[VOIPSEC] SIP B2BUA and Digest Authentication using
Dan Wing
dwing at cisco.com
Thu Nov 3 10:46:15 CST 2005
> -----Original Message-----
> From: satyam tyagi [mailto:satyam_tyagi at hotmail.com]
> Sent: Thursday, November 03, 2005 8:35 AM
> To: dwing at cisco.com; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] SIP B2BUA and Digest Authentication using
>
> Hi Dan,
>
> Yes, but it is still easy to ring the phones, spoofing INVITE
> as SIP server, unless the phone challenges the INVITE.
>
> There are some techniques to use line-id etc (As some snome
> phones do) but not once you know line id again this is possible.
TCP would help. TLS-over-TCP would help even more.
In the absence of that, you could rotate the line-id every few hours (and
re-register), only accept Invites from the same IP address as your SIP proxy
(akin to what a symmetric NAT imposes on its outbound connections), and make
sure the network follows RFC2827 practices (Network Ingress Filtering).
-d
> Satyam
>
>
>
>
>
>
> ________________________________
>
> From: "Dan Wing" <dwing at cisco.com>
> To: "'satyam tyagi'" <satyam_tyagi at hotmail.com>,
> <Voipsec at voipsa.org>
> Subject: RE: [VOIPSEC] SIP B2BUA and Digest
> Authentication using
> Date: Thu, 3 Nov 2005 08:01:08 -0800
> MIME-Version: 1.0
> Received: from sj-iport-5.cisco.com ([171.68.10.87])
> by mc7-f1.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
> Thu, 3 Nov 2005 08:01:12 -0800
> Received: from sj-core-3.cisco.com ([171.68.223.137])
> by sj-iport-5.cisco.com with ESMTP; 03 Nov 2005 08:01:10 -0800
> Received: from dwingwxp ([10.32.240.195])by
> sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id
> jA3G15Wr018942;Thu, 3 Nov 2005 08:01:05 -0800 (PST)
> > That is the case when the SIP server wants to challenge
> > the phone.
> >
> >
> > The other half is when Phone challenges the SIP server.
>
> Authentication-Info allows that mutual authentication.
> See RFC3261 section
> 22.4.
>
> -d
>
>
>
>
>
More information about the Voipsec
mailing list