
[SFtrack] Commented: (XECS-1925) sipXrelay XML-RPC should be secured


    [ http://track.sipfoundry.org/browse/XECS-1925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_33036 ]

M. Ranganathan commented on XECS-1925:
--------------------------------------


It should be noted that other parts of sipxbridge use IP address restriction. 
For example, sipxbridge restricts inbound requests to originate only from the 
sipx proxy servers by looking at the IP address of the inbound request.  This 
is unavoidable because of the way in which SIP works. This can only be rectified 
by the use of SIP over TLS.  Until that is implemented, the relay XML-RPC can 
also be IP address restricted.  It only ever gets contacted by the sipx proxy 
server or sipxbridge. The addresses of these are known a priori.

My concern is: even today without HTTPS, the XML-RPC HTTP overhead is quite 
significant.  (I am working on reducing the HTTP overhead.)  Adding HTTPS will 
worsen the situation.  The need for HTTPS needs to be carefully evaluated in 
light of possible performance impacts.

> sipXrelay XML-RPC should be secured
> -----------------------------------
>
>                 Key: XECS-1925
>                 URL: http://track.sipfoundry.org/browse/XECS-1925
>             Project: sipXecs
>          Issue Type: Improvement
>          Components: sipXbridge, sipXproxy
>         Environment: 3.11.8
>            Reporter: Robert Joly
>            Assignee: M. Ranganathan
>
> The sipXrelay component is accepting XML-RPC requests over HTTP, which is 
> insecure.  A safer approach would be to use HTTPS and accept connections 
> from authorized hosts only.  That would prevent malicious users from 
> performing DoS on sipXrelay.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://track.sipfoundry.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
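The comment above proposes restricting the relay's XML-RPC endpoint to the proxy and bridge addresses that are known a priori, with TLS as the later step. The following is an added example of that scheme, written for this archive page in Python's standard xmlrpc library; it is not sipXrelay code (sipXecs is Java) and the addresses, the "add" method and the cert/key paths are assumptions. The source check runs before the request body is parsed, so an unauthorized host never reaches the XML-RPC parser, and the TLS helper shows how the same server would be moved to HTTPS once a certificate is available.

```python
"""Added example (not sipXecs code): an XML-RPC endpoint that rejects
requests whose source IP is not on a known-peer allowlist, plus an
optional TLS wrapper. All addresses and paths are assumptions."""
import ipaddress
import ssl
import threading
from xmlrpc.client import ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed allowlist: stand-ins for the proxy/bridge hosts that are known
# a priori. RFC 5737 documentation addresses, not real deployment data.
DEFAULT_PEERS = ("127.0.0.1", "192.0.2.10", "192.0.2.11")


def build_allowlist(addresses):
    """Parse peer address strings once, at startup, into a frozenset."""
    return frozenset(ipaddress.ip_address(a) for a in addresses)


def peer_allowed(peer_ip, allowlist=build_allowlist(DEFAULT_PEERS)):
    """True only if peer_ip is exactly one of the allowed addresses.
    Malformed input is treated as not allowed rather than raising."""
    try:
        return ipaddress.ip_address(peer_ip) in allowlist
    except ValueError:
        return False


class PeerRestrictedHandler(SimpleXMLRPCRequestHandler):
    """Refuse the request before the XML body is parsed, so an unauthorized
    host cannot exercise the XML-RPC parser at all (the DoS angle)."""
    rpc_paths = ("/RPC2",)
    allowlist = build_allowlist(DEFAULT_PEERS)

    def do_POST(self):
        if not peer_allowed(self.client_address[0], self.allowlist):
            # Drain at most 64 KiB of body so the 403 is delivered cleanly,
            # then reject without ever handing the bytes to the XML parser.
            length = int(self.headers.get("Content-Length") or 0)
            self.rfile.read(min(length, 65536))
            self.send_error(403, "source address not authorized")
            return
        super().do_POST()


def make_server(host, port, addresses=DEFAULT_PEERS):
    """Build a server whose handler enforces the given peer allowlist."""
    handler = type("Handler", (PeerRestrictedHandler,),
                   {"allowlist": build_allowlist(addresses)})
    server = SimpleXMLRPCServer((host, port), requestHandler=handler,
                                logRequests=False)
    server.register_function(lambda a, b: a + b, "add")  # hypothetical method
    return server


def wrap_tls(server, certfile, keyfile):
    """Serve the same endpoint over HTTPS. Assumes a PEM cert/key exist;
    the IP check above still applies underneath the TLS layer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    return server


def demo(addresses=DEFAULT_PEERS):
    """Serve one request on an ephemeral loopback port and issue one call.
    Returns ('ok', result) when 127.0.0.1 is allowed, else ('rejected', 403)."""
    server = make_server("127.0.0.1", 0, addresses)
    port = server.server_address[1]
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    try:
        with ServerProxy(f"http://127.0.0.1:{port}/RPC2") as proxy:
            return ("ok", proxy.add(2, 3))
    except ProtocolError as err:
        return ("rejected", err.errcode)
    finally:
        worker.join()
        server.server_close()


if __name__ == "__main__":
    print(demo())                   # ("ok", 5): loopback is on the list
    print(demo(["192.0.2.10"]))     # ("rejected", 403): loopback is not
```

The address check matches exact peers rather than a subnet, since the relay is only ever contacted by a handful of known hosts; it answers the DoS concern in the issue but does not authenticate the peer, which is what TLS (with client certificates) would add on top.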