Hello to everybody. I am currently working with Kamailio 3.3.1 on RedHat. The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function). I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly. However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message). My alias: alias="domain.ch:5060" Examining default routing logic, I found the problem here: if (is_method("REGISTER") || from_uri==myself) { # authenticate requests ... } The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias. The FROM Header of the INVITE messages looks like: From: "acc1" ;tag=12345 ..so .. no port number there. Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN. #!define MY_DOMAIN ".*@domain.ch" So now the condition looks like this: if (is_method("REGISTER") || from_uri=~MY_DOMAIN) { ... } I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development. Also, a valid description of this behavior (when using port in alias) would be appreciated. Cheers, Martin
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk wrote:
Hello to everybody.
I am currently working with Kamailio 3.3.1 on RedHat.
The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function).
I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly.
However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message).
My alias:
alias="domain.ch:5060"
Examining default routing logic, I found the problem here:
if (is_method("REGISTER") || from_uri==myself)
{
# authenticate requests
...
}
The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias.
The FROM Header of the INVITE messages looks like:
From: "acc1" sip:acc1@domain.ch;tag=12345
..so .. no port number there.
Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN.
#!define MY_DOMAIN ".*@domain.ch"
So now the condition looks like this:
if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
{
...
}
I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development.
Also, a valid description of this behavior (when using port in alias) would be appreciated.
if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the trafic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing. The loose_route was working strangely, because it did not behave as described in the documentation. Here is the sip message that it was suppose to pass: ACK sip:acc1@domain.ch:5060 SIP/2.0 Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013 Max-Forwards: 70 From: "acc2" ;tag=1c1749458918 To: ;tag=1c1892801634 Call-ID: 17494024742382012111116@ CSeq: 2 ACK Contact: Route: Supported: em,timer,replaces,path,resource-priority Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE User-Agent: SBC_DEVICE Content-Length: 0 As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;). This happens when the value of alias is not enclosed in double quotes. PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes? PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060 Martin ______________________________________________________________
Od: "Daniel-Constantin Mierla" Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" Dátum: 23.08.2012 12:21 Predmet: Re: [SR-Users] Possible bug in authentication
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk wrote:Hello to everybody. I am currently working with Kamailio 3.3.1 on RedHat. The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function). I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly. However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message). My alias: alias="domain.ch:5060" Examining default routing logic, I found the problem here: if (is_method("REGISTER") || from_uri==myself) { # authenticate requests ... } The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias. The FROM Header of the INVITE messages looks like: From: "acc1" ;tag=12345 ..so .. no port number there. Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN. #!define MY_DOMAIN ".*@domain.ch" So now the condition looks like this: if (is_method("REGISTER") || from_uri=~MY_DOMAIN) { ... } I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development. Also, a valid description of this behavior (when using port in alias) would be appreciated.
if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
-- Daniel-Constantin Mierla - http://www.asipto.comhttp://twitter.com/#!/miconda - http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
The Route URI (sent by SBC) must be identical to the Record-Route URI (inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level. loose_route uses the "ismyself" function to evaluate if the Route header addresses this Kamailio server. And the "ismyself" is very verbose when doing this check.
regards Klaus
On 23.08.2012 13:51, martian@centrum.sk wrote:
Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the trafic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing.
The loose_route was working strangely, because it did not behave as described in the documentation.
Here is the sip message that it was suppose to pass:
ACK sip:acc1@domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" sip:acc2@domain.ch;tag=1c1749458918
To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
CSeq: 2 ACK
Contact: sip:acc2@domain.ch:5060
Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
Supported: em,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;).
This happens when the value of alias is not enclosed in double quotes.
PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes?
PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060
Martin
Od: "Daniel-Constantin Mierla" miconda@gmail.com Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users Mailing List" sr-users@lists.sip-router.org
Dátum: 23.08.2012 12:21 Predmet: Re: [SR-Users] Possible bug in authentication
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk mailto:martian@centrum.sk wrote:
Hello to everybody. I am currently working with Kamailio 3.3.1 on RedHat. The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function). I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly. However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message). My alias: alias="domain.ch:5060" Examining default routing logic, I found the problem here: if (is_method("REGISTER") || from_uri==myself) { # authenticate requests ... } The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias. The FROM Header of the INVITE messages looks like: From: "acc1" <sip:acc1@domain.ch>;tag=12345 ..so .. no port number there. Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN. #!define MY_DOMAIN ".*@domain.ch" <mailto:.*@domain.ch> So now the condition looks like this: if (is_method("REGISTER") || from_uri=~MY_DOMAIN) { ... } I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development. Also, a valid description of this behavior (when using port in alias) would be appreciated.if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
-- Daniel-Constantin Mierla -http://www.asipto.comhttp://twitter.com/#!/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
The Route and Record-route headers are identical.
From debug (when alias=domain.ch:5060):
----authentication of INVITE: Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: : ---------------------- In route(AUTH), just before from_uri==myself ---------------------- Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [] Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [] Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: : ---------------------- from_uri==myself evaluated as TRUE!! ---------------------- ----same dialog, routing of ACK (response to 200 OK for invite): Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: INFO: : ========== ACK MSG, NEXT function: LOOSE_ROUTE() ============ Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: rr [loose.c:85]: is_preloaded: No Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [] Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1] Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [] Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060 Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: rr [loose.c:591]: Next hop: 'sip:;lr=on' is loose router Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: rr [loose.c:641]: The last route URI: 'sip:;lr=on' Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: NOTICE: : ============LOOSE_ROUTE RETURNED TRUE =============== Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:1379]: DEBUG: t_newtran: msg id=3 , global msg id=2 , T on entrance=(nil) Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:527]: t_lookup_request: start searching: hash=15611, isACK=1 Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:485]: DEBUG: RFC3261 transaction matching failed Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_lookup.c:709]: DEBUG: t_lookup_request: no transaction found Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: tm [t_funcs.c:315]: SER: forwarding ACK statelessly Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [msg_translator.c:206]: check_via_address(, domain.ch, 0) Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [forward.c:609]: Sending: ACK sip:;lr=on SIP/2.0^M Via: SIP/2.0/UDP ;branch=z9hG4bKcydzigwkX^M Via: SIP/2.0/UDP domain.ch;received=;branch=z9hG4bKac1441389717^M Max-Forwards: 69^M From: "acc2" ;tag=1c254829012^M To: ;tag=1c423881657^M Call-ID: 2547879162482012122242@^M CSeq: 2 ACK^M Contact: ^M Supported: em,timer,replaces,path,resource-priority^M Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE^M User-Agent: SBCdevice Content-Length: 0^M ^M . Aug 24 14:22:47 server /usr/sbin/kamailio[8588]: DEBUG: [forward.c:611]: orig. len=590, new_len=636, proto=1 ... Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/msg_parser.c:626]: method: Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/msg_parser.c:628]: uri: Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/msg_parser.c:630]: version: Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/parse_via.c:1286]: Found param type 232, = ; state=16 Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/parse_via.c:2561]: end of header reached, state=5 Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/msg_parser.c:511]: parse_headers: Via found, flags=2 Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: [parser/msg_parser.c:513]: parse_headers: this is the first via ... Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: sl [sl_funcs.c:396]: DEBUG : sl_filter_ACK: to late to be a local ACK! ... Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: sanity [mod_sanity.c:255]: sanity checks result: 1 Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: siputils [checks.c:106]: totag found Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: INFO: : ========== ACK MSG, NEXT function: LOOSE_ROUTE() ============ Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: rr [loose.c:108]: No Route headers found Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: DEBUG: rr [loose.c:829]: There is no Route HF Aug 24 14:22:47 server /usr/sbin/kamailio[8589]: INFO: : ============LOOSE_ROUTE RETURNED FALSE =============== When I set alias=server.domain.ch:5060, from_uri==myself returns false (when determining if INVITE should be authenticated,resulting in replying 100 trying instead of 407 Proxy Auth Req) and loose_route() starts returning true and relays the ACK correctly. I can post more debug from this case also, but I didn't want to spam so much in one message. If you would like to see it, please let me know. So .. Shall I consider the loose_route() part fixed and assume that there MUST be a full name (hostname.domain:port) in the alias, when Kamailio is not used as a primary proxy for the domain? What about the from_uri==myself part? Martin ______________________________________________________________
Od: "Klaus Darilion" Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" Dátum: 23.08.2012 15:04 Predmet: Re: [SR-Users] Possible bug in authentication
CC: miconda@gmail.com
The Route URI (sent by SBC) must be identical to the Record-Route URI (inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level. loose_route uses the "ismyself" function to evaluate if the Route header addresses this Kamailio server. And the "ismyself" is very verbose when doing this check.
regards Klaus
On 23.08.2012 13:51, martian@centrum.sk wrote:
Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the trafic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing.
The loose_route was working strangely, because it did not behave as described in the documentation.
Here is the sip message that it was suppose to pass:
ACK sip:acc1@domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" ;tag=1c1749458918
To: ;tag=1c1892801634
Call-ID: 17494024742382012111116@
CSeq: 2 ACK
Contact:
Route:
Supported: em,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;).
This happens when the value of alias is not enclosed in double quotes.
PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes?
PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060
Martin
> Od: "Daniel-Constantin Mierla" > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" > Dátum: 23.08.2012 12:21 > Predmet: Re: [SR-Users] Possible bug in authentication >
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk wrote:
Hello to everybody.
I am currently working with Kamailio 3.3.1 on RedHat.
The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function).
I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly.
However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message).
My alias:
alias="domain.ch:5060"
Examining default routing logic, I found the problem here:
if (is_method("REGISTER") || from_uri==myself)
{
# authenticate requests
...
}
The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias.
The FROM Header of the INVITE messages looks like:
From: "acc1" ;tag=12345
..so .. no port number there.
Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN.
#!define MY_DOMAIN ".*@domain.ch"
So now the condition looks like this:
if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
{
...
}
I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development.
Also, a valid description of this behavior (when using port in alias) would be appreciated.
if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
-- Daniel-Constantin Mierla -http://www.asipto.comhttp://twitter.com/#!/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 24.08.2012 14:41, martian@centrum.sk wrote:
The Route and Record-route headers are identical.
From debug (when alias=domain.ch:5060):
----authentication of INVITE:
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ---------------------- In route(AUTH), just before from_uri==myself ----------------------
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>: ---------------------- from_uri==myself evaluated as TRUE!! ----------------------
Is this really a complete log? According to the log uri==myself should return FALSE as the compared strings are never the same.
When I set alias=server.domain.ch:5060, from_uri==myself returns false (when determining if INVITE should be authenticated,resulting in replying 100 trying instead of 407 Proxy Auth Req) and loose_route() starts returning true and relays the ACK correctly.
I can post more debug from this case also, but I didn't want to spam so much in one message.
If you would like to see it, please let me know.
So .. Shall I consider the loose_route() part fixed and assume that there MUST be a full name (hostname.domain:port) in the alias, when Kamailio is not used as a primary proxy for the domain?
No. It is rather simple: domain.ch is not identical to domain.ch:5060 (as the first URI results in NAPTR+SRV lookups and my use another port than 5060).
Thus, if you want that Kamailio detects domain.ch as local domain, add "alias=domain.ch". If you want that Kamailio detects domain.ch:5060 as local domain add alias=domain.ch:5060 (not sure if quotes are needed here).
If you want that Kamailio accepts both domains as local domains, then add both alias.
Regardind loose_route: As Daniel mentioned, the ACK is broken.
regards Klaus
What about the from_uri==myself part?
Martin
Od: "Klaus Darilion" klaus.mailinglists@pernau.at Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users Mailing List" sr-users@lists.sip-router.org
Dátum: 23.08.2012 15:04 Predmet: Re: [SR-Users] Possible bug in authentication
CC: miconda@gmail.com
The Route URI (sent by SBC) must be identical to the Record-Route URI (inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level. loose_route uses the "ismyself" function to evaluate if the Route header addresses this Kamailio server. And the "ismyself" is very verbose when doing this check.
regards Klaus
On 23.08.2012 13:51, martian@centrum.sk wrote:
Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the trafic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing.
The loose_route was working strangely, because it did not behave as described in the documentation.
Here is the sip message that it was suppose to pass:
ACK sip:acc1@domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" sip:acc2@domain.ch;tag=1c1749458918
To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
CSeq: 2 ACK
Contact: sip:acc2@domain.ch:5060
Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
Supported: em,timer,replaces,path,resource-priority
Allow:
REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;).
This happens when the value of alias is not enclosed in double quotes.
PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes?
PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060
Martin
Od: "Daniel-Constantin Mierla" miconda@gmail.com Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users Mailing List" sr-users@lists.sip-router.org
Dátum: 23.08.2012 12:21 Predmet: Re: [SR-Users] Possible bug in authentication
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk mailto:martian@centrum.sk
wrote:
Hello to everybody. I am currently working with Kamailio 3.3.1 on RedHat. The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function). I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly. However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message). My alias: alias="domain.ch:5060" Examining default routing logic, I found the problem here: if (is_method("REGISTER") || from_uri==myself) { # authenticate requests ... } The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias. The FROM Header of the INVITE messages looks like: From: "acc1" <sip:acc1@domain.ch>;tag=12345 ..so .. no port number there. Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN. #!define MY_DOMAIN ".*@domain.ch" <mailto:.*@domain.ch> So now the condition looks like this: if (is_method("REGISTER") || from_uri=~MY_DOMAIN) { ... } I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development. Also, a valid description of this behavior (when using port in alias) would be appreciated.if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
-- Daniel-Constantin Mierla
-http://www.asipto.comhttp://twitter.com/# http://www.asipto.comhttp//twitter.com/!/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
The ACK was indeed broken. The problem was at the SBC, where I did not expect it. Everything works as it should. Thank you very much for your help. Martin ______________________________________________________________
Od: "Klaus Darilion" Komu: Dátum: 28.08.2012 09:36 Predmet: Re: [SR-Users] Possible bug in authentication
CC: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List", miconda@gmail.com
On 24.08.2012 14:41, martian@centrum.sk wrote:
The Route and Record-route headers are identical.
From debug (when alias=domain.ch:5060):
----authentication of INVITE:
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: : ---------------------- In route(AUTH), just before from_uri==myself ----------------------
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == []
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == []
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: : ---------------------- from_uri==myself evaluated as TRUE!! ----------------------
Is this really a complete log? According to the log uri==myself should return FALSE as the compared strings are never the same.
When I set alias=server.domain.ch:5060, from_uri==myself returns false (when determining if INVITE should be authenticated,resulting in replying 100 trying instead of 407 Proxy Auth Req) and loose_route() starts returning true and relays the ACK correctly.
I can post more debug from this case also, but I didn't want to spam so much in one message.
If you would like to see it, please let me know.
So .. Shall I consider the loose_route() part fixed and assume that there MUST be a full name (hostname.domain:port) in the alias, when Kamailio is not used as a primary proxy for the domain?
No. It is rather simple: domain.ch is not identical to domain.ch:5060 (as the first URI results in NAPTR+SRV lookups and my use another port than 5060).
Thus, if you want that Kamailio detects domain.ch as local domain, add "alias=domain.ch". If you want that Kamailio detects domain.ch:5060 as local domain add alias=domain.ch:5060 (not sure if quotes are needed here).
If you want that Kamailio accepts both domains as local domains, then add both alias.
Regardind loose_route: As Daniel mentioned, the ACK is broken.
regards Klaus
What about the from_uri==myself part?
Martin
> Od: "Klaus Darilion" > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" > Dátum: 23.08.2012 15:04 > Predmet: Re: [SR-Users] Possible bug in authentication >
> CC: miconda@gmail.com
The Route URI (sent by SBC) must be identical to the Record-Route URI (inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level. loose_route uses the "ismyself" function to evaluate if the Route header addresses this Kamailio server. And the "ismyself" is very verbose when doing this check.
regards Klaus
On 23.08.2012 13:51, martian@centrum.sk wrote: > Ok, so .. I have a session border controller device that is a contact > point for my SIP domain (SRV record in DNS set to its IP). All the > trafic goes through it and it does things like topology hiding etc.. The > device forwards the INVITE messages to Kamailio, because of the routing. > > The loose_route was working strangely, because it did not behave as > described in the documentation. > > Here is the sip message that it was suppose to pass: > > ACK sip:acc1@domain.ch:5060 SIP/2.0 > > Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013 > > Max-Forwards: 70 > > From: "acc2" ;tag=1c1749458918 > > To: ;tag=1c1892801634 > > Call-ID: 17494024742382012111116@ > > CSeq: 2 ACK > > Contact: > > Route: > > Supported: em,timer,replaces,path,resource-priority > > Allow: > REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE > > User-Agent: SBC_DEVICE > > Content-Length: 0 > > As you can see, there is a Route header and a To_tag .. so the > loose_route function should return true. But instead, it returned false, > then t_check_trans() also returned false and the routing logic exited > (exit;). > > This happens when the value of alias is not enclosed in double quotes. > > PS.: There is a "-" symbol in the domain name. Can't that be a problem > causing the need for the double quotes? > > PS2: Should there be only a domain name in the alias? or also the > hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060 > > Martin > > ______________________________________________________________ > > Od: "Daniel-Constantin Mierla" > > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - > Users Mailing List" > > Dátum: 23.08.2012 12:21 > > Predmet: Re: [SR-Users] Possible bug in authentication > > > > Hello, > > On 8/23/12 11:54 AM, martian@centrum.sk wrote: > > Hello to everybody. > > I am currently working with Kamailio 3.3.1 on RedHat. > > The "loose_route" function was not working correctly and I observed > some very strange behaviour (not as one described in the > documentation of the function). > > I have found that there needs to be a port included in the "alias" > variable for the loose_route function to work correctly. > > However, upon adding the port to alias, the INVITE messages were no > longer authenticated (Kamailio just accepted them and didn't send > proxy-auth header in 407 message). > > My alias: > > alias="domain.ch:5060" > > Examining default routing logic, I found the problem here: > > if (is_method("REGISTER") || from_uri==myself) > > { > > # authenticate requests > > ... > > } > > The "from_uri==myself" was no longer evaluated as true, because > there was a port at the end of the alias. > > The FROM Header of the INVITE messages looks like: > > From: "acc1" ;tag=12345 > > ..so .. no port number there. > > Btw, I have fixed this with replacing the "myself" list with my own > defined variable MY_DOMAIN. > > #!define MY_DOMAIN ".*@domain.ch" > > So now the condition looks like this: > > if (is_method("REGISTER") || from_uri=~MY_DOMAIN) > > { > > ... > > } > > I am not sure if this is a bug that needs to be fixed or not. I am > just pointing my finger at it and I hope it will contribute to the > development. > > Also, a valid description of this behavior (when using port in > alias) would be appreciated. > > > if you enclose the value of the alias parameter in double quotes, then > it is taken as string value. If you want to set it to a host:port, then > remove the double quotes: > > alias=domain.ch:5060 > > > Why do you say the loose_route() was working strangely? Do you add the > hostname as record-route, not the IP address? Detail more about what you > think is wrong with record routing/loose routing. > > > Cheers, > Daniel > > -- Daniel-Constantin Mierla -http://www.asipto.comhttp://twitter.com/# !/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat > > > > _______________________________________________ > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list > sr-users@lists.sip-router.org > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users >
Hello,
On 8/23/12 1:51 PM, martian@centrum.sk wrote:
Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the trafic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing.
The loose_route was working strangely, because it did not behave as described in the documentation.
Here is the sip message that it was suppose to pass:
ACK sip:acc1@domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" sip:acc2@domain.ch;tag=1c1749458918
To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
CSeq: 2 ACK
Contact: sip:acc2@domain.ch:5060
Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
Supported: em,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;).
if this is an ACK for a 200 ok and domain.ch is the domain of Kamailio, then the ACK is broken. The r-uri should be the contact address of callee (contact address from 200ok). The reason can be that the sbc changed the contact in 200 ok or the r-uri. Also, it could be that the UA is the broken device.
This happens when the value of alias is not enclosed in double quotes.
PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes?
No, '-' in the hostname is valid. If it would not be valid, kamailio will not start, alias value is checked at startup.
PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060
Alias value has pretty much same format as for listen, like 'protocol:address:port'. protocol and port are option, address can be IP or hostname. So
alias=domain.ch:5060
is valid.
Cheers, Daniel
Martin
Od: "Daniel-Constantin Mierla" miconda@gmail.com Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER)
- Users Mailing List" sr-users@lists.sip-router.org
Dátum: 23.08.2012 12:21 Predmet: Re: [SR-Users] Possible bug in authentication
Hello,
On 8/23/12 11:54 AM, martian@centrum.sk mailto:martian@centrum.sk wrote:
Hello to everybody. I am currently working with Kamailio 3.3.1 on RedHat. The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function). I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly. However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message). My alias: alias="domain.ch:5060" Examining default routing logic, I found the problem here: if (is_method("REGISTER") || from_uri==myself) { # authenticate requests ... } The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias. The FROM Header of the INVITE messages looks like: From: "acc1" <sip:acc1@domain.ch>;tag=12345 ..so .. no port number there. Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN. #!define MY_DOMAIN ".*@domain.ch" <mailto:.*@domain.ch> So now the condition looks like this: if (is_method("REGISTER") || from_uri=~MY_DOMAIN) { ... } I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development. Also, a valid description of this behavior (when using port in alias) would be appreciated.if you enclose the value of the alias parameter in double quotes, then it is taken as string value. If you want to set it to a host:port, then remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
Cheers, Daniel
-- Daniel-Constantin Mierla -http://www.asipto.comhttp://twitter.com/#!/miconda http://twitter.com/#%21/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat
-
Daniel-Constantin Mierla -
Klaus Darilion -
martian@centrum.sk