List: asterisk-dev
Subject: Re: [asterisk-dev] Challenging a sendonly INVITE
From: Maxim Sobolev <sobomax () sippysoft ! com>
Date: 2008-01-29 11:05:28
Message-ID: 479F0878.8000006 () sippysoft ! com
Johansson Olle E wrote:
> On 28 Jan 2008 at 14.03, SCG2 wrote:
>
>> Hi,
>>
>> Is there any circumstance at all where it makes sense to challenge
>> an INVITE which is putting a call on hold?
>>
>> I can find nothing in 3264 that suggests it, but wondered if:
>>
>> Phone A -> Phone B (in doing so phone A may have been authenticated)
>> Phone B later goes to put phone A on hold
>>
>> The only authentication Phone B has had prior to this interaction is
>> the implicit REGISTER challenge response that may have been several
>> minutes ago.
>>
>> Is that good enough?
>>
> I would say that it's up to the implementation when to challenge. You
> can make an assumption here that phone B is within a current dialog. B
> could have authenticated A on the first INVITE. Or a proxy between A
> and B could have.
>
> A has the right to authenticate B on the re-invite if it wants to,
> since the music on hold music is licensed from ABBA and only
> authenticated users are allowed to put anyone on hold and listen
> in... :-)
>
> Normally you separate re-invites from initial invites and say that
> since B knows the tags, the caller ID and is involved in the call,
> we'll accept the invite without authentication.

There is also a security aspect. An implementation that requires all
requests within a dialog to be authenticated will be more secure.
This is especially relevant for re-INVITEs, as not challenging them
would allow anybody who can passively sniff the SIP traffic to divert
RTP to his own IP. By issuing two such re-INVITEs it should even be
possible to add a third party (either passive listener or active talker)
into the conversation without the two existing parties noticing a thing.

Regards,
--
Maksym Sobolyev
Sippy Software, Inc.
Internet Telephony (VoIP) Experts
T/F: +1-646-651-1110
Web: http://www.sippysoft.com
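
An added example, not part of the message above and not Asterisk code: a defender-side audit of a SIP trace that flags the case Maxim describes, an in-dialog re-INVITE that moves a party's media address without carrying credentials. The message builder, the sample trace and its addresses are constructed, and treating the presence of an Authorization header as "was challenged and verified" is an assumption.

```python
import re

def first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text or "", re.M)
    return m.group(1) if m else None

def parse_sip(raw):
    """Split a SIP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    return lines[0], {k.strip().lower(): v.strip() for k, _, v in
                      (l.partition(":") for l in lines[1:])}, body

def audit(messages):
    """Flag re-INVITEs that move a party's media address without credentials."""
    known, findings = {}, []      # known: (Call-ID, party tag) -> media address
    for raw in messages:
        start, h, body = parse_sip(raw)
        call_id, addr = h.get("call-id"), first(r"^c=IN IP[46] (\S+)", body)
        from_tag, to_tag = (first(r";tag=([^;>\s]+)", h.get(n)) for n in ("from", "to"))
        is_answer = start.startswith("SIP/2.0 200") and "INVITE" in h.get("cseq", "")
        if addr in (None, "0.0.0.0") or not (is_answer or start.startswith("INVITE ")):
            continue              # no SDP, old-style hold address, or not an offer/answer
        key = (call_id, to_tag if is_answer else from_tag)   # party that sent this SDP
        authed = "authorization" in h or "proxy-authorization" in h   # assumption
        reinvite = not is_answer and to_tag is not None      # To tag => in-dialog request
        moved = key in known and addr != known[key]
        if reinvite and moved and not authed:
            findings.append((call_id, from_tag, known[key], addr))
            continue              # do not learn the unverified address
        known[key] = addr
    return findings

def msg(start, frm, to, addr, extra=""):
    """Build one constructed SIP message (sample data, not a capture)."""
    return (f"{start}\r\nCall-ID: c1@example.invalid\r\nFrom: {frm}\r\nTo: {to}\r\n"
            f"CSeq: 1 INVITE\r\n{extra}\r\nv=0\r\nc=IN IP4 {addr}\r\nm=audio 4000 RTP/AVP 0\r\n")

A, B = "<sip:a@example.invalid>;tag=a1", "<sip:b@example.invalid>;tag=b1"
TO_A, TO_B = "INVITE sip:a@example.invalid SIP/2.0", "INVITE sip:b@example.invalid SIP/2.0"
SAMPLE = [
    msg(TO_B, A, "<sip:b@example.invalid>", "192.0.2.10"),   # initial INVITE
    msg("SIP/2.0 200 OK", A, B, "198.51.100.20"),            # B answers
    msg(TO_A, B, A, "198.51.100.20"),                        # re-INVITE, same address
    msg(TO_A, B, A, "0.0.0.0"),                              # old-style hold
    msg(TO_A, B, A, "203.0.113.66"),                         # moved, no credentials
    msg(TO_A, B, A, "203.0.113.77", 'Authorization: Digest username="b"\r\n'),
]
```

Each finding is a tuple of Call-ID, sender tag, previously seen media address and the new address; on the sample trace only the uncredentialed move to 203.0.113.66 is reported.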