[SR-Users] Multiple SIP-servers with SRV-records and authentication secrets

Olle E. Johansson oej at edvina.net
Mon Apr 4 10:27:30 CEST 2016


> On 03 Apr 2016, at 18:09, Alfred E. Heggestad <aeh at db.org> wrote:
> 
> Dear SIP-experts and DNS-SRV gurus;
> 
> 
> I have some questions to the deployers of SER/Kamailio and
> best current practice for multiple SIP-servers with SRV-records
> and authentication. This is not a question about Kamailio itself
> but rather experience with deployment of it in the field.
> 
> 
> The current usecase is:
> 
> 1. Multiple SIP-servers are deployed for the same domain
> 
> 2. The DNS is configured with SRV-records for load balancing,
>   example: (lets call the domain "example.com")
> 
>   $ host -t SRV _sip._udp.example.com
>   _sip._udp.example.com has SRV record 20 0 5080 alpha1.example.com.
>   _sip._udp.example.com has SRV record 20 0 5080 alpha2.example.com.
> 
> 3. when a SIP client registers, it resolves the domain using RFC3263 [1]
>   and the first REGISTER request is sent to SIP-Server #1
> 
> 4. SIP-server #1 replies with 401 containing the authentication challenge
> 
> 5. The SIP Client adds the authentication header to the REGISTER
>   request and re-sends it, but this time also using RFC 3263, and due
>   to DNS rotation the request is sent to SIP-Server #2
> 
> 6. Now, because the SIP-Servers are configured with _different_
>   secrets in the "auth" module [2], the REGISTER request
>   fails with authentication error.
> 
> 
> 
> Now, I know that it is common for SIP user-agents to send both requests
> to the same SIP-server instance. Baresip [3] is not doing that, it does
> a new RFC 3263 lookup for all requests (except e2e ACK/CANCEL).
> 
> 
> so here are my questions:
> 
> - What is common practice in the field, to configure auth module
>  with the same "secret" or different "secret" values?
Within the same realm the user has the same credentials. As long as
you have the same realm, one user name should NOT have different
secrets. If the two servers have different secrets for the same user, the
realm should be different.
I am not sure if there’s a document stating that every server in the same
realm has to handle the same set of nonces, i.e. accept an authentication
based on a nonce from another server, but in my world that follows
the idea of a realm.

> 
> - Do you know if there is any reference to IETF documents about how
>  this should be handled? RFC 3263 says that every request should be
>  resolved, except:
> 
>  "The procedures here MUST be done exactly once per transaction, where
>   transaction is as defined in [1].  That is, once a SIP server has
>   successfully been contacted (success is defined below), all
>   retransmissions of the SIP request and the ACK for non-2xx SIP
>   responses to INVITE MUST be sent to the same host.  Furthermore, a
>   CANCEL for a particular SIP request MUST be sent to the same SIP
>   server that the SIP request was delivered to.”

I think many developers are confused about REGISTER. It does not
create a dialog but some software handles it like one. It’s easy to
fall into a trap thinking about REGISTER as a dialog.

> 
> - What is common practice for SIP user-agents to do in this case?
Not many does what baresip does, which I think is correct. In Kamailio
multiple servers can handle the same nonce, so this behaviour works
very well with multiple Kamailios .

/O
> 
> 
> 
> 
> 
> 
> /alfred
> 
> [1] https://tools.ietf.org/html/rfc3263#section-4.4
> 
> [2] http://www.kamailio.org/docs/modules/3.4.x/modules/auth.html#auth.secret
> 
> [3] https://github.com/alfredh/baresip/issues/39
> 
> 
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users




More information about the sr-users mailing list