>>>>> I??aki Baz Castillo <[EMAIL PROTECTED]> wrote: > The request matches a transaction if:
> 1. the branch parameter in the request is equal to the one in the > top Via header field of the request that created the > transaction, and > 2. the sent-by value in the top Via of the request is equal to the > one in the request that created the transaction, and > The "security" offered by point 2 (matching the sent-by) is really > inefficient. I understand you, but please don't name it "security". Transaction matching rules don't give real security, they protect against non-intentional collisions. > So, don't you think that point 2 of 17.2.3 should just dissapear since > it just offers false security? Instead of this I'd prefer to read > something as: > 2. the source address of the request is equal to the source > address of the > request that created the transaction. This have some sense (but we shall say again - not in security context). Imagine two different NATs and two agents behind them, both on address 192.168.1.1, and with monotonic branch numeration (z9hG4bK1, z9hG4bK2, z9hG4bK3...) If rule is "compare sent-by", their branches will mix. Correct matching shall take all four known identifiers (sent-by.host, sent-by.port, received, rport), and I'm unsure it was really correct to drop all another identifiers from matching (according to RFC2543); as minimum, we can add call-id, from_tag and CSeq number to matching, because none other rule allows to change them inside transaction. -- Valentin Nechayev PortaOne Inc., Software Engineer mailto:[EMAIL PROTECTED] _______________________________________________ Sip-implementors mailing list [email protected] https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
