[Serusers] uri==myself check and record_route()

Juha Heinanen jh at tutpro.com
Thu Oct 23 13:21:46 CEST 2003


Maxim Sobolev writes:

 > >   - If From doesn't contain a domain the proxy is responsible for then
 > >     we can't use digest authentication--the sender wouldn't be able to
 > >     generate proper reply.
 > > 
 > >     In this case the proxy compares To tag with ftag parameter value
 > >     from its Route header field. If they are same then the dialog was
 > >     established using the proxy and we are done -- we can relay the
 > >     request.

the above is true if dialog was established by local user.  in case the
dialog was established by foreign user and that foreign user sends
another, in-dialog request, then ftag will be equal to from tag.

so i implemented a function that checks if ftag is equal to either from
or to tag, but didn't find it very useful after all.  such test namely
adds very little value to just checking if the request has to tag and
dropping the ones that don't and are not sent by or to a local user.

 > It should be relatively easy to do it - upon startup SER can generate 
 > some random string and then, when INVITE arrives, calculate one-way hash 
 > using this value and some other parameters that must persist during the 
 > dialog - e.g. Call-Id, From tag etc, then inserting it as a parameter 
 > into the Record-Route field. Then we can always check if the mid-dialog 
 > request should be serviced by us.

yes, i too have suggested that we do something like that.  this kind of
scheme, however, has no protection over faking new requests or replays
if someone gets hold of one real request.  also, if one gets hold of
several real requests, then it would be possible to figure out what the
key was unless the key changes often enough.  so i have been wondering,
if such mechanism is worth implementing.

-- juha
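
Added example, not part of the original message and not SER code: a Python sketch of the Record-Route token scheme discussed in this thread, checking the caller's tag in either the From or the To position and showing what the token does and does not distinguish. HMAC-SHA256 as the one-way hash, the `rrtok` parameter name, and the sample Call-ID and tags are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Random secret generated once at proxy startup, as in the quoted proposal.
STARTUP_SECRET = secrets.token_bytes(32)

def dialog_token(call_id, caller_tag, key=STARTUP_SECRET):
    """Keyed hash (HMAC-SHA256, an assumption) over dialog-persistent values."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    fields = (call_id.encode(), caller_tag.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def record_route_param(call_id, from_tag):
    """Parameters added to Record-Route on the INVITE ('rrtok' is hypothetical)."""
    return f"ftag={from_tag};rrtok={dialog_token(call_id, from_tag)}"

def is_our_dialog(call_id, from_tag, to_tag, route_token, key=STARTUP_SECRET):
    """Verify the token echoed back in the Route header of an in-dialog request.

    The caller's tag is the From tag when the caller sends the request and the
    To tag when the callee sends it, so both positions are tried.
    """
    if not to_tag:  # no To tag means this is not an in-dialog request
        return False
    return any(
        hmac.compare_digest(dialog_token(call_id, tag, key).encode(),
                            route_token.encode())
        for tag in (from_tag, to_tag)
    )

def demo():
    call_id, caller, callee = "c1@host.example", "a1b2", "z9y8"  # constructed
    tok = dialog_token(call_id, caller)
    return {
        "caller_request": is_our_dialog(call_id, caller, callee, tok),
        "callee_request": is_our_dialog(call_id, callee, caller, tok),
        "other_call_id": is_our_dialog("c2@host.example", caller, callee, tok),
        "no_to_tag": is_our_dialog(call_id, caller, "", tok),
        # A second, identical copy carries the same fields and token, so the
        # token alone cannot tell it from the first (the replay caveat above).
        "identical_copy": is_our_dialog(call_id, caller, callee, tok),
        # Changing the key also invalidates tokens of dialogs still in progress.
        "after_key_change": is_our_dialog(call_id, caller, callee, tok,
                                          key=secrets.token_bytes(32)),
    }
```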



