[Devel] Processing REGISTER requests

[Dan Pascu]

On Monday 03 October 2005 11:37, Klaus Darilion wrote:
> Hi Dan!
>
> I think this is something that should be addressed. I just want to
> mention, that the matching algorithm should work also in scenarios
> where fix_contact is not used, but fix_natted_register which stores the
> public IP:port in AVPs.

I don't think there's any question about this (that's why I also gave 
examples where the contact was private). However I don't think that we 
should focus on this kind of details right now. What I wanted to focus on 
is the idea that using solely contacts to detect an old register is 
flawed: a contact may change over time for the same UA and a contact may 
be shared by 2 different UA when using private contacts with multiple 
domains.

Here is another example where using contacts only will not only fail to 
detect the old registration, but can also introduce identity theft.
Note: this example shows that there can be problems even when not using 
NAT and the phones have public addresses:

Consider a SIP device that implements mobility and is able to roam WIFI 
hotspots. Let's assume that this phone registers itself for 1 hour. 
Whenever I move into a different hotspot and I receive a new IP address 
the phone will send a new registration request to update it's contact.
Now if I walk on the street with the phone and cross 3 hotspots in 5 
minutes I end up with 3 contacts registered for 1 hour each, even though 
I only have the last IP address. Now someone can use the old IP addresses 
I had and attach to them with a sip phone. That phone doesn't have to 
register (i.e. it doesn't have to know my password to impersonate me). It 
only has to accept calls to myusername at mydomain, since it is already 
marked as registered from that IP address in openser.
If I am called that person can answer in my place and impersonate me, or 
in the least he can know who calls me.

-- 
Dan