sip-12----Page:1

Are “proxies” trusted?
What are intermediaries authorized to do?
For example, RFC3261 allows only the target domain of a request to retarget
More famously, intermediaries can’t modify bodies, etc
These fundamental authorization concepts are not explicit in RFC3261
“Everything that is not prevented by mechanism tends to be permitted in practice”
The reality is that SIP proxy servers behave as if UACs have no authority to exert any policy controls over the handling of their requests
The unenforceability of these restrictions creates security weaknesses for SIP
Because we allow for intermediaries, we also allow for attackers