I was a little bit too fast with my answer. In most cases the UA is not guilty, e.g. if I reset the phone, or if the phone is behind NAT (the IP of the device is always the same, e.g. 192.168.0.2, but the public IP changes).
The problem that someone else's device may use my old IP address and receive my calls (until the contact expires) can be solved using random ports for SIP instead of the standard port (like Windows Messenger does). This is IMHO a good solution to prevent attacks - imagine a tool (e.g. a virus which will act also from infected hosts in the LAN) which sends INVITEs to random IP addresses port 5060 - I'm sure a lot of phones in the offices will begin ringing.
Another solution would be to not accept every call, but only those with the correct request-URI, e.g. klaus.darilion@myip will be accepted, but myneighbors.name@myip will not be accepted. But the user agent should only verify the username, as the IP address in the request-URI will be changed if you are using nathelper to traverse NATs.
regards, Klaus
Tom wrote:
On Thu, 25 Mar 2004, Klaus Darilion wrote:
...
That's a fault of the UA. The UA should un-REGISTER the old contact before registering a new one.
...
Pretty unlikely that a hard phone is going to be able to un-REGISTER. I should be able to unplug my hardphone at the office and take it home, and expect everything to work. But if someone at the office plugs in a new phone, they could get my hardphone's old IP. Are there hard phones that have an Un-Register key, so I can explicitly un-register before unplugging?
Tom
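
The username-only request-URI check suggested in the message above, sketched as an added example that is not part of the original thread or of any phone's firmware. The function names, the choice of 404/400/180 as return values, and the sample INVITE lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote


def request_uri_user(request_line: str):
    """Return the user part of a SIP Request-URI, or None if it has none.

    Raises ValueError when the line is not 'METHOD sip(s):... SIP/2.0'.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP request line")
    scheme, colon, rest = parts[1].partition(":")
    if not colon or scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a sip/sips URI")
    # '@' may not appear unescaped anywhere else in a SIP URI, so the
    # first one separates userinfo from host:port;params.
    userinfo, at, _hostport = rest.partition("@")
    if not at:
        return None                      # e.g. sip:192.168.0.2
    user = userinfo.split(":", 1)[0]     # drop an optional password
    return unquote(user) or None


def screen_invite(message: str, local_user: str) -> int:
    """Decide how to answer an INVITE before the phone starts ringing.

    Only the username is compared: the host part is ignored on purpose,
    because a NAT helper on the proxy may have rewritten it.
    """
    try:
        user = request_uri_user(message.split("\r\n", 1)[0])
    except ValueError:
        return 400                       # Bad Request
    if user != local_user:               # user part is case-sensitive
        return 404                       # Not Found: not addressed to us
    return 180                           # Ringing


if __name__ == "__main__":
    # Constructed sample request lines (headers omitted for brevity).
    samples = [
        "INVITE sip:klaus.darilion@192.168.0.2:5060 SIP/2.0\r\n",
        "INVITE sip:klaus.darilion@203.0.113.7 SIP/2.0\r\n",   # host rewritten
        "INVITE sip:myneighbors.name@192.168.0.2 SIP/2.0\r\n",
        "INVITE sip:192.168.0.2 SIP/2.0\r\n",                  # no user part
    ]
    for s in samples:
        print(screen_invite(s, "klaus.darilion"), s.strip())
```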