4 Apr
2016
4 Apr
'16
8:51 a.m.
Hello,
are you using also a different realm per server? Because, iirc, the
username/password must be the same for a realm.
On the other hand, for many kamailio in a farm should not matter much,
because the relevant attribute in the 401 is the nonce. If you set the
secret for generating the nonce to be the same in the two servers and
use the mechanism with time interval validity for nonce (not one time
nonce), it should work, given that the time on the both servers is the
same (sync'ed).
Cheers,
Daniel
On 03/04/16 18:09, Alfred E. Heggestad wrote:
Dear SIP-experts and DNS-SRV gurus;
I have some questions to the deployers of SER/Kamailio and
best current practice for multiple SIP-servers with SRV-records
and authentication. This is not a question about Kamailio itself
but rather experience with deployment of it in the field.
The current usecase is:
1. Multiple SIP-servers are deployed for the same domain
2. The DNS is configured with SRV-records for load balancing,
example: (lets call the domain "example.com")
$ host -t SRV _sip._udp.example.com
_sip._udp.example.com has SRV record 20 0 5080 alpha1.example.com.
_sip._udp.example.com has SRV record 20 0 5080 alpha2.example.com.
3. when a SIP client registers, it resolves the domain using RFC3263 [1]
and the first REGISTER request is sent to SIP-Server #1
4. SIP-server #1 replies with 401 containing the authentication challenge
5. The SIP Client adds the authentication header to the REGISTER
request and re-sends it, but this time also using RFC 3263, and due
to DNS rotation the request is sent to SIP-Server #2
6. Now, because the SIP-Servers are configured with _different_
secrets in the "auth" module [2], the REGISTER request
fails with authentication error.
Now, I know that it is common for SIP user-agents to send both requests
to the same SIP-server instance. Baresip [3] is not doing that, it does
a new RFC 3263 lookup for all requests (except e2e ACK/CANCEL).
so here are my questions:
- What is common practice in the field, to configure auth module
with the same "secret" or different "secret" values?
- Do you know if there is any reference to IETF documents about how
this should be handled? RFC 3263 says that every request should be
resolved, except:
"The procedures here MUST be done exactly once per transaction, where
transaction is as defined in [1]. That is, once a SIP server has
successfully been contacted (success is defined below), all
retransmissions of the SIP request and the ACK for non-2xx SIP
responses to INVITE MUST be sent to the same host. Furthermore, a
CANCEL for a particular SIP request MUST be sent to the same SIP
server that the SIP request was delivered to."
- What is common practice for SIP user-agents to do in this case?
/alfred
[1] https://tools.ietf.org/html/rfc3263#section-4.4
[2]
http://www.kamailio.org/docs/modules/3.4.x/modules/auth.html#auth.secret
[3] https://github.com/alfredh/baresip/issues/39
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, Berlin, May 18-20, 2016 - http://www.kamailioworld.com