snom technology AG • 53
[ SNOM 4S NAT FILTER ]
• If the packet was already authenticated or internally generated, the
further processing of the packet can start.
• If the request is a register request and the registration is still valid,
the packet is forwarded to the further processing. This behaviour can
be disabled with the “Challenge Refresh Registrations” setting.
• If the packet belongs to an existing call and is not the initial INVITE,
the packet is forwarded to the further processing. This behaviour
can be disabled with the “Challenge Inside Dialog” setting.
• If the packet comes from a trusted IP address, the following checks
are performed. If the request comes directly from a UA (there is
exactly one Via header), the packet is forwarded to the further
processing. In this case the SBC will insert a P-Asserted-Identity
header. If the packet contains more than one Via header, the packet is
only forwarded to the further processing if the P-Asserted-Identity
header is already present. In this case, the SBC will overwrite the
header with the present value of the From-header.
• If the request method is ACK or CANCEL, the packet is forwarded
to the further processing. Note that in this case the SBC does not
insert a P-Asserted-Identity header.
• The SBC then looks at the user and host part of the From-header
of the request URI. If that pair is not present in the authentication
cache, it requests that pair from the application server and stops
processing the request until the answer is available. If during this
request more messages arrive for the same user/host pair, these
requests are queued until the answer from the application server is
available. When the answer from the application server is
available, the packet is processed from the beginning of this
algorithm again.
• If the user/host pair is present in the authentication cache, the SBC
will check if the packet contains the correct answer to a challenge.
Note that typically during the first time of processing a request this
is not the case and the packet gets challenged with a newly allocated
nonce. If this check succeeds, the SBC adds a P-Asserted-Identity
header to the request and forwards it for further processing.
• Otherwise, it will allocate a new nonce and challenge the request.
The nonce represents a question that can only be answered by the
shared secret, the password of that user/host pair. The nonce will
expire after one hour and is deleted when the question is answered.
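The check order above, modelled as an added example (not snom's code) so it is easy to see which requests are forwarded without a challenge. The request dictionary keys, the `Filter` class and the `answer` hash (a stand-in for the SIP digest response) are assumptions of this sketch, as is the fall-through for a trusted address with several Via headers and no P-Asserted-Identity header.

```python
import hashlib, secrets
from dataclasses import dataclass, field

NONCE_TTL = 3600  # seconds; the page says a nonce expires after one hour

def answer(nonce, password):
    # Stand-in for the SIP digest response, which also covers realm, method and URI.
    return hashlib.sha256(f"{nonce}:{password}".encode()).hexdigest()

@dataclass
class Filter:
    trusted_ips: set
    challenge_refresh_registrations: bool = False
    challenge_inside_dialog: bool = False
    auth_cache: dict = field(default_factory=dict)  # "user@host" -> password
    nonces: dict = field(default_factory=dict)      # nonce -> expiry time

    def decide(self, r, now):
        """r: dict modelling one request (constructed). Returns (action, nonce)."""
        if r.get("authenticated") or r.get("internal"):
            return "forward", None
        if (r["method"] == "REGISTER" and r.get("registration_valid")
                and not self.challenge_refresh_registrations):
            return "forward", None
        if r.get("in_dialog") and not self.challenge_inside_dialog:
            return "forward", None
        if r["src"] in self.trusted_ips:
            if r["via_count"] == 1:
                return "forward+pai", None   # header inserted by the SBC
            if r.get("has_pai"):
                return "forward+pai", None   # header overwritten from From
            # Assumption: with several Via headers and no header, fall through.
        if r["method"] in ("ACK", "CANCEL"):
            return "forward", None           # no P-Asserted-Identity inserted
        pair = r["from"]
        if pair not in self.auth_cache:
            return "lookup", None            # ask the application server, queue, retry
        nonce = r.get("nonce")
        if self.nonces.get(nonce, 0) > now and secrets.compare_digest(
                r.get("response", ""), answer(nonce, self.auth_cache[pair])):
            del self.nonces[nonce]           # deleted once the question is answered
            return "forward+pai", None
        fresh = secrets.token_hex(16)
        self.nonces[fresh] = now + NONCE_TTL
        return "challenge", fresh
```

Because a nonce is removed on first use and checked against its expiry, a replayed or late answer is challenged again rather than forwarded.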