On Monday, 19 October 2009, Dale Worley wrote:
> On Mon, 2009-10-19 at 22:54 +0200, Iñaki Baz Castillo wrote:
> > Does it mean that a request with From "sip:al...@domain.org" and
> > credentials with "username=bob, realm=domain.org" would be accepted by
> > sipXecs and routed to the destination?
> > This means that bob is spoofing the call originator.
>
> It is true that one can spoof the call originator. But the philosophy
> we take is that the From and To headers (other than in REGISTERs) are
> documentation, and not to be taken as reliable.

If my proxy/PBX routes me a call with "From: alice" I would expect that Alice is the originator of the call. If the proxy/PBX allows Bob to spoof the request's originator then I've no way to know that it's been a spoofed call. In my experience, checking that the From URI matches the credentials username is a good idea and avoids spoofed calls.

--
Iñaki Baz Castillo <i...@aliax.net>
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
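
The check proposed in the reply above, as an added example that is not part of the original thread or of sipXecs: it compares the From URI with the Digest username and realm, ignoring the display name. It assumes the Digest response has already been verified and that the realm equals the user's domain; example.org, the sample values and the function names are constructed for illustration.

```python
import re

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
SIP_URI = re.compile(r'sips?:([^@:;>\s]+)(?::[^@\s]*)?@([^;>:?\s]+)', re.I)
PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^,\s]+))')

def headers(msg):
    """Map lower-cased header name -> first value, unfolding continuations."""
    head = re.sub(r"\r\n[ \t]+", " ", msg.split("\r\n\r\n", 1)[0])
    out = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        out.setdefault({"f": "from"}.get(name, name), value.strip())
    return out

def from_identity(value):
    """(user, host) of the From URI; the quoted display name is ignored."""
    m = SIP_URI.search(QUOTED.sub("", value))
    return (m.group(1), m.group(2).lower()) if m else None

def digest_identity(value):
    """(username, realm) from Digest credentials, or None."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    p = {k.lower(): q or u for k, q, u in PARAM.findall(rest)}
    if not p.get("username") or not p.get("realm"):
        return None
    return (p["username"], p["realm"].lower())

def originator_matches_credentials(msg):
    """True only if the From URI is the identity the credentials belong to.
    Assumes the Digest response itself was already verified elsewhere and
    that the realm equals the user's domain, as in the thread's example."""
    h = headers(msg)
    creds = h.get("proxy-authorization") or h.get("authorization")
    if not creds or "from" not in h:
        return False
    frm = from_identity(h["from"])
    return frm is not None and frm == digest_identity(creds)

def sample(from_value, username):
    """Constructed INVITE; example.org and all values are placeholders."""
    return ("INVITE sip:carol@example.org SIP/2.0\r\n"
            f"From: {from_value};tag=1\r\n"
            f'Proxy-Authorization: Digest username="{username}", '
            'realm="example.org", nonce="n", uri="sip:carol@example.org", '
            'response="0"\r\n\r\n')
```

A proxy applying this check would answer a mismatch with a rejection instead of routing the request; the user part is compared case-sensitively and the host case-insensitively.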