I was a little bit too fast with my answer. In most cases the UA is not
guilty, e.g. if I reset the phone, or if the phone is behind NAT (the IP
of the device is always the same, e.g. 192.168.0.2, but the public IP
changes).
The problem that someone else's device may use my old IP address and
receive my calls (until the contact expires) can be solved using random
ports for SIP instead of the standard port (like Windows Messenger
does). This is IMHO a good solution to prevent attacks - imagine a tool
(e.g. a virus which will act also from infected hosts in the LAN) which
sends INVITEs to random IP addresses port 5060 - I'm sure a lot of
phones in the offices will begin ringing.
Another solution would be not to accept every call, but only those with
the correct request-URI, e.g. klaus.darilion@myip will be accepted, but
myneighbors.name@myip will not be accepted. But the user agent should
only verify the username as the IP address in the request-uri will be
changed if you are using nathelper to traverse NATs.
regards,
Klaus
Tom wrote:
On Thu, 25 Mar 2004, Klaus Darilion wrote:
...
That's a fault of the UA. The UA should
un-REGISTER the old contact
before registering a new one.
...
Pretty unlikely that a hard phone is going to be able to un-REGISTER. I
should be able to unplug my hardphone at the office and take it home, and
expect everything to work. But if someone at the office plugs in a new
phone, they could get my hardphone's old IP. Are there hard phones that
have an Un-Register key, so I can explicitly un-register before
unplugging?
Tom
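
Added example, not part of the original messages: a sketch of the request-URI check suggested above, comparing only the user part so that a host rewritten by a NAT helper does not affect the decision. The function names, the constructed sample INVITE and the choice of a 404 reply (the response RFC 3261 recommends when the Request-URI is not one the UA serves) are assumptions of this example.

```python
from urllib.parse import unquote

def request_uri_user(message: str):
    """Return (method, user part of the Request-URI); user is None if absent."""
    request_line = message.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP request line")
    method, uri, _ = parts
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError("Request-URI is not a sip/sips URI")
    if "@" not in rest:
        return method, None                  # e.g. sip:192.168.0.2:5060
    userinfo = rest.split("@", 1)[0]
    user = userinfo.split(":", 1)[0]         # drop an optional password
    return method, unquote(user)             # %HH escapes are equivalent

def screen_request(message: str, local_user: str) -> str:
    """Decide on the username only; the host part is deliberately ignored
    because a NAT helper may have rewritten it. User parts are case-sensitive."""
    try:
        _, user = request_uri_user(message)
    except ValueError:
        return "400 Bad Request"
    if user != local_user:
        return "404 Not Found"
    return "accept"

def sample_invite(uri: str) -> str:
    """Constructed INVITE for the demonstration; all values are made up."""
    return (f"INVITE {uri} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
            "From: <sip:caller@example.org>;tag=1\r\n"
            "To: <sip:klaus.darilion@example.org>\r\n"
            "Call-ID: constructed-1@198.51.100.7\r\n"
            "CSeq: 1 INVITE\r\n\r\n")

if __name__ == "__main__":
    for uri in ("sip:klaus.darilion@192.0.2.10",        # public address
                "sip:klaus.darilion@192.168.0.2:5060",  # host rewritten behind NAT
                "sip:myneighbors.name@192.168.0.2",     # previous holder of the IP
                "sip:192.168.0.2:5060"):                # no user part at all
        print(uri, "->", screen_request(sample_invite(uri), "klaus.darilion"))
```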