[sr-dev] MSRP relay authentication

Peter Dunkley peter.dunkley at crocodile-rcs.com
Thu Oct 25 13:40:34 CEST 2012 

Hi,

I am doing some work on this module right now myself.

I did think of putting a bit of code into the auth module that, where
the method is selected, checks to see if the request is an MSRP one and,
if it is, selects the method using the same mechanism as for
$msrp(method).

I am also looking at the handling of the To-Path: header as I am not
sure that is correct.  If I have two MSRP clients connected to the same
relay my To-Path: header in a SEND will be:

	To-Path: msrps://relay_address:relay_port/foo \			<-- From the Use-Path: in response to _MY_ AUTH
			msrps://relay_address:relay_port/bar \		<-- From the Use-Path: in response to peers AUTH
			msrps://client_address:client_port/wibble	<-- Peer


This is based on RFC 4967 section 5.1 paragraph three:

	... To form the To-Path header for outgoing
	requests, the client takes the list of URIs in the Use-Path header
	after the outermost authentication and appends the list of URIs
	provided in the path attribute in the peer's session description. ...


The example event_route[] in the MSRP README contains the following
logic for SEND handling:

		if($msrp(nexthops)>1)
		{
			msrp_reply("200", "Received");
			msrp_relay();
			exit;
		}
		$var(sessid) = $msrp(sessid);
		if($sht(msrp=>$var(sessid)::srcaddr) == $null)
		{
			# one more hop, but we don't have address in htable
			msrp_reply("481", "No Such Session");
			exit;
		}
		msrp_relay_flags("1");
		msrp_set_dst("$sht(msrp=>$var(sessid)::srcaddr)",
				"$sht(msrp=>$var(sessid)::srcsock)");
		msrp_relay();
		exit;
	}


But I seem to have problems with this as the msrp_relay() when
$msrp(nexthops) > 1 fails (this could be related to my changes for WS
support as it is a problem finding/creating a TCP connection to the next
relay).  However, ideally the MSRP relay should spot that the first two
URIs on the To-Path: are itself and eat them both - setting $msrp(...)
appropriately - rather than looping MSRP requests back to itself.

Also, I think the same handling should be performed for routing REPORT
requests too - so the overall logic of the MSRP event_route[] should be:


        if (msrp_is_reply())
        	msrp_relay();
        else if ($msrp(method) == "AUTH") {
        	...
        } else if ($msrp(method) == "SEND" || $msrp(method) == "REPORT") {
        	...
        } else
        	msrp_reply("501", "Request-method-not-understood");


Regards,

Peter


On Thu, 2012-10-25 at 13:16 +0200, Daniel-Constantin Mierla wrote:

> Hello,
> 
> just remembered about this one ...
> 
> hmm, I would say now that the right method would be AUTH, not MSRP,
> but as you pointed, in SIP and HTTP the method is the first token in
> request. I guess you had no chance to test with some client or look at
> specs to see if they clarify somehow.
> 
> In both cases, the method seems to be static anyhow, either AUTH or
> MSRP (iirc, the authentication is done only for AUTH). Both have the
> same length, so a quick hack would be to replace internally MSRP with
> AUTH for this case. But probably the safest is to extend the auth api
> with a function that takes the method as parameter, which is
> eventually used from inside msrp module.
> 
> Probably before the next release I will put some efforts in this
> module, as the interest on it seems to increase, one of the goals
> being to add an internal hash table to track the connections - it
> should bring some performance improvement versus using htable in
> config...
> 
> Cheers,
> Daniel
> 
> 
> On 10/19/12 3:58 PM, Peter Dunkley wrote:
> 
> > 
> > Hi,
> > 
> > MSRP AUTH requests must be authenticated using HTTP Digest
> > authentication.  Part of the concatenated data when doing this
> > authentication is the method name.  Because of the way MSRP requests
> > are formatted, the part of the request-line that would contain the
> > method name in HTTP or SIP requests is always MSRP.  The MSRP method
> > name (AUTH in this case) is at the end of the request-line.  When
> > Kamailio converts an MSRP request to SIP it has a method name of
> > MSRP.
> > 
> > This means that when Kamailio authenticates an MSRP request it uses
> > "MSRP" as the method name, not the actual MSRP method name (AUTH).
> > 
> > Is this correct?
> > 
> > Should MSRP requests be authenticated with a method name of
> > "MSRP" (which kind-of makes sense as this is the string at the start
> > of the MSRP request line - which is where the method names are in
> > HTTP and SIP) or should the MSRP method name of "AUTH" be used?
> > 
> > If it is the later, does anyone know of an easy way to add this to
> > Kamailio?
> > 
> > Regards,
> > 
> > Peter
> > 
> > -- 
> > Peter Dunkley
> > Technical Director
> > Crocodile RCS Ltd
> > 
> > 
> > 
> > _______________________________________________
> > sr-dev mailing list
> > sr-dev at lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
> 
> 
> 
> -- 
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
> Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu


-- 
Peter Dunkley
Technical Director
Crocodile RCS Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20121025/bd480767/attachment.htm>

More information about the sr-dev mailing list