[OpenSIPS-Users] Multi-domain and reinvite authentications
Iñaki Baz Castillo
ibc at aliax.net
Tue Oct 27 10:12:16 CET 2009
On Tuesday, 27 October 2009, Thomas Gelf wrote:
> Carlo Dimaggio wrote:
> > On 26 Oct 09, at 17:27, Iñaki Baz Castillo wrote:
> >> On Monday, 26 October 2009, Carlo Dimaggio wrote:
> >>> Is there a better implementation?
> >>
> >> Yes, don't ask for authentication for a re-INVITE :)
> >
> > Is this the right implementation or a workaround? (in Flavio
> > Goncalves' book I see the authentication of re-invites...)
> > There could be a security issue without this authentication? (for
> > example a custom packet with a fake to_tag and a route header?
>
> I would also opt for not authenticating them. An attacker needs
> to figure out Call-ID, from- and to-tag and Route headers. Sure,
> this is possible if he is able to intercept your SIP traffic, but
> in that case you probably have many other problems.
Yes. In case the attacker intercepts the initial INVITE he would know a nonce
which could be valid within some minutes, so the attacker could do things
worse than just ending a dialog or spoofing a re-INVITE.
> Doing shall make such attacks "difficult enough", and if someone
> is able to sniff your SIP traffic and to inject packets (really
> easy if using UDP), even authenticating ReINVITEs will not help
> you...
What we need is further TLS usage :)
--
Iñaki Baz Castillo <ibc at aliax.net>
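
The approach recommended in this thread, as an added example that is not part of the original message or the OpenSIPS project's own configuration: challenge only initial INVITEs and accept in-dialog requests such as re-INVITEs when loose_route() succeeds. It assumes an OpenSIPS 1.x script with the rr, sl, tm, textops, uri, auth and auth_db modules loaded; the empty realm, the "subscriber" table and the route numbering are assumptions.

```opensips
# Added example, not from the original post. Module loading, listen
# addresses and database settings are omitted.
route {
    # In-dialog requests (re-INVITE, BYE, ...) carry a To-tag.
    if (has_totag()) {
        # loose_route() returns true only when the request carries a
        # Route header addressed to this proxy, i.e. it follows the
        # path recorded with record_route() at dialog setup.
        if (loose_route()) {
            # No proxy_authorize() here: re-INVITEs are not challenged.
            route(1);
        } else {
            if (is_method("ACK")) {
                # Stray ACK without a Route set: drop silently.
                exit;
            }
            # To-tag present but no valid Route set: reject.
            sl_send_reply("404", "Not here");
        }
        exit;
    }

    # Initial INVITE (no To-tag): this is where digest auth is enforced.
    if (is_method("INVITE")) {
        if (!proxy_authorize("", "subscriber")) {   # realm/table assumed
            proxy_challenge("", "0");
            exit;
        }
        # Do not forward the Proxy-Authorization header downstream.
        consume_credentials();
        # Stay on the signalling path so later in-dialog requests
        # must come back through loose_route() above.
        record_route();
    }

    route(1);
}

route[1] {
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

As the replies above point out, this only raises the bar against off-path senders who must guess the Call-ID, tags and Route set; it does not protect against someone who can read the SIP traffic, which is what TLS addresses.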