[SR-Users] Possible bug in authentication

martian at centrum.sk martian at centrum.sk
Thu Aug 23 13:51:49 CEST 2012


Ok, so .. I have a session border controller device that is a contact point for my SIP domain (SRV record in DNS set to its IP). All the traffic goes through it and it does things like topology hiding etc.. The device forwards the INVITE messages to Kamailio, because of the routing. 
 
The loose_route was working strangely, because it did not behave as described in the documentation.
Here is the SIP message that it was supposed to pass:
 
ACK sip:acc1 at domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" ;tag=1c1749458918
To: ;tag=1c1892801634
Call-ID: 17494024742382012111116@
CSeq: 2 ACK
Contact: 
Route: 
Supported: em,timer,replaces,path,resource-priority
Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
 
As you can see, there is a Route header and a To_tag .. so the loose_route function should return true. But instead, it returned false, then t_check_trans() also returned false and the routing logic exited (exit;).
 
This happens when the value of alias is not enclosed in double quotes.
 
PS.: There is a "-" symbol in the domain name. Can't that be a problem causing the need for the double quotes?
PS2: Should there be only a domain name in the alias? or also the hostname part? ... for example:   domain.ch:5060 or server.domain.ch:5060
 
Martin
 
______________________________________________________________
> From: "Daniel-Constantin Mierla" 
> To: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" 
> Date: 23.08.2012 12:21
> Subject: Re: [SR-Users] Possible bug in authentication
>
Hello,
 
On 8/23/12 11:54 AM, martian at centrum.sk wrote:

Hello to everybody.
I am currently working with Kamailio 3.3.1 on RedHat.
The "loose_route" function was not working correctly and I observed some very strange behaviour (not as one described in the documentation of the function).
I have found that there needs to be a port included in the "alias" variable for the loose_route function to work correctly.
However, upon adding the port to alias, the INVITE messages were no longer authenticated (Kamailio just accepted them and didn't send proxy-auth header in 407 message).
 
My alias:
 
alias="domain.ch:5060"
 
Examining default routing logic, I found the problem here:
 
if (is_method("REGISTER") || from_uri==myself)
{
 # authenticate requests
 ...
}
 
The "from_uri==myself" was no longer evaluated as true, because there was a port at the end of the alias.
The FROM Header of the INVITE messages looks like:
 
From: "acc1" ;tag=12345
 
..so .. no port number there.
 
Btw, I have fixed this with replacing the "myself" list with my own defined variable MY_DOMAIN.
 
#!define MY_DOMAIN ".*@domain.ch"
 
So now the condition looks like this:
 
if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
{
...
}
 
 
I am not sure if this is a bug that needs to be fixed or not. I am just pointing my finger at it and I hope it will contribute to the development.
Also, a valid description of this behavior (when using port in alias) would be appreciated.

 If you enclose the value of the alias parameter in double quotes, then it is taken as a string value. If you want to set it to a host:port, then remove the double quotes:
 
alias=domain.ch:5060

 Why do you say the loose_route() was working strangely? Do you add the hostname as record-route, not the IP address? Detail more about what you think is wrong with record routing/loose routing.
 

 Cheers,
 Daniel
 
-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
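
Added example, not part of the original messages or of Kamailio: it shows which From URIs the MY_DOMAIN pattern from the thread accepts when it gates authentication, next to a hypothetical anchored variant (STRICT). It assumes the =~ operator performs an unanchored regex search, modelled here with Python's re.search; the sample URIs are constructed.

```python
import re

# Pattern posted in the thread (#!define MY_DOMAIN), used as: from_uri=~MY_DOMAIN
POSTED = r".*@domain.ch"

# Hypothetical tighter variant (assumption, not from the thread):
# anchored at both ends, literal dot, optional port and URI parameters.
STRICT = r"^sips?:[^@;]+@domain\.ch(:[0-9]+)?(;.*)?$"

# Constructed From URIs, not taken from the thread's traffic.
SAMPLES = [
    "sip:acc1@domain.ch",              # intended: local domain, no port
    "sip:acc1@domain.ch:5060",         # intended: local domain with port
    "sip:acc1@domain.ch.example.net",  # foreign host that starts with the domain
    "sip:acc1@domainxch.example.net",  # "." in the pattern matches any character
    "sip:acc1@other.example.net",      # unrelated foreign domain
]


def matches(pattern, uri):
    """Unanchored search: true if the pattern occurs anywhere in the URI."""
    return re.search(pattern, uri) is not None


def classify(pattern):
    """Map each sample URI to whether the pattern treats it as local."""
    return {uri: matches(pattern, uri) for uri in SAMPLES}


def overmatched():
    """URIs the posted pattern accepts but the anchored variant rejects."""
    posted, strict = classify(POSTED), classify(STRICT)
    return [u for u in SAMPLES if posted[u] and not strict[u]]


if __name__ == "__main__":
    posted, strict = classify(POSTED), classify(STRICT)
    for uri in SAMPLES:
        print(f"{uri:34} posted={posted[uri]!s:5} strict={strict[uri]}")
    print("accepted only by the posted pattern:", overmatched())
```
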