Thanks in advance.
Franz
----- Original Message -----
From: "Bogdan-Andrei IANCU" <iancu(a)fokus.fraunhofer.de>
To: <zolia(a)z1sys.com>
Cc: <serusers(a)lists.iptel.org>
Sent: Wednesday, July 28, 2004 2:12 PM
Subject: Re: [Serusers] account + IP binding
zolia(a)z1sys.com wrote:
>hello,
>is it possible to do source IP authentication besides normal
>www_authorize() for every user account? This, as I understand, should
>prevent intercepting credentials and later faking a SIP message to
>bypass www_authorization?
This doesn't work. For each authentication challenge, SER generates a
nonce that is kept in memory for a short period of time. So this kind
of exploit is very limited - only if somebody tries to do it in real time
and in a very narrow time window.
IP checking doesn't help you - addresses can also be spoofed. Plus, against
what address do you check when the user registers for the first time? Or if
the user uses multiple clients at the same time?
bogdan
>Or maybe there are some other countermeasures
>against such fraud?
>
>Does src_ip come directly from the IP layer? If so, I could probably use
>
>
>to check
>with some external database (i.e. ser subscriber)?
Antanas
NTT
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
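Bogdan's point above (a per-challenge nonce that lives only briefly in server memory) is what turns a replayed Authorization header into a narrow-window problem. The Python sketch below is an added example, not code from SER or from anyone in this thread; it assumes a constructed realm, subscriber table and a 30-second nonce lifetime, and it additionally marks each nonce single-use, which is hardening beyond what the message describes.

```python
import hashlib
import secrets
REALM = "example.org"   # constructed sample realm, not from the thread
NONCE_LIFETIME = 30.0   # seconds a challenge nonce stays valid (assumed value)

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# Constructed subscriber table: server stores HA1 = MD5(user:realm:password), not the password.
SUBSCRIBERS = {"alice": _md5(f"alice:{REALM}:s3cret")}
# Nonces this server has challenged with: nonce -> {"issued": time, "used": bool}
_issued: dict = {}
def issue_challenge(now: float) -> str:
    # Mint a fresh random nonce for the 401/407 challenge and record when it was issued.
    nonce = secrets.token_hex(16)
    _issued[nonce] = {"issued": now, "used": False}
    return nonce

def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    # Client side of RFC 2617 Digest without qop: MD5(HA1:nonce:HA2).
    ha1 = _md5(f"{user}:{REALM}:{password}")
    return _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}")

def verify(user: str, method: str, uri: str, nonce: str, response: str, now: float) -> str:
    # Server check; returns "ok" or the reason the Authorization header is rejected.
    entry = _issued.get(nonce)
    if entry is None:
        return "unknown-nonce"          # never issued here (or already expired and purged)
    if now - entry["issued"] > NONCE_LIFETIME:
        _issued.pop(nonce)
        return "stale-nonce"            # outside the short window the thread describes
    if entry["used"]:
        return "replayed-nonce"         # single-use nonce: added hardening, not claimed for SER
    expected = _md5(f"{SUBSCRIBERS.get(user, '')}:{nonce}:{_md5(f'{method}:{uri}')}")
    if not secrets.compare_digest(expected, response):
        return "bad-credentials"
    entry["used"] = True
    return "ok"

def demo() -> tuple:
    # A legitimate REGISTER, the same captured header replayed at once, and a replay after expiry.
    t0, uri = 1000.0, "sip:example.org"
    n1 = issue_challenge(t0)
    r1 = digest_response("alice", "s3cret", "REGISTER", uri, n1)
    first = verify("alice", "REGISTER", uri, n1, r1, t0 + 1)
    replayed = verify("alice", "REGISTER", uri, n1, r1, t0 + 2)
    n2 = issue_challenge(t0 + 10)
    r2 = digest_response("alice", "s3cret", "REGISTER", uri, n2)
    late = verify("alice", "REGISTER", uri, n2, r2, t0 + 10 + NONCE_LIFETIME + 1)
    return first, replayed, late
```

The replayed and late cases are the ones a source-IP check would not have caught any better, since the attacker in Bogdan's scenario already sits on the same path as the legitimate client.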