Snom 4S User Manual


snom technology AG • 53

[ SNOM 4S NAT FILTER ]

If the packet was already authenticated or internally generated, further processing of the packet can start.

If the request is a REGISTER request and the registration is still valid, the packet is forwarded to further processing. This behaviour can be disabled with the “Challenge Refresh Registrations” setting.

If the packet belongs to an existing call and is not the initial INVITE, the packet is forwarded to further processing. This behaviour can be disabled with the “Challenge Inside Dialog” setting.

If the packet comes from a trusted IP address, the following checks are performed. If the request comes directly from a UA (there is exactly one Via header), the packet is forwarded to further processing. In this case the SBC will insert a P-Asserted-Identity header. If the packet contains more than one Via header, the packet is only forwarded to further processing if the P-Asserted-Identity header is already present. In this case, the SBC will overwrite the header with the present value of the From header.

If the request method is ACK or CANCEL, the packet is forwarded to further processing. Note that in this case the SBC does not insert a P-Asserted-Identity header.

The SBC then looks at the user and host part of the From-header of the request URI. If that pair is not present in the authentication cache, it requests that pair from the application server and stops processing the request until the answer is available. If more messages arrive for the same user/host pair while this request is outstanding, they are queued until the answer from the application server is available. When the answer from the application server is available, the packet is processed again from the beginning of this algorithm.

If the user/host pair is present in the authentication cache, the SBC will check whether the packet contains the correct answer to a challenge. Note that typically this is not the case the first time a request is processed, and the packet gets challenged with a newly allocated nonce. If this check succeeds, the SBC adds a P-Asserted-Identity header to the request and forwards it for further processing.

Otherwise, it will allocate a new nonce and challenge the request. The nonce represents a question that can only be answered with the shared secret, the password of that user/host pair. The nonce will expire after one hour and is deleted when the question is answered.
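The cache lookup, queuing and challenge steps of the last three paragraphs can be modelled as follows. This is an added example, not snom's code; it leaves out the earlier bypass checks, and the class and field names, the RFC 2617 MD5 digest without qop (host part used as realm) and the P-Asserted-Identity value format are assumptions.

```python
import hashlib
import secrets
import time

NONCE_TTL = 3600  # the manual: a nonce expires after one hour

def digest(user, host, password, nonce, method, uri):
    # Assumption: RFC 2617 MD5 digest without qop, host part used as realm.
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    return h(f"{h(f'{user}:{host}:{password}')}:{nonce}:{h(f'{method}:{uri}')}")

class ChallengeStage:
    """Hypothetical model of the authentication cache and nonce handling."""

    def __init__(self):
        self.cache = {}    # (user, host) -> password from the application server
        self.pending = {}  # (user, host) -> requests held while a lookup runs
        self.nonces = {}   # nonce -> expiry timestamp

    def process(self, req, now=None):
        now = time.time() if now is None else now
        pair = (req["user"], req["host"])  # user and host part of From
        if pair not in self.cache:
            # Only the first miss triggers a lookup; later requests are queued.
            first = pair not in self.pending
            self.pending.setdefault(pair, []).append(req)
            return ("lookup" if first else "queued", None)
        nonce = req.get("nonce")
        expiry = self.nonces.get(nonce)
        if expiry is not None and now <= expiry:
            want = digest(*pair, self.cache[pair], nonce, req["method"], req["uri"])
            if secrets.compare_digest(want, req.get("response", "")):
                del self.nonces[nonce]  # answered: the nonce cannot be reused
                return ("forward+pai", f"sip:{pair[0]}@{pair[1]}")  # assumed format
        # No answer, wrong answer, unknown or expired nonce: challenge again.
        self.nonces = {n: t for n, t in self.nonces.items() if t >= now}
        fresh = secrets.token_hex(16)
        self.nonces[fresh] = now + NONCE_TTL
        return ("challenge", fresh)

    def on_server_answer(self, pair, password, now=None):
        # Store the secret, then rerun every held request from the beginning.
        self.cache[pair] = password
        return [self.process(r, now) for r in self.pending.pop(pair, [])]
```

Because the nonce is deleted on a successful answer, a captured request with a valid response is challenged again when replayed.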
