<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Apr 30, 2009, at 12:28 PM, Iņaki Baz Castillo wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>2009/4/30 Adrian Georgescu <<a href="mailto:ag@ag-projects.com">ag@ag-projects.com</a>>:<br><blockquote type="cite">The more load you have at some moment in time you need to add more servers.<br></blockquote><blockquote type="cite">The curent design allows MP2 to handle several thousands of simultaneous<br></blockquote><blockquote type="cite">sessions. Anyway, far from trying to advocate its load capabilities the<br></blockquote><blockquote type="cite">question we all try to find the answer for is:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">With a media relay in the path the accounting works deterministically<br></blockquote><blockquote type="cite">regardless of SIP client behaviour with the penalty of bandwidth utilization<br></blockquote><blockquote type="cite">in the relay location. Do you have another solution that works reliable and<br></blockquote><blockquote type="cite">deterministically in any case (again 100% success) without it?<br></blockquote><br>As I've already explained before:<br><br>Using a SIP transparent B2BUA (instead or behind a proxy) which<br>performs SST on both legs and does accounting when SST expires in some<br>leg or when it receives a correct BYE.</div></blockquote><blockquote type="cite"><div><br>A B2BUA is not vulnerable as a SIP proxy. If a B2BUA receives a BYE it<br>won't route it based on the BYE headers/RURI (risk!!!), </div></blockquote><div><br></div><div>You can use the dialog module to do the same and generate your own correct BYEs instead of relaying them, couldn't you?</div><div><br></div><blockquote type="cite"><div>instead it<br>will generate a new BYE for the other leg => the gateway. Any spoofed<br>BYE sent by an attacker just could get:<br>a) The B2BUA consideres this BYE as invalid so:<br> a.1) The BYE is rejected with "400 XXX" and the call remains active.</div></blockquote><div><br></div><div>You have full control over the reply route and can do all you describe in the proxy, can't you?</div><br><blockquote type="cite"><div> a.2) The B2BUA detects some attack and decides to terminates the<br>call (does acc and sends BYE to gateway).</div></blockquote><div><br></div><div>What can a B2BUA detect that the proxy cannot? You can inspect all headers and perform acc and send BYE from the proxy too.</div><br><blockquote type="cite"><div><br>b) The B2BUA consideres this BYE as valid so terminates the call<br>(does acc and sends BYE to gateway).</div></blockquote><div><br></div><div>So can the proxy, can't he?</div><div><br></div><blockquote type="cite"><div><br>PD: No, I've not this scenario working, it's just theory.<br><br><br>-- <br>Iņaki Baz Castillo<br><<a href="mailto:ibc@aliax.net">ibc@aliax.net</a>><br><br>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br></div></blockquote></div><br></body></html>