Shikhar,
Indeed it is possible to include an 'Authorization' header in the INVITE (or
'Proxy-Authorization' if you want). However, this header would not contain a
challenge but rather a response to a previous challenge (i.e. credentials of
the SoftSwitch). The SIP phone could then insert an Authentication-Info
header in its 2xx response to get mutual authentication.
The problem is: where does the initial challenge come from? With digest
authentication the digest is calculated based on the nonce that comes back
from the server (in a 401/407 response with a
WWW-Authenticate/Proxy-Authenticate header). The SoftSwitch initially has no
such thing, although I suppose you could define something based on random
material present in the request (e.g. via branch, call-id) and the shared
secret between the phone and the softswitch. I am no security expert though;
there are probably issues with replay attacks and the like.
The point is: all of the above would not be standard SIP. How is the SIP
phone supposed to know that it should use an Authorization header (and how
it should construct it)? The SoftSwitch can ignore its response but cannot
indicate a failure (except perhaps in ACK, but again this would not be
standard).
It may be interesting to raise this question on the SIPPING mailing list; it
sounds like a reasonable use case for response authentication (request
authentication is defined).
Regards,
jeroen
----- Original Message -----
From: "Shikhar Sarkar" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, October 13, 2005 9:33 PM
Subject: RE: [Sip-implementors] Authenticating an incoming SIP call
Vimal,
I mean the case say (just an example) Alice is calling Bob,
ISDN IAM Invite
Alice---------SS7---------->Softswitch------------>SIP phone(Bob)
Now if the Softswitch wants to authenticate Bob as a valid user for this
call, how to do it using SIP? [Assume Bob is already registered with the
Softswitch, but the Softswitch wants to authenticate Bob per call]
I think I am missing something very fundamental. Otherwise, I suppose this
is the most basic question for any telecom guy.
Shikhar
-----Original Message-----
From: vimal srivastava [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 3:18 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Sip-implementors] Authenticating an incoming SIP call
You mean to say the proxy is sending one invite to a UAC, and the proxy wants to
challenge this UAC also?
UAC--------INVITE------------> PROXY-------------------INVITE----------UAS
Proxy can challenge only UAC, not UAS.
UAS can challenge proxy as well as UAC.
This is how it works.
Now UAC can include an Authorization header in the invite itself so that it
does not receive 401 from UAS or 407 from proxy.
That's what I meant.
Cheers!!
From: "Shikhar Sarkar" <[EMAIL PROTECTED]>
To: <[email protected]>
Subject: RE: [Sip-implementors] Authenticating an incoming SIP call
Date: Thu, 13 Oct 2005 14:15:27 -0400
Vimal,
Did you get my question? I am talking about an incoming call scenario when
say the SIP proxy sends Invite to the SIP client (e.g. my SIP phone). The
SIP proxy wants to challenge the SIP client to make sure the call is not
delivered to a fake entity. How does your comment fit in this scenario?
Or am I missing some basic understanding? Please help.
Shikhar
-----Original Message-----
From: vimal srivastava [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 1:54 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Sip-implementors] Authenticating an incoming SIP call
Yes, registration alone does not suffice. In the invite you should include
an Authorization header. If you don't, then you can be challenged by 401 or
407. Moreover, you might end up encoding multiple Authorization headers for
different nodes in between :)
Cheers
From: "Shikhar Sarkar" <[EMAIL PROTECTED]>
To: <[email protected]>
Subject: RE: [Sip-implementors] Authenticating an incoming SIP call
Date: Thu, 13 Oct 2005 13:01:39 -0400
Guys,
This discussion is getting interesting. One group of people responded saying
"Yes possible", and the other said "It's not". The end result is that I am
very confused now.
I am trying to figure out a way in which I can challenge the SIP endpoint
before delivering a call to it. The endpoint has already registered and
passed authentication. But, when delivering an incoming call, if I want
additionally to make sure that the call is not delivered to a spoofer, is
there a way to authenticate the user? I am talking about something similar
to what happens in the cellular world.
Shikhar
-----Original Message-----
From: Asheesh Joshi [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 1:57 AM
To: 'Shikhar Sarkar'; [email protected]
Subject: RE: [Sip-implementors] Authenticating an incoming SIP call
Yes... An authentication challenge can happen for any request except
CANCEL and ACK.
The authentication mechanism is Digest Authentication.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shikhar Sarkar
Sent: Thursday, October 13, 2005 4:25 AM
To: [email protected]
Subject: [Sip-implementors] Authenticating an incoming SIP call
Guys,
Is there a way to authenticate a SIP user for incoming call scenario such
as:
      IAM                    Invite
SS7----------->Softswitch------------->WiFi SIP device
The WiFi SIP device of course has already registered with Softswitch. But is
that enough to assume that there is no clone/eavesdropper? I am wondering
why I always see 401/407 challenges opposite to the direction of
Invite. Is there a way to include an Authentication challenge in the Invite
itself?
Please throw some light.
Shikhar
_______________________________________________
Sip-implementors mailing list
[email protected]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors