15 Jun
2009
15 Jun
'09
4:55 p.m.
Andreas Granig schrieb:
Hi all,
I just tried a setup like
[UA] --> [pub][Firewall][priv] --> [priv][Kam]
where the Firewall maps the public IP reachable by UAs to a private IP
where Kamailio is listening. If I run sipsak on the Kamailio-machine, I
can register fine, but as soon as the request goes via Firewall,
authentication stops working.
So how does the IP of Kamailio actually influence authentication? Do I
have to set something special on Kamailio to make this work?
Here's the Register after a 401 and the resulting 401 again, and it
looks pretty well to me (1.2.3.4 is the public Firewall IP, which is
configured as outbound proxy on the UA, 172.17.10.50 is the private
Kamailio-IP and is also used as domain for user sipwise1, which is
trying to register). Trace is taken on client-side, but looks the same
on the Kamailio server (NAT seems to be handled fine):
U 192.168.123.150:50600 -> 1.2.3.4:5060
REGISTER sip:1.2.3.4 SIP/2.0.
Via: SIP/2.0/UDP 192.168.123.150:50600;rport;branch=z9hG4bK906580090.
From: <sip:sipwise1@172.17.10.50>;tag=1631756043.
To: <sip:sipwise1@172.17.10.50>.
Call-ID: 1235449552.
CSeq: 4 REGISTER.
Contact: <sip:sipwise1@192.168.123.150:50600;line=e779ddd40d3251b>.
Authorization: Digest username="sipwise1", realm="172.17.10.50",
nonce="4a06e2820000000a80c173db2d166fedb7d8d1e933c97855",
uri="sip:1.2.3.4", response="de645a701a7c507c47a5278923bce54b",
algorithm=MD5.
Max-Forwards: 70.
User-Agent: Linphone/2.1.1 (eXosip2/3.1.0).
Expires: 900.
Content-Length: 0.
U 1.2.3.4:5060 -> 192.168.123.150:50600
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP
192.168.123.150:50600;rport=50600;branch=z9hG4bK906580090;received=213.47.175.165.
From: <sip:sipwise1@172.17.10.50>;tag=1631756043.
To: <sip:sipwise1@172.17.10.50>;tag=a49efde55ae28efd11dc5969af09c5db.b607.
Call-ID: 1235449552.
CSeq: 4 REGISTER.
WWW-Authenticate: Digest realm="172.17.10.50",
nonce="4a06e2820000000b2bd307dd3e71c80e3d6549ccc2b28269".
Server: Sipwise registrar.
Content-Length: 0.
So the only thing referring to the public Firewall IP is in the R-Uri of
the registration and in the Authorization-uri-token. Is this token also
used to calculate the auth hashes somehow?
Yes, the uri="" parameter is also used for calculation of the response.
So, if this gets changed then there will be a problem.
Further, the proxy should compare the RURI with the uri="" parameter to
detect man-in-the-middle attacks. AFAIK this is not done in the code,
but needs to be done in the config.
regards
klaus
Username looks fine in the Authorization header, and
so does Realm. Any
ideas?
Andreas
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users