
List:       sip-implementors
Subject:    Re: [Sip-implementors] REGISTER without Contact
From:       Iñaki_Baz_Castillo <ibc () aliax ! net>
Date:       2009-05-21 9:58:31
Message-ID: cc1f582e0905210258u315df61br543c8a2e38bb59e () mail ! gmail ! com

2009/5/21 friend friend <sip_quest@yahoo.co.in>:
> In RFC 3665 :
>        Bob sends a register request to the Proxy Server containing no
>    Contact headers, indicating the user wishes to query the server for
>    the user's current contact list.  Since the user already has
>    authenticated with the server, the user supplies authentication
>    credentials with the request and is not challenged by the server.
>    The SIP server validates the user's credentials.  The server returns
>    a response (200 OK) which includes the user's current registration
>    list in Contact headers.
>
> We have an answer for REGISTER(with Credentials) without Contact...
>
>
> But REGISTER (without credentials) without Contact, why do we need to authenticate?

It's really easy. If the registrar doesn't require authentication for
a REGISTER with no Contact, then I could send a spoofed REGISTER with
no Contact and some AoR in the "To" header and I would get all the
registered locations for that AoR. It's just a privacy issue.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>
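
The point made in the reply above, as an added example that is not part of the original message: a small Python registrar sketch that authenticates every REGISTER before answering, so a query with no Contact from an unauthenticated or spoofed sender gets a 401 or 403 instead of the binding list. The realm, user, password, bindings, nonce handling and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data (assumptions, not from the thread).
REALM = "example.com"
PASSWORDS = {"bob": "s3cret"}
BINDINGS = {"sip:bob@example.com": ["sip:bob@192.0.2.4", "sip:bob@198.51.100.7"]}

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse(msg):
    """Split a SIP request into (method, {lower-cased header name: [values]})."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].split(" ", 1)[0], headers

def digest_user(method, auth, nonce):
    """Return the username if the RFC 2617 Digest response (no qop) verifies, else None."""
    p = dict(re.findall(r'(\w+)="([^"]*)"', auth))
    user = p.get("username")
    if user not in PASSWORDS or p.get("realm") != REALM or p.get("nonce") != nonce:
        return None
    ha1 = md5(f"{user}:{REALM}:{PASSWORDS[user]}")
    expected = md5(f"{ha1}:{nonce}:" + md5(f"{method}:{p.get('uri')}"))
    ok = hmac.compare_digest(p.get("response", "").encode(), expected.encode())
    return user if ok else None

def handle_register(msg, nonce):
    """Return (status, contacts); `nonce` is the one this registrar issued earlier."""
    method, h = parse(msg)
    auth = h.get("authorization", [""])[0]
    user = digest_user(method, auth, nonce) if auth.startswith("Digest ") else None
    if user is None:
        return 401, []   # challenge first, even when there is no Contact to process
    to = h.get("to", [""])[0]
    m = re.search(r"<([^>]+)>", to)
    aor = m.group(1) if m else to.split(";", 1)[0]
    if aor != f"sip:{user}@{REALM}":
        return 403, []   # authenticated, but not entitled to this AoR's bindings
    for c in h.get("contact", []):   # simplified update: bare <uri> form, no expiry
        uri = c.strip("<>")
        if uri not in BINDINGS.setdefault(aor, []):
            BINDINGS[aor].append(uri)
    return 200, list(BINDINGS.get(aor, []))
```

The 403 branch matters as much as the 401: valid credentials for one user must not unlock the contact list of a different AoR named in the To header.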

