[OpenSIPS-Users] Multi-domain and reinvite authentications

Iñaki Baz Castillo ibc at aliax.net
Tue Nov 17 01:43:59 CET 2009


El Lunes, 16 de Noviembre de 2009, Bogdan-Andrei Iancu escribió:
> Hi Iñaki,
> 
> I'm not sure a proxy needs to keep any dialog persistent info in order
> to auth sequential requests - what it needs is a valid FROM uri (which
> does not change during the dialog).
> 
> IMO, a proxy, receiving a requests (initial or sequential) with a FROM
> header pointing to one of the local SIP domains, should perform auth  -
> shortly, if the caller is local subscriber, authenticate him - again,
> only FROM hdr is sufficient.

Hi Bogdan, please let me talk about a *real* example (I issued it) in which 
asking for auth for in-dialog requests is not so easy:


- Alice and Bob with auth users as "alice" and "bob".
- Domain = "domain.org".
- Bob has an alias 200 which becomes "bob" in the proxy.
- Alice calls 200.
- During the call, Bob (which received an initial INVITE with "To: 
sip:200 at domain.org) sends a re-INVITE and keeps the received To as From, so it 
uses "From: sip:200 at domain.org" rather than "From: sip:bob at domain.org".
- The proxy asks for authentication so Bob regenerates the re-INVITE:
    INVITE sip:alice at ip_alice SIP/2.0
    From: sip:200 at domain.org
    WWW-Authorization: Digest username="bob" ...
- So the proxy declines this authentication as the From username "200" is 
different than the credentials username "bob" (check_from() function).

And it's really common this behavior in SIP phones (keeping the received "To" 
as "From" in in-dialog requests).


Regards.


-- 
Iñaki Baz Castillo <ibc at aliax.net>



More information about the Users mailing list