[OpenSIPS-Users] Which SIP messages to challange for authentication?

Iñaki Baz Castillo ibc at aliax.net
Wed Jan 20 14:24:25 CET 2010


El Miércoles, 20 de Enero de 2010, opensipslist at encambio.com escribió:
> Hello list,
> 
> I know that strategies differ according to security needs but...
> 
>   Which SIP messages are typically challenged for authentication?
> 
> Right now we're challenging INVITE, SUBSCRIBE, and NOTIFY, although
> it's not clear to me if challenging SUBSCRIBE or NOTIFY is useful.
> 
> Of course ACK and BYE are not challenged, but then there are others
> like MESSAGE, INFO, OPTION... whatever. This falls in the gray zone
> as far as my understanding of SIP and security go.

If you don't challange an *initial* request for authentication then the 
identity could be spoofed.

In the case of dialogs (INVITE, SUBSCRIBE) it's typically just required to 
chanllenge the initial request forming such dialog (initial INVITE, initial 
SUBSCRIBE). The rest of requests in-dialog contain to_tag so usually it's not 
needed to authenticate them.

-- 
Iñaki Baz Castillo <ibc at aliax.net>



More information about the Users mailing list