[OpenSIPS-Users] Multi-domain and reinvite authentications

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Nov 16 16:22:14 CET 2009


Hi Iñaki,

I'm not sure a proxy needs to keep any dialog persistent info in order 
to auth sequential requests - what it needs is a valid FROM uri (which 
does not change during the dialog).

IMO, a proxy, receiving a request (initial or sequential) with a FROM 
header pointing to one of the local SIP domains, should perform auth - 
in short, if the caller is a local subscriber, authenticate him - again, 
only the FROM hdr is sufficient.

Regards,
Bogdan

PS: I'm not debating whether a proxy should or should not do auth for 
sequential requests, but only the fact that a proxy does have all the 
necessary info to do it.

Iñaki Baz Castillo wrote:
> On Tuesday, 27 October 2009, Carlo Dimaggio wrote:
>   
>> On 26 Oct 2009, at 17:27, Iñaki Baz Castillo wrote:
>>     
>>> On Monday, 26 October 2009, Carlo Dimaggio wrote:
>>>       
>>>> Is there a better implementation?
>>>>         
>>> Yes, don't ask for authentication for a re-INVITE :)
>>>       
>> Hi Iñaki,
>>
>> Is this the right implementation or a workaround? (in Flavio
>> Goncalves' book I see the authentication of re-invites...)
>> Could there be a security issue without this authentication? (for
>> example a custom packet with a fake to_tag and a route header?)
>>     
>
> Yes, it would be better to require auth also for in-dialog requests, but if 
> a proxy must do it then it is also required to maintain dialog information 
> (which it shouldn't). If not, issues like yours would occur.
>
> Another example is where Alice calls 200, 200 being an alias for Bob. During 
> the call Bob sends a re-INVITE keeping "200" as From username. The proxy asks 
> for authentication so Bob regenerates the re-INVITE:
>
>   INVITE sip:alice@ip_alice SIP/2.0
>   From: sip:200@domain.org
>   WWW-Authorization: Digest username="bob" ...
>
> So the proxy declines this authentication as the From username is different 
> than the credentials username (check_from() function).
>
>
>
>   


-- 
Bogdan-Andrei Iancu
www.voice-system.ro
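
Added example, not part of the original thread and not OpenSIPS code: a small Python model of the decision discussed above, where a proxy authenticates any request whose From domain is local using only the request's own headers, and a check_from()-style comparison rejects the alias case. The domain list, password table, header values and function names are constructed for illustration, and the standard `Proxy-Authorization` header is assumed in place of the header name written in the quoted message.

```python
import hashlib, hmac, re

# Constructed sample data: domains served by this proxy and one subscriber.
LOCAL_DOMAINS = {"domain.org"}
PASSWORDS = {("bob", "domain.org"): "bobpass"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response (no qop), as used by SIP digest auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def from_user_domain(from_value):
    """Extract (user, domain) from a From header value."""
    m = re.search(r"sips?:([^@;>\s]+)@([^;>:\s]+)", from_value)
    if not m:
        raise ValueError("no user@domain URI in From")
    return m.group(1), m.group(2).lower()

def decide(method, headers):
    """Uses only the request's own headers; no dialog state is consulted.
    Nonce freshness checking is left out of this model."""
    user, domain = from_user_domain(headers["From"])
    if domain not in LOCAL_DOMAINS:
        return "relay-unauthenticated"      # caller is not a local subscriber
    p = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("Proxy-Authorization", "")))
    password = PASSWORDS.get((p.get("username"), p.get("realm")))
    if password is None:
        return "challenge"                  # no credentials or unknown user
    expected = digest_response(p["username"], p["realm"], password,
                               method, p.get("uri", ""), p.get("nonce", ""))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return "challenge"
    if p["username"] != user:               # the From-vs-credentials comparison
        return "reject-from-mismatch"
    return "relay-authenticated"

def sample_reinvite(from_user, cred_user="bob", password="bobpass"):
    """Constructed in-dialog re-INVITE (To tag present) with digest credentials."""
    uri, nonce, realm = "sip:alice@192.0.2.10", "constructed-nonce", "domain.org"
    resp = digest_response(cred_user, realm, password, "INVITE", uri, nonce)
    return {"From": f"<sip:{from_user}@domain.org>;tag=a1",
            "To": "<sip:alice@domain.org>;tag=b2",
            "Proxy-Authorization": f'Digest username="{cred_user}", realm="{realm}", '
                                   f'nonce="{nonce}", uri="{uri}", response="{resp}"'}
```

Calling `decide("INVITE", sample_reinvite("200"))` reproduces the alias case from the quoted message: the digest is valid for bob, yet the request is rejected because the From user is 200.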



