On 24.08.2012 14:41, martian@centrum.sk wrote:
The Route and Record-route headers are identical.
From debug (when alias=domain.ch:5060):
----authentication of INVITE:
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ---------------------- In route(AUTH), just before from_uri==myself ----------------------
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ---------------------- from_uri==myself evaluated as TRUE!! ----------------------
Is this really a complete log? According to the log uri==myself should return FALSE as the compared strings are never the same.
When I set alias=server.domain.ch:5060, from_uri==myself returns false (when determining if INVITE should be authenticated,resulting in replying 100 trying instead of 407 Proxy Auth Req) and loose_route() starts returning true and relays the ACK correctly.
I can post more debug from this case also, but I didn't want to spam so much in one message.
If you would like to see it, please let me know.
So .. Shall I consider the loose_route() part fixed and assume that there MUST be a full name (hostname.domain:port) in the alias, when Kamailio is not used as a primary proxy for the domain?
No. It is rather simple: domain.ch is not identical to domain.ch:5060 (as the first URI results in NAPTR+SRV lookups and my use another port than 5060).
Thus, if you want that Kamailio detects domain.ch as local domain, add "alias=domain.ch". If you want that Kamailio detects domain.ch:5060 as local domain add alias=domain.ch:5060 (not sure if quotes are needed here).
If you want that Kamailio accepts both domains as local domains, then add both alias.
Regardind loose_route: As Daniel mentioned, the ACK is broken.
regards Klaus
What about the from_uri==myself part?
Martin
Od: "Klaus Darilion" klaus.mailinglists@pernau.at Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users Mailing List" sr-users@lists.sip-router.org
Dátum: 23.08.2012 15:04 Predmet: Re: [SR-Users] Possible bug in authentication
CC: miconda@gmail.com
The Route URI (sent by SBC) must be identical to the Record-Route URI (inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level. loose_route uses the "ismyself" function to evaluate if the Route header addresses this Kamailio server. And the "ismyself" is very verbose when doing this check.
regards Klaus
On 23.08.2012 13:51, martian@centrum.sk wrote:
Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the trafic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing.
The loose_route was working strangely, because it did not behave as described in the documentation.
Here is the sip message that it was suppose to pass:
ACK sip:acc1@domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" sip:acc2@domain.ch;tag=1c1749458918
To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
CSeq: 2 ACK
Contact: sip:acc2@domain.ch:5060
Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
Supported: em,timer,replaces,path,resource-priority
Allow:
REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;).
This happens when the value of alias is not enclosed in double quotes.
PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes?
PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060
Martin
Od: "Daniel-Constantin Mierla" miconda@gmail.com Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users Mailing List" sr-users@lists.sip-router.org
Dátum: 23.08.2012 12:21 Predmet: Re: [SR-Users] Possible bug in authentication
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk mailto:martian@centrum.sk
wrote:
Hello to everybody. I am currently working with Kamailio 3.3.1 on RedHat. The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function). I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly. However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message). My alias: alias="domain.ch:5060" Examining default routing logic, I found the problem here: if (is_method("REGISTER") || from_uri==myself) { # authenticate requests ... } The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias. The FROM Header of the INVITE messages looks like: From: "acc1" <sip:acc1@domain.ch>;tag=12345 ..so .. no port number there. Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN. #!define MY_DOMAIN ".*@domain.ch" <mailto:.*@domain.ch> So now the condition looks like this: if (is_method("REGISTER") || from_uri=~MY_DOMAIN) { ... } I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development. Also, a valid description of this behavior (when using port in alias) would be appreciated.
if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
-- Daniel-Constantin Mierla
-http://www.asipto.comhttp://twitter.com/# http://www.asipto.comhttp//twitter.com/!/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users