Hi List
At the moment, we challenge every invite (and re-invite) to make sure the customer is authenticated.
Now we have one kind of PBX which never authenticates when we challenge a re-INVITE.
According to the PBX vendor's interpretation of the RFC, answering a challenge to a re-INVITE is optional; if the PBX ignores it, the existing established dialog shall not end.
Unfortunately this causes the session timer to run out.
I am therefore wondering if there is a safe way not to challenge re-INVITEs.
A re-INVITE contains a To-tag, so I could bypass authentication when a To-tag is present. But then, how do I prevent a customer from just setting a spoofed To-tag to circumvent authentication?
Is there a feasible way?
Kind regards
-Benoît Panizzon-
Hello,
Normally the UA (callee) has to reject an INVITE with a To-tag if there is no active dialog for it; that's what the 481 response is for.
Anyhow, if you track active calls with the dialog module, there is a function that you can use to check if the re-INVITE is part of an active dialog. Or you can keep the relation between Call-ID and caller/callee in a hash table, which you store at the initial INVITE and check for existence on the re-INVITE. In that way you can make sure that the re-INVITE comes after an initial INVITE.
Further checks can be done on src/dst IPs; a re-INVITE comes with the contact address in the R-URI, so it should not be the generic subscriber AoR; Route header(s) have to be there, etc.
Cheers, Daniel
On 19.09.23 10:31, Benoit Panizzon wrote:
ImproWare AG - Leiter Commerce Kunden
Zurlindenstrasse 29, CH-4133 Pratteln, Switzerland
Tel +41 61 826 93 00, Fax +41 61 826 93 01
Web http://www.imp.ch

Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
The re-INVITE is a new transaction on an existing dialog. Kamailio acts as a proxy, so in general it doesn't care about the dialog state (even if you involve the dialog module, it still doesn't care). Mostly a re-INVITE should contain all the information on how to reach the endpoint (in Route headers), if topology hiding isn't involved; but if it is involved, then the server knows about the dialog anyway.
So, if you receive a re-INVITE with a Route set where your proxy is involved, you may consider this request as belonging to an existing dialog and avoid authentication, as it contains To and From tags as well as the same Call-ID, which fully describes a particular session in which your proxy is involved. Even though, according to https://www.rfc-editor.org/rfc/rfc3261.html#section-12.2, re-INVITEs MAY contain Record-Route headers, it would not affect the initial Route set.
Tue, 19 Sep 2023 at 11:00, Benoit Panizzon benoit.panizzon@imp.ch:
I don't think this is the problem you think it is. Let's say endpoint A spoofs a To-tag and a Call-ID. So what? The re-INVITE goes to endpoint B, which says "I don't recognise that".
Spoofing both would be quite difficult.
Nevertheless, if this improbable worry consumes you, you can use dialog module tracking and this function:
https://kamailio.org/docs/modules/5.7.x/modules/dialog.html#dialog.f.is_know...
— Sent from mobile, apologies for brevity and errors.
On Sep 19, 2023, at 4:52 AM, Benoit Panizzon benoit.panizzon@imp.ch wrote:
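Putting the three replies together (Daniel's dialog-module check and source-address check, the Route-set argument, and the 481 for in-dialog requests the proxy does not know), here is an added Kamailio routing fragment showing how a proxy can let re-INVITEs through without a digest challenge while still rejecting a request that merely carries a forged To-tag. This is example code written for this page; it is not Kamailio's stock kamailio.cfg and not code posted by anyone in the thread. It assumes the tm, sl, rr, textops, auth, auth_db, dialog and xlog modules are loaded, a "subscriber" table for auth_db, and a route[RELAY] that calls t_relay(). The dialog variable names caller_ip and caller_ftag are chosen here for illustration. Daniel's htable alternative (keyed on Call-ID) is not shown.

```kamailio
# Added example for this thread; not Kamailio's stock kamailio.cfg and not
# code from any of the posters. Assumes the tm, sl, rr, textops, auth,
# auth_db, dialog and xlog modules are loaded, a "subscriber" table for
# auth_db, and a route[RELAY] that does t_relay(). The dialog variable
# names caller_ip and caller_ftag are chosen here for illustration.

request_route {
    # Anything with a To-tag claims to be inside an established dialog;
    # it is vetted in WITHINDLG instead of being digest-challenged.
    if (has_totag()) {
        route(WITHINDLG);
        exit;
    }

    # Initial INVITE: keep challenging as before, and start tracking the
    # dialog so that later re-INVITEs can be matched against it.
    if (is_method("INVITE")) {
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        consume_credentials();
        record_route();
        dlg_manage();
        # Remember who set the call up; only this side may later send a
        # re-INVITE that uses the caller's From-tag.
        $dlg_var(caller_ip) = $si;
        $dlg_var(caller_ftag) = $ft;
    }
    route(RELAY);
}

route[WITHINDLG] {
    # Check 1: the Route set this proxy inserted must be present and usable.
    # A fresh request with a forged To-tag but no such Route set ends here.
    if (!loose_route()) {
        # An ACK for a negative final reply is hop-by-hop; let tm absorb it.
        if (is_method("ACK") && t_check_trans()) {
            route(RELAY);
            exit;
        }
        sl_send_reply("481", "Call/Transaction Does Not Exist");
        exit;
    }

    if (is_method("INVITE")) {
        # Check 2: Call-ID + From-tag + To-tag must match a dialog this proxy
        # created for an authenticated initial INVITE. dlg_manage() binds the
        # request to the stored dialog; is_known_dlg() fails if there is none,
        # so a spoofed tag/Call-ID combination gets the 481 Daniel describes.
        dlg_manage();
        if (!is_known_dlg()) {
            sl_send_reply("481", "Call/Transaction Does Not Exist");
            exit;
        }
        # Check 3: a re-INVITE that carries the caller's From-tag must come
        # from the address that sent the authenticated initial INVITE. The
        # callee side (tags swapped) is reached via its own Contact/Route set
        # and is accepted as-is here.
        if ($ft == $dlg_var(caller_ftag) && $si != $dlg_var(caller_ip)) {
            xlog("L_WARN", "re-INVITE for $ci from $si, dialog was set up from $dlg_var(caller_ip)\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
        # Accepted: relay without a digest challenge, so a PBX that never
        # answers challenges on re-INVITEs still gets its session refreshed.
    }
    route(RELAY);
}
```

The three checks are layered on purpose: loose_route() alone only proves the request names this proxy in its Route set, is_known_dlg() ties the Call-ID and both tags to a dialog that was actually created behind a successful auth_check(), and the source-address comparison catches a caller-side re-INVITE injected from elsewhere even when the dialog identifiers were copied correctly. If the callee side also needs vetting, the same pattern applies: record its source address when its 200 OK to the initial INVITE passes through (in an onreply_route) into another dialog variable and compare against $si for re-INVITEs whose From-tag is the callee's tag.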
Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: