On Tuesday, 27 October 2009, Carlo Dimaggio wrote:
> On 26 Oct 09, at 17:27, Iñaki Baz Castillo wrote:
> > On Monday, 26 October 2009, Carlo Dimaggio wrote:
> >> Is there a better implementation?
> >
> > Yes, don't ask for authentication for a re-INVITE :)
> 
> Hi Iñaki,
> 
> Is this the right implementation or a workaround? (in Flavio
> Goncalves' book I see the authentication of re-invites...)
> There could be a security issue without this authentication? (for
> example a custom packet with a fake to_tag and a route header?)

Yes, it would be better by requiring auth also for in-dialog requests, but if 
a proxy must do it then it also requires to maintain dialog information (which 
it shouldn't). If not, issues like yours would occur.

Another example is where Alice calls 200, 200 being an alias for Bob. During the 
call Bob sends a re-INVITE by keeping "200" as From username. The proxy asks 
for authentication so Bob regenerates the re-INVITE:

  INVITE sip:al...@ip_alice SIP/2.0
  From: sip:2...@domain.org
  WWW-Authorization: Digest username="bob" ...

So the proxy declines this authentication as the From username is different 
than the credentials username (check_from() function).



-- 
Iñaki Baz Castillo <i...@aliax.net>
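
Added example (not part of the original message and not OpenSIPS code): a small Python model of the comparison described above, showing why an authenticated re-INVITE whose From username is an alias fails a From-versus-credentials check, and that the request is recognisable as in-dialog by its To tag. The sample message, the domain and address values, the `Authorization` header name and the `aliases` map are constructed assumptions.

```python
import re

# Constructed sample: Bob's re-INVITE, resent with credentials (all values hypothetical).
REINVITE = (
    "INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
    "From: <sip:200@domain.example>;tag=b0b\r\n"
    "To: <sip:alice@domain.example>;tag=a11ce\r\n"
    'Authorization: Digest username="bob", realm="domain.example"\r\n'
    "\r\n"
)

def headers(msg):
    """Return {lowercased name: value}; no folded lines or compact header forms."""
    out = {}
    for line in msg.split("\r\n")[1:]:
        if not line:              # blank line ends the header section
            break
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def uri_user(value):
    """Username part of the first sip:/sips: URI in a header value."""
    m = re.search(r"sips?:([^@;>\s]+)@", value)
    return m.group(1) if m else None

def digest_user(h):
    """Digest username from Authorization or Proxy-Authorization."""
    cred = h.get("authorization") or h.get("proxy-authorization") or ""
    m = re.search(r'username="([^"]*)"', cred)
    return m.group(1) if m else None

def is_in_dialog(h):
    """A To tag marks an in-dialog request such as a re-INVITE."""
    return re.search(r";\s*tag=", h.get("to", "")) is not None

def from_matches_credentials(msg, aliases=None):
    """Compare From username with the Digest username.

    aliases is a hypothetical {alias: owner} map used only to show what the
    proxy would have to know for the alias case to pass.
    """
    h = headers(msg)
    from_user, auth_user = uri_user(h.get("from", "")), digest_user(h)
    if from_user is None or auth_user is None:
        return False              # fail closed on missing identity
    return (aliases or {}).get(from_user, from_user) == auth_user
```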
