[Serusers] Proxy_authorize, www_authorize

Nils Ohlmeier nils at ohlmeier.de
Sat Jan 11 18:11:27 CET 2003


On Saturday 11 January 2003 03:55, Greg Fausak wrote:
> What is the difference between these two functions?

There are two authorization responses in SIP: 401 and 407. In theory you should 
receive 401 for an unauthorized registration, and 407 from a proxy in a chain 
which processes for example your Invite. But I think in practice there is no 
such well-defined distinction in what you will receive or send.

> Also, when it comes to authentication, I've finally
> got my PSTN secure.  It seems that every request
> that you want guarded must be preceded by a
> www_authorize(), right?  When I ngrep for the
> packets going back and forth, I see that each INVITE is
> now being authorized....not just the REGISTERs.

Correct.
The easiest and most secure way is to authorize everything and to make exceptions 
for special cases (responses for example).
A little bit like firewalling ;) : check only special cases and allow 
everything else, or check everything and open only small holes.

> I was assuming that you logged in and were authorized once, and
> then each request was under that login.  However, I see that
> isn't the case, right???  You *can* make an INVITE request
> without REGISTERing...right?

Please be aware that a registrar and a proxy can be two completely (also 
physically) separated units. And each unit can have its own authorization 
scheme.

A proxy can challenge Invites and Byes, but should not do this with external 
Invites to your local user. Otherwise your user wouldn't be reachable 
from outside.

If you really want to control each SIP call in your network you should be 
aware that your users and the SIP clients do not have to use your local proxy 
and/or registrar. This means you have to forward every SIP request (and this 
does not have to be only port 5060) by your outgoing router to your local 
proxy.

Regards
  Nils

- -- 
gpg-key: http://www.ohlmeier.org/public_key.asc
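
Added example (not part of the original message, and not SER code): a Python model of the policy discussed in this thread, where every request carries its own digest credentials, the registrar answers 401, the proxy answers 407, and only the special cases pass unchallenged. The domain, user store and function names are constructed assumptions; treating ACK and CANCEL as exceptions follows RFC 3261 section 22.1 and goes beyond the message, and nonce issuing and expiry are left out.

```python
import hashlib, hmac, re

LOCAL_DOMAIN = "example.org"   # constructed domain, also used as the realm (assumption)
USERS = {"alice": "secret"}    # constructed credential store (assumption)

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse(msg):
    """Split a SIP message into its start line and a lower-cased header dict."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def host_of(value):
    """Extract the host part of the first sip:/sips: URI in a string."""
    m = re.search(r"sips?:(?:[^@>\s]*@)?([^;:>\s]+)", value)
    return m.group(1).lower() if m else ""

def digest_ok(header, method):
    """Verify an RFC 2617 Digest response (no qop) against USERS."""
    p = dict(re.findall(r'(\w+)="([^"]*)"', header))
    password = USERS.get(p.get("username"))
    if password is None or p.get("realm") != LOCAL_DOMAIN:
        return False
    ha1 = md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5(f"{method}:{p.get('uri', '')}")   # the method is part of the hash
    expected = md5(f"{ha1}:{p.get('nonce', '')}:{ha2}")
    return hmac.compare_digest(expected, p.get("response", ""))

def decide(msg):
    """Return 'pass', 'accept', 'relay', '401' or '407' for one SIP message."""
    start, h = parse(msg)
    if start.startswith("SIP/2.0"):
        return "pass"                           # responses are never challenged
    method, ruri, _ = start.split(" ", 2)
    if method in ("ACK", "CANCEL"):
        return "pass"                           # cannot usefully be challenged
    if method == "REGISTER":                    # registrar role answers 401
        return "accept" if digest_ok(h.get("authorization", ""), method) else "401"
    if host_of(ruri) == LOCAL_DOMAIN and host_of(h.get("from", "")) != LOCAL_DOMAIN:
        return "relay"                          # outside caller to a local user
    # everything else, including a From that merely claims the local domain
    return "relay" if digest_ok(h.get("proxy-authorization", ""), method) else "407"
```

Because the method is hashed into the response, credentials computed for a REGISTER do not authorize a later INVITE, which is why each guarded request is challenged separately.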