[OpenSIPS-Users] Multi-domain and reinvite authentications
bogdan at voice-system.ro
Mon Nov 16 16:28:28 CET 2009
Iñaki Baz Castillo wrote:
> El Martes, 27 de Octubre de 2009, Thomas Gelf escribió:
>> Carlo Dimaggio wrote:
>>> Il giorno 26/ott/09, alle ore 17:27, Iñaki Baz Castillo ha scritto:
>>>> El Lunes, 26 de Octubre de 2009, Carlo Dimaggio escribió:
>>>>> Is there a better implementation?
>>>> Yes, don't ask for authentication for a re-INVITE :)
>>> Is this the right implementation or a workaround? (in Flavio
>>> Goncalves' book I see the authentication of re-invites...)
>>> There could be a security issue without this authentication? (for
>>> example a custom packet with a fake to_tag and a route header?
>> I would also opt for not authenticating them. An attacker needs
>> to figure out Call-ID, from- and to-tag and Route headers. Sure,
>> this is possible if he is able to intercept your SIP traffic, but
>> in that case you probably have many other problems.
> Yes. In case teh attacker intercepts the initial INVITE he would know a nonce
> which could be valid within some minutes, so the attacker could do things
> worse than just ending a dialog or spoofing a re-INVITE.
This is exactly the scenario the "nonce protection" mechanism was added
in 1.4 - once used, a nonce (and response) will not be later accepted by
opensips (even if correct).
>> Doing shall make such attacks "difficult enough", and if someone
>> is able to sniff your SIP traffic and to inject packets (really
>> easy if using UDP), even authenticating ReINVITEs will not help
> What we need is further TLS usage :)
I think if you do proper authentication and some strict dialog checking
(using the dialog module), you can prevent package injection during the
dialogs (even if the dialog info is exposed on network level).
More information about the Users