I have a questions in regards to SIP Auth, and specifically how Asterisk 13 with PJSIP appears to send Invites.
It seems that the typical Kamailio config sends the SIP auth challenge with the from domain as the auth realm. however in the case of the Asterisk 13 ( PJSIP ) invite, the from domain is an RFC1918 IP address and I would have to use the domain from the request.
What im wanting to know is what the consensus is on where the auth realm comes from. does everyone 100% agree that you send auth using the SIP From header, or is this something that some do Request domain ? What im considering doing is to use the from domain, but if from domain = RFC1918 then use request domain.
Im just after everyone's opinion on how to best handle this invite, from a auth_challenge perspective. ( not so much if the Asterisk 13 PJSIP module is doing the right or wrong thing )
INVITE sip:555111222333@sip.mytestdomain.com:5060 SIP/2.0 Via: SIP/2.0/UDP 180.111.222.333:5060;rport;branch=z9hG4bKPjafb111a9-aaaf-4c9e-b456-748514855a06 From: <sip:555111222333@172.18.90.1
;tag=88317259-052b-4997-bd2e-9c8836e27b47
To: sip:555111222333@sip.netsip.net.au Contact: sip:9d43c8df-6378-4266-89c1-0a0bb0e1d0d1@180.111.222.333:5060 Call-ID: b7da52e2-dfd1-434e-a2c2-b28e1683ce0e
Hello,
There is standards-based support for the notion that the "identity" of the source of an INVITE request is equal to the value of the From URI, much as the To header indicates the AOR to register in a REGISTER request.
However, a digest challenge realm can be whatever you like. The choice of $fd for authentication realm is based on the fact that most UAs will populate the target SIP domain in the domain of From. For instance, most end-user type endpoints, when configured to register and send calls to 'sip.evaristesys.com', will put that domain in the From URI. Some won't, however, and in that case, as your example typifies, they are most apt to use their local IP.
Therefore, you can make the realm whatever you like. You can force it using a static value like 'sip.evaristesys.com'. We commonly use $Ri, the IP address of the server interface on which the request was received, for challenges.
So, I don't know that there is any real consensus or standard behaviour here. Defining the realm is up to the challenging proxy or UAS. Kamailio ships with $fd because it's a reasonable default given what was stated above. You should feel comfortable using whatever realm you like.
Hope that helps,
-- Alex -- Alex Balashov | Principal | Evariste Systems LLC 303 Perimeter Center North, Suite 300 Atlanta, GA 30346 United States
Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct) Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
Sent from my BlackBerry. Original Message From: jay binks Sent: Thursday, June 4, 2015 02:53 To: Kamailio (SER) - Users Mailing List Reply To: Kamailio (SER) - Users Mailing List Subject: [SR-Users] SIP Auth Realm - From domain or Request domain ?
-
Alex Balashov -
jay binks