[SR-Users] Possible bug in authentication

martian at centrum.sk martian at centrum.sk
Thu Aug 30 15:52:05 CEST 2012


The ACK was indeed broken. The problem was at the SBC, where I did not expect it.
Everything works as it should.
Thank you very much for your help.
 
Martin
______________________________________________________________
> From: "Klaus Darilion"
> To:
> Date: 28.08.2012 09:36
> Subject: Re: [SR-Users] Possible bug in authentication
>
> CC: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List", miconda at gmail.com


On 24.08.2012 14:41, martian at centrum.sk wrote:
> The Route and Record-route headers are identical.
>
>
>  From debug (when alias=domain.ch:5060):
>
> ----authentication of INVITE:
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: :
> ---------------------- In route(AUTH), just before
> from_uri==myself ----------------------
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 &&
> [domain.ch] == [127.0.0.1]
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
> 0) matches port 5060
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 &&
> [domain.ch] == []
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
> 0) matches port 5060
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 &&
> [domain.ch] == [127.0.0.1]
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
> 0) matches port 5060
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 &&
> [domain.ch] == []
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: 
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
> 0) matches port 5060
>
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: :
> ---------------------- from_uri==myself evaluated as
> TRUE!! ----------------------


Is this really a complete log? According to the log uri==myself should 
return FALSE as the compared strings are never the same.

> When I set alias=server.domain.ch:5060, from_uri==myself returns false
> (when determining if INVITE should be authenticated, resulting in
> replying 100 trying instead of 407 Proxy Auth Req) and loose_route()
> starts returning true and relays the ACK correctly.
>
> I can post more debug from this case also, but I didn't want to spam so
> much in one message.
>
> If you would like to see it, please let me know.
>
> So .. Shall I consider the loose_route() part fixed and assume that
> there MUST be a full name (hostname.domain:port) in the alias, when
> Kamailio is not used as a primary proxy for the domain?

No. It is rather simple: domain.ch is not identical to domain.ch:5060 
(as the first URI results in NAPTR+SRV lookups and may use another port 
than 5060).

Thus, if you want Kamailio to detect domain.ch as a local domain, add 
"alias=domain.ch". If you want Kamailio to detect domain.ch:5060 as a 
local domain, add alias=domain.ch:5060 (not sure if quotes are needed here).

If you want Kamailio to accept both domains as local domains, then 
add both aliases.

Regarding loose_route: As Daniel mentioned, the ACK is broken.

regards
Klaus

>
> What about the from_uri==myself part?
>
> Martin
>
> ______________________________________________________________
>  > From: "Klaus Darilion"
>  > To: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List"
>  > Date: 23.08.2012 15:04
>  > Subject: Re: [SR-Users] Possible bug in authentication
>  >
>
>  > CC: miconda at gmail.com
>
> The Route URI (sent by SBC) must be identical to the Record-Route URI
> (inserted by Kamailio).
>
> To find out why loose_route returns FALSE increase log-level.
> loose_route uses the "ismyself" function to evaluate if the Route header
> addresses this Kamailio server. And the "ismyself" is very verbose when
> doing this check.
>
> regards
> Klaus
>
> On 23.08.2012 13:51, martian at centrum.sk wrote:
>  > Ok, so .. I have a session border controller device that is a contact
>  > point for my SIP domain (SRV record in DNS set to its IP). All the
>  > traffic goes through it and it does things like topology hiding etc. The
>  > device forwards the INVITE messages to Kamailio, because of the routing.
>  >
>  > The loose_route was working strangely, because it did not behave as
>  > described in the documentation.
>  >
>  > Here is the SIP message that it was supposed to pass:
>  >
>  > ACK sip:acc1 at domain.ch:5060 SIP/2.0
>  > Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
>  > Max-Forwards: 70
>  > From: "acc2" ;tag=1c1749458918
>  > To: ;tag=1c1892801634
>  > Call-ID: 17494024742382012111116@
>  > CSeq: 2 ACK
>  > Contact: 
>  > Route: 
>  > Supported: em,timer,replaces,path,resource-priority
>  > Allow: REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
>  > User-Agent: SBC_DEVICE
>  > Content-Length: 0
>  >
>  > As you can see, there is a Route header and a To_tag .. so the
>  > loose_route function should return true. But instead, it returned false,
>  > then t_check_trans() also returned false and the routing logic exited
>  > (exit;).
>  >
>  > This happens when the value of alias is not enclosed in double quotes.
>  >
>  > PS.: There is a "-" symbol in the domain name. Can't that be a problem
>  > causing the need for the double quotes?
>  >
>  > PS2: Should there be only a domain name in the alias? or also the
>  > hostname part? ... for example:   domain.ch:5060 or server.domain.ch:5060
>  >
>  > Martin
>  >
>  > ______________________________________________________________
>  >  > From: "Daniel-Constantin Mierla"
>  >  > To: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List"
>  >  > Date: 23.08.2012 12:21
>  >  > Subject: Re: [SR-Users] Possible bug in authentication
>  >  >
>  >
>  > Hello,
>  >
>  > On 8/23/12 11:54 AM, martian at centrum.sk wrote:
>  >
>  >     Hello to everybody.
>  >
>  >     I am currently working with Kamailio 3.3.1 on RedHat.
>  >
>  >     The "loose_route" function was not working correctly and I observed
>  >     some very strange behaviour (not as one described in the
>  >     documentation of the function).
>  >
>  >     I have found that there needs to be a port included in the "alias"
>  >     variable for the loose_route function to work correctly.
>  >
>  >     However, upon adding the port to alias, the INVITE messages were no
>  >     longer authenticated (Kamailio just accepted them and didn't send
>  >     proxy-auth header in 407 message).
>  >
>  >     My alias:
>  >
>  >     alias="domain.ch:5060"
>  >
>  >     Examining default routing logic, I found the problem here:
>  >
>  >     if (is_method("REGISTER") || from_uri==myself)
>  >     {
>  >     # authenticate requests
>  >     ...
>  >     }
>  >
>  >     The "from_uri==myself" was no longer evaluated as true, because
>  >     there was a port at the end of the alias.
>  >
>  >     The FROM Header of the INVITE messages looks like:
>  >
>  >     From: "acc1" ;tag=12345
>  >
>  >     ..so .. no port number there.
>  >
>  >     Btw, I have fixed this with replacing the "myself" list with my own
>  >     defined variable MY_DOMAIN.
>  >
>  >     #!define MY_DOMAIN ".*@domain.ch" 
>  >
>  >     So now the condition looks like this:
>  >
>  >     if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
>  >     {
>  >     ...
>  >     }
>  >
>  >     I am not sure if this is a bug that needs to be fixed or not. I am
>  >     just pointing my finger at it and I hope it will contribute to the
>  >     development.
>  >
>  >     Also, a valid description of this behavior (when using port in
>  >     alias) would be appreciated.
>  >
>  >
>  > if you enclose the value of the alias parameter in double quotes, then
>  > it is taken as string value. If you want to set it to a host:port, then
>  > remove the double quotes:
>  >
>  > alias=domain.ch:5060
>  >
>  >
>  > Why do you say the loose_route() was working strangely? Do you add the
>  > hostname as record-route, not the IP address? Detail more about what you
>  > think is wrong with record routing/loose routing.
>  >
>  >
>  > Cheers,
>  > Daniel
>  >
>  > -- Daniel-Constantin Mierla - http://www.asipto.com
>  > http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>  > Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
>  >
>  >
>  >
>  > _______________________________________________
>  > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>  > sr-users at lists.sip-router.org
>  > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>  >
>
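
Added example, not part of the original thread and not Kamailio code: a small Python script that replays, over the `grep_sock_info` debug lines quoted above, the check the reply makes by eye, reporting whether any listen-socket comparison matched on both host and port. The line formats are copied from the quoted log; the match rule (equal lengths and equal text, then equal ports) and the reading of the two port fields are assumptions drawn from the wording of the debug messages.

```python
import re

# Line shapes copied from the debug output quoted in this thread.
HOST_RE = re.compile(r"grep_sock_info - checking if host==us: (\d+)==(\d+) && \[([^\]]*)\] == \[([^\]]*)\]")
PORT_RE = re.compile(r"grep_sock_info - checking if port (\d+) \(advertise (\d+)\) matches port (\d+)")

# Constructed sample: the wrapped syslog lines from the thread, re-joined.
SAMPLE_LOG = """\
DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == []
DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
"""


def socket_checks(log_text):
    """Pair each host comparison with the port comparison that follows it."""
    checks, pending = [], None
    for line in log_text.splitlines():
        host = HOST_RE.search(line)
        port = PORT_RE.search(line)
        if host:
            want_len, have_len, want, have = host.groups()
            pending = {
                "wanted": want,
                "socket": have,
                # Assumed rule: same logged length and same text, ignoring case.
                "host_ok": want_len == have_len and want.lower() == have.lower(),
                "port_ok": None,
            }
            checks.append(pending)
        elif port and pending is not None:
            # Assumed reading: first number is the socket port, last the wanted port.
            socket_port, _advertise, wanted_port = port.groups()
            pending["port_ok"] = socket_port == wanted_port
            pending = None
    return checks


def any_socket_match(log_text):
    """True if some logged listen-socket comparison matched on host and port."""
    return any(c["host_ok"] and c["port_ok"] for c in socket_checks(log_text))


if __name__ == "__main__":
    for check in socket_checks(SAMPLE_LOG):
        print(check)
    print("socket match:", any_socket_match(SAMPLE_LOG))
```

The host names in the posted log were anonymised, so the logged lengths (10 against 9 and 15) are what show the mismatch; on an unedited log both the lengths and the text are compared.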
