[OpenSIPS-Users] Multi-domain and reinvite authentications

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Nov 17 10:37:18 CET 2009


Hi Iñaki,

Iñaki Baz Castillo wrote:
> On Monday, 16 November 2009, Bogdan-Andrei Iancu wrote:
>   
>> Hi Iñaki,
>>
>> I'm not sure a proxy needs to keep any dialog persistent info in order
>> to auth sequential requests - what it needs is a valid FROM uri (which
>> does not change during the dialog).
>>
>> IMO, a proxy, receiving a request (initial or sequential) with a FROM
>> header pointing to one of the local SIP domains, should perform auth -
>> shortly, if the caller is a local subscriber, authenticate him - again,
>> only the FROM hdr is sufficient.
>>     
>
> Hi Bogdan, please let me talk about a *real* example (I issued it) in which 
> asking for auth for in-dialog requests is not so easy:
>
>
> - Alice and Bob with auth users as "alice" and "bob".
> - Domain = "domain.org".
> - Bob has an alias 200 which becomes "bob" in the proxy.
> - Alice calls 200.
> - During the call, Bob (who received an initial INVITE with "To: 
> sip:200@domain.org") sends a re-INVITE and keeps the received To as From, so it 
> uses "From: sip:200@domain.org" rather than "From: sip:bob@domain.org".
> - The proxy asks for authentication so Bob regenerates the re-INVITE:
>     INVITE sip:alice@ip_alice SIP/2.0
>     From: sip:200@domain.org
>     WWW-Authorization: Digest username="bob" ...
> - So the proxy declines this authentication as the From username "200" is 
> different than the credentials username "bob" (check_from() function).
>
> And this behavior is really common in SIP phones (keeping the received "To" 
> as "From" in in-dialog requests).
>   
Yes, good example - you are right. It is not only about domains, but 
usernames also... This might be tricky - the proxy can simply apply the 
same transformations on the username (from the message) to find out the 
real user behind it (like 200 hides bob)... otherwise, indeed, some kind 
of dialog state will be required (either via RR or via dialog 
support).

Regards,
Bogdan

-- 
Bogdan-Andrei Iancu
www.voice-system.ro
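
The check discussed in this thread, as an added example that is not part of the original mail and is not OpenSIPS code: a Python model that compares the From username with the digest username, first literally and then after resolving the alias. The alias table, function names and sample messages are constructed assumptions, and the digest response itself is assumed to be verified elsewhere.

```python
import re

# Constructed data modelling the thread's scenario (hypothetical tables).
LOCAL_DOMAINS = {"domain.org"}
ALIASES = {("200", "domain.org"): "bob"}  # alias -> real subscriber

def parse_from_uri(headers):
    """Return (user, domain) taken from the From header's SIP URI."""
    m = re.search(r"^From:.*?sips?:([^@;>\s]+)@([^;>\s:]+)", headers, re.M | re.I)
    if not m:
        raise ValueError("no usable From URI")
    return m.group(1), m.group(2).lower()

def digest_username(headers):
    """Return the username parameter of the Digest credentials, or None."""
    m = re.search(r'^(?:Proxy-)?Authorization:\s*Digest\b.*?\busername="([^"]*)"',
                  headers, re.M | re.I)
    return m.group(1) if m else None

def naive_check(headers):
    """Literal comparison: From username must equal the credentials username."""
    user, _ = parse_from_uri(headers)
    return user == digest_username(headers)

def alias_aware_check(headers):
    """Resolve the From username through the alias table before comparing."""
    user, domain = parse_from_uri(headers)
    if domain not in LOCAL_DOMAINS:
        return False
    real_user = ALIASES.get((user, domain), user)
    cred = digest_username(headers)
    return cred is not None and real_user == cred

# Constructed re-INVITE from Bob, who kept the received To (200) as From.
REINVITE_BOB = ("INVITE sip:alice@192.0.2.10 SIP/2.0\n"
                "From: <sip:200@domain.org>;tag=b1\n"
                'Proxy-Authorization: Digest username="bob", realm="domain.org"\n')
# Constructed request where Bob's credentials accompany Alice's identity.
MISMATCH = ("INVITE sip:carol@192.0.2.20 SIP/2.0\n"
            "From: <sip:alice@domain.org>;tag=x9\n"
            'Proxy-Authorization: Digest username="bob", realm="domain.org"\n')

if __name__ == "__main__":
    for name, msg in (("re-INVITE from 200", REINVITE_BOB), ("mismatch", MISMATCH)):
        print(name, "naive:", naive_check(msg), "alias-aware:", alias_aware_check(msg))
```

The alias-aware check accepts Bob's re-INVITE without dialog state and still rejects credentials that do not belong to the From identity.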



