Hi, because of the SIP design, a UAC is responsible for setting its "Contact" field in the REGISTER. This can be used by malicious users to spoof the location of other UAS or gateways.

There are "not very elegant" solutions for this issue, but I'm thinking about forcing a convention:

A SIP UAC with AoR "sip:[EMAIL PROTECTED]" SHOULD send a REGISTER with:

  Contact: <sip:[EMAIL PROTECTED]>

and the registrar server SHOULD reject any REGISTER with a "Contact" not respecting this convention for the registering AoR.

I set "[EMAIL PROTECTED]" since "[EMAIL PROTECTED]" would not be secure in multidomain environments.

What could be wrong with this convention? Would it break any feature, SIP extension or rule according to any existing RFC?

Thanks for any comment.

--
Iñaki Baz Castillo
[EMAIL PROTECTED]

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
