[asterisk-dev] Summary: SIP, NAT, security concerns, oh my!

Olle E. Johansson oej at edvina.net
Wed Nov 9 14:58:07 CST 2011


On 9 Nov 2011, at 21:05, Bruce B wrote:

> I just did an X-Lite register to an Asterisk extension, and the first SIP INVITE included the extension, but then Asterisk rejected it and asked for authentication, to which X-Lite provided the password?!
> 
> So, why is there the need to invite without providing authentication in the first place? Why is there a two-step authentication? This really shows a shortcoming of SIP v2.0 RFC when it comes to this type of security implementation.

Bruce,
I suggest you do some reading on challenge-response authentication and HTTP Digest MD5 auth.

To succeed with challenge-response, you need a challenge to respond to. You get that in the first response, the 401 or 407.

/O
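
The two-step exchange described in the reply above, as an added example that is not part of the original message: a minimal Python model of digest challenge-response (the RFC 2617 form without qop). The `Server` class, the extension `1001`, its password and the realm are constructed for illustration, and answering a bad response with 403 is a simplification.

```python
import hashlib
import hmac
import secrets

REALM = "asterisk"                    # constructed sample realm
USERS = {"1001": "s3cret-example"}    # constructed extension -> password

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Server:
    """Hypothetical registrar/proxy model, not Asterisk code."""
    def __init__(self):
        self.outstanding = set()      # nonces issued and not yet answered

    def handle(self, method, uri, auth=None):
        """Return (status, nonce); nonce is set only when challenging."""
        if auth is None or auth["nonce"] not in self.outstanding:
            # No credentials, or a nonce we never issued / already used:
            # the client cannot answer until it has a fresh challenge.
            nonce = secrets.token_hex(16)
            self.outstanding.add(nonce)
            return 401, nonce
        self.outstanding.discard(auth["nonce"])   # each nonce is single-use
        password = USERS.get(auth["username"], "")
        expected = digest_response(auth["username"], REALM, password,
                                   method, uri, auth["nonce"])
        ok = hmac.compare_digest(expected, auth["response"])
        return (200 if ok else 403), None

def client_call(server, user, password, uri):
    """Send INVITE without credentials, then retry answering the challenge."""
    status, nonce = server.handle("INVITE", uri)           # step 1
    trace = [status]
    auth = {"username": user, "nonce": nonce,
            "response": digest_response(user, REALM, password,
                                        "INVITE", uri, nonce)}
    status, _ = server.handle("INVITE", uri, auth)         # step 2
    trace.append(status)
    return trace, auth

if __name__ == "__main__":
    print(client_call(Server(), "1001", "s3cret-example", "sip:1002@example.invalid")[0])
```

Only the hash travels in step 2, and because it is bound to the server's nonce, a captured response sent again just draws a new 401.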

