[Serusers] Checking spoofed From headers

sip sip at arcdiv.com
Tue Apr 11 00:57:16 CEST 2006


It was originally for use with some of our internal UAs which don't handle
authentication properly.... and I was simply too lazy to set up the
authentication with trust tables. 

I know. Slackness coming back to bite me in the ass. But it's fixed now. 

N.


On Mon, 10 Apr 2006 23:46:30 +0200 (CEST), Klaus Darilion wrote
> I do not understand why you do not authenticate the users.
> 
> Using existinguser at ourdomain.com is at least as bad as
> nonexistinguser at ourdomain.com.
> 
> You also have to check that some persons do not misuse existing accounts.
> 
> I would never allow any local user to use my SIP proxy without
> authentication. (Of course incoming calls are allowed without
> authentication).
> 
> Allowing outgoing calls without authentication (authentication
> implies that only local users are allowed to use the proxy) is a bad
> thing (the same as open mail relays).
> 
> regards
> klaus
> 
> On Mon, April 10, 2006 20:21, sip said:
> > Well... my hack seems to work. I'll see if I managed to break anything,
> > though. It shouldn't affect reinvites or require using trusted tables as other
> > machines aren't going to claim they're local users.
> >
> > The Snom phones will use PKI certs if you want.  But I can't guarantee all our
> > users will want to buy one. ;)
> >
> > I'm less interested in checking if the host is local to the proxy, though as,
> > again, we're an open proxy.  I just want to avoid bob at ourdomain.com  (a
> > non-existent user) using the ourdomain.com proxy to send calls through, having
> > it trace back to us and causing problems.
> >
> > N.
> >
> > On Mon, 10 Apr 2006 20:59:14 +0300, Juha Heinanen wrote
> >> sip writes:
> >>
> >>  > Am I going to have to do a search("^From:.*@my.domain.com")) and then
> >>  > proxy_authorise and check from... essentially only authenticating users who
> >>  > claim to be from my system?
> >>
> >> there is even a function to check if from host is local to your proxy.
> >>
> >>  > I'll give it a shot. Seems kind of backward, though.
> >>
> >> another option is to use pki certificates that both UAs can verify, but
> >> i haven't seen those implemented in UAs.
> >>
> >> -- juha
> >
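
The policy discussed in this thread (challenge only requests whose From claims a local domain, then require the authenticated user to match the From user), sketched in Python as an added example; it is not code from the thread or from SER. `LOCAL_DOMAINS`, `from_identity`, `decide` and the sample request are constructed for illustration, and `verified_user` stands for the outcome of digest verification, which is not modelled here.

```python
import re

LOCAL_DOMAINS = {"ourdomain.com"}  # placeholder domain used in the thread

# SIP header names are case-insensitive and From has the compact form "f",
# so the header match must accept both, not only a literal "From:".
FROM_HDR = re.compile(r"^(?:from|f)[ \t]*:(.*)$", re.I | re.M)
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted display name
SIP_URI = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^:;>\s?]+)", re.I)


def from_identity(msg):
    """Return (user, host) from the From header, or None if it cannot be parsed."""
    hdr = FROM_HDR.search(msg)
    if not hdr:
        return None
    value = QUOTED.sub("", hdr.group(1))        # ignore URIs inside display names
    bracketed = re.search(r"<([^>]*)>", value)  # name-addr form wins if present
    uri = SIP_URI.search(bracketed.group(1) if bracketed else value)
    if not uri:
        return None
    # Host names compare case-insensitively; drop a trailing root dot.
    return (uri.group(1) or "", uri.group(2).lower().rstrip("."))


def decide(msg, verified_user=None):
    """verified_user: digest username the proxy has already verified, or None
    when the request carried no valid credentials (assumption of this sketch)."""
    ident = from_identity(msg)
    if ident is None:
        return "400 Bad From"
    user, host = ident
    if host not in LOCAL_DOMAINS:
        return "relay"              # non-local From: passed without authentication
    if verified_user is None:
        return "407 challenge"      # claims a local identity: must authenticate
    if verified_user != user:
        return "403 From mismatch"  # authenticated, but as a different user
    return "relay"


def sample_request(from_line):
    """Constructed minimal INVITE carrying the given From header line."""
    return ("INVITE sip:1000@example.net SIP/2.0\r\n" + from_line +
            "\r\nTo: <sip:1000@example.net>\r\nCSeq: 1 INVITE\r\n\r\n")


if __name__ == "__main__":
    print(decide(sample_request("f: <sip:bob@OurDomain.COM>;tag=1")))
```
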



