[OpenSIPS-Users] Multi-domain and reinvite authentications

Iñaki Baz Castillo ibc at aliax.net
Tue Oct 27 09:35:33 CET 2009


On Tuesday, 27 October 2009, Carlo Dimaggio wrote:
> On 26/Oct/09, at 17:27, Iñaki Baz Castillo wrote:
> > On Monday, 26 October 2009, Carlo Dimaggio wrote:
> >> Is there a better implementation?
> >
> > Yes, don't ask for authentication for a re-INVITE :)
> 
> Hi Iñaki,
> 
> Is this the right implementation or a workaround? (in Flavio
> Goncalves' book I see the authentication of re-invites...)
> There could be a security issue without this authentication? (for
> example a custom packet with a fake to_tag and a route header?

Yes, it would be better to require auth also for in-dialog requests, but if 
a proxy must do it then it is also required to maintain dialog information (which 
it shouldn't). If not, issues like yours would occur.

Another example is where Alice calls 200, 200 being an alias for Bob. During the 
call Bob sends a re-INVITE, keeping "200" as the From username. The proxy asks 
for authentication so Bob regenerates the re-INVITE:

  INVITE sip:alice at ip_alice SIP/2.0
  From: sip:200 at domain.org
  WWW-Authorization: Digest username="bob" ...

So the proxy declines this authentication as the From username is different 
than the credentials username (check_from() function).



-- 
Iñaki Baz Castillo <ibc at aliax.net>
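
The mismatch described in the message above, as an added example (not part of the original post and not OpenSIPS code): a Python model of the From-versus-credentials comparison, run over two constructed messages. The function names, the Proxy-Authorization header name and the addresses are assumptions.

```python
import re

def parse_headers(message: str) -> dict:
    """Map lower-cased header names to values (first occurrence wins)."""
    headers = {}
    for line in message.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                            # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def from_username(headers: dict):
    m = re.search(r"sips?:([^@;>\s]+)@", headers.get("from", ""))
    return m.group(1) if m else None

def digest_username(headers: dict):
    creds = headers.get("proxy-authorization") or headers.get("authorization", "")
    m = re.search(r'\busername="([^"]*)"', creds)
    return m.group(1) if m else None

def has_to_tag(headers: dict) -> bool:
    """A tag parameter on To marks the request as in-dialog (a re-INVITE)."""
    params = headers.get("to", "").rpartition(">")[2]
    return re.search(r";\s*tag=", params) is not None

def from_matches_credentials(headers: dict) -> bool:
    """Model of the comparison the post attributes to check_from()."""
    user = digest_username(headers)
    return user is not None and user == from_username(headers)

# Constructed messages (assumed header name and addresses, "@" written out).
INITIAL = ("INVITE sip:200@domain.org SIP/2.0\r\n"
           "From: <sip:alice@domain.org>;tag=a1\r\n"
           "To: <sip:200@domain.org>\r\n"
           'Proxy-Authorization: Digest username="alice", realm="domain.org"\r\n\r\n')
REINVITE = ("INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
            "From: <sip:200@domain.org>;tag=b2\r\n"
            "To: <sip:alice@domain.org>;tag=a1\r\n"
            'Proxy-Authorization: Digest username="bob", realm="domain.org"\r\n\r\n')

if __name__ == "__main__":
    for label, msg in (("initial INVITE", INITIAL), ("re-INVITE", REINVITE)):
        h = parse_headers(msg)
        print(label, "in-dialog:", has_to_tag(h),
              "From matches credentials:", from_matches_credentials(h))
```

Bob's credentials are valid, yet the re-INVITE fails the comparison because the dialog fixed his From username as the alias "200".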