[SR-Users] Multiple SIP-servers with SRV-records and authentication secrets

Alfred E. Heggestad aeh at db.org
Sun Apr 3 18:09:32 CEST 2016


Dear SIP-experts and DNS-SRV gurus;


I have some questions to the deployers of SER/Kamailio and
best current practice for multiple SIP-servers with SRV-records
and authentication. This is not a question about Kamailio itself
but rather experience with deployment of it in the field.


The current use case is:

1. Multiple SIP-servers are deployed for the same domain

2. The DNS is configured with SRV-records for load balancing,
    example: (let's call the domain "example.com")

    $ host -t SRV _sip._udp.example.com
    _sip._udp.example.com has SRV record 20 0 5080 alpha1.example.com.
    _sip._udp.example.com has SRV record 20 0 5080 alpha2.example.com.

3. When a SIP client registers, it resolves the domain using RFC 3263 [1]
    and the first REGISTER request is sent to SIP-Server #1

4. SIP-server #1 replies with 401 containing the authentication challenge

5. The SIP Client adds the authentication header to the REGISTER
    request and re-sends it, but this time also using RFC 3263, and due
    to DNS rotation the request is sent to SIP-Server #2

6. Now, because the SIP-Servers are configured with _different_
    secrets in the "auth" module [2], the REGISTER request
    fails with an authentication error.



Now, I know that it is common for SIP user-agents to send both requests
to the same SIP-server instance. Baresip [3] is not doing that, it does
a new RFC 3263 lookup for all requests (except e2e ACK/CANCEL).


So here are my questions:

- What is common practice in the field, to configure auth module
   with the same "secret" or different "secret" values?

- Do you know if there is any reference to IETF documents about how
   this should be handled? RFC 3263 says that every request should be
   resolved, except:

   "The procedures here MUST be done exactly once per transaction, where
    transaction is as defined in [1].  That is, once a SIP server has
    successfully been contacted (success is defined below), all
    retransmissions of the SIP request and the ACK for non-2xx SIP
    responses to INVITE MUST be sent to the same host.  Furthermore, a
    CANCEL for a particular SIP request MUST be sent to the same SIP
    server that the SIP request was delivered to."

- What is common practice for SIP user-agents to do in this case?






/alfred

[1] https://tools.ietf.org/html/rfc3263#section-4.4

[2] http://www.kamailio.org/docs/modules/3.4.x/modules/auth.html#auth.secret

[3] https://github.com/alfredh/baresip/issues/39
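
The failure in steps 4 to 6 above, as an added example that is not part of the original post and is not Kamailio code. It assumes a simplified stateless nonce (expiry time plus an HMAC keyed with the server's secret); the class, function and secret values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

class SipAuthServer:
    """Simplified model of one SIP server issuing stateless digest nonces.

    Assumption: nonce = 8 hex digits of expiry time + HMAC-SHA256 keyed
    with the server's secret. This is not Kamailio's actual nonce format.
    """

    def __init__(self, name, secret, nonce_lifetime=300):
        self.name = name
        self.secret = secret
        self.nonce_lifetime = nonce_lifetime

    def _mac(self, expires_hex):
        return hmac.new(self.secret, expires_hex.encode(), hashlib.sha256).hexdigest()

    def issue_nonce(self, now):
        """Nonce placed in the 401 challenge (step 4)."""
        expires_hex = format(now + self.nonce_lifetime, "08x")
        return expires_hex + self._mac(expires_hex)

    def check_nonce(self, nonce, now):
        """Classify a nonce echoed by the client: 'ok', 'stale' or 'invalid'."""
        expires_hex, mac = nonce[:8], nonce[8:]
        try:
            expires = int(expires_hex, 16)
        except ValueError:
            return "invalid"
        # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
        if not hmac.compare_digest(mac.encode(), self._mac(expires_hex).encode()):
            return "invalid"
        return "ok" if now <= expires else "stale"

def register_via(challenger, verifier, now=1_000_000):
    """REGISTER challenged by one server, retried with credentials at another."""
    nonce = challenger.issue_nonce(now)
    return verifier.check_nonce(nonce, now + 1)

# Constructed secrets and server names for illustration only.
alpha1 = SipAuthServer("alpha1", b"constructed-secret-A")
alpha2_own_secret = SipAuthServer("alpha2", b"constructed-secret-B")
alpha2_shared_secret = SipAuthServer("alpha2", b"constructed-secret-A")

if __name__ == "__main__":
    print("same server:      ", register_via(alpha1, alpha1))
    print("different secrets:", register_via(alpha1, alpha2_own_secret))
    print("shared secret:    ", register_via(alpha1, alpha2_shared_secret))
```

In this model a shared secret lets any server validate a nonce issued by its peer, but the expiry check then depends on the servers' clocks agreeing.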




