[Serusers] www_challange and proxy_challange

Klaus Darilion klaus.mailinglists at pernau.at
Wed Aug 24 09:31:47 CEST 2005


If the proxy is the endpoint of the request, it should use www_auth.
If the proxy is an intermediate hop, it should use proxy_auth.

Thus, usually you use:
- www_auth for REGISTER
- proxy_auth for INVITE, BYE, MESSAGE, ...

I'm a little bit unsure how to challenge PUBLISH and SUBSCRIBE as they 
might be terminated in the proxy (pa module) or in the client (end2end 
presence).


My personal opinion: authentication of out-of-dialog messages is a must. 
Authentication of in-dialog requests should be relaxed due to broken 
clients.

regards
klaus


Chris St Denis wrote:
> Seems pointless to challenge an ACK.
> 
> Anyway, with ACK and BYE are they supposed to get proxy or www challenge?
> 
> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at] 
> Sent: Tuesday, August 23, 2005 3:25 PM
> To: Chris St Denis
> Cc: 'Thomas Britis'; serusers at lists.iptel.org
> Subject: Re: [Serusers] www_challange and proxy_challange
> 
> 
> 
> Chris St Denis wrote:
> 
> 
>>www_authorize/www_challenge should be used in register. 
>>proxy_authorize/proxy_challenge in invite.
>>
>>I don't see any need for the www_authorize in invite and I don't think any
>>messages other than register and invite support authentication.
> 
> 
> All SIP messages except CANCEL can be challenged. But due to broken SIP 
> clients it is sometimes better to not authenticate BYE and ACK.
> 
> regards
> klaus
> 
>>-----Original Message-----
>>From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
>>Behalf Of Thomas Britis
>>Sent: Tuesday, August 23, 2005 12:16 PM
>>To: serusers at lists.iptel.org
>>Subject: [Serusers] www_challange and proxy_challange
>>
>>Hi all,
>>
>>	Is it sane to use:
>>
>>if (uri==myself) {
>>	if (method=="REGISTER") {
>>		if (!www_authorize("", "subscriber")) {
>>			www_challenge("", "0");
>>			break;
>>		};
>>	} else {
>>		if (!www_authorize("", "subscriber")) {
>>			if (!proxy_authorize("", "subscriber")) {
>>				proxy_challenge("", "0");
>>				break;
>>			};
>>		};
>>	};
>>};
>>
>>	Or anything here appears to be wrong ?
>>
>>	Thank you.
> 
> 
> 
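
The rule of thumb from the reply above (a 401/WWW challenge where the proxy is the endpoint, a 407/proxy challenge where it is an intermediate hop, no challenge for CANCEL or ACK), written out as an added Python example that is not part of the original thread and is not SER code. `LOCAL_DOMAINS`, `presence_in_proxy`, `relax_in_dialog` and the sample requests are assumptions constructed for illustration.

```python
import re

LOCAL_DOMAINS = {"example.org"}  # assumption: domains this proxy is responsible for

def parse_request(raw):
    """Return (method, Request-URI host, in_dialog) for a raw SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, ruri, _version = lines[0].split(" ", 2)
    m = re.match(r"sips?:(?:[^@;>]*@)?([^:;>]+)", ruri)
    host = m.group(1).lower() if m else ""
    to_value = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "t"):  # "t" is the compact form
            to_value = value
    # Header parameters follow the closing ">"; a tag there means in-dialog.
    # The To tag is sender-supplied, so treat this as a heuristic only.
    in_dialog = bool(re.search(r";\s*tag=", to_value.rsplit(">", 1)[-1]))
    return method.upper(), host, in_dialog

def challenge_for(raw, presence_in_proxy=False, relax_in_dialog=True):
    """Return (status, header) of the challenge to send, or None for no challenge."""
    method, host, in_dialog = parse_request(raw)
    if method in ("CANCEL", "ACK"):
        return None  # CANCEL cannot be challenged; ACK never gets a response
    if in_dialog and relax_in_dialog:
        return None  # relaxed for broken clients, as suggested in the post
    # The proxy is the endpoint for REGISTER, and for PUBLISH/SUBSCRIBE only
    # when it terminates presence itself (the "pa module" case).
    endpoint = method == "REGISTER" or (
        method in ("PUBLISH", "SUBSCRIBE")
        and presence_in_proxy and host in LOCAL_DOMAINS)
    if endpoint:
        return (401, "WWW-Authenticate")    # what www_challenge sends
    return (407, "Proxy-Authenticate")      # what proxy_challenge sends

def sample(method, ruri, to_tag=""):
    """Build a constructed minimal request for the demo below."""
    to = "<sip:bob@example.org>" + (";tag=" + to_tag if to_tag else "")
    return (f"{method} {ruri} SIP/2.0\r\nFrom: <sip:alice@example.org>;tag=a1\r\n"
            f"To: {to}\r\nCall-ID: c1@constructed\r\nCSeq: 1 {method}\r\n\r\n")

if __name__ == "__main__":
    for req in (sample("REGISTER", "sip:example.org"),
                sample("INVITE", "sip:bob@example.org"),
                sample("BYE", "sip:bob@192.0.2.10:5060", "b2"),
                sample("SUBSCRIBE", "sip:bob@example.org")):
        print(req.split(" ", 1)[0], "->", challenge_for(req))
```

Setting `relax_in_dialog=False` shows the stricter policy, where an in-dialog BYE also receives a 407.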