[Devel] Processing REGISTER requests
Dan Pascu
dan at ag-projects.com
Tue Oct 4 16:31:18 CEST 2005
On Monday 03 October 2005 11:37, Klaus Darilion wrote:
> Hi Dan!
>
> I think this is something that should be addressed. I just want to
> mention, that the matching algorithm should work also in scenarios
> where fix_contact is not used, but fix_natted_register which stores the
> public IP:port in AVPs.
I don't think there's any question about this (that's why I also gave
examples where the contact was private). However I don't think that we
should focus on this kind of details right now. What I wanted to focus on
is the idea that using solely contacts to detect an old register is
flawed: a contact may change over time for the same UA and a contact may
be shared by 2 different UA when using private contacts with multiple
domains.
Here is another example where using contacts only will not only fail to
detect the old registration, but can also introduce identity theft.
Note: this example shows that there can be problems even when not using
NAT and the phones have public addresses:
Consider a SIP device that implements mobility and is able to roam WIFI
hotspots. Let's assume that this phone registers itself for 1 hour.
Whenever I move into a different hotspot and I receive a new IP address
the phone will send a new registration request to update it's contact.
Now if I walk on the street with the phone and cross 3 hotspots in 5
minutes I end up with 3 contacts registered for 1 hour each, even though
I only have the last IP address. Now someone can use the old IP addresses
I had and attach to them with a sip phone. That phone doesn't have to
register (i.e. it doesn't have to know my password to impersonate me). It
only has to accept calls to myusername at mydomain, since it is already
marked as registered from that IP address in openser.
If I am called that person can answer in my place and impersonate me, or
in the least he can know who calls me.
--
Dan
More information about the Devel
mailing list