more examples

Jiri Kuthan authored on 04/03/2003 16:15:27
Showing 1 changed files
@@ -30,6 +30,45 @@ to account dialogs (calls) that are initiated by my own users, how do i
30 30
 know when i see a bye, if it terminates such a call or a call initiated
31 31
 by non-local party?
32 32
 
33
+Jiri: There are actually two issues: decide whether the subsequent BYE needs to
34
+be authenticated, and if so, with what realm. There is no way around it
35
+except keeping dialog state, better in record-routes rather than in
36
+server's memory. If in record-routes, integrity needs to be preserved.
37
+See my sipping posting (2003-03-04):
38
+First of all, as said previously, live with realms from UAC. They
39
+are as trustworthy as user's id -- all is supplied by user and what
40
+really matters is whether the credentials are ok. (And again, forget
41
+interfaces, please.)
42
+
43
+The real questions is whether to authenticate at all, and if so
44
+which realm the server should use to challenge.
45
+
46
+Let me give an example. A proxy maintains a policy which is 
47
+a no relaying: drop requests which neither have my domain 
48
+  in r-uri nor have my domain in From
49
+b verify from: if request originator claims to be a part of
50
+  my domain in From of a request, authenticate
51
+c watch all: sessions are record-routed
52
+
53
+Scenario:
54
+1) a@other calls b@other which gets forwarded to b@mine
55
+2) b@mine sends a BYE, it looks like:
56
+
57
+BYE sip:originator@1.2.3.4
58
+From: b@other
59
+To: a@other
60
+Route: <proxy@mine;lr>
61
+
62
+What will you do now? Well with the policy above you would drop
63
+it (point a). If you are smarter, you will see your Route and
64
+infer "that's my Route, I must have accepted the previous INVITE"
65
+and will not drop it. The questions are now:
66
+- should you authenticate? (remember, you can't authenticate
67
+  request originators from other domains)
68
+- if so, with what realm
69
+- how far can you trust the information in Route (actually, not at all)
70
+
71
+
33 72
 
34 73
 Mike Graff, serusers
35 74
 --------------------
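
Review bot: The added answer says "If in record-routes, integrity needs to be preserved" and then closes with "how far can you trust the information in Route (actually, not at all)", but it never says how that integrity is to be preserved, so the three closing questions are left without an answer. Add a sentence after the question list stating what the proxy should do, for example that any dialog state placed in Record-Route must carry an integrity check that only the proxy can produce and verify, and that a BYE whose Route fails that check falls back to policy point a. Two smaller points: "The real questions is" should read "The real question is", and the policy items "a", "b", "c" would be easier to read as "a)", "b)", "c)" to match the "1)", "2)" style used in the scenario.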