[Serusers] uri==myself check and record_route()
Jan Janak
jan at iptel.org
Thu Oct 23 15:50:37 CEST 2003
On 23-10 15:29, Jan Janak wrote:
> To prevent replay attacks, the hash would have to be calculated also
> over To tag. The hash should contain To tag because it is generated by
> remote party and thus the possible "attacker" can't predict its
> value.
>
> This also means we would have to update the Record-Route header
> field when processing 200 OK, which complicates things a bit.
>
> If we don't add To tag, then it would be really easy to use the same hash
> for other requests as well provided that you use the same From tag.
I am silly, this is, of course, not going to work because the callee would
receive the hash without the To tag.
Jan.
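
The problem described in this message, as an added example that is not part of the original post and not SER code: the callee builds its route set from the Record-Route in the initial INVITE, before any To tag exists, while the caller builds its route set from the 200 OK. Assumptions: HMAC-SHA256 over Call-ID, From tag and To tag, the key, the sample values and the function names `rr_token`, `route_ok` and `simulate_dialog` are all hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-proxy-secret"  # assumption: per-proxy key, not from the thread


def rr_token(call_id, from_tag, to_tag=""):
    """Token the proxy would put in its Record-Route URI (assumed construction)."""
    msg = "\x00".join((call_id, from_tag, to_tag)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def route_ok(token, call_id, from_tag, to_tag=""):
    """Proxy-side check of a token echoed back in a Route header."""
    return hmac.compare_digest(token, rr_token(call_id, from_tag, to_tag))


def simulate_dialog():
    # Constructed dialog identifiers; tags are named as in the initial INVITE.
    call_id, from_tag, to_tag = "c1@caller.example", "ftag-1", "ttag-9"

    # Initial INVITE: no To tag yet, so this is the token the callee stores.
    callee_token = rr_token(call_id, from_tag)
    # 200 OK: To tag is known, proxy rewrites Record-Route, caller stores this.
    caller_token = rr_token(call_id, from_tag, to_tag)

    return {
        # Caller's in-dialog requests validate against the To-tag-bound hash.
        "caller_in_dialog": route_ok(caller_token, call_id, from_tag, to_tag),
        # Callee's in-dialog requests carry the tagless token and are rejected.
        "callee_in_dialog": route_ok(callee_token, call_id, from_tag, to_tag),
        # If the proxy validates without the To tag instead, the tagless token
        # is accepted for any request reusing the same Call-ID and From tag.
        "tagless_reusable": route_ok(callee_token, call_id, from_tag),
    }


if __name__ == "__main__":
    for check, result in simulate_dialog().items():
        print(f"{check}: {result}")
```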