On Thu, 2009-03-05 at 14:40 +0100, Nils Ohlmeier wrote: > One thing which is not that obvious but is implictly a requirement for the > attack: the proxies has to challenge in-dialog requests. I do not see a > big benefit in challeging in-dialog requests as these are hopefully > rejected by the remote side if no matching dialog exists. If the UA would > know that his proxy does not challenge in-dialog requests it could simply > ignore the challenge :-)
Except that there are legitimate uses for challenging in-dialog requests: sipX uses it to allow a phone to transfer a caller to any destination that the executing phone has permission to call. The first step of this process is that when the executing phone sends a REFER, the proxy challenges the REFER so that the executing phone attaches its credentials to the REFER. The proxy then analyzes these credentials to determine the user that is responsible for the transfer operation, etc. Without the in-dialog challenge, there is no way for the proxy to determine the user that is responsible for transfer operation. Dale _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [email protected] for questions on current sip Use [email protected] for new developments on the application of sip
