Re: [SR-Users] INVITE messages not authenticated (default configuration)?

well, it is really a matter of policy (and not software) what to authenticate and opinions on it can differ. I like the pre-configured options in oob, but that may be very well just because I wrote them :) https://github.com/flowroute/kamailio/blob/master/etc/sip-router-oob.cfg (note it is for sip-router flavor and I'm not sure how far the kamailio merging process has digged into config files -- the logic should be apparent though) I think a simple and reasonable policy is to authenticate *ALL* INVITEs without To-tag (i.e. those that really initiate a call) and ALL REGISTERs that have a served domain in From. It is also worthwhile checking if the digest username corresponds (equals in the simplest caste) the From URI. Otherwise the proxy server could accept an INVITE authenticated by foo(a)bar.com in digest header field and still permit john(a)bar.com in From. Going more relaxed is certainly unsafe. Challenging more can break interoperability. (some phones are silly not to support authentication for BYE, call-forwarding schemes may lead to unexpected domains in URIs, CANCEL/ACK just don't have it, etc.) jiri On 3/7/13 11:20 PM, Paul Belanger wrote: