[asterisk-security] [asterisk-dev] [Code Review] SIP: authenticate OPTIONS requests just like we would an INVITE
Olle E. Johansson
oej at edvina.net
Tue Aug 31 03:17:27 CDT 2010
31 aug 2010 kl. 09.53 skrev Klaus Darilion:
>
>
> On 27.08.2010 21:09, Olle E. Johansson wrote:
>>
>> 27 aug 2010 kl. 21.24 skrev David Vossel:
>>
>>> OPTIONS requests should be treated the same as an INVITE... which includes authentication. This patch adds the ability for incoming out of dialog OPTION requests to be authenticated before providing a response indicating whether an extension is available or not. The authentication routine works the exact same way as it does for incoming INVITEs. This means that if a peer has 'insecure=invite' in their peer definition, the same will be true for the processing of the OPTIONS request.
>>>
>>
>> We should also add an SDP if possible... There are applications out there who "poke" the other end to find out codec support with OPTIONS.
>
> Which codecs SDP should be presented in the SDP? The one's configured of
> the peer sending the OPTIONS request?
It's normal device matching that goes on here, so the same as if the device would
send an INVITE. Which is useful.
>
> btw: I guess if allowguests=yes, then sending the OPTIONS request would
> still work.
Like today, yes.
>
> Further, if (with current behavior) there is no SDP in 200 OK response,
> there is actually no difference in receiving a 200 OK and receiving a
> 401/407. The sender just knows that there is another SIP client on the
> other side.
I think David pointed that out in an earlier mail.
THis way, we not only know that there's a device out there, but can also adopt and check whether or not we can communicate and parse some headers to get some more specific information - will session timers work? Is MESSAGE allowed?
Question for you: Will Kamailio dispatcher accept a 401 message to OPTIONs as "being alive" or will it be an error?
/O
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
More information about the asterisk-security
mailing list