[SR-Users] loose_route security
Iñaki Baz Castillo
ibc at aliax.net
Sat Apr 16 14:29:27 CEST 2011
2011/4/11 Daniel-Constantin Mierla <miconda at gmail.com>:
> first, skipping authentication for within dialog requests in default
> configuration file comes mainly from the early years when not many sip
> endpoints supported that. But can be done, of course and perhaps it should
> be enabled (or at least added as a #!define option)
I don't think that is a good option. It would break a lot of scenarios:
- An incoming INVITE with RURI sip:alice@domain.org and To URI
sip:200@domain.org arrives at Kamailio, which does lookup and routes
the call to alice.
- The call is established.
- Later alice sends a REFER or a re-INVITE. Note that the request
would contain "From: sip:200@domain.org" (even if the AoR of alice is
"sip:alice@domain.org"). This is because From/To URI are usually
unchanged within a dialog.
- Kamailio asks for authentication to such REFER or re-INVITE.
- alice's device adds "Proxy-Authorization: Digest username="alice", .....".
- If Kamailio does "check_from" the request would be rejected (as
"alice" doesn't match "200").
--
Iñaki Baz Castillo
<ibc at aliax.net>
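
The scenario in the message above, as an added example that is not part of the original post and is not Kamailio code: it builds the callee's in-dialog request from the initial INVITE and applies a simplified stand-in for the "check_from" comparison (From URI user against digest username). The caller "bob", the tags, the Call-ID and all function names are assumptions, and the messages are constructed.

```python
import re

# Constructed initial INVITE (trimmed headers): RURI is alice, To URI is the dialed "200".
INITIAL_INVITE = (
    "INVITE sip:alice@domain.org SIP/2.0\r\n"
    "From: <sip:bob@domain.org>;tag=a1\r\n"   # "bob" is an assumed caller
    "To: <sip:200@domain.org>\r\n"
    "Call-ID: c1@constructed\r\n\r\n"
)

def headers(msg):
    """Map lower-cased header names to values for one SIP message."""
    out = {}
    for line in msg.split("\r\n")[1:]:        # skip the request line
        if not line:                          # blank line ends the headers
            break
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def uri_user(header_value):
    """User part of the first sip:/sips: URI in a From/To header value."""
    m = re.search(r"sips?:([^@;>\s]+)@", header_value)
    return m.group(1) if m else None

def digest_username(header_value):
    """username parameter of a Digest credentials header value."""
    m = re.search(r'username="([^"]*)"', header_value)
    return m.group(1) if m else None

def callee_in_dialog_request(method, invite, callee_tag, auth_user):
    """Request sent by the callee inside the dialog: its From is the
    INVITE's To (plus the callee's tag), its To is the INVITE's From."""
    h = headers(invite)
    return (
        f"{method} sip:bob@domain.org SIP/2.0\r\n"
        f"From: {h['to']};tag={callee_tag}\r\n"
        f"To: {h['from']}\r\n"
        f"Call-ID: {h['call-id']}\r\n"
        f'Proxy-Authorization: Digest username="{auth_user}", realm="domain.org"\r\n\r\n'
    )

def from_matches_credentials(msg):
    """Simplified stand-in for check_from: From URI user == digest username."""
    h = headers(msg)
    return uri_user(h["from"]) == digest_username(h["proxy-authorization"])

if __name__ == "__main__":
    refer = callee_in_dialog_request("REFER", INITIAL_INVITE, "b2", "alice")
    print(uri_user(headers(refer)["from"]), from_matches_credentials(refer))
```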