[jitsi-dev] SIP Via/Contact headers have wrong IP address on multhomed Mac


#1

I just upgraded from old Jitsi 2.4 to Jitsi 2.6 on a MacOS 10.8
system. It's multihomed, generally with two relevant interfaces:

   10.x.x.x -- my default route
   192.168.x.x -- interface that I use to connect to
    my SIP proxy, which is also on 192.168.x.x
   
With 2.6, I can no longer connect to my SIP proxy.

Looking at Wireshark traces, it seems pretty obvious what's going
wrong. Instead of using the 192.168.x.x IP address in the SIP Via/
Contact headers, it uses the 10.x.x.x IP. The SIP proxy tries to
talk back to an address it can't reach, and things break. Here's
the relevant snippet from the SIP REGISTER:

        Via: SIP/2.0/UDP 10.15.1.12:5060;branch=z9hG4bK-363434-1cca539def6ea5efee291fa779dff38e
            Sent-by Address: 10.15.1.12
        Contact: "MJO" <sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com>;expires=600
            Contact URI: sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com
                Contact URI Host Part: 10.15.1.12

I don't know of any way to hardcode that within Jitsi, nor should I
really have to. Leaking IP addresses that have nothing to do with the
connection is a minor security issue (as well as totally breaking my
SIP service :frowning: ).

I tried to use the mailing list search in the hopes of finding this,
but it doesn't seem to work very well for me. The swish-e Title/Body
mailing list search doesn't give results.

Thanks,
-Mike


--
Michael J. O'Connor mjo@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"When a measure becomes a target, it ceases to be a good measure." -Strathern


#2

Hey Mike,


On 2.02.15 3:42, Mike O'Connor wrote:

> I just upgraded from old Jitsi 2.4 to Jitsi 2.6 on a MacOS 10.8
> system. It's multihomed, generally with two relevant interfaces:
>
>    10.x.x.x -- my default route
>    192.168.x.x -- interface that I use to connect to
>     my SIP proxy, which is also on 192.168.x.x
>
> With 2.6, I can no longer connect to my SIP proxy.
>
> Looking at Wireshark traces, it seems pretty obvious what's going
> wrong. Instead of using the 192.168.x.x IP address in the SIP Via/
> Contact headers, it uses the 10.x.x.x IP. The SIP proxy tries to
> talk back to an address it can't reach, and things break. Here's
> the relevant snippet from the SIP REGISTER:
>
>          Via: SIP/2.0/UDP 10.15.1.12:5060;branch=z9hG4bK-363434-1cca539def6ea5efee291fa779dff38e
>              Sent-by Address: 10.15.1.12
>          Contact: "MJO" <sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com>;expires=600
>              Contact URI: sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com
>                  Contact URI Host Part: 10.15.1.12
>
> I don't know of any way to hardcode that within Jitsi, nor should I
> really have to. Leaking IP addresses that have nothing to do with the
> connection is a minor security issue (as well as totally breaking my
> SIP service :frowning: ).
>
> I tried to use the mailing list search in the hopes of finding this,
> but it doesn't seem to work very well for me. The swish-e Title/Body
> mailing list search doesn't give results.

Via and Contact addresses are rarely used by SIP proxies because they break NAT traversal. Most modern SIP proxies would just use the source address for the datagram or TCP connection that they are responding to.

Is this proxy under your control? Have you been able to confirm that addressing is indeed the cause of the problem or is this an assumption?

Emil

--
https://jitsi.org


#3

> I just upgraded from old Jitsi 2.4 to Jitsi 2.6 on a MacOS 10.8
> system. It's multihomed, generally with two relevant interfaces:
>
>    10.x.x.x -- my default route
>    192.168.x.x -- interface that I use to connect to
>     my SIP proxy, which is also on 192.168.x.x
>
> With 2.6, I can no longer connect to my SIP proxy.
>
> Looking at Wireshark traces, it seems pretty obvious what's going
> wrong. Instead of using the 192.168.x.x IP address in the SIP Via/
> Contact headers, it uses the 10.x.x.x IP. The SIP proxy tries to
> talk back to an address it can't reach, and things break. Here's
> the relevant snippet from the SIP REGISTER:
>
>         Via: SIP/2.0/UDP 10.15.1.12:5060;branch=z9hG4bK-363434-1cca539def6ea5efee291fa779dff38e
>             Sent-by Address: 10.15.1.12
>         Contact: "MJO" <sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com>;expires=600
>             Contact URI: sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com
>                 Contact URI Host Part: 10.15.1.12
>
> I don't know of any way to hardcode that within Jitsi, nor should I
> really have to. Leaking IP addresses that have nothing to do with the
> connection is a minor security issue (as well as totally breaking my
> SIP service :frowning: ).

We're asking the OS to give us the source IP for the one we will connect to.
I'm not aware of any changes related to that code. Given that you can
apparently reach the 192.168.x network through your 10.x network, I'm not sure if
this really is a failure.

> I tried to use the mailing list search in the hopes of finding this,
> but it doesn't seem to work very well for me. The swish-e Title/Body
> mailing list search doesn't give results.

There's likely no result because we haven't heard of such a problem before.

> Thanks,
> -Mike

Ingo
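As an added example (my own code, not Jitsi's and not from this thread), a small Python check for the condition Mike observed: it asks the OS which local address it would use to reach the proxy, the way Ingo describes Jitsi doing, and flags Via/Contact host parts that advertise a different interface. The sample REGISTER, the proxy name and the 192.168.1.20 address are constructed; `source_ip_for` is my approximation, not the Jitsi routine.

```python
import re
import socket

# Constructed sample REGISTER, modelled on the Wireshark snippet in this thread
# (request line and To header are made up; the proxy name is a placeholder).
SAMPLE_REGISTER = (
    "REGISTER sip:proxy.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.15.1.12:5060;branch=z9hG4bK-363434-1cca539def6ea5efee291fa779dff38e\r\n"
    "Contact: \"MJO\" <sip:mjo@10.15.1.12:5060;transport=udp>;expires=600\r\n"
    "To: <sip:mjo@proxy.example.invalid>\r\n"
    "\r\n"
)

# Host part of the Via sent-by ("SIP/2.0/UDP host:port;...") and of the
# Contact URI ("<sip:user@host:port;...>"). IPv4 literals and hostnames only;
# bracketed IPv6 literals and folded headers are not handled by these patterns.
VIA_HOST = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+)", re.M | re.I)
CONTACT_HOST = re.compile(r"^Contact:.*?sip:(?:[^@;>\s]*@)?([^:;>\s]+)", re.M | re.I)


def source_ip_for(proxy_host, proxy_port=5060):
    """Ask the OS which local address it would use to reach the proxy.

    connect() on a UDP socket sends nothing; it only performs the route
    lookup, so getsockname() then reports the interface the kernel chose.
    This is an approximation of what Ingo describes, not Jitsi's own code.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((proxy_host, proxy_port))
        return s.getsockname()[0]


def sent_by_hosts(message):
    """Return {'Via': host, 'Contact': host} as advertised in a SIP message."""
    hosts = {}
    for name, pattern in (("Via", VIA_HOST), ("Contact", CONTACT_HOST)):
        m = pattern.search(message)
        if m:
            hosts[name] = m.group(1)
    return hosts


def check_advertised_addresses(message, expected_ip):
    """Names of headers whose host differs from the interface used for the proxy."""
    return [name for name, host in sent_by_hosts(message).items() if host != expected_ip]


if __name__ == "__main__":
    # Offline check: pretend the route to the proxy leaves via 192.168.1.20.
    print("headers advertising another address:",
          check_advertised_addresses(SAMPLE_REGISTER, "192.168.1.20"))
```

Against a live message, pass `source_ip_for(proxy_host)` as `expected_ip`; a non-empty result means the message advertises an interface the proxy may not be able to reach.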


#4

:Hey Mike,
:
:On 2.02.15 3:42, Mike O'Connor wrote:
:>I just upgraded from old Jitsi 2.4 to Jitsi 2.6 on a MacOS 10.8
:>system. It's multihomed, generally with two relevant interfaces:
:>
:> 10.x.x.x -- my default route
:> 192.168.x.x -- interface that I use to connect to
:> my SIP proxy. which is also on 192.168.x.x
:>
:>With 2.6, I can no longer connect to my SIP proxy.
:>
:>Looking at Wireshark traces, it seems pretty obvious what's going
:>wrong. Instead of using the 192.168.x.x IP address in the SIP Via/
:>Contact headers, it uses the 10.x.x.x IP. The SIP proxy tries to
:>talk back to an address it can't reach, and things break. Here's
:>the relevant snippet from the SIP REGISTER:
:>
:> Via: SIP/2.0/UDP
:> 10.15.1.12:5060;branch=z9hG4bK-363434-1cca539def6ea5efee291fa779dff38e
:> Sent-by Address: 10.15.1.12
:> Contact: "MJO"
:> <sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com>;expires=600
:> Contact URI:
:> sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com
:> Contact URI Host Part: 10.15.1.12
:>
:>
:>I don't know of any way to hardcode that within Jitsi, nor should I
:>really have to. Leaking IP addresses that have nothing to do with the
:>connection is a minor security issue (as well as totally breaking my
:>SIP service :frowning: ).
:>
:>I tried to use the mailing list search in the hopes of finding this,
:>but it don't seem to work very well for me. The swish-e Title/Body
:>mailing list search doesn't give results.
:
:Via and Contact addresses are rarely used by SIP proxies because they
:break NAT traversal. Most modern SIP proxies would just use the source
:address for the datagram or TCP connection that they are responding to.

The proxy is siproxd, which hasn't been touched for years (either
in its community or on the server it runs on). This all just worked
before upgrading to current Jitsi. With the old Jitsi I had been using
(2.2.4603) and am using again as a workaround, the Via and Connect
headers are being emitted with the proper IP by Jitsi.

:Is this proxy under your control?

I have some measure of control over the proxy, but it runs on an old
platform and I'm not the only user (just the only user using Jitsi).

:Have you been able to confirm that
:addressing is indeed the cause of the problem or is this an assumption?

Yes. I see the proxy sending REGISTER events to the right 192.168 IP,
then attempting to reply back to 10.5.1.12 (in the above example) which
isn't on that network. If I believe Wireshark's protocol debugging,
Via and Connect are the only places where that wrong IP is exposed to
the SIP proxy and beyond.

Just the fact that Jitsi's emitting stuff with other IPs of the system
could be construed as a low-level security issue/information leak --
CVEs have been issued for less. :wink:

Make sense?
-Mike


--
Michael J. O'Connor mjo@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"No reward is worth this." -Han Solo


#5

Could be related to the change of the JVM version, although I do not know how exactly. See http://lists.jitsi.org/pipermail/dev/2014-November/022689.html

Boris


On 04/02/15 11:21, Ingo Bauersachs wrote:

>> I just upgraded from old Jitsi 2.4 to Jitsi 2.6 on a MacOS 10.8
>> system. It's multihomed, generally with two relevant interfaces:
>>
>>    10.x.x.x -- my default route
>>    192.168.x.x -- interface that I use to connect to
>>     my SIP proxy, which is also on 192.168.x.x
>>
>> With 2.6, I can no longer connect to my SIP proxy.
>>
>> Looking at Wireshark traces, it seems pretty obvious what's going
>> wrong. Instead of using the 192.168.x.x IP address in the SIP Via/
>> Contact headers, it uses the 10.x.x.x IP. The SIP proxy tries to
>> talk back to an address it can't reach, and things break. Here's
>> the relevant snippet from the SIP REGISTER:
>>
>>          Via: SIP/2.0/UDP 10.15.1.12:5060;branch=z9hG4bK-363434-1cca539def6ea5efee291fa779dff38e
>>              Sent-by Address: 10.15.1.12
>>          Contact: "MJO" <sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com>;expires=600
>>              Contact URI: sip:mjo@10.15.1.12:5060;transport=udp;registering_acc=switchvox-1_XXXXXXXX_com
>>                  Contact URI Host Part: 10.15.1.12
>>
>> I don't know of any way to hardcode that within Jitsi, nor should I
>> really have to. Leaking IP addresses that have nothing to do with the
>> connection is a minor security issue (as well as totally breaking my
>> SIP service :frowning: ).
>
> We're asking the OS to give us the source IP for the one we will connect to.
> I'm not aware of any changes related to that code. Given that you can
> apparently reach the 192.168.x network through your 10.x network, I'm not sure if
> this really is a failure.