[RESEARCH]: Enhancing ACL effectiveness against spoofing

[psanders]

Is your feature request related to a problem?

Research and validate methods to enhance ACL's resilience to spoofing

Describe the solution you'd like

NA

Describe alternatives you've considered

None

Additional context

In a Kubernetes environment, Routr faces challenges with ACL due to obfuscated IP addresses. IPs are sourced from SIP headers, which are not immune to spoofing.

[psanders]

As of today, I'm restarting this research. The current approach I'm investigating combines the From, Request-URI, Via, Contact, and Route headers.

The idea is to create an algorithm that examines various headers based on a selected policy. The policy will indicate which header(s) to consider. For example, the following ACL mandates using the Contact header as the primary source of trust:

apiVersion: v2beta1
kind: AccessControlList
ref: acl-01
metadata:
  name: Europe ACL
spec:
  headerLookup:
    - ContactHeader
    - RouteHeader
  accessControlList:
    deny:
      - 0.0.0.0/1
    allow:
      - 192.168.1.3/31
      - 127.0.0.1/8
      - 10.111.221.22/31

Since these headers are crucial for delivering SIP messages, this approach seems to be the most reasonable way to implement this feature.