28 Aug
2012
28 Aug
'12
10:36 a.m.
On 24.08.2012 14:41, martian(a)centrum.sk wrote:
The Route and Record-route headers are identical.
From debug (when alias=domain.ch:5060):
----authentication of INVITE:
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>:
---------------------- In route(AUTH), just before
from_uri==myself ----------------------
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 &&
[domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 &&
[domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 &&
[domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 &&
[domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core>
[socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise
0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>:
---------------------- from_uri==myself evaluated as
TRUE!! ----------------------
Is this really a complete log? According to the log uri==myself should
return FALSE as the compared strings are never the same.
When I set alias=server.domain.ch:5060,
from_uri==myself returns false
(when determining if INVITE should be authenticated,resulting in
replying 100 trying instead of 407 Proxy Auth Req) and loose_route()
starts returning true and relays the ACK correctly.
I can post more debug from this case also, but I didn't want to spam so
much in one message.
If you would like to see it, please let me know.
So .. Shall I consider the loose_route() part fixed and assume that
there MUST be a full name (hostname.domain:port) in the alias, when
Kamailio is not used as a primary proxy for the domain?
No. It is rather simple: domain.ch is not identical to domain.ch:5060
(as the first URI results in NAPTR+SRV lookups and my use another port
than 5060).
Thus, if you want that Kamailio detects domain.ch as local domain, add
"alias=domain.ch". If you want that Kamailio detects domain.ch:5060 as
local domain add alias=domain.ch:5060 (not sure if quotes are needed here).
If you want that Kamailio accepts both domains as local domains, then
add both alias.
Regardind loose_route: As Daniel mentioned, the ACK is broken.
regards
Klaus
What about the from_uri==myself part?
Martin
______________________________________________________________
Od: "Klaus Darilion"
<klaus.mailinglists(a)pernau.at>
Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users
Mailing List" <sr-users(a)lists.sip-router.org>
Dátum: 23.08.2012 15:04
Predmet: Re: [SR-Users] Possible bug in authentication
CC: miconda(a)gmail.com
The Route URI (sent by SBC) must be identical to the Record-Route URI
(inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level.
loose_route uses the "ismyself" function to evaluate if the Route header
addresses this Kamailio server. And the "ismyself" is very verbose when
doing this check.
regards
Klaus
On 23.08.2012 13:51, martian(a)centrum.sk wrote:
Ok, so .. I have a session border controller
device that is a contact
point for my SIP domain (SRV record in DNS set to its IP). All the
trafic goes through it and it does things like topology hiding etc.. The
device forwards the INVITE messages to Kamailio, because of the routing.
The loose_route was working strangely, because it did not behave as
described in the documentation.
Here is the sip message that it was suppose to pass:
ACK sip:acc1@domain.ch:5060 SIP/2.0
Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013
Max-Forwards: 70
From: "acc2" <sip:acc2@domain.ch>;tag=1c1749458918
To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634
Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC>
CSeq: 2 ACK
Contact: <sip:acc2@domain.ch:5060>
Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on>
Supported: em,timer,replaces,path,resource-priority
Allow:
REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: SBC_DEVICE
Content-Length: 0
As you can see, there is a Route header and a To_tag .. so the
loose_route function should return true. But instead, it returned false,
then t_check_trans() also returned false and the routing logic exited
(exit;).
This happens when the value of alias is not enclosed in double quotes.
PS.: There is a "-" symbol in the domain name. Can't that be a problem
causing the need for the double quotes?
PS2: Should there be only a domain name in the alias? or also the
hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060
Martin
______________________________________________________________
wrote:
Od: "Daniel-Constantin Mierla"
<miconda(a)gmail.com>
Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
Users
Mailing List" <sr-users(a)lists.sip-router.org>
Dátum: 23.08.2012 12:21
Predmet: Re: [SR-Users] Possible bug in authentication
Hello,
On 8/23/12 11:54 AM, martian(a)centrum.sk <mailto:martian@centrum.sk>
Hello to everybody.
I am currently working with Kamailio 3.3.1 on RedHat.
The "loose_route" function was not working correctly and I observed
some very strange behaviour (not as one described in the
documentation of the function).
I have found that there needs to be a port included in the "alias"
variable for the loose_route function to work correctly.
However, upon adding the port to alias, the INVITE messages were no
longer authenticated (Kamailio just accepted them and didn't send
proxy-auth header in 407 message).
My alias:
alias="domain.ch:5060"
Examining default routing logic, I found the problem here:
if (is_method("REGISTER") || from_uri==myself)
{
# authenticate requests
...
}
The "from_uri==myself" was no longer evaluated as true, because
there was a port at the end of the alias.
The FROM Header of the INVITE messages looks like:
From: "acc1" <sip:acc1@domain.ch>;tag=12345
..so .. no port number there.
Btw, I have fixed this with replacing the "myself" list with my own
defined variable MY_DOMAIN.
#!define MY_DOMAIN ".*(a)domain.ch" <mailto:.*@domain.ch>
So now the condition looks like this:
if (is_method("REGISTER") || from_uri=~MY_DOMAIN)
{
...
}
I am not sure if this is a bug that needs to be fixed or not. I am
just pointing my finger at it and I hope it will contribute to the
development.
Also, a valid description of this behavior (when using port in
alias) would be appreciated.
if you enclose the value of the alias parameter in double quotes, then
it is taken as string value. If you want to set it to a host:port, then
remove the double quotes:
alias=domain.ch:5060
Why do you say the loose_route() was working strangely? Do you add the
hostname as record-route, not the IP address? Detail more about what you
think is wrong with record routing/loose routing.
Cheers,
Daniel
-- Daniel-Constantin Mierla
-http://www.asipto.comhttp://twitter.com/#
<http://www.asipto.comhttp//twitter.com/>!/miconda
-http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin,
Nov 5-8, 2012 -http://asipto.com/u/kat
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users