On 01/11/2012 07:11 AM, Sandro wrote:
> Hello all.
>
> I have a theoretical question about call admitting and security.
>
> Let's say we have two clients A&B (phones or softphones) and a
> proxy/registrar.
> Clients register themselves on the registrar with authentication (HTTP
> digest).
> This is, I think, the most normal scenario.
>
> Proxy authenticates incoming (from the clients) calls, this means INVITE
> messages, with the same registrar credentials, and this gives it a certain
> degree of security.
>
> What happens for clients?
> I mean, how can a client "authorize/authenticate" a call coming from the
> proxy and become sure it is *really* coming from its proxy?
>
> Let's say for example that a "C" malicious client/proxy is sending INVITEs
> to A.
> How can A recognize that these INVITEs are not related to the REGISTER
> "session" to the proxy?
There is no perfect method to do this, but one very common method is for the UA that REGISTERs to include a randomly-generated token in the Contact URI that it supplies to the registrar; incoming INVITEs generated by UAs that obtained the Contact URI from that registrar will then include that token, and the receiving UA can 'trust' that the INVITE was generated by a UA that was authorized by the registrar to do so. This can easily be sniffed by a third party if the SIP signaling is not secured, of course.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: [email protected] | SIP: [email protected] | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
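The technique Kevin describes, worked through on the UA side as an added example (this is not code from the thread, from Digium or from any SIP stack). It assumes a URI parameter named `ua-token` (my name, not a standard one), CRLF-delimited SIP text, and that the proxy copies the registered Contact URI, parameters included, into the Request-URI of the INVITE it forwards; the REGISTER/INVITE messages are constructed samples.

```python
"""UA-side check for the random-token-in-Contact idea from the thread.

Assumptions (mine, not the thread's): the token rides in a URI parameter
called "ua-token" inside the angle brackets of the Contact header, so the
registrar stores it as part of the binding and a proxy routing from that
binding copies it into the Request-URI of the INVITE it forwards.
"""
import hmac
import secrets

TOKEN_PARAM = "ua-token"  # hypothetical parameter name (assumption)


def new_contact_token(nbytes: int = 16) -> str:
    """Fresh, unguessable token; generate one per registration."""
    return secrets.token_hex(nbytes)


def build_contact_header(user: str, host: str, port: int, token: str) -> str:
    """Contact header the UA puts in its REGISTER. The token is a URI
    parameter (inside <...>), not a header parameter, so it travels with
    the binding rather than being dropped by the registrar."""
    return f"Contact: <sip:{user}@{host}:{port};{TOKEN_PARAM}={token}>"


def sip_uri_params(uri: str) -> dict:
    """Parse the ';'-separated parameters of a sip:/sips: URI.
    A parameter without '=' maps to ''. Returns {} if there are none."""
    body = uri.split(":", 1)[1] if ":" in uri else uri
    params = {}
    for part in body.split(";")[1:]:
        name, _, value = part.partition("=")
        params[name.lower()] = value
    return params


def request_uri(message: str) -> str:
    """Return the Request-URI from the start line of a SIP request."""
    start_line = message.split("\r\n", 1)[0]
    fields = start_line.split(" ")
    if len(fields) != 3 or not fields[2].startswith("SIP/"):
        raise ValueError("not a SIP request start line")
    return fields[1]


def invite_matches_registration(message: str, expected_token: str) -> bool:
    """True only when the INVITE's Request-URI carries the token we sent
    in our Contact at REGISTER time, i.e. it reached us through the
    registrar's binding. Constant-time compare so a sender probing with
    guesses learns nothing from response timing."""
    if not message.startswith("INVITE "):
        return False
    token = sip_uri_params(request_uri(message)).get(TOKEN_PARAM)
    if token is None:
        return False
    return hmac.compare_digest(token, expected_token)


# Constructed sample token; a real UA would call new_contact_token().
TOKEN = "d2f1e0a9c8b7a6f5"

# Constructed sample: what the proxy forwards after looking up our binding.
GOOD_INVITE = (
    "INVITE sip:alice@192.0.2.10:5060;ua-token=d2f1e0a9c8b7a6f5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy.example.net;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:bob@example.net>;tag=1928301774\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Call-ID: a84b4c76e66710@proxy.example.net\r\n"
    "CSeq: 314159 INVITE\r\n\r\n"
)

# Constructed sample: an INVITE sent straight to the UA, never routed via
# the registrar, so it cannot carry the token.
UNSOLICITED_INVITE = (
    "INVITE sip:alice@192.0.2.10:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bKnashds8\r\n"
    "From: <sip:someone@198.51.100.7>;tag=88\r\n"
    "To: <sip:alice@192.0.2.10>\r\n"
    "Call-ID: 1234@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

if __name__ == "__main__":
    print(build_contact_header("alice", "192.0.2.10", 5060, TOKEN))
    print(invite_matches_registration(GOOD_INVITE, TOKEN))         # True
    print(invite_matches_registration(UNSOLICITED_INVITE, TOKEN))  # False
```

As Kevin's caveat says, the token is plain text in the signaling, so the check only holds up where SIP runs over TLS (sips/TLS to the registrar and proxy); and even then it only establishes that the INVITE came through the registrar's binding, not who the caller is. Rotating the token on every re-REGISTER limits how long a captured one stays useful.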
