I actually have found an alternate approach that we optionally use in sipwitch. Basically, sipwitch can be set to recognize a "trusted" subnet, and automatically accepts a refresh from any actively registered ua on the trusted subnet(s) without requesting an authentication challenge, so long as the ua refreshes from the same sip port and ip address it originally registered and authenticated from. It will also do the same for invites and other otherwise "authentication challenge" sip requests that can originate from ua's on the trusted subnet(s).
Using this option of course kills any ability to proxy register multiple ua's through another sip server, although this can be solved by recognizing certain id's as explicitly not trustable. However, for most common configurations and use cases, it works very well and does effectively halve sip network traffic :).

Michael Giagnocavo wrote:
>>> This is
>>> because the ua sends its registration refresh unauthenticated. The
>>> registrar will then push back an authentication challenge request so the
>>> ua can prove its identity, at which point the ua then repeats the same
>>> transaction, but with authentication credentials attached.
>> Why does it do that? Every time I do a debug, I see the first request
>> denied as unauthorized and then it always comes right back and gets
>
> Welcome to HTTP Digest authentication. The request has to get challenged to
> get a new nonce from the server (so as to mitigate replay attacks).
>
> You could TLS and auth off of the client cert, except few devices support
> that, and you'd have the "overhead" of TCP (which is like bad or something).
>
> -Michael
>
> _______________________________________________
> Freeswitch-users mailing list
> [email protected]
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
begin:vcard
fn:David Sugar
n:Sugar;David
org:GNU Telephony
email;internet:[email protected]
tel;work:+1 609 465 5336
url:http://www.gnutelephony.org
version:2.1
end:vcard
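The trusted-subnet shortcut described in this message, sketched as an added example: it is not sipwitch's code, and the class and function names, the subnet and the ids are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy values; not taken from any sipwitch configuration.
TRUSTED_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]
UNTRUSTED_IDS = {"trunk-proxy"}  # ids that relay for other UAs: always challenge


@dataclass(frozen=True)
class Binding:
    """Source address a UA used when it last passed a digest challenge."""
    ip: str
    port: int


class Registrar:
    """Hypothetical registrar state: one authenticated binding per user id."""

    def __init__(self):
        self.bindings = {}  # user id -> Binding

    def authenticated(self, user, ip, port):
        """Record the source of a request that passed digest authentication."""
        self.bindings[user] = Binding(ip, port)

    def expire(self, user):
        """Drop the binding when the registration lapses."""
        self.bindings.pop(user, None)

    def needs_challenge(self, user, ip, port):
        """Return True if this request must be answered with a challenge."""
        if user in UNTRUSTED_IDS:
            return True  # explicitly not trustable, even on a trusted subnet
        binding = self.bindings.get(user)
        if binding is None:
            return True  # not actively registered: full digest exchange
        if binding != Binding(ip, port):
            return True  # source ip or port differs from the authenticated one
        addr = ipaddress.ip_address(ip)
        # Skip the challenge only for sources inside a trusted subnet.
        # A matching source address is not cryptographic proof of identity,
        # so the subnet list should cover only networks the operator controls.
        return not any(addr in net for net in TRUSTED_SUBNETS)
```

The first registration is always challenged; only later requests from the same ip and port on a trusted subnet skip the extra round trip.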
