Hello all. I have a theoretical question about call admitting and security.
Let's say we have two clients, A and B (phones or softphones), and a proxy/registrar. The clients register themselves on the registrar with authentication (HTTP Digest). This is, I think, the most normal scenario. The proxy authenticates incoming calls (from the clients), meaning INVITE messages, with the same registrar credentials, and this gives it a certain degree of security.

What happens for clients? I mean, how can a client "authorize/authenticate" a call coming from the proxy and be sure it is *really* coming from its proxy? Let's say, for example, that a malicious client/proxy "C" is sending INVITEs to A. How can A recognize that these INVITEs are not related to the REGISTER "session" with the proxy?

I think this can be done by checking/filtering on IP addresses. But are there no other ways? I mean something textual like a Dialog-ID or Call-ID, but negotiated during registration? Better, can registration be used like an authorization "provider", meaning that I accept only calls coming from the proxy/registrar where I am registered?

Are there best practices or documentation about that?

Thank you.

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
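
The IP-address filtering mentioned in the message above, sketched as an added example (not part of the original post): client A admits an INVITE only when the packet's transport-layer source address is one it used for REGISTER. The function names, the accept/reject/drop outcomes and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: addresses this UA sent its REGISTER to (constructed sample value).
REGISTRAR_ADDRS = {"192.0.2.10"}

# Constructed sample INVITE. Every header below is chosen by the sender, so a
# third party "C" can send these exact bytes, Via and Call-ID included.
SAMPLE_INVITE = (
    "INVITE sip:a@198.51.100.20:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-1\r\n"
    "From: <sip:b@example.com>;tag=constructed\r\n"
    "To: <sip:a@example.com>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

def parse_method(raw):
    """Return the method from the request line, or None if it is not a SIP request."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    return parts[0]

def admit(raw, source_ip, registrar_addrs=REGISTRAR_ADDRS):
    """Decide on a request using only the address the packet arrived from.

    Returns "accept", "reject" (the UA would answer 403) or "drop".
    Header contents are deliberately ignored for the trust decision.
    """
    method = parse_method(raw)
    if method is None:
        return "drop"
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return "drop"
    if any(src == ipaddress.ip_address(a) for a in registrar_addrs):
        return "accept"
    # Unknown source: answer INVITEs with a refusal, ignore everything else.
    return "reject" if method == "INVITE" else "drop"

if __name__ == "__main__":
    print(admit(SAMPLE_INVITE, "192.0.2.10"))    # sent by the registrar/proxy
    print(admit(SAMPLE_INVITE, "203.0.113.66"))  # same bytes sent by "C"
```

Over UDP the source address is itself unauthenticated, so this is a filter on where a packet claims to come from rather than proof of the sender's identity.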
