[OpenSIPS-Users] Multi-domain and reinvite authentications

Thomas Gelf thomas at gelf.net
Tue Oct 27 09:43:12 CET 2009


Carlo Dimaggio wrote:
> On 26 Oct 2009, at 17:27, Iñaki Baz Castillo wrote:
> 
>> On Monday, 26 October 2009, Carlo Dimaggio wrote:
>>> Is there a better implementation?
>> Yes, don't ask for authentication for a re-INVITE :)
> 
> Is this the right implementation or a workaround? (In Flavio  
> Goncalves' book I see the authentication of re-INVITEs...)
> Could there be a security issue without this authentication? (For  
> example, a custom packet with a fake to-tag and a Route header?)

I would also opt for not authenticating them. An attacker needs
to figure out Call-ID, from- and to-tag and Route headers. Sure,
this is possible if he is able to intercept your SIP traffic, but
in that case you probably have many other problems.

Attacks could be a little bit easier if your UAC does not check
all components for correctness. To protect your clients against
such attacks, you could use the dialog module (ignoring the fact
that a proxy should not do so ;-)) and its validate_dialog()
function.

Doing so shall make such attacks "difficult enough", and if someone
is able to sniff your SIP traffic and to inject packets (really
easy if using UDP), even authenticating re-INVITEs will not help
you...

Best regards,
Thomas Gelf

-- 
 mail: thomas at gelf.net
  web: http://thomas.gelf.net/
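The routing shape described in this thread (challenge only out-of-dialog requests, and check in-dialog ones against the dialog module instead of re-authenticating them), written out as an added opensips.cfg fragment. This is an illustration added here, not code from the thread or from the OpenSIPS project. It assumes OpenSIPS 1.6 with the sl, tm, rr, dialog, auth and auth_db modules loaded, a "subscriber" table keyed on user and domain (use_domain=1, as a multi-domain setup needs), and the db_url shown; the log line and the 403 on validation failure are choices made for the example.

```opensips
# Added example, not from the thread or from OpenSIPS itself.
# Assumed modules: sl, tm, rr, dialog, auth, auth_db (OpenSIPS 1.6).
loadmodule "dialog.so"
loadmodule "auth_db.so"

# Multi-domain: credentials are looked up by user AND domain.
modparam("auth_db", "use_domain", 1)
# Assumed database location.
modparam("auth_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")

route {
    # In-dialog requests (re-INVITE, UPDATE, BYE, ACK, ...) carry a To-tag.
    # They are NOT challenged again. Instead, Call-ID, From/To tags and the
    # Route set have to match a dialog this proxy saw being created.
    if (has_totag()) {
        if (loose_route()) {
            if (is_method("INVITE|UPDATE|BYE") && !validate_dialog()) {
                # Either no such dialog exists on this proxy, or the tags,
                # CSeq or Route set disagree with the stored dialog state:
                # exactly the "fake to-tag plus Route header" packet.
                xlog("L_WARN", "in-dialog $rm for $ci failed dialog validation\n");
                sl_send_reply("403", "Forbidden");
                exit;
            }
            t_relay();
            exit;
        }
        # To-tag present but no Route pointing at us: stale or forged.
        sl_send_reply("404", "Not here");
        exit;
    }

    # Out-of-dialog INVITE: this is the one place the caller is challenged.
    # An empty realm makes the proxy take it from the From URI, so each
    # domain is challenged with its own realm.
    if (is_method("INVITE")) {
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        }
        consume_credentials();

        # Stay in the signalling path and start tracking the dialog, so that
        # validate_dialog() has something to compare later in-dialog requests against.
        record_route();
        create_dialog();
    }

    t_relay();
}
```

The check only works for dialogs whose initial INVITE passed through this proxy with record_route() and create_dialog(); a re-INVITE for a dialog the proxy never saw fails validate_dialog() and is rejected rather than forwarded. This is the point made above: an attacker must now guess a Call-ID and both tags that match live dialog state, not just put a To-tag and a Route header on a packet.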
