-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Saturday 11 January 2003 03:55, Greg Fausak wrote:
What is the difference between these two functions?
Their are two authorization responses in SIP 401 and 407. In theory you should receive 401 for an unauthorized registration, and 407 from a proxy in a chain which processes for example your Invite. But i think in practice their is no such well defined distinction what you will receive or send.
Also, when it comes to authentication, I've finally got my PSTN secure. It seems that every request that you want guarded must be preceeded by a www_authorize(), right? When I ngrep for the packets going back and forth, I see that each INVITE is now being authorized....not just the REGISTERs.
Correct. The easiest and securest way is to authorize everything and to make exceptions for special cases (responses for example). A little bit like firewalling ;) : check only special cases and allow everything else, or check everything and open only small holes.
I was assuming that you logged in and were authorized once, and then each request was under that login. However, I see that isn't the case, right??? You *can* make a INVITE request without REGISTERing...right?
Please be aware that a registrar and a proxy can be two completly (also physical) seperated untis. And each unit can have it's own authorization scheme.
A proxy can challenge Invites and Byes, but should not do this with external Invites to your local user. Otherwise your your user wouldn't be reachable from outside.
If you really want to control each SIP call in your network you should be aware that your users and the SIP clients do not have to use your local proxy and/or registrar. This means you have to forward every SIP request (and this do not have to be only port 5060) by your outgoing router to your local proxy.
Regards Nils
- -- gpg-key: http://www.ohlmeier.org/public_key.asc