[sr-dev] where is s proxy_challenge function?

Iñaki Baz Castillo ibc at aliax.net
Thu Jul 1 21:50:11 CEST 2010


2010/7/1 Jan Janak <jan at ryngle.com>:
> On Thu, Jul 1, 2010 at 3:31 PM, Iñaki Baz Castillo <ibc at aliax.net> wrote:
>> 2010/7/1 Juha Heinanen <jh at tutpro.com>:
>>>> if (!proxy_authenticate("$fd.digest_realm", "credentials")) {
>>
>> What is $fd.digest_realm ?
>
> A variable containing the string to be used as realm in digest
> authentication. In most circumstances its value is retrieved from the
> database (domain_attrs table).

So, if for example the From domain is "example.org" then SER would
search for the realm corresponding to the domain "example.org" (which
could be the domain itself or any other token), am I right?

I like it, more than the "subscriber" table and the "auth_db" module
of Kamailio. Let me explain why:

- Imagine a Kamailio in multidomain mode.

- A phone "sip:alice@example.org" sends an INVITE with "From:
sip:anonymous@invalid-domain.org" (so the user requests privacy).

- The INVITE doesn't have a "P-Preferred-Identity:
<sip:alice@example.org>" (it doesn't implement RFC 3325).

- So, how could Kamailio ask for authentication? Which realm to use?
There is no string in the INVITE identifying the domain the originator
belongs to, so...


The only solution for this issue would be using the same realm for
every user and domain of the proxy, but in Kamailio this is not
possible if "calculate_ha1" (in "auth_db") is 0 because Kamailio takes
the realm of the request to look for the corresponding user using such
realm as domain.

With SER the above problem would be solved by using the same realm for
all the users and domains, but with a constraint: the "username" field
of the credentials generated by the user should be a full URI
"sip:alice@example.org" (or perhaps also "alice@example.org"), so the
auth module would parse the username and domain from the credentials
"username" field.

In the future I would like to talk about the credentials username field
format (just SIP username, username@domain or sip:username@domain).
IMHO in a multidomain system phones should authenticate
themselves by using the whole AoR (including the "sip:" schema) in the
"username" field of the credentials.


Regards.


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
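
The shared-realm scheme discussed in this message, as an added Python sketch that is not part of the original post and is not SER or Kamailio code. The realm name, subscriber store, passwords and function names are constructed assumptions; the digest formulas are the RFC 2617 ones without qop.

```python
import hashlib
import hmac

SHARED_REALM = "sip-proxy"  # assumption: one realm for every hosted domain

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(digest_username, realm, password):
    # RFC 2617: HA1 = MD5(username ":" realm ":" password), where username is
    # the exact string the client puts in the credentials "username" field.
    return md5_hex(f"{digest_username}:{realm}:{password}")

def split_digest_username(value):
    """Return (user, domain); domain is None when only a bare username is sent."""
    if value.lower().startswith("sip:"):
        value = value[4:]
    user, sep, domain = value.partition("@")
    return (user, domain.lower() if sep else None)

# Constructed subscriber store: (user, domain) -> precomputed HA1, no cleartext.
# The HA1 is bound to the full AoR form of the username and to the shared realm.
SUBSCRIBERS = {
    ("alice", "example.org"): ha1("sip:alice@example.org", SHARED_REALM, "org-secret"),
    ("alice", "example.net"): ha1("sip:alice@example.net", SHARED_REALM, "net-secret"),
}

def expected_response(stored_ha1, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" MD5(method ":" uri)).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{ha2}")

def verify(digest_username, realm, nonce, method, uri, response):
    # The From header is never consulted, so an anonymous From is harmless:
    # user and domain come only from the credentials "username" field.
    user, domain = split_digest_username(digest_username)
    if realm != SHARED_REALM or domain is None:
        return False  # a bare "alice" cannot be tied to one domain
    stored = SUBSCRIBERS.get((user, domain))
    if stored is None:
        return False
    expected = expected_response(stored, nonce, method, uri)
    return hmac.compare_digest(expected, response)
```

Because the stored HA1 covers the username string exactly as sent, a phone that sends "alice@example.org" instead of "sip:alice@example.org" resolves to the right subscriber but still fails verification unless a second HA1 is stored for that form.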


