On 12/19/2011 02:15 PM, Neel Neelakantan wrote:
> See Inline.
>
> Thanks,
> Neel.
>
>> -----Original Message-----
>> From: [email protected] [mailto:sip-[email protected]] On Behalf Of Olle E. Johansson
>> Sent: Friday, December 16, 2011 6:35 AM
>> To: [email protected] sip-[email protected]
>> Subject: [Sip-implementors] Security issue in SIPconnect 1.1?
>>
>> "
>> 15.4.1.3
>> Unknown SIP-PBX Identity
>> The SP-SSE MUST issue a 404 Not Found response to a REGISTER request,
>> if the Registration AOR of the SIP-PBX is not found in its database. An
>> SIP-PBX receiving such a response to a REGISTER request MUST consider
>> the Registration attempt to have failed, and notify the SIP-PBX
>> administrator if possible through some means. The SIP-PBX SHOULD follow
>> the backoff procedures defined previously in Section 15.4.1.1.
>> "
>>
>
> [Neel]
> Ideally, if the SP-SSE supports authentication it should send 401
> Unauthorized first to REGISTER. Otherwise, it should send 404 Not Found.
True enough; if an SP-SSE that does not support authentication is exposed to an attacker trying to enumerate AoRs, it will have no choice but to respond differently for valid and invalid AoRs. Of course, such an SP-SSE shouldn't be connected to a network where such attacks are possible, or should be protected via some external mechanism.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: [email protected] | SIP: [email protected] | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
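A sketch of the two SP-SSE behaviours discussed above, added here as an example and not taken from the thread, from SIPconnect or from any vendor's code: a registrar that supports authentication can answer 401 to every unauthenticated REGISTER before consulting its database, so the status code alone does not say whether the AoR exists, while one without authentication can only answer 200 or 404. The AoR database, the shared secret and the simplified keyed response (a stand-in for RFC 3261 digest, which is not implemented here) are constructed for the example.

```python
from typing import Optional, Tuple
import hashlib
import hmac

# Constructed registrar database for this example: Registration AoR -> shared secret.
AOR_DB = {"sip:pbx1@sp.example": "pbx1-secret"}


def compute_response(aor: str, nonce: str, secret: str) -> str:
    """Keyed response a SIP-PBX would send back; a simplified stand-in for
    RFC 3261 digest, which this example does not implement."""
    return hmac.new(secret.encode(), f"{aor}:{nonce}".encode(), hashlib.sha256).hexdigest()


def register_with_auth(aor: str, creds: Optional[Tuple[str, str]], server_nonce: str) -> int:
    """SP-SSE that supports authentication. Returns the SIP status code.
    creds is None for the first REGISTER, else (nonce, response)."""
    # Challenge every unauthenticated REGISTER before touching the database,
    # so known and unknown AoRs both receive 401 at this point.
    if creds is None:
        return 401
    nonce, response = creds
    secret = AOR_DB.get(aor)
    if secret is None or nonce != server_nonce:
        # Unknown AoR, stale nonce and bad password all collapse into 401.
        return 401
    if not hmac.compare_digest(response, compute_response(aor, nonce, secret)):
        return 401
    return 200


def register_without_auth(aor: str) -> int:
    """SP-SSE with no authentication: it can only look the AoR up and answer
    200 or 404, so the status code reveals whether the AoR exists."""
    return 200 if aor in AOR_DB else 404


def status_codes_reveal_aor(register) -> bool:
    """True when a known and an unknown AoR get different status codes on a
    bare (unauthenticated) REGISTER; the check a deployer might run."""
    return register("sip:pbx1@sp.example") != register("sip:nobody@sp.example")
```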
