[SR-Users] Multiple SIP-servers with SRV-records and authentication secrets

James Cloos cloos at jhcloos.com
Mon Apr 4 01:37:59 CEST 2016


>>>>> "AH" == Alfred E Heggestad <aeh at db.org> writes:

AH> 1. Multiple SIP-servers are deployed for the same domain

AH> 2. The DNS is configured with SRV-records for load balancing,
AH>    example: (let's call the domain "example.com")

AH> 3. when a SIP client registers, it resolves the domain using RFC3263 [1]
AH>    and the first REGISTER request is sent to SIP-Server #1

AH> 4. SIP-server #1 replies with 401 containing the authentication challenge

AH> 5. The SIP Client adds the authentication header to the REGISTER
AH>    request and re-sends it, but this time also using RFC 3263, and due
AH>    to DNS rotation the request is sent to SIP-Server #2

AH> 6. Now, because the SIP-Servers are configured with _different_
AH>    secrets in the "auth" module [2], the REGISTER request
AH>    fails with authentication error.

I don't see how that can ever work.

Every uac I've used took a single name/passwd tuple for a given target.

Does blink do something different?  How can you specify that it should
use different credentials depending on which srv target it happens to
follow?

In every scenario I've looked at, all of the load-balanced backend
servers have to have a shared credential store of some sort, such as
a replicated sql or ldap cluster, to hold the users' creds, so the
digest (in sip's case) should work on any backend server.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
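
A simplified model of steps 3 to 6 quoted above, added here as an illustration and not taken from the thread or from any SIP server's code. It assumes the secret in step 6 is the key each server uses to mint and verify its own stateless nonces; the names `SipServer`, `register_via_srv` and `NONCE_TTL`, the nonce layout and the use of HMAC-SHA256 are hypothetical choices for the sketch.

```python
import hashlib
import hmac
import time

NONCE_TTL = 300  # seconds a challenge stays valid (assumed value)


class SipServer:
    """Toy registrar that issues and checks stateless digest nonces."""

    def __init__(self, name, nonce_secret):
        self.name = name
        self.nonce_secret = nonce_secret

    def _mac(self, expires):
        digest = hmac.new(self.nonce_secret, str(expires).encode(), hashlib.sha256)
        return digest.hexdigest()[:32]

    def challenge(self, now=None):
        """Build the nonce sent in the 401: expiry time plus a keyed MAC over it."""
        expires = int(time.time() if now is None else now) + NONCE_TTL
        return f"{expires:x}.{self._mac(expires)}"

    def check_nonce(self, nonce, now=None):
        """Return 'ok', 'stale' or 'invalid' for a nonce echoed back by a client."""
        now = int(time.time() if now is None else now)
        try:
            expires_hex, mac = nonce.split(".", 1)
            expires = int(expires_hex, 16)
        except ValueError:
            return "invalid"  # malformed nonce
        if not hmac.compare_digest(mac.encode(), self._mac(expires).encode()):
            return "invalid"  # not minted with this server's secret
        return "ok" if now <= expires else "stale"


def register_via_srv(first, second, now=1_000_000):
    """Steps 3-5: the 401 comes from one SRV target, the retry reaches another."""
    nonce = first.challenge(now)
    return second.check_nonce(nonce, now + 1)


# Constructed secrets, for illustration only.
srv1 = SipServer("sip1", b"secret-A")
srv2_different = SipServer("sip2", b"secret-B")
srv2_shared = SipServer("sip2", b"secret-A")

if __name__ == "__main__":
    print("different secrets:", register_via_srv(srv1, srv2_different))
    print("shared secret:    ", register_via_srv(srv1, srv2_shared))
```

In this model the retry is rejected before the user's password is ever checked, so the nonce key has to be shared across the SRV targets in addition to the credential store.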


