On Sat, Mar 7, 2009 at 9:45 PM, Hadriel Kaplan <[email protected]> wrote: > > >> -----Original Message----- >> From: Jan Janak [mailto:[email protected]] >> Sent: Saturday, March 07, 2009 2:51 PM >> >> I am not sure I understand how accepting/not-accepting INVITEs from >> non-registered contacts makes it different, could you elaborate? > > Assume Bob is bad, Alice is the victim. > The setup for the attack is such that Bob sends an INVITE to/through Alice's > domain, pretending to be Alice. Alice's domain challenges the INVITE, which > Bob passes on to Alice, and using her challenge-response Bob > challenge-responds to Alice's domain. Right? > > I am arguing that in common practice (in my particular market space, anyway), > Alice's domain wouldn't accept Bob's spoofed INVITE to begin with. Because > it requires Bob's UA to actually be Registered as Alice in order to send in > an INVITE pretending to be Alice.
As an example: what would proxy.com check upon receipt of Bob's spoofed INVITE over UDP (forging packet source ip and port)? Thanks! -- Victor Pascual Ávila _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [email protected] for questions on current sip Use [email protected] for new developments on the application of sip
