[Asterisk-Dev] Security issue mumblings - SIP
Olle E. Johansson
oej at edvina.net
Mon Nov 7 00:58:47 MST 2005
> In terms of SIP, the modification might be as simple as never sending
> an ACK to a 200, thereby never notifying the remote end that the
> answer is confirmed. How that violation of the SIP spec is handled is
> obviously implementation-defined.
>
Just to cover the Asterisk implementation:
According to specs we have to start listening when we send an SDP and
are able to start sending audio when we get an SDP. I agree that the ACK
would be the time that the call "started" but that's not really
implemented. In Asterisk the call is UP when we get or send a 200 OK.
If the ACK doesn't happen, we will tear the call down, but the audio is
allowed to flow in between the 200 OK (or 180/183 progress with SDP) and
the tear down.
/O
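
Added example, not part of the original message and not Asterisk code: a small check for the window described above, run from the answering side over signalling events. The event tuple format and the sample events are constructed for illustration; it flags dialogs that were answered with a 200 OK, never received an ACK, and were then torn down, and reports how long audio could have flowed.

```python
# Constructed signalling events as seen by the answering side (this is an
# assumed, simplified format, not real Asterisk log output):
# (seconds, call_id, direction, start_line, cseq_method)
EVENTS = [
    (0.0, "call-a", "rx", "INVITE", "INVITE"),
    (0.1, "call-a", "tx", "200 OK", "INVITE"),
    (0.2, "call-a", "rx", "ACK", "ACK"),
    (30.0, "call-a", "rx", "BYE", "BYE"),
    (30.1, "call-a", "tx", "200 OK", "BYE"),     # answer to BYE, not to INVITE
    (5.0, "call-b", "rx", "INVITE", "INVITE"),
    (5.1, "call-b", "tx", "200 OK", "INVITE"),
    (5.6, "call-b", "tx", "200 OK", "INVITE"),   # retransmission, still no ACK
    (37.1, "call-b", "tx", "BYE", "BYE"),        # local teardown after giving up
]


def unconfirmed_windows(events):
    """Return {call_id: seconds} for dialogs where we sent a 200 OK to an
    INVITE, no ACK ever arrived, and the dialog was later torn down.
    The value is the time from the first 200 OK to the teardown, i.e. the
    period in which the call counted as up and audio could flow."""
    answered = {}   # call_id -> time of first 200 OK to INVITE
    acked = set()   # call_ids whose 200 OK was confirmed by an ACK
    ended = {}      # call_id -> time of first BYE in either direction
    for ts, call_id, direction, start_line, cseq_method in sorted(events):
        if (direction == "tx" and start_line.startswith("200")
                and cseq_method == "INVITE"):
            answered.setdefault(call_id, ts)      # ignore retransmissions
        elif direction == "rx" and start_line == "ACK" and call_id in answered:
            acked.add(call_id)
        elif start_line == "BYE" and call_id in answered:
            ended.setdefault(call_id, ts)
    return {
        call_id: round(ended[call_id] - start, 3)
        for call_id, start in answered.items()
        if call_id not in acked and call_id in ended
    }


if __name__ == "__main__":
    for call_id, seconds in unconfirmed_windows(EVENTS).items():
        print(f"{call_id}: answered, never ACKed, media possible for {seconds}s")
```

Comparing these windows against billing or call-detail records shows whether unconfirmed calls are being accounted for.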