Johansson Olle E wrote:
> On 28 Jan 2008 at 14.03, SCG2 wrote:
>> Hi,
>> Is there any circumstance at all where it makes sense to challenge  
>> an INVITE which is putting a call on hold?
>> I can find nothing in 3264 that suggests it, but wondered if:
>> Phone A -> Phone B (in doing so phone A may have been authenticated)
>> Phone B later goes to put phone A on hold
>> The only authentication Phone B has had prior to this interaction is  
>> the implicit REGISTER challenge response that may have been several  
>> minutes ago.
>> Is that good enough?
> I would say that it's up to the implementation when to challenge. You  
> can make an assumption here that
> phone B is within a current dialog. B could have authenticated A on  
> the first INVITE. Or a proxy between
> A and B could have.
> A has the right to authenticate B on the re-invite if it wants to,  
> since the music on hold music is licensed
> from ABBA and only authenticated users are allowed to put anyone on  
> hold and listen in... :-)
> Normally you separate re-invites from initial invites and say that  
> since B knows the tags, the caller ID
> and is involved in the call, we'll accept the invite without  
> authentication.

There is also a security aspect. An implementation that requires all
requests within a dialog to be authenticated will be more secure.
This is especially relevant for re-INVITEs, as not challenging them
would allow anybody who can passively sniff the SIP traffic to divert
RTP to his own IP. By issuing two such re-INVITEs it should even be
possible to add a third party (either passive listener or active talker)
into the conversation without the two existing parties noticing a thing.
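
The policy discussed in this thread, sketched as an added example that is not part of the original messages and is not taken from any SIP stack: a user agent checks an INVITE against its dialog state, challenges it when it carries no credentials, and notes whether the SDP moves the media address. The `Dialog` structure, function names, action strings and the sample message are all constructed for illustration; verifying the digest response itself is left to the caller.

```python
from dataclasses import dataclass

@dataclass
class Dialog:  # state a UA keeps for an established call (hypothetical structure)
    call_id: str
    local_tag: str
    remote_tag: str
    peer_media_ip: str  # c= address the peer negotiated earlier

def parse_request(raw):
    """Return (method, lower-cased header dict, SDP c= address or None)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    media = [l.split()[-1] for l in body.split("\n") if l.startswith("c=IN IP4 ")]
    return lines[0].split(" ", 1)[0], headers, (media[0] if media else None)

def tag_of(value):
    """Extract the tag parameter from a From/To header value."""
    for param in value.rpartition(">")[2].split(";"):
        key, _, val = param.partition("=")
        if key.strip() == "tag":
            return val.strip()
    return None

def review_reinvite(raw, dialog):
    """Decide how a UA should treat an INVITE that claims to belong to `dialog`."""
    method, headers, media_ip = parse_request(raw)
    if not (method == "INVITE" and headers.get("call-id") == dialog.call_id
            and tag_of(headers.get("from", "")) == dialog.remote_tag
            and tag_of(headers.get("to", "")) == dialog.local_tag):
        return {"action": "not-in-dialog", "media_moved": False}
    # Matching Call-ID and tags is not proof of identity: a sniffer sees them too.
    action = "verify-credentials" if "authorization" in headers else "challenge-401"
    return {"action": action,
            "media_moved": media_ip is not None and media_ip != dialog.peer_media_ip}

# Constructed sample: correct dialog identifiers, no credentials, new media address.
DIALOG = Dialog("c1@example.test", "b1", "a1", "192.0.2.10")
SAMPLE = ("INVITE sip:b@192.0.2.20 SIP/2.0\r\n"
          "Call-ID: c1@example.test\r\n"
          "From: <sip:a@example.test>;tag=a1\r\n"
          "To: <sip:b@example.test>;tag=b1\r\n"
          "CSeq: 2 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 203.0.113.9\r\nm=audio 4000 RTP/AVP 0\r\n")

if __name__ == "__main__":
    print(review_reinvite(SAMPLE, DIALOG))
```

A result of `challenge-401` together with `media_moved` set is the case worth logging: the request matched the dialog identifiers, carried no credentials, and asked for RTP to go somewhere new.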

