800. If you enable
>   session timers for this gw, make sure you set it at least to 1800 and your
>   ngcp-sems version is up to date (I need to release an updated version with
>   session timer fixes this week, so expect an update soon).
> 
> 
> 
> cheers,
> 
> Jon

