The IP address at the SIP
level is found in the VIA header, but if the VIA header contains a SIP URI, it must be
resolved to its IP address prior to continuing on. This requires a query to the Domain
Name Server (DNS) by the P-CSCF.
The ports that are assigned as part of the security association are dedicated to the
subscriber device until it changes its registration. These ports cannot be assigned until
after the subscriber device has been authenticated and registration is complete (see
Figure 6.1). Only six security associations per device can exist at any one time.
This means that the standard SIP ports 5060 and 5061 are not used for authorized
secure communications. These ports are only used for registration and error messages.
If an INVITE is received on port 5060 or 5061, the P-CSCF will discard the message as
unauthorized. This simple security procedure would prevent many VoIP security
breaches if it were implemented in VoIP networks today.
To prevent man-in-the-middle attacks, the P-CSCF will check the route taken by the
message as recorded in the RECORD-ROUTE headers. When a subscriber registers
with the network, the RECORD-ROUTE headers are used to create a route list for the
subscriber. This route list is stored in the HSS as part of the subscription's registration
and is sent to the S-CSCF as well.
The P-CSCF maintains a record of the route when it receives the 200 OK response to
a REGISTER, and it uses this to verify that any request from the subscriber follows the
same route.
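
The checks described above can be put together in a small model. This is an added example, not code from the book or from any IMS product: the class and method names, the subscriber identity, the port numbers and the hop names are hypothetical, and it assumes one protected port per security association.

```python
STANDARD_SIP_PORTS = {5060, 5061}  # registration and error messages only
MAX_SAS_PER_DEVICE = 6             # limit stated in the text


class PcscfPolicy:
    """Simplified, hypothetical model of the P-CSCF checks described above."""

    def __init__(self):
        self.routes = {}      # subscriber -> route saved from the 200 OK to REGISTER
        self.port_owner = {}  # protected port -> subscriber it is dedicated to

    def complete_registration(self, subscriber, route):
        # Called only after authentication succeeded and the 200 OK arrived.
        # A changed registration releases the ports held under the old one.
        self.port_owner = {p: s for p, s in self.port_owner.items() if s != subscriber}
        self.routes[subscriber] = tuple(route)

    def add_security_association(self, subscriber, port):
        # Assumption: one protected port per security association.
        held = sum(1 for s in self.port_owner.values() if s == subscriber)
        if (subscriber not in self.routes          # not registered yet
                or port in STANDARD_SIP_PORTS      # never used for protected traffic
                or port in self.port_owner         # already dedicated to a device
                or held >= MAX_SAS_PER_DEVICE):
            return False
        self.port_owner[port] = subscriber
        return True

    def check_request(self, subscriber, method, local_port, route):
        # Only requests are modelled; error responses are left out.
        if local_port in STANDARD_SIP_PORTS:
            return "accept" if method == "REGISTER" else "discard: unauthorized port"
        if self.port_owner.get(local_port) != subscriber or subscriber not in self.routes:
            return "discard: no security association"
        if tuple(route) != self.routes[subscriber]:
            return "discard: route mismatch"
        return "accept"


def demo():
    # Constructed identity, ports and hop names.
    p = PcscfPolicy()
    alice, route = "sip:alice@example.net", ["pcscf.example.net", "scscf.example.net"]
    early = p.add_security_association(alice, 40001)  # before registration: refused
    p.complete_registration(alice, route)
    p.add_security_association(alice, 40001)
    return [early,
            p.check_request(alice, "INVITE", 5060, route),
            p.check_request(alice, "INVITE", 40001, ["rogue.example.org"] + route),
            p.check_request(alice, "INVITE", 40001, route)]
```
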