On Fri, 2008-09-05 at 10:12 -0400, M. Ranganathan wrote:
> On Fri, Sep 5, 2008 at 9:38 AM, Scott Lawrence
> <[EMAIL PROTECTED]> wrote:
> >
> > On Fri, 2008-09-05 at 09:04 -0400, M. Ranganathan wrote:
> >> Why does sipx proxy challenge REFER requests from services that are
> >> known to be co-hosted with it? It could be made more efficient if such
> >> requests were not challenged.
> >
> > It is never appropriate to use a source IP address or port as an
> > authenticator.
> 
> 
> Yes, I would readily agree that, for a public IP address which is globally
> routable, this is a rather weak form of "authentication".
> 
> >
> > If we were to use SIP over TLS between components with peer
> > authentication, we could trust the sender, but to add the overhead of
> > doing that for all requests just to avoid challenging a REFER would not
> > be a good tradeoff.
> 
> 
> Agreed. However, if you are using TCP for signaling and you are
> collocated with the proxy (one can also throw in "AND if you can add
> the ability to listen on localhost to the proxy"), would challenge
> be necessary?

I stand by my earlier statement, this time with emphasis:

        It is NEVER appropriate to use a source IP address or port as an
        authenticator.


_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
