I don't think this is the problem you think it is. Let's say endpoint A spoofs a To-tag and a Call-ID. So what? The reinvite goes to endpoint B, which says "I don't recognise that".

Spoofing both would be quite difficult. 

Nevertheless, if this improbable worry consumes you, you can use dialog module tracking and this function:

https://kamailio.org/docs/modules/5.7.x/modules/dialog.html#dialog.f.is_known_dlg


Sent from mobile, apologies for brevity and errors.

On Sep 19, 2023, at 4:52 AM, Benoit Panizzon <benoit.panizzon@imp.ch> wrote:

Hi List

At the moment, we challenge every invite (and re-invite) to make sure
the customer is authenticated.

Now we have one kind of PBX, which never authenticates when we
challenge a Re-Invite.

According to the vendor of that PBX's RFC interpretation, answering a
challenge to a re-invite is optional. If that is ignored by the PBX,
then the existing established dialog shall not end.

Unfortunately this causes the session timer to run out.

I am therefore wondering if there is a safe way not to challenge
re-invites.

A Re-Invite contains a To-Tag. So I could bypass authentication on
presence of a To-Tag. But then, how do I prevent a customer from just setting
a spoofed To-Tag to circumvent authentication?

Is there a feasible way?

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
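
The dialog-tracking approach suggested in the reply, sketched as a Kamailio routing fragment (an added example, not configuration posted by either participant). It assumes auth_db with the default `subscriber` table and `$fd` as the realm; the route names are illustrative, and the database module, `db_url` and listen settings are omitted.

```cfg
# Added example: challenge initial INVITEs, track the dialog, and skip the
# challenge on a re-INVITE only when it matches a dialog Kamailio is tracking.
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "auth.so"
loadmodule "auth_db.so"    # needs a DB module and db_url (omitted here)
loadmodule "dialog.so"

request_route {
    if (has_totag()) {
        route(WITHINDLG);
        exit;
    }
    if (is_method("INVITE")) {
        # Initial INVITE: authenticate as before, then start dialog tracking.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        dlg_manage();
        record_route();
    }
    # Other initial requests (REGISTER etc.) are out of scope for this sketch.
    route(RELAY);
}

route[WITHINDLG] {
    # A To-tag alone proves nothing. Only a request that belongs to a dialog
    # tracked since the authenticated initial INVITE skips the challenge.
    if (is_method("INVITE") && !is_known_dlg()) {
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
    }
    if (!loose_route()) {
        sl_send_reply("404", "Not here");
        exit;
    }
    route(RELAY);
}

route[RELAY] {
    if (!t_relay()) sl_reply_error();
}
```

A re-INVITE with a made-up To-tag fails `is_known_dlg()` and is challenged exactly as it is today, while the PBX that ignores re-INVITE challenges is no longer challenged inside its own established dialog.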