[OpenSIPS-Users] Which SIP messages to challenge for authentication

opensipslist at encambio.com opensipslist at encambio.com
Wed Jan 20 15:49:04 CET 2010


Hello Iñaki,

On Wed., Jan 20, 2010, Iñaki Baz Castillo wrote:
>On Wednesday, 20 January 2010, opensipslist at encambio.com wrote:
>> On Wed., Jan 20, 2010, Iñaki Baz Castillo wrote:
>>>On Wednesday, 20 January 2010, opensipslist at encambio.com wrote:
>>>> I know that strategies differ according to security needs but...
>>>>
>>>>   Which SIP messages are typically challenged for authentication?
>>>>
>>>In the case of dialogs (INVITE, SUBSCRIBE) it's typically just
>>>required to challenge the initial request forming such dialog
>>>(initial INVITE, initial SUBSCRIBE). The rest of requests in-dialog
>>>contain to_tag so usually it's not needed to authenticate them.
>>
>> Good point. I think I'll change the route script to only challenge
>> initial requests. I guess a simple
>>
>>     if (!has_totag()) {
>>         if (!aaa_proxy_authorize("")) {
>>             proxy_challenge("", "1");
>>             exit;
>>         }
>>         if (!db_check_from()) {
>>             xlog("L_WARN", "$rm: Cheating attempt\n");
>>             send_reply("403", "Forbidden");
>>             exit;
>>         }
>>         consume_credentials();
>>         # caller authenticated
>>     }
>>
>> ...near the top of the route script would do the job nicely. Is
>> this what you mean in your advice?
>
>Yes, but take into account that REGISTER doesn't use
>proxy_authorize but www_authorize.
>
Thanks for the reminder and for the generally good advice.

Regards,
Brian
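
The policy agreed in this thread, as an added example that is not part of the original post and is not OpenSIPS code: REGISTER gets a 401 challenge (the www_authorize path), other initial requests get a 407 (the proxy_authorize path), and requests carrying a To tag are not challenged. The function names and the sample messages are assumptions made for the illustration; header line folding is not handled.

```python
import re

# Constructed sample requests (not captured traffic); names and tags are made up.
INITIAL_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "From: <sip:alice@example.org>;tag=a1\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: c1@host.example\r\nCSeq: 1 INVITE\r\n\r\n"
)
IN_DIALOG_BYE = (
    "BYE sip:bob@192.0.2.10 SIP/2.0\r\n"
    "From: <sip:alice@example.org>;tag=a1\r\n"
    "t: <sip:bob@example.org>;tag=b2\r\n"   # compact form of the To header
    "Call-ID: c1@host.example\r\nCSeq: 2 BYE\r\n\r\n"
)
REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "From: <sip:alice@example.org>;tag=r1\r\n"
    "To: <sip:alice@example.org>\r\n"
    "Call-ID: r1@host.example\r\nCSeq: 1 REGISTER\r\n\r\n"
)

def to_header(msg):
    """Return the value of the To header (long or compact name), or None."""
    head = msg.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "t"):
            return value.strip()
    return None

def has_totag(msg):
    """True if the To header carries a tag parameter (what has_totag() tests)."""
    value = to_header(msg) or ""
    # The tag is a header parameter, so ignore anything inside <...>:
    # a ";tag=" that is part of the URI itself does not count.
    params = value.rsplit(">", 1)[-1]
    return re.search(r";\s*tag\s*=\s*[^;\s]+", params, re.I) is not None

def challenge_for(msg):
    """Status code used to challenge an unauthenticated request, or None."""
    method = msg.split(" ", 1)[0]
    if method == "REGISTER":
        return 401      # WWW-Authenticate challenge
    if not has_totag(msg):
        return 407      # Proxy-Authenticate challenge for initial requests
    return None         # request presents itself as in-dialog: not challenged

if __name__ == "__main__":
    for m in (REGISTER, INITIAL_INVITE, IN_DIALOG_BYE):
        print(m.split("\r\n", 1)[0], "->", challenge_for(m))
```

The To tag is set by the sender, so this test only tells you that a request presents itself as in-dialog.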


