[SR-Users] loose_route security
Iñaki Baz Castillo
ibc at aliax.net
Sun Apr 17 13:54:36 CEST 2011
2011/4/17 Juha Heinanen <jh at tutpro.com>:
> if refer does not contain referred-by header, then there is no other
> choice than to refuse it. otherwise (unless you keep call state) you
> don't have any chance to know who sent the refer and what rights the
> sender might have.
Keeping call state within a proxy is not reliable, even using dialog
module. The proxy doesn't check that the RURI of an in-dialog Request
matches the remote target of the existing dialog, neither matches the
Route values in the in-dialog request.
Anyhow I don't think the proxy should do all this stuff.
Depending on our topology we can just ask for authentication for every
in-dialog request (unless it comes from a trusted node as a PSTN gw)
but without trying to check the identity of the in-dialog request
originator. Well, the identity is asserted by the proxy after
authentication success. During an in-dialog request it doesn't matter
the From/To URI value (this is not true in an initial INVITE in which
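The approach described in the message above (authenticate every in-dialog request unless it comes from a trusted node) could be written as the following Kamailio routing fragment. This is an added example, not part of the original post and not the project's shipped configuration. It assumes the rr, siputils, sl, tm, auth, auth_db and permissions modules are loaded; the realm `sip.example.test`, address group `1` for trusted gateways and `route[RELAY]` are placeholders.

```cfg
# Added example. Realm, address group and route names are assumptions.
request_route {
    if (has_totag()) {
        route(WITHINDLG);
        exit;
    }
    # ... initial request handling is outside the scope of this example ...
}

route[WITHINDLG] {
    # Accept only requests that carry a Route set pointing at this proxy.
    if (!loose_route()) {
        if (is_method("ACK")) {
            # ACK for a transaction this proxy handled: relay it, otherwise drop it.
            if (t_check_trans()) {
                route(RELAY);
            }
            exit;
        }
        sl_send_reply("404", "Not here");
        exit;
    }

    # ACK and CANCEL cannot be challenged, so they bypass authentication.
    if (!is_method("ACK|CANCEL")) {
        # Trusted nodes (for example a PSTN gateway) are listed in address group 1.
        if (!allow_source_address("1")) {
            # Flag "0": verify credentials only. The From/To URI is not
            # compared with the authenticated user for in-dialog requests.
            if (!auth_check("sip.example.test", "subscriber", "0")) {
                auth_challenge("sip.example.test", "0");
                exit;
            }
            # Do not forward the credentials downstream.
            consume_credentials();
        }
    }

    route(RELAY);
}
```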