3 Apr
2016
3 Apr
'16
12:09 p.m.
Dear SIP-experts and DNS-SRV gurus;
I have some questions to the deployers of SER/Kamailio and
best current practice for multiple SIP-servers with SRV-records
and authentication. This is not a question about Kamailio itself
but rather experience with deployment of it in the field.
The current usecase is:
1. Multiple SIP-servers are deployed for the same domain
2. The DNS is configured with SRV-records for load balancing,
example: (lets call the domain "example.com")
$ host -t SRV _sip._udp.example.com
_sip._udp.example.com has SRV record 20 0 5080 alpha1.example.com.
_sip._udp.example.com has SRV record 20 0 5080 alpha2.example.com.
3. when a SIP client registers, it resolves the domain using RFC3263 [1]
and the first REGISTER request is sent to SIP-Server #1
4. SIP-server #1 replies with 401 containing the authentication challenge
5. The SIP Client adds the authentication header to the REGISTER
request and re-sends it, but this time also using RFC 3263, and due
to DNS rotation the request is sent to SIP-Server #2
6. Now, because the SIP-Servers are configured with _different_
secrets in the "auth" module [2], the REGISTER request
fails with authentication error.
Now, I know that it is common for SIP user-agents to send both requests
to the same SIP-server instance. Baresip [3] is not doing that, it does
a new RFC 3263 lookup for all requests (except e2e ACK/CANCEL).
so here are my questions:
- What is common practice in the field, to configure auth module
with the same "secret" or different "secret" values?
- Do you know if there is any reference to IETF documents about how
this should be handled? RFC 3263 says that every request should be
resolved, except:
"The procedures here MUST be done exactly once per transaction, where
transaction is as defined in [1]. That is, once a SIP server has
successfully been contacted (success is defined below), all
retransmissions of the SIP request and the ACK for non-2xx SIP
responses to INVITE MUST be sent to the same host. Furthermore, a
CANCEL for a particular SIP request MUST be sent to the same SIP
server that the SIP request was delivered to."
- What is common practice for SIP user-agents to do in this case?
/alfred
[1] https://tools.ietf.org/html/rfc3263#section-4.4
[2] http://www.kamailio.org/docs/modules/3.4.x/modules/auth.html#auth.secret
[3] https://github.com/alfredh/baresip/issues/39