Hi Iñaki,

Iñaki Baz Castillo wrote:
> On Monday, 16 November 2009, Bogdan-Andrei Iancu wrote:
>   
>> Hi Iñaki,
>>
>> I'm not sure a proxy needs to keep any dialog persistent info in order
>> to auth sequential requests - what it needs is a valid FROM uri (which
>> does not change during the dialog).
>>
>> IMO, a proxy, receiving a request (initial or sequential) with a FROM
>> header pointing to one of the local SIP domains, should perform auth -
>> shortly, if the caller is a local subscriber, authenticate him - again,
>> only FROM hdr is sufficient.
>>     
>
> Hi Bogdan, please let me talk about a *real* example (I issued it) in which 
> asking for auth for in-dialog requests is not so easy:
>
>
> - Alice and Bob with auth users as "alice" and "bob".
> - Domain = "domain.org".
> - Bob has an alias 200 which becomes "bob" in the proxy.
> - Alice calls 200.
> - During the call, Bob (which received an initial INVITE with "To: 
> sip:2...@domain.org") sends a re-INVITE and keeps the received To as From, so 
> it uses "From: sip:2...@domain.org" rather than "From: sip:b...@domain.org".
> - The proxy asks for authentication so Bob regenerates the re-INVITE:
>     INVITE sip:al...@ip_alice SIP/2.0
>     From: sip:2...@domain.org
>     WWW-Authorization: Digest username="bob" ...
> - So the proxy declines this authentication as the From username "200" is 
> different than the credentials username "bob" (check_from() function).
>
> And this behavior is really common in SIP phones (keeping the received "To" 
> as "From" in in-dialog requests).
>   
Yes, good example - you are right. It is not only about domains, but 
usernames also... This might be tricky - the proxy can simply apply the 
same transformations on the username (from the message) to find out the 
real user behind it (like 200 hides bob)... Otherwise, indeed, some kind 
of dialog state will be required (either via RR or via dialog 
support).

Regards,
Bogdan

-- 
Bogdan-Andrei Iancu
www.voice-system.ro


_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
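
The alias case discussed in this thread, as an added example that is not part of the original messages and is not OpenSIPS code: it models only the From-versus-credentials comparison, with and without applying the alias transformation first. The alias table, the full URIs, the `Proxy-Authorization` header and all function names are assumptions constructed for illustration.

```python
import re

LOCAL_DOMAINS = {"domain.org"}              # the thread's example domain
ALIASES = {("200", "domain.org"): "bob"}    # constructed alias table: 200 hides bob
URI_RE = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^;>:\s]+)", re.I)
CRED_USER_RE = re.compile(r'\busername="([^"]*)"', re.I)

def headers(msg):
    """Map lower-cased header names to values (first occurrence wins)."""
    out = {}
    for line in msg.splitlines()[1:]:       # skip the request line
        if not line:
            break                           # blank line ends the headers
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), value.strip())
    return out

def from_identity_check(msg, resolve_alias=True):
    """Compare the From user with the Digest credentials username.

    Only the identity comparison is modelled; validating the Digest response
    is assumed to have happened before this step.
    """
    h = headers(msg)
    m = URI_RE.search(h.get("from", ""))
    if not m:
        return ("reject", None)
    user, domain = m.group(1) or "", m.group(2).lower()
    if domain not in LOCAL_DOMAINS:
        return ("skip", user)               # not a local subscriber
    cred = CRED_USER_RE.search(h.get("proxy-authorization") or h.get("authorization", ""))
    if not cred:
        return ("challenge", user)
    if resolve_alias:                       # same transformation used for routing
        user = ALIASES.get((user, domain), user)
    return ("accept" if user == cred.group(1) else "reject", user)

def reinvite(from_user, cred_user):
    """Constructed in-dialog re-INVITE modelled on the thread's example."""
    return "\r\n".join([
        "INVITE sip:alice@192.0.2.10 SIP/2.0",
        f"From: <sip:{from_user}@domain.org>;tag=constructed-1",
        "To: <sip:alice@domain.org>;tag=constructed-2",
        f'Proxy-Authorization: Digest username="{cred_user}", realm="domain.org"',
        "", ""])

if __name__ == "__main__":
    print(from_identity_check(reinvite("200", "bob"), resolve_alias=False))
    print(from_identity_check(reinvite("200", "bob")))
    print(from_identity_check(reinvite("alice", "bob")))
```

With alias resolution the re-INVITE from 200 is accepted as bob, while a From of alice presented with bob's credentials is still rejected.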
