[Serusers] Checking spoofed From headers

[Klaus Darilion]

I do not understand why you do not authenticate the users.

Using existinguser at ourdomain.com is at least as bad as
nonexistinguser at ourdomain.com.

You also have to check that some persons do not misuse existing accounts.

I would never allow any local user to use my SIP proxy without
authentication. (Of course incoming calls are allowed without
authentication).

Allowing outgoing calls without authentication (authentication implies
that only local users are allowed to use the proxy) is a bad thing (the
same like open mail relays.)

regards
klaus

On Mon, April 10, 2006 20:21, sip said:
> Well... my hack seems to work. I'll see if I managed to break anything,
> though. It shouldn't affect reinvites or require using trusted tables as
> other
> machines aren't going to claim they're local users.
>
> The Snom phones will use PKI certs if you want.  But I can't guarantee all
> our
> users will want to buy one. ;)
>
> I'm less interested in checking if the host is local to the proxy, though
> as,
> again, we're an open proxy.  I just want to avoid bob at ourdomain.com  (a
> non-existent user) using the ourdomain.com proxy to send calls through,
> having
> it trace back to us and causing problems.
>
> N.
>
> On Mon, 10 Apr 2006 20:59:14 +0300, Juha Heinanen wrote
>> sip writes:
>>
>>  > Am I going to have to do a search("^From:.*@my.domain.com")) and then
>>  > proxy_authorise and check from... essentially only authenticating
>> users who > claim to be from my system?
>>
>> there is even a function to check if from host is local to your proxy.
>>
>>  > I'll give it a shot. Seems kind of backward, though.
>>
>> another option is to use pki certificates that both UAs can verify, but
>> i haven't seen those implemented in UAs.
>>
>> -- juha
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>