Maxim Sobolev writes:
If From doesn't contain a domain the proxy is responsible for, then we can't use digest authentication--the sender wouldn't be able to generate a proper reply.
In this case the proxy compares the To tag with the ftag parameter value from its Route header field. If they are the same, then the dialog was established using the proxy and we are done -- we can relay the request.
The above is true if the dialog was established by a local user. In case the dialog was established by a foreign user and that foreign user sends another, in-dialog request, then ftag will be equal to the From tag.
So I implemented a function that checks whether ftag is equal to either the From or the To tag, but didn't find it very useful after all. Such a test adds very little value over just checking whether the request has a To tag and dropping the ones that don't and are not sent by or to a local user.
It should be relatively easy to do it - upon startup SER can generate some random string and then, when an INVITE arrives, calculate a one-way hash using this value and some other parameters that must persist during the dialog - e.g. Call-ID, From tag etc. - and insert it as a parameter into the Record-Route field. Then we can always check whether a mid-dialog request should be serviced by us.
Yes, I too have suggested that we do something like that. This kind of scheme, however, has no protection against faking new requests or replays if someone gets hold of one real request. Also, if one gets hold of several real requests, it would be possible to figure out what the key was unless the key changes often enough. So I have been wondering whether such a mechanism is worth implementing.
-- juha
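The Record-Route scheme discussed above, worked through as an added example; this is not SER code and not Maxim's or Juha's, and it only models the check, not SIP parsing in general. Assumptions of the example: the per-startup random string is PROXY_SECRET, the hash is an HMAC-SHA256 keyed with that secret (chosen so that collecting tokens does not reveal the key, which is the keyed-hash answer to the key-recovery worry above), the Record-Route parameter carrying the token is called "did", and the helper names and the sample INVITE/BYE values are made up for the demo. The last function also exercises Juha's two points: a request whose ftag matches neither the From nor the To tag is dropped, and a byte-identical replay of a captured BYE still verifies, because nothing in the token changes per request.

```python
import hashlib
import hmac
import re
import secrets

# Assumed: the proxy generates this once at startup (Maxim's "random string").
PROXY_SECRET = secrets.token_bytes(32)

_TAG_RE = re.compile(r";tag=([^;>\s]+)")


def dialog_token(call_id: str, from_tag: str, secret: bytes = PROXY_SECRET) -> str:
    """Keyed one-way hash over values that persist for the whole dialog.

    HMAC is used instead of a bare hash(secret + data) so that observing many
    tokens does not let an attacker reconstruct the key or extend a token.
    """
    data = f"{call_id}\x00{from_tag}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:32]


def record_route(proxy_uri: str, call_id: str, from_tag: str, secret: bytes = PROXY_SECRET) -> str:
    """Record-Route value the proxy adds to the initial INVITE ("did" is an assumed parameter name)."""
    return f"<{proxy_uri};lr;ftag={from_tag};did={dialog_token(call_id, from_tag, secret)}>"


def _uri_params(route_value: str) -> dict:
    """Split the ';p=v' URI parameters out of a '<sip:host;p=v;...>' Route value."""
    inner = route_value.strip().strip("<>")
    params = {}
    for part in inner.split(";")[1:]:
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip()
    return params


def tag_of(header_value: str):
    """Return the tag parameter of a From/To header value, or None if absent."""
    m = _TAG_RE.search(header_value)
    return m.group(1) if m else None


def in_dialog_request_is_ours(headers: dict, secret: bytes = PROXY_SECRET) -> bool:
    """Decide whether a mid-dialog request may be relayed on the strength of its Route.

    Returns False when the request has no To tag (not in-dialog), no Route (never
    traversed us), a token that does not verify, or an ftag that is neither the
    From tag (request from the caller) nor the To tag (request from the callee,
    where From/To are swapped relative to the INVITE).
    """
    route = headers.get("Route")
    to_tag = tag_of(headers.get("To", ""))
    if not route or to_tag is None:
        return False
    params = _uri_params(route.split(",")[0])  # first hop of the Route set is us
    ftag, did = params.get("ftag"), params.get("did")
    if not ftag or not did:
        return False
    if ftag not in (tag_of(headers.get("From", "")), to_tag):
        return False
    expected = dialog_token(headers.get("Call-ID", ""), ftag, secret)
    return hmac.compare_digest(expected, did)


# Constructed sample dialog: these values came from the caller's INVITE.
CALL_ID = "a84b4c76e66710@pc33.atlanta.example.com"
CALLER_TAG = "1928301774"
CALLEE_TAG = "a6c85cf"
RR = record_route("sip:proxy.example.com", CALL_ID, CALLER_TAG)

# Constructed sample: a later BYE from the callee, Route copied from our Record-Route.
CALLEE_BYE = {
    "From": f"<sip:bob@biloxi.example.com>;tag={CALLEE_TAG}",
    "To": f"<sip:alice@atlanta.example.com>;tag={CALLER_TAG}",
    "Call-ID": CALL_ID,
    "Route": RR,
}


def demo():
    """(genuine BYE ok?, BYE with altered Call-ID ok?, replayed copy of the BYE ok?)"""
    genuine = in_dialog_request_is_ours(CALLEE_BYE)
    forged = in_dialog_request_is_ours(dict(CALLEE_BYE, **{"Call-ID": "other@evil.example"}))
    replayed = in_dialog_request_is_ours(dict(CALLEE_BYE))  # byte-identical capture
    return genuine, forged, replayed
```

demo() returns (True, False, True): the token binds the Route to the Call-ID and original From tag, so a forged or re-targeted request fails, but a straight replay of a real request passes, which is exactly the limitation Juha raises.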