[Kamailio-Users] Firewall and auth
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Jun 15 15:55:54 CEST 2009
Andreas Granig schrieb:
> Hi all,
>
> I just tried a setup like
>
> [UA] --> [pub][Firewall][priv] --> [priv][Kam]
>
> where the Firewall maps the public IP reachable by UAs to a private IP
> where Kamailio is listening. If I run sipsak on the Kamailio-machine, I
> can register fine, but as soon as the request goes via Firewall,
> authentication stops working.
>
> So how does the IP of Kamailio actually influence authentication? Do I
> have to set something special on Kamailio to make this work?
>
> Here's the Register after a 401 and the resulting 401 again, and it
> looks pretty well to me (1.2.3.4 is the public Firewall IP, which is
> configured as outbound proxy on the UA, 172.17.10.50 is the private
> Kamailio-IP and is also used as domain for user sipwise1, which is
> trying to register). Trace is taken on client-side, but looks the same
> on the Kamailio server (NAT seems to be handled fine):
>
> U 192.168.123.150:50600 -> 1.2.3.4:5060
> REGISTER sip:1.2.3.4 SIP/2.0.
> Via: SIP/2.0/UDP 192.168.123.150:50600;rport;branch=z9hG4bK906580090.
> From: <sip:sipwise1 at 172.17.10.50>;tag=1631756043.
> To: <sip:sipwise1 at 172.17.10.50>.
> Call-ID: 1235449552.
> CSeq: 4 REGISTER.
> Contact: <sip:sipwise1 at 192.168.123.150:50600;line=e779ddd40d3251b>.
> Authorization: Digest username="sipwise1", realm="172.17.10.50",
> nonce="4a06e2820000000a80c173db2d166fedb7d8d1e933c97855",
> uri="sip:1.2.3.4", response="de645a701a7c507c47a5278923bce54b",
> algorithm=MD5.
> Max-Forwards: 70.
> User-Agent: Linphone/2.1.1 (eXosip2/3.1.0).
> Expires: 900.
> Content-Length: 0.
>
> U 1.2.3.4:5060 -> 192.168.123.150:50600
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP
> 192.168.123.150:50600;rport=50600;branch=z9hG4bK906580090;received=213.47.175.165.
> From: <sip:sipwise1 at 172.17.10.50>;tag=1631756043.
> To: <sip:sipwise1 at 172.17.10.50>;tag=a49efde55ae28efd11dc5969af09c5db.b607.
> Call-ID: 1235449552.
> CSeq: 4 REGISTER.
> WWW-Authenticate: Digest realm="172.17.10.50",
> nonce="4a06e2820000000b2bd307dd3e71c80e3d6549ccc2b28269".
> Server: Sipwise registrar.
> Content-Length: 0.
>
> So the only thing referring to the public Firewall IP is in the R-Uri of
> the registration and in the Authorization-uri-token. Is this token also
> used to calculate the auth hashes somehow?
Yes, the uri="" parameter is also used for calculation of the response.
So, if this gets changed then there will be a problem.
Further, the proxy should compare the RURI with the uri="" parameter to
detect man-in-the-middle attacks. AFAIK this is not done in the code,
but needs to be done in the config.
regards
klaus
> Username looks fine in the Authorization header, and so does Realm. Any
> ideas?
>
> Andreas
>
> _______________________________________________
> Kamailio (OpenSER) - Users mailing list
> Users at lists.kamailio.org
> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
More information about the Users
mailing list