Re: [Sip] verification of diversion header (draft-levy)
On 9/4/03 9:47 AM, "Juha Heinanen" <jh@tutpro.com> wrote:
> according to draft-levy-sip-diversion-06.txt, a UAS can include a
> diversion header in a 302 reply. how can the proxy or UAC verify that the
> uri included in the diversion header really belongs to the user of the UAS?
>
> security section of draft-levy doesn't mention any problems related to
> faked uri in the diversion header, but they can be very serious, e.g.,
> cause someone else to pay for the call diverted to an expensive pstn
> number.
>
> -- juha
>
Agreed - I don't think it can. It's part of the end to middle authentication
problem. This problem has been brought up before - I think the History
requirements include requirements to be able to solve this problem.
Cullen
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip