[SR-Users] [VoLTE] 401 unauthorized error

Yuriy Gorlichenko ovoshlook at gmail.com
Tue Aug 24 14:37:20 CEST 2021


I do not remember, to be honest, if IMS supports basic MD5 auth algorithms.
You need to go through the specs about the algorithms supported. Also try to
look into the docs of the Kamailio IMS modules to see which algorithms they
implement. If you find one which satisfies your device for negotiation, then
just use it. If not, try to update your client to support one of the proper
algorithms.

On Tue, 24 Aug 2021, 10:45 오택경, <ohtk at kaist.ac.kr> wrote:

> Thank you for your help!
>
> I looked into the UE's IMS register request as you told me (the content
> of the request is shown below).
>
> In my understanding, my UE can support only two algorithms: hmac-sha1-96 and
> hmac-md5-96.
>
> But fhoss cannot support the above auth algorithms (fhoss can support
> digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5,
> early-ims-security, nass-bundled and sip digest).
>
> What algorithm should I switch to for authentication in fhoss? Or do I
> have to change the UE device (smartphone) for auth?
>
> Many thanks,
> Taekkyung Oh.
>
> *<IMS register request from the UE>*
> *Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits)
> on interface 0*
> *Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst:
> 02:42:ac:16:00:06 (02:42:ac:16:00:06)*
> *Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6*
> *User Datagram Protocol, Src Port: 2152, Dst Port: 2152*
> *GPRS Tunneling Protocol*
> *Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21*
> *Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021,
> Ack: 1, Len: 750*
> *[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]*
> *Session Initiation Protocol (REGISTER)*
> *    Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0*
> *        Method: REGISTER*
> *        Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org*
> *            Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org*
> *        [Resent Packet: False]*
> *    Message Header*
> *        To: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>*
> *            SIP to address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org*
> *                SIP to address User Part: 001010000031094*
> *                SIP to address Host Part: ims.mnc001.mcc001.3gppnetwork.org*
> *        From: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>;tag=qyecbkJ*
> *            SIP from address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org*
> *                SIP from address User Part: 001010000031094*
> *                SIP from address Host Part: ims.mnc001.mcc001.3gppnetwork.org*
> *            SIP from tag: qyecbkJ*
> *        Contact: <sip:001010000031094@192.168.101.3:5060>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"*
> *            Contact URI: sip:001010000031094@192.168.101.3:5060*
> *                Contact URI User Part: 001010000031094*
> *                Contact URI Host Part: 192.168.101.3*
> *                Contact URI Host Port: 5060*
> *            Contact parameter:
> +sip.instance="<urn:gsma:imei:86355804-632692-0>"*
> *            Contact parameter: +g.3gpp.accesstype="cellular2"*
> *            Contact parameter: audio*
> *            Contact parameter: video*
> *            Contact parameter: +g.3gpp.smsip*
> *            Contact parameter:
> +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n*
> *        Expires: 600000*
> *        P-Access-Network-Info:
> 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01*
> *            access-type: 3GPP-E-UTRAN-FDD*
> *            utran-cell-id-3gpp: 0010100010019B01*
> *        Supported: path,sec-agree*
> *        Allow:
> INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER*
> *        Require: sec-agree*
> *        Proxy-Require: sec-agree*
> *         [truncated]Security-Client:
> ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664*
> *            [Security-mechanism]: ipsec-3gpp*
> *            alg: hmac-sha-1-96*
> *            prot: esp*
> *            mod=trans*
> *            ealg: des-ede3-cbc*
> *            spi-c: 10559690 (0x00a120ca)*
> *            spi-s: 65664952 (0x03e9f7b8)*
> *            port-c: 31112*
> *            port-s: 31803*
> *            [Security-mechanism]: ipsec-3gpp*
> *            alg: hmac-sha-1-96*
> *            prot: esp*
> *            mod=trans*
> *            ealg: aes-cbc*
> *            spi-c: 10559690 (0x00a120ca)*
> *            spi-s: 65664952 (0x03e9f7b8)*
> *            port-c: 31112*
> *            port-s: 31803*
> *            [Security-mechanism]: ipsec-3gpp*
> *            alg: hmac-sha-1-96*
> *            prot: esp*
> *            mod=trans*
> *            ealg: null*
> *            spi-c: 10559690 (0x00a120ca)*
> *            spi-s: 65664952 (0x03e9f7b8)*
> *            port-c: 31112*
> *            port-s: 31803*
> *            [Security-mechanism]: ipsec-3gpp*
> *            alg: hmac-md5-96*
> *            prot: esp*
> *            mod=trans*
> *            ealg: des-ede3-cbc*
> *            spi-c: 10559690 (0x00a120ca)*
> *            spi-s: 65664952 (0x03e9f7b8)*
> *            port-c: 31112*
> *            port-s: 31803*
> *            [Security-mechanism]: ipsec-3gpp*
> *            alg: hmac-md5-96*
> *            prot: esp*
> *            mod=trans*
> *            ealg: aes-cbc*
> *            spi-c: 10559690 (0x00a120ca)*
> *            spi-s: 65664952 (0x03e9f7b8)*
> *            port-c: 31112*
> *            port-s: 31803*
> *            [Security-mechanism]: ipsec-3gpp*
> *            alg: hmac-md5-96*
> *            prot: esp*
> *            mod=trans*
> *            ealg: null*
> *            spi-c: 10559690 (0x00a120ca)*
> *            spi-s: 65664952 (0x03e9f7b8)*
> *            port-c: 31112*
> *            port-s: 31803*
> *        Authorization: Digest username="001010000031094@ims.mnc001.mcc001.3gppnetwork.org",realm="ims.mnc001.mcc001.3gppnetwork.org",uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""*
> *            Authentication Scheme: Digest*
> *            Username: "001010000031094@ims.mnc001.mcc001.3gppnetwork.org"*
> *            Realm: "ims.mnc001.mcc001.3gppnetwork.org"*
> *            Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org"*
> *            Nonce Value: ""*
> *            Digest Authentication Response: ""*
> *        Call-ID: txecbknlk@192.168.101.3*
> *        CSeq: 1 REGISTER*
> *            Sequence Number: 1*
> *            Method: REGISTER*
> *        Max-Forwards: 70*
> *        Via: SIP/2.0/TCP
> 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport*
> *            Transport: TCP*
> *            Sent-by Address: 192.168.101.3*
> *            Sent-by port: 5060*
> *            Branch: z9hG4bKrzecbkJzsat7Xk6daqm5*
> *            RPort: rport*
> *        User-Agent: IM-client/OMA1.0 HW-Rto/V1.0*
> *        Content-Length: 0*
>
>
>
>
> -----Original Message-----
> From: "Yuriy Gorlichenko" <ovoshlook at gmail.com>
> To: "Kamailio (SER) - Users Mailing List" <sr-users at lists.kamailio.org>;
> Cc:
> Sent: 2021-08-24 (Tue) 05:55:26 (UTC+09:00)
> Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error
>
>
> Hi, 401 is a normal response for SIP auth.
> It is also a normal response for the IMS service.
> Look into the SIP basic auth mechanism to clarify what is going on here, and
> additionally look into the spec of IMS auth. There should be only an auth algo
> change.
> I believe you did not check further request processing.
> On Mon, 23 Aug 2021, 18:19 오택경, <ohtk at kaist.ac.kr> wrote:
>
> Hi.
>
> I am implementing the VoLTE setup with the dockerized project (
> https://github.com/herlesupreeth/docker_open5gs).
>
> I am almost done running the VoLTE service, but a 401 unauthorized error in
> SIP and an auth-pending error in fhoss have occurred.
>
> How can I fix this problem?
>
> I will share the discussion note in which I tried to solve some problems
> including the above one.
> : https://github.com/herlesupreeth/docker_open5gs/issues/55
>
> Many thanks,
> Taekkyung Oh.
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>   * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to
> the sender!
> Edit mailing list options or unsubscribe:
>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
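
Added example (not part of the original thread or of Kamailio): the `alg` and `ealg` parameters in the Security-Client header quoted above (RFC 3329, mechanism ipsec-3gpp) name the ESP integrity and encryption algorithms the UE offers, while the Digest algorithm is a separate parameter of the Authorization/WWW-Authenticate headers. The sketch below parses such a header and triages the offers; the policy sets and function names are assumptions, and the sample value is constructed from the six dissected mechanisms in the capture.

```python
# Added example: parse an RFC 3329 Security-Client value and triage its
# ipsec-3gpp offers. SAMPLE is constructed from the six dissected
# mechanisms in the capture (the raw header line is truncated there).

# Assumption: a local policy, not a 3GPP or Kamailio list.
DISFAVOURED_EALG = {"null": "ESP without encryption",
                    "des-ede3-cbc": "3DES encryption"}
DISFAVOURED_ALG = {"hmac-md5-96": "MD5-based integrity"}

def _offer(alg, ealg):
    return ("ipsec-3gpp;alg=%s;prot=esp;mod=trans;ealg=%s;spi-c=10559690;"
            "spi-s=65664952;port-c=31112;port-s=31803" % (alg, ealg))

SAMPLE = ",".join(_offer(a, e)
                  for a in ("hmac-sha-1-96", "hmac-md5-96")
                  for e in ("des-ede3-cbc", "aes-cbc", "null"))

def parse_security_client(value):
    """Split the header value into one dict per offered mechanism."""
    offers = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts:
            continue
        offer = {"mechanism": parts[0].lower()}
        for param in parts[1:]:
            name, _, val = param.partition("=")
            offer[name.strip().lower()] = val.strip().strip('"').lower()
        offers.append(offer)
    return offers

def triage(offers):
    """Return (index, alg, ealg, [reasons]) per offer; no reasons = acceptable."""
    rows = []
    for i, o in enumerate(offers):
        ealg = o.get("ealg", "null")  # assumption: a missing ealg means null
        reasons = [DISFAVOURED_ALG[o["alg"]]] if o.get("alg") in DISFAVOURED_ALG else []
        if ealg in DISFAVOURED_EALG:
            reasons.append(DISFAVOURED_EALG[ealg])
        rows.append((i, o.get("alg"), ealg, reasons))
    return rows

def acceptable(offers):
    """Indexes of offers that pass the policy above."""
    return [i for i, _, _, reasons in triage(offers) if not reasons]

if __name__ == "__main__":
    for row in triage(parse_security_client(SAMPLE)):
        print(row)
    print("acceptable offers:", acceptable(parse_security_client(SAMPLE)))
```

With the capture's offers, only the hmac-sha-1-96 / aes-cbc combination passes this example policy.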