The Route and Record-route headers are identical.

>From debug (when alias=domain.ch:5060):

----authentication of INVITE:

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ---------------------- In route(AUTH), just before from_uri==myself ----------------------

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>] 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>] 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ---------------------- from_uri==myself evaluated as TRUE!! ----------------------

----same dialog, routing of ACK (response to 200 OK for invite):

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: INFO: <script>: ========== ACK MSG, NEXT function: LOOSE_ROUTE() ============

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: rr [loose.c:85]: is_preloaded: No 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>] 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>] 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: rr [loose.c:591]: Next hop: 'sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on' is loose router 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: rr [loose.c:641]: The last route URI: 'sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on' 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ============LOOSE_ROUTE RETURNED TRUE ===============

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:1379]: DEBUG: t_newtran: msg id=3 , global msg id=2 , T on entrance=(nil) 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:527]: t_lookup_request: start searching: hash=15611, isACK=1 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:485]: DEBUG: RFC3261 transaction matching failed 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:709]: DEBUG: t_lookup_request: no transaction found 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_funcs.c:315]: SER: forwarding ACK  statelessly  

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [msg_translator.c:206]: check_via_address(<IP_ADDRESS_OF_SBCdevice>, domain.ch, 0) 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [forward.c:609]: Sending: ACK sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on SIP/2.0^M Via: SIP/2.0/UDP <IP_ADDRESS_OF_KAMAILIO>;branch=z9hG4bKcydzigwkX^M Via: SIP/2.0/UDP domain.ch;received=<IP_ADDRESS_OF_SBCdevice>;branch=z9hG4bKac1441389717^M Max-Forwards: 69^M From: "acc2" <sip:acc2@domain.ch>;tag=1c254829012^M To: <sip:acc1@<IP_ADDRESS_OF_KAMAILIO>;user=phone>;tag=1c423881657^M Call-ID: 2547879162482012122242@<IP_ADDRESS_OF_SBCdevice>^M CSeq: 2 ACK^M Contact: <sip:acc2@domain.ch:5060>^M Supported: em,timer,replaces,path,resource-priority^M Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE^M User-Agent: SBCdevice Content-Length: 0^M ^M . 

Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: <core> [forward.c:611]: orig. len=590, new_len=636, proto=1 

...

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/msg_parser.c:626]:  method:  <ACK> 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/msg_parser.c:628]:  uri:     <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on> 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/msg_parser.c:630]:  version: <SIP/2.0> 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/parse_via.c:1286]: Found param type 232, <branch> = <z9hG4bKcydzigwkX>; state=16 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/parse_via.c:2561]: end of header reached, state=5 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/msg_parser.c:511]: parse_headers: Via found, flags=2 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: <core> [parser/msg_parser.c:513]: parse_headers: this is the first via 

...

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: sl [sl_funcs.c:396]: DEBUG : sl_filter_ACK: to late to be a local ACK! 

...

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: sanity [mod_sanity.c:255]: sanity checks result: 1 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: siputils [checks.c:106]: totag found 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: INFO: <script>: ========== ACK MSG, NEXT function: LOOSE_ROUTE() ============

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: rr [loose.c:108]: No Route headers found 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: rr [loose.c:829]: There is no Route HF 

Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: INFO: <script>: ============LOOSE_ROUTE RETURNED FALSE ===============

When I set alias=server.domain.ch:5060, from_uri==myself returns false (when determining if INVITE should be authenticated,resulting in replying 100 trying instead of 407 Proxy Auth Req) and loose_route() starts returning true and relays the ACK correctly.

I can post more debug from this case also, but I didn't want to spam so much in one message.

If you would like to see it, please let me know.

So .. Shall I consider the loose_route() part fixed and assume that there MUST be a full name (hostname.domain:port) in the alias, when Kamailio is not used as a primary proxy for the domain?

What about the from_uri==myself part?

Martin

______________________________________________________________
> Od: "Klaus Darilion" <klaus.mailinglists@pernau.at>
> Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" <sr-users@lists.sip-router.org>
> Dátum: 23.08.2012 15:04
> Predmet: Re: [SR-Users] Possible bug in authentication
>

> CC: miconda@gmail.com

The Route URI (sent by SBC) must be identical to the Record-Route URI
(inserted by Kamailio).

To find out why loose_route returns FALSE increase log-level.
loose_route uses the "ismyself" function to evaluate if the Route header
addresses this Kamailio server. And the "ismyself" is very verbose when
doing this check.

regards
Klaus

On 23.08.2012 13:51, martian@centrum.sk wrote:
> Ok, so .. I have a session border controller device that is a contact
> point for my SIP domain (SRV record in DNS set to its IP). All the
> trafic goes through it and it does things like topology hiding etc.. The
> device forwards the INVITE messages to Kamailio, because of the routing.
>
> The loose_route was working strangely, because it did not behave as
> described in the documentation.
>
> Here is the sip message that it was suppose to pass:
>
> ACK sip:acc1@domain.ch:5060 SIP/2.0
>
> Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
>
> Max-Forwards: 70
>
> From: "acc2" <sip:acc2@domain.ch>;tag=1c1749458918
>
> To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
>
> Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
>
> CSeq: 2 ACK
>
> Contact: <sip:acc2@domain.ch:5060>
>
> Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
>
> Supported: em,timer,replaces,path,resource-priority
>
> Allow:
> REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
>
> User-Agent: SBC_DEVICE
>
> Content-Length: 0
>
> As you can see, there is a Route header and a To_tag .. so the
> loose_route function should return true. But instead, it returned false,
> then t_check_trans() also returned false and the routing logic exited
> (exit;).
>
> This happens when the value of alias is not enclosed in double quotes.
>
> PS.: There is a "-" symbol in the domain name. Can't that be a problem
> causing the need for the double quotes?
>
> PS2: Should there be only a domain name in the alias? or also the
> hostname part? ... for example:   domain.ch:5060 or server.domain.ch:5060
>
> Martin
>
> ______________________________________________________________
>  > Od: "Daniel-Constantin Mierla" <miconda@gmail.com>
>  > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
> Users Mailing List" <sr-users@lists.sip-router.org>
>  > Dátum: 23.08.2012 12:21
>  > Predmet: Re: [SR-Users] Possible bug in authentication
>  >
>
> Hello,
>
> On 8/23/12 11:54 AM, martian@centrum.sk <mailto:martian@centrum.sk> wrote:
>
>     Hello to everybody.
>
>     I am currently working with Kamailio 3.3.1 on RedHat.
>
>     The "loose_route" function was not working correctly and I observed
>     some very strange behaviour (not as one described in the
>     documentation of the function).
>
>     I have found that there needs to be a port included in the "alias"
>     variable for the loose_route function to work correctly.
>
>     However, upon adding the port to alias, the INVITE messages were no
>     longer authenticated (Kamailio just accepted them and didn't send
>     proxy-auth header in 407 message).
>
>     My alias:
>
>     alias="domain.ch:5060"
>
>     Examining default routing logic, I found the problem here:
>
>     if (is_method("REGISTER") || from_uri==myself)
>
>     {
>
>     # authenticate requests
>
>     ...
>
>     }
>
>     The "from_uri==myself" was no longer evaluated as true, because
>     there was a port at the end of the alias.
>
>     The FROM Header of the INVITE messages looks like:
>
>     From: "acc1" <sip:acc1@domain.ch>;tag=12345
>
>     ..so .. no port number there.
>
>     Btw, I have fixed this with replacing the "myself" list with my own
>     defined variable MY_DOMAIN.
>
>     #!define MY_DOMAIN ".*@domain.ch" <mailto:.*@domain.ch>
>
>     So now the condition looks like this:
>
>     if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
>
>     {
>
>     ...
>
>     }
>
>     I am not sure if this is a bug that needs to be fixed or not. I am
>     just pointing my finger at it and I hope it will contribute to the
>     development.
>
>     Also, a valid description of this behavior (when using port in
>     alias) would be appreciated.
>
>
> if you enclose the value of the alias parameter in double quotes, then
> it is taken as string value. If you want to set it to a host:port, then
> remove the double quotes:
>
> alias=domain.ch:5060
>
>
> Why do you say the loose_route() was working strangely? Do you add the
> hostname as record-route, not the IP address? Detail more about what you
> think is wrong with record routing/loose routing.
>
>
> Cheers,
> Daniel
>
> -- Daniel-Constantin Mierla -http://www.asipto.comhttp://twitter.com/#!/miconda  -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>