On Wednesday, 20 January 2010, [email protected] wrote:
> On Wed, Jan 20, 2010, Iñaki Baz Castillo wrote:
> > On Wednesday, 20 January 2010, [email protected] wrote:
> >> I know that strategies differ according to security needs but...
> >>
> >> Which SIP messages are typically challenged for authentication?
> >>
> >> Right now we're challenging INVITE, SUBSCRIBE, and NOTIFY, although
> >> it's not clear to me if challenging SUBSCRIBE or NOTIFY is useful.
> >>
> >> Of course ACK and BYE are not challenged, but then there are others
> >> like MESSAGE, INFO, OPTION... whatever. This falls in the gray zone
> >> as far as my understanding of SIP and security goes.
> >
> > If you don't challenge an *initial* request for authentication then
> > the identity could be spoofed.
> >
> > In the case of dialogs (INVITE, SUBSCRIBE) it's typically just
> > required to challenge the initial request forming such dialog
> > (initial INVITE, initial SUBSCRIBE). The rest of requests in-dialog
> > contain to_tag so usually it's not
> > needed to authenticate them.
>
> Good point. I think I'll change the route script to only challenge
> initial requests. I guess a simple
>
> if (!has_totag()) {
>     if (!aaa_proxy_authorize("")) {
>         proxy_challenge("", "1");
>         exit;
>     }
>     if (!db_check_from()) {
>         xlog("L_WARN", "$rm: Cheating attempt\n");
>         send_reply("403", "Forbidden");
>         exit;
>     }
>     consume_credentials();
>     # caller authenticated
> }
>
> ...near the top of the route script would do the job nicely. Is
> this what you mean in your advice?
Yes, but take into account that REGISTER doesn't use proxy_authorize but www_authorize.

-- 
Iñaki Baz Castillo
<[email protected]>

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
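The following is an added OpenSIPS route fragment illustrating the policy discussed in the thread (challenge only initial requests, handle REGISTER with the WWW-Authenticate variant, let in-dialog requests through on their Route set). It is not code from the thread or from the OpenSIPS project. It assumes the tm, rr, auth, auth_db, uri_db and registrar modules are loaded, that credentials live in the default `subscriber` table, and it uses the database-backed `proxy_authorize`/`www_authorize` in place of the RADIUS `aaa_proxy_authorize` shown in the quoted script; `db_check_to`, `loose_route`, `is_method` and `save` are the standard functions of those modules. ACK and CANCEL are passed through without a challenge because RFC 3261 (section 22.1) does not allow them to be challenged.

```cfg
# Added example, not from the thread: authenticate initial requests only.
# Assumes tm, rr, auth, auth_db, uri_db and registrar are loaded and that
# the empty realm argument makes OpenSIPS take the realm from the request.
route {
    # ACK and CANCEL cannot be challenged (RFC 3261, section 22.1);
    # forward them on the existing transaction / route set.
    if (is_method("ACK|CANCEL")) {
        t_relay();
        exit;
    }

    # In-dialog request (carries a To-tag): the dialog was authenticated
    # when it was formed, so just follow the Route set. A To-tag request
    # that does not match any Route set is not ours to relay.
    if (has_totag()) {
        if (loose_route()) {
            t_relay();
            exit;
        }
        send_reply("403", "Forbidden");
        exit;
    }

    # REGISTER targets the registrar itself, so it gets a WWW-Authenticate
    # challenge (www_*), and the identity being claimed is the To header,
    # hence db_check_to rather than db_check_from.
    if (is_method("REGISTER")) {
        if (!www_authorize("", "subscriber")) {
            www_challenge("", "0");
            exit;
        }
        if (!db_check_to()) {
            xlog("L_WARN", "REGISTER: To header does not match credentials\n");
            send_reply("403", "Forbidden");
            exit;
        }
        save("location");
        exit;
    }

    # Every other initial request (INVITE, SUBSCRIBE, MESSAGE, ...) is
    # challenged by the proxy. db_check_from binds the From identity to
    # the authenticated credentials so a caller cannot spoof From, and
    # consume_credentials strips Proxy-Authorization before relaying.
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }
    if (!db_check_from()) {
        xlog("L_WARN", "$rm: From header does not match credentials\n");
        send_reply("403", "Forbidden");
        exit;
    }
    consume_credentials();

    t_relay();
}
```

The `has_totag()` branch is checked before the method-specific branches so that in-dialog NOTIFY, BYE or re-INVITE requests are never re-challenged, while the first NOTIFY of a subscription that somehow arrives without a To-tag still is. Keeping `db_check_from()` after a successful `proxy_authorize()` matters: authorization alone proves the caller holds some account's password, not that the From URI belongs to that account.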
