[OpenSIPS-Users] Which SIP messages to challange for authentication?

Iñaki Baz Castillo ibc at aliax.net
Wed Jan 20 15:29:39 CET 2010


On Wednesday, 20 January 2010, opensipslist at encambio.com wrote:
> On Wed., Jan 20, 2010, Iñaki Baz Castillo wrote:
> >On Wednesday, 20 January 2010, opensipslist at encambio.com wrote:
> >> I know that strategies differ according to security needs but...
> >>
> >>   Which SIP messages are typically challenged for authentication?
> >>
> >> Right now we're challenging INVITE, SUBSCRIBE, and NOTIFY, although
> >> it's not clear to me if challenging SUBSCRIBE or NOTIFY is useful.
> >>
> >> Of course ACK and BYE are not challenged, but then there are others
> >> like MESSAGE, INFO, OPTIONS... whatever. This falls in the gray zone
> >> as far as my understanding of SIP and security go.
> >
> >If you don't challenge an *initial* request for authentication then
> >the identity could be spoofed.
> >
> >In the case of dialogs (INVITE, SUBSCRIBE) it's typically just
> >required to challenge the initial request forming such dialog
> >(initial INVITE, initial SUBSCRIBE). The rest of the in-dialog requests
> >contain a to_tag, so usually it's not needed to authenticate them.
> 
> Good point. I think I'll change the route script to only challenge
> initial requests. I guess a simple
> 
>     if (!has_totag()) {
>         # initial request (no To-tag): the identity has not been proven yet
>         if (!aaa_proxy_authorize("")) {
>             proxy_challenge("", "1");
>             exit;
>         }
>         # the Digest username must match the From user, otherwise From is spoofed
>         if (!db_check_from()) {
>             xlog("L_WARN", "$rm: Cheating attempt\n");
>             send_reply("403", "Forbidden");
>             exit;
>         }
>         # drop the Proxy-Authorization header before forwarding
>         consume_credentials();
>         # caller authenticated
>     }
> 
> ...near the top of the route script would do the job nicely. Is
> this what you mean in your advice?

Yes, but take into account that REGISTER doesn't use proxy_authorize but 
www_authorize.


-- 
Iñaki Baz Castillo <ibc at aliax.net>
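The policy agreed in this exchange, worked through as code. This is an added example and not code from the list posts or from OpenSIPS: a small SIP request parser plus the decision the proxy has to make for each request (forward in-dialog requests and ACK/CANCEL untouched, answer REGISTER with 401/WWW-Authenticate, answer any other initial request with 407/Proxy-Authenticate, recompute the RFC 2617 Digest, and reject with 403 when the From user does not match the authenticated username, which is what db_check_from() does in the script above). The realm, the subscriber table, the nonce values and the messages built by sip_request() are all constructed for the example; the OpenSIPS function names in the comments only mark which step of the route script each branch corresponds to.

```python
"""Which SIP requests to challenge, and how to verify the credentials they carry.

Added example (not from the thread or from OpenSIPS). Policy implemented:
  - To-tag present (in-dialog: BYE, re-INVITE, NOTIFY, ...) -> forward, no challenge
  - ACK and CANCEL -> never challenged (ACK gets no reply; CANCEL is matched to its INVITE)
  - REGISTER -> 401 / WWW-Authenticate         (www_authorize / www_challenge)
  - other initial requests -> 407 / Proxy-Authenticate (proxy_authorize / proxy_challenge)
  - good Digest but From user != Digest username -> 403   (db_check_from)
"""
import hashlib
import re

REALM = "example.com"                                         # assumed realm
SUBSCRIBERS = {"alice": "alice-secret", "bob": "bob-secret"}  # constructed credential store
COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via", "m": "contact"}
NEVER_CHALLENGED = {"ACK", "CANCEL"}

def parse_request(raw):
    """Return (method, request-uri, headers); names lower-cased, compact forms expanded."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, ruri, version = request_line.split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return method, ruri, headers

def has_totag(headers):
    """True when To carries a tag, i.e. the request belongs to an established dialog."""
    to = headers.get("to", [""])[0]
    params = to.rsplit(">", 1)[-1]            # only parameters after the name-addr count
    return re.search(r";\s*tag=", params, re.IGNORECASE) is not None

def user_of(addr):
    """User part of a (name-)addr such as '"Alice" <sip:alice@example.com>;tag=1'."""
    m = re.search(r"sips?:([^@:;>]+)@", addr)
    return m.group(1) if m else None

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()  # MD5 because RFC 2617 Digest specifies it

def digest_response(username, password, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 'response' value, with or without qop=auth."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict, or None if it is not a Digest header."""
    if not value.lower().startswith("digest "):
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', value[7:])
    return {k.lower(): v.strip().strip('"') for k, v in pairs}

def verify(method, creds):
    """Recompute the Digest from the subscriber table; return the username on success."""
    user = creds.get("username")
    password = SUBSCRIBERS.get(user)
    if password is None or creds.get("realm") != REALM:
        return None
    expected = digest_response(user, password, method, creds.get("uri", ""),
                               creds.get("nonce", ""), creds.get("nc"),
                               creds.get("cnonce"), creds.get("qop"))
    return user if expected == creds.get("response") else None

def decide(raw):
    """Proxy action for one request: 'forward', '401', '407', '403' or 'authenticated:<user>'."""
    method, _, headers = parse_request(raw)
    if method in NEVER_CHALLENGED or has_totag(headers):
        return "forward"                                 # loose_route() territory, no auth
    if method == "REGISTER":
        hdr, challenge = "authorization", "401"          # www_authorize() / www_challenge()
    else:
        hdr, challenge = "proxy-authorization", "407"    # proxy_authorize() / proxy_challenge()
    creds = next((c for c in map(parse_digest, headers.get(hdr, [])) if c), None)
    if creds is None or verify(method, creds) is None:
        return challenge                                 # missing or bad credentials
    if user_of(headers.get("from", [""])[0]) != creds["username"]:
        return "403"                                     # authenticated as X, From claims Y
    return "authenticated:" + creds["username"]          # consume_credentials() and forward

def sip_request(method, from_user, to_user, totag=None, auth=None):
    """Build a minimal constructed SIP request (test input, not captured traffic)."""
    to = f"<sip:{to_user}@{REALM}>" + (f";tag={totag}" if totag else "")
    lines = [f"{method} sip:{to_user}@{REALM} SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
             f"From: <sip:{from_user}@{REALM}>;tag=1928301774", f"To: {to}",
             "Call-ID: a84b4c76e66710@192.0.2.10", f"CSeq: 1 {method}"]
    if auth:
        lines.append(auth)
    return "\r\n".join(lines) + "\r\n\r\n"

def auth_header(method, username, password, uri, nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"):
    """What a client sends back after the challenge (nonce and cnonce are constructed)."""
    name = "Authorization" if method == "REGISTER" else "Proxy-Authorization"
    resp = digest_response(username, password, method, uri, nonce, "00000001", "0a4f113b", "auth")
    return (f'{name}: Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", qop=auth, nc=00000001, cnonce="0a4f113b"')
```

Two things the example leaves out that a real proxy must do: it never checks that the nonce is one it issued recently (nonce expiry and the nc counter are what stop replay of a captured Proxy-Authorization header), and it does not compare the Digest uri against the Request-URI. Both are handled inside the OpenSIPS auth functions, which is why the route script only needs the To-tag test, the authorize call, and the From check.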