Hadriel Kaplan wrote:
-----Original Message-----
From: Raphael Coeffic [mailto:[email protected]]
Sent: Monday, March 09, 2009 7:42 AM
That's a good point. Requiring the user to be registered and only
accepting requests from the registered contacts provide a fair-enough
level of security concerning the attack debated. But I am still hoping
that we could find a solution not requiring this kind of measures, which
I would call "user-restricting".
How is it "user-restricting" to require a UA to generate a REGISTER request?
Most humans don't generate the REGISTER request by hand - typically software does it for
them. :)
Forcing registrations is the path that IMS went for, I believe. But if
you want to take advantage of this, you may have to deploy a little more
IMS than you'd like to. This reminds me of some email providers that
require you to connect through POP3 prior to send any message through
SMTP, instead of deploying any secure authentication mechnism.
Maybe just an example: let's say you have a home SIP server, doing the
usual least cost routing. Your least cost router might have something
like 50 different routes. Do you want this box, or maybe your phones to
have 50 running registrations, just for the purpose of having cheap
calls? Well, personaly, I would prefer to just install my certificate on
this box, and use TLS. But as very very few of those PSTN providers do
support TLS, I cannot. By the way, there are already commercial products
supporting this scenario.
Regards,
Raphael.
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
