[OpenSIPS-Users] Which SIP messages to challenge for authentication?

opensipslist at encambio.com opensipslist at encambio.com
Wed Jan 20 15:09:47 CET 2010


On Wed., Jan 20, 2010, Iñaki Baz Castillo wrote:
>On Wednesday, 20 January 2010, opensipslist at encambio.com wrote:
>> I know that strategies differ according to security needs but...
>>
>>   Which SIP messages are typically challenged for authentication?
>>
>> Right now we're challenging INVITE, SUBSCRIBE, and NOTIFY, although
>> it's not clear to me if challenging SUBSCRIBE or NOTIFY is useful.
>>
>> Of course ACK and BYE are not challenged, but then there are others
>> like MESSAGE, INFO, OPTIONS... whatever. This falls in the gray zone
>> as far as my understanding of SIP and security go.
>
>If you don't challenge an *initial* request for authentication then
>the identity could be spoofed.
>
>In the case of dialogs (INVITE, SUBSCRIBE) it's typically just
>required to challenge the initial request forming such dialog
>(initial INVITE, initial SUBSCRIBE). The rest of requests in-dialog
>contain a to_tag so usually it's not needed to authenticate them.
>
Good point. I think I'll change the route script to only challenge
initial requests. I guess a simple

    if (!has_totag()) {
        # initial request: no To-tag, so no dialog exists yet
        if (!aaa_proxy_authorize("")) {
            # missing or invalid credentials: answer 407, realm from the
            # request, qop=auth
            proxy_challenge("", "1");
            exit;
        }
        if (!db_check_from()) {
            # credentials are valid but the From URI is not that user's
            xlog("L_WARN", "$rm: Cheating attempt\n");
            send_reply("403", "Forbidden");
            exit;
        }
        # strip Proxy-Authorization before relaying downstream
        consume_credentials();
        # caller authenticated
    }

...near the top of the route script would do the job nicely. Is
this what you mean in your advice?

Brian
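A fuller route block built on the same idea, added here as an illustration; it is not Brian's script and not part of the OpenSIPS distribution. It assumes OpenSIPS 1.6 with the sl, tm, rr, usrloc/registrar, auth_aaa and uri_db modules loaded, that `record_route()` was applied to the initial request so that in-dialog requests carry a Route set, and that REGISTER is handled elsewhere with `aaa_www_authorize()` and `save()`. The point it adds to the snippet above: a request with a To-tag is only trusted when `loose_route()` confirms it follows the Route set this proxy inserted, so a request with a made-up To-tag and no valid Route set is rejected rather than relayed unauthenticated, and ACK and CANCEL, which cannot carry a challenge, are matched to their transaction instead.

```cfg
route {
    # CANCEL cannot be challenged: it is accepted only if it matches a
    # known INVITE transaction, otherwise it is dropped.
    if (is_method("CANCEL")) {
        if (t_check_trans())
            t_relay();
        exit;
    }

    # In-dialog requests (To-tag present). Trust them only when they
    # follow the Route set inserted by record_route() on the initial
    # request; a forged To-tag alone must not bypass authentication.
    if (has_totag()) {
        if (loose_route()) {
            t_relay();
            exit;
        }
        # ACK to a negative final reply has no Route set: relay it only
        # if it matches a transaction we own, then stop.
        if (is_method("ACK")) {
            if (t_check_trans())
                t_relay();
            exit;
        }
        # To-tag but no Route set we recognise: refuse it.
        xlog("L_WARN", "$rm with To-tag but no valid Route set\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # Initial requests: every method without a To-tag is challenged
    # (INVITE, SUBSCRIBE, MESSAGE, OPTIONS, out-of-dialog NOTIFY, ...).
    if (!aaa_proxy_authorize("")) {
        # realm taken from the request, qop=auth
        proxy_challenge("", "1");
        exit;
    }
    # The authenticated account must own the From URI, otherwise a valid
    # user could place calls under another identity.
    if (!db_check_from()) {
        xlog("L_WARN", "$rm from $fu: From does not match credentials\n");
        send_reply("403", "Forbidden");
        exit;
    }
    consume_credentials();   # remove Proxy-Authorization before relaying
    record_route();          # keep later in-dialog requests on this proxy

    # Normal routing of the authenticated initial request.
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        exit;
    }
    t_relay();
}
```

Note that this keeps Brian's challenge for every initial request, including MESSAGE and OPTIONS; whether those should be let through unauthenticated is a policy decision, but the security-relevant rule is the same in either case: anything without a To-tag that is relayed on the caller's identity gets challenged, and anything with a To-tag is relayed only along a Route set this proxy created.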