[prev in list] [next in list] [prev in thread] [next in thread]
List: sip-implementors
Subject: Re: [Sip-implementors] REGISTER without Contact
From: Iñaki_Baz_Castillo <ibc () aliax ! net>
Date: 2009-05-21 9:58:31
Message-ID: cc1f582e0905210258u315df61br543c8a2e38bb59e () mail ! gmail ! com
[Download RAW message or body]
2009/5/21 friend friend <sip_quest@yahoo.co.in>:
> In RFC 3665 :
> Bob sends a register request to the Proxy Server containing no
> Contact headers, indicating the user wishes to query the server for
> the user's current contact list. Since the user already has
> authenticated with the server, the user supplies authentication
> credentials with the request and is not challenged by the server.
> The SIP server validates the user's credentials. The server returns
> a response (200 OK) which includes the user's current registration
> list in Contact headers.
>
> We have an answer for REGISTER(with Credentials) without Contact...
>
>
> But REGISTER (without credentials) without Contact, why do we need to authenticate?
It's really easy. If the registrar doesn't require authentication for
a REGISTER with no Contact, then I could send a spoofed REGISTER with
no Contact and some AoR in the "To" header and I would get all the
registered locations for that AoR. It's just a privacy issue.
--
Iñaki Baz Castillo
<ibc@aliax.net>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic