[Kamailio-Users] SIP Digest Access Authentication RELAY survey

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jan 15 10:48:53 CET 2009


IIRC to solve this issue completely the UAC should never send 
credentials to unknown parties - only to its SIP proxy (some clients 
have a "force outbound proxy" feature which does the same). Then the SIP 
proxy can remove credentials before forwarding to other parties.

As soon as a client sends messages (with credentials) directly to other 
parties there is nothing you can do on the proxy side.

regards
klaus

Victor Pascual Ávila wrote:
> Hi,
> excuse me if this message is not directly related to Kamailio.
> 
> I'm just wondering if folks could share with me if (and how) they have
> prevented the "SIP Digest Access Authentication RELAY" in their
> networks (and what worked for them or not).
> NAT boxes reduce dramatically the scenarios for a successful attack.
> Otherwise, some might be mitigating the attack by means of forcing UAs
> to use outbound proxies while others might be reducing the attack
> incentives by means of message integrity.
> 
> Any comment would be appreciated,
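
The proxy-side step described in the reply above, removing the client's credentials before the request is forwarded to other parties, as an added Python sketch that is not part of the original thread and is not Kamailio code. The function names, the rule of removing only credentials for the proxy's own realm, and the sample INVITE are assumptions constructed for illustration.

```python
import re

CRED_HEADERS = {"authorization", "proxy-authorization"}  # names are case-insensitive
REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)

def unfold(head):
    """Join folded header lines (a continuation starts with SP or HTAB)."""
    lines = []
    for raw in head.split("\r\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def strip_own_credentials(message, own_realm):
    """Return (message_to_forward, removed_header_lines).

    Only credentials issued for own_realm are removed (assumed policy);
    credentials for other realms stay for the servers that asked for them.
    """
    head, sep, body = message.partition("\r\n\r\n")
    lines = unfold(head)
    kept, removed = [lines[0]], []          # lines[0] is the request line
    for line in lines[1:]:
        name, _, value = line.partition(":")
        realm = REALM_RE.search(value)
        if (name.strip().lower() in CRED_HEADERS
                and realm and realm.group(1) == own_realm):
            removed.append(line)
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body, removed

# Constructed sample request: one folded, lower-case credential header for
# the proxy's realm and one credential header for a different realm.
SAMPLE = "\r\n".join([
    "INVITE sip:bob@other.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
    "From: <sip:alice@home.example>;tag=1",
    "To: <sip:bob@other.example>",
    "Call-ID: constructed-1@192.0.2.10",
    "CSeq: 2 INVITE",
    'proxy-authorization: Digest username="alice",',
    ' realm="home.example", nonce="n1", uri="sip:bob@other.example", response="r1"',
    'Authorization: Digest username="alice", realm="other.example", nonce="n2", response="r2"',
    "Content-Length: 0",
    "", "",
])
```

In Kamailio itself, the auth module's `consume_credentials()` performs this removal after the request has been authorized.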



