[SR-Users] Possible bug in authentication

Daniel-Constantin Mierla miconda at gmail.com
Fri Aug 24 23:02:26 CEST 2012


Hello,

On 8/23/12 1:51 PM, martian at centrum.sk wrote:
>
> Ok, so .. I have a session border controller device that is a contact 
> point for my SIP domain (SRV record in DNS set to its IP). All the 
> traffic goes through it and it does things like topology hiding etc. 
> The device forwards the INVITE messages to Kamailio, because of the 
> routing.
>
> The loose_route was working strangely, because it did not behave as 
> described in the documentation.
>
> Here is the SIP message that it was supposed to pass:
>
> ACK sip:acc1@domain.ch:5060 SIP/2.0
> Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
> Max-Forwards: 70
> From: "acc2" <sip:acc2@domain.ch>;tag=1c1749458918
> To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
> Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
> CSeq: 2 ACK
> Contact: <sip:acc2@domain.ch:5060>
> Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
> Supported: em,timer,replaces,path,resource-priority
> Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
> User-Agent: SBC_DEVICE
> Content-Length: 0
>
> As you can see, there is a Route header and a To_tag .. so the 
> loose_route function should return true. But instead, it returned 
> false, then t_check_trans() also returned false and the routing logic 
> exited (exit;).
>
If this is an ACK for a 200 OK and domain.ch is the domain of Kamailio, 
then the ACK is broken. The R-URI should be the contact address of the 
callee (the contact address from the 200 OK). The reason can be that the SBC 
changed the contact in the 200 OK or the R-URI. Also, it could be that the 
UA is the broken device.

> This happens when the value of alias is not enclosed in double quotes.
>
> PS.: There is a "-" symbol in the domain name. Can't that be a problem 
> causing the need for the double quotes?
>

No, '-' in the hostname is valid. If it were not valid, Kamailio 
would not start; the alias value is checked at startup.

> PS2: Should there be only a domain name in the alias? or also the 
> hostname part? ... for example:   domain.ch:5060 or server.domain.ch:5060
>

The alias value has pretty much the same format as for listen, like 
'protocol:address:port'. Protocol and port are optional, address can be an IP 
or a hostname. So

alias=domain.ch:5060

is valid.

Cheers,
Daniel

> Martin
>
> ______________________________________________________________
> > From: "Daniel-Constantin Mierla" <miconda at gmail.com>
> > To: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" <sr-users at lists.sip-router.org>
> > Date: 23.08.2012 12:21
> > Subject: Re: [SR-Users] Possible bug in authentication
> >
>
> Hello,
>
> On 8/23/12 11:54 AM, martian at centrum.sk wrote:
>
>     Hello to everybody.
>
>     I am currently working with Kamailio 3.3.1 on RedHat.
>
>     The "loose_route" function was not working correctly and I
>     observed some very strange behaviour (not as described in the
>     documentation of the function).
>
>     I have found that there needs to be a port included in the "alias"
>     variable for the loose_route function to work correctly.
>
>     However, upon adding the port to alias, the INVITE messages were
>     no longer authenticated (Kamailio just accepted them and didn't
>     send proxy-auth header in 407 message).
>
>     My alias:
>
>     alias="domain.ch:5060"
>
>     Examining default routing logic, I found the problem here:
>
>     if (is_method("REGISTER") || from_uri==myself)
>     {
>         # authenticate requests
>         ...
>     }
>
>     The "from_uri==myself" was no longer evaluated as true, because
>     there was a port at the end of the alias.
>
>     The FROM Header of the INVITE messages looks like:
>
>     From: "acc1" <sip:acc1@domain.ch>;tag=12345
>
>     ..so .. no port number there.
>
>     Btw, I have fixed this by replacing the "myself" list with my
>     own defined variable MY_DOMAIN.
>
>     #!define MY_DOMAIN ".*@domain.ch"
>
>     So now the condition looks like this:
>
>     if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
>     {
>         ...
>     }
>
>     I am not sure if this is a bug that needs to be fixed or not. I am
>     just pointing my finger at it and I hope it will contribute to the
>     development.
>
>     Also, a valid description of this behavior (when using port in
>     alias) would be appreciated.
>
>
> if you enclose the value of the alias parameter in double quotes, then 
> it is taken as string value. If you want to set it to a host:port, 
> then remove the double quotes:
>
> alias=domain.ch:5060
>
>
> Why do you say the loose_route() was working strangely? Do you add the 
> hostname as record-route, not the IP address? Detail more about what 
> you think is wrong with record routing/loose routing.
>
>
> Cheers,
> Daniel
>
> -- 
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
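
Added example, not part of the original thread and not Kamailio source code: a simplified Python model of why the quoted alias left INVITEs outside the authentication block while the unquoted form does not. The function names, the set of protocol prefixes and the rule that a missing port matches any port are assumptions of this model; IPv6 literals are not handled.

```python
import re

PROTOS = {"udp", "tcp", "tls", "sctp"}
URI_RE = re.compile(r"^sips?:(?:[^@]+@)?([^:;>]+)(?::(\d+))?")

def parse_alias(raw):
    """Parse the right-hand side of an `alias=` line into (host, port)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        # Quoted: the whole string is taken as the host name (per the reply).
        return (raw[1:-1].lower(), 0)
    parts = raw.split(":")
    if parts[0].lower() in PROTOS:      # optional protocol prefix
        parts = parts[1:]
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return (parts[0].lower(), port)

def uri_hostport(uri):
    """Extract (host, port) from a SIP URI; port 0 means 'not present'."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return (m.group(1).lower(), int(m.group(2) or 0))

def is_myself(uri, aliases):
    # Assumption of this model: a missing port on either side matches any port.
    host, port = uri_hostport(uri)
    return any(host == ah and (ap == 0 or port == 0 or ap == port)
               for ah, ap in aliases)

def auth_block_entered(method, from_uri, aliases):
    """Mirror of: if (is_method("REGISTER") || from_uri==myself) { ... }"""
    return method == "REGISTER" or is_myself(from_uri, aliases)

# From URI as in the thread's example header (no port).
FROM_URI = "sip:acc1@domain.ch"

if __name__ == "__main__":
    for line in ('"domain.ch:5060"', "domain.ch:5060"):
        aliases = [parse_alias(line)]
        print("alias=%-18s -> %r  INVITE authenticated: %s" % (
            line, aliases[0], auth_block_entered("INVITE", FROM_URI, aliases)))
```

In this model the quoted form yields a host name of "domain.ch:5060", which never equals the From host "domain.ch", so only REGISTER reaches the authentication block.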
