Dale,
If the authorization is not consumed and is instead passed through
different domains where the Realms of the originating user/user-name are
exposed, it may open up a security/privacy problem. So it must not be
presented to the UAS for sure. So at the least one of the proxies in the
network (maybe the last proxy in this Realm) has to strip it.
Maybe I am missing something here.
Kasturi
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dale R. Worley
Sent: Thursday, December 08, 2005 8:52 AM
To: Sip-Implementors
Subject: Re: [Sip-implementors] Spiraling request
On Thu, 2005-12-08 at 08:33 -0600, Kasturi Narayanan wrote:
> And also as the name suggests it is a Proxy-Authorization and it needs to be
> consumed by a proxy before forwarding it to a UAS. So one of the proxies has
> to consume it. Ideally that will be the proxy which challenged the user for that
> Realm.
There is no reason that a proxy *needs* to consume a Proxy-Authorization
header. Like all authorization headers, it is additive -- adding
authorization headers to a request can only increase the number of SIP
agents that are willing to process it.
The whole concept of "consuming" authorization headers (or any other
header) is a Bad Idea and should never be done.
> But if the Proxy is transaction stateful, it will be able to detect that it
> is a spiraled request and if it had already authorized it based on the
> previous info it can always skip it.
That depends on the sort of transaction-stateful the proxy implements.
Some proxies (e.g., sipX) are stateful in regard to a request and its
corresponding response, but they do not associate a request and a
spiraled later leg of the request.
There is also the failure mode where two different proxies in a chain
authenticate against the same realm. If the first proxy "consumes" all
Proxy-Authorization headers for that realm, the second proxy will
*never* pass the request because the UA can never get a
Proxy-Authorization for that realm to it.
Dale
_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
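An added example, not part of the original thread: a toy Python model of the failure mode described above, where two proxies in a chain authenticate against the same realm, next to the case where nothing is stripped and the case where only the last proxy in the realm strips the header. The `Proxy` class, the `send` function and the realm `example.com` are constructed for illustration; the model tracks only which realms the request carries a Proxy-Authorization for and does no real SIP parsing or digest checking.

```python
from dataclasses import dataclass

@dataclass
class Proxy:
    name: str
    realm: str
    strip: bool  # True: remove this realm's Proxy-Authorization before forwarding

    def handle(self, creds):
        """creds: realms for which the request carries Proxy-Authorization.
        Returns (status, creds_to_forward)."""
        if self.realm not in creds:
            return 407, None  # challenge for self.realm
        if self.strip:
            creds = [r for r in creds if r != self.realm]
        return 200, creds

def send(chain, max_tries=5):
    """UA behaviour: on a 407, add credentials for the challenged realm and retry.
    Returns (reached_uas, realms_seen_by_uas, tries)."""
    ua_creds = []
    for attempt in range(1, max_tries + 1):
        creds, challenged = list(ua_creds), None
        for proxy in chain:
            status, creds = proxy.handle(creds)
            if status == 407:
                challenged = proxy.realm
                break
        if challenged is None:
            return True, creds, attempt
        if challenged not in ua_creds:
            ua_creds.append(challenged)
        # Otherwise the UA already sent this realm's credentials: a retry
        # carries the same headers and is challenged at the same hop again.
    return False, None, max_tries

REALM = "example.com"  # constructed sample realm

def chain(strip_first, strip_last):
    return [Proxy("p1", REALM, strip_first), Proxy("p2", REALM, strip_last)]

if __name__ == "__main__":
    print("first proxy consumes:", send(chain(True, True)))
    print("nothing stripped:    ", send(chain(False, False)))
    print("last proxy strips:   ", send(chain(False, True)))
```
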