Indeed, of course that way works, but I am pretty sure that Kamailio can intercept and give the right response.

Right now what would be needed is to make a complete SIP Notify with the according digest, using the password picked from the database, and send it back. The answer would be a 200 'OK' .

On Thu, Mar 13, 2014 at 8:26 AM, Pedro Niño <nino.pedro@gmail.com> wrote:

The other (ugly) option, is to remove the auth from the phone, for the Sip Provisioning, but that would leave and open door to a reboot attack without auth needed from any IP. And I dont like that option.

This might not be as bad of an option as you think. If the SPA is behind a stateful firewall then that firewall should allow the NOTIFY from the registrar due to the REGISTER and NAT keep-alive packets opening the firewall, but disallow SIP from any other source. I would recommend verifying that before you deploy it though as I haven't tested it myself.

Corey

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users