On Tuesday, 27 October 2009, Thomas Gelf wrote:
> Carlo Dimaggio wrote:
> > On 26 Oct 09, at 17:27, Iñaki Baz Castillo wrote:
> >> On Monday, 26 October 2009, Carlo Dimaggio wrote:
> >>> Is there a better implementation?
> >>
> >> Yes, don't ask for authentication for a re-INVITE :)
> >
> > Is this the right implementation or a workaround? (in Flavio
> > Goncalves' book I see the authentication of re-invites...)
> > There could be a security issue without this authentication? (for
> > example a custom packet with a fake to_tag and a route header?)
>
> I would also opt for not authenticating them. An attacker needs
> to figure out Call-ID, from- and to-tag and Route headers. Sure,
> this is possible if he is able to intercept your SIP traffic, but
> in that case you probably have many other problems.

Yes. In case the attacker intercepts the initial INVITE he would know a nonce which could be valid within some minutes, so the attacker could do things worse than just ending a dialog or spoofing a re-INVITE.

> Doing shall make such attacks "difficult enough", and if someone
> is able to sniff your SIP traffic and to inject packets (really
> easy if using UDP), even authenticating ReINVITEs will not help
> you...

What we need is further TLS usage :)

-- 
Iñaki Baz Castillo <i...@aliax.net>
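The policy discussed in this thread, as an added example that is not part of the original message and is not OpenSIPS code: requests without a to-tag are challenged, while in-dialog requests are accepted only if Call-ID and both tags match a dialog the proxy already knows. It assumes the proxy keeps dialog state; `decide`, `build`, `DIALOGS` and all header values are hypothetical, and Route handling is left out.

```python
import re

def parse(msg):
    """Return (method, {lowercased header name: value}) for a SIP request."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def tag_of(value):
    """Extract the tag header parameter, ignoring anything inside <...>."""
    m = re.search(r";\s*tag=([^;\s]+)", value.rsplit(">", 1)[-1])
    return m.group(1) if m else None

def decide(msg, dialogs, has_valid_credentials=False):
    """Challenge dialog-initiating requests; match in-dialog ones to known state."""
    _method, h = parse(msg)
    from_tag, to_tag = tag_of(h.get("from", "")), tag_of(h.get("to", ""))
    if to_tag is None:                      # no to-tag: initial request
        return "forward" if has_valid_credentials else "challenge-407"
    # Either party may send a re-INVITE, so tag order must not matter.
    key = (h.get("call-id"), frozenset((from_tag, to_tag)))
    return "forward-in-dialog" if key in dialogs else "reject-481"

def build(method, call_id, from_tag, to_tag=None):
    """Constructed sample request; all addresses and tags are made up."""
    to = "<sip:bob@example.test>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{method} sip:bob@example.test SIP/2.0\r\n"
            f"From: <sip:alice@example.test>;tag={from_tag}\r\n"
            f"To: {to}\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\n\r\n")

# Dialog state the proxy recorded when the authenticated INVITE was answered.
DIALOGS = {("c-1001@example.test", frozenset(("a1", "b7")))}

if __name__ == "__main__":
    for label, msg in [
        ("initial INVITE, no credentials", build("INVITE", "c-1001@example.test", "a1")),
        ("re-INVITE from caller", build("INVITE", "c-1001@example.test", "a1", "b7")),
        ("re-INVITE from callee", build("INVITE", "c-1001@example.test", "b7", "a1")),
        ("guessed to-tag", build("INVITE", "c-1001@example.test", "a1", "zz")),
    ]:
        print(f"{label:32} -> {decide(msg, DIALOGS)}")
```

The match only helps against senders who have to guess the identifiers; anyone who can read the signalling sees all of them, which is the case the thread answers with TLS.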