Thank you so much for the prompt and thorough replies.
Of the two options you offered I think that configuring my caching DNS server
looks about the best. There exists a small possibility that the IP address
could change and not refresh the name server before a request to the
registrar is launched.
The ideal solution would be convincing Callcentric to not use round robin
selection.
Thanks again
Rob D
On Sunday 07 October 2007, Christian Schlatter wrote:
Robert Dyck wrote:
> I had already tried configuring the UA with the address of one of the
> servers ( both IP and domain name ) as well as altering the openser
> config to force the address. The peculiar thing there is that the
> registrar does not challenge or even respond at all. It would seem that
> it ignores REGISTER requests that do not have callcentric.com as the
> domain name and realm.
Yes, that seems to be the case.
> The UA can register with this provider without difficulty when the UA is
> configured to use STUN and no outgoing proxy. The UA does not do a second
> DNS lookup. It simply uses the same address for both requests.
Ok, the credentials seem to be fine.
> When the UA receives the challenge does it not use the received nonce to
> encrypt its credentials? I have to admit my knowledge of that subject is
> shaky. And would this not have to be delivered to the same server that
> sent the nonce?
You are right, although the nonce is included in the response to a
challenge, the registrar obviously has to make sure that it matches the
one sent in the challenge. Otherwise replay attacks would be easily
possible.
So the problem boils down to the fact that your SIP provider is using
round-robin DNS instead of NAPTR/SRV. This causes your openser to send
the requests to different hosts.
The trace you sent me indicates that you're using a local DNS cache
server. One option would be to configure this server not to do
round-robin for "callcentric.com". E.g. with BIND this can be achieved
by adding

options {
        // Hand out the A records for this name in a fixed order, so every
        // lookup returns the same first address instead of rotating.
        // (In BIND 9 "order fixed" is only available when the server was
        // built with --enable-fixed-rrset.)
        rrset-order {
                name "callcentric.com" order fixed;
        };
};

The callcentric.com DNS record has a TTL of 30 minutes, so the target IP
address could potentially change every 30 minutes.
Another option would be to hard-code the target IP address for REGISTER
requests in the openser config, like

# Pin REGISTER requests for the provider's domain ($rd = Request-URI
# domain) to one registrar so the challenge and the authenticated
# retry always reach the same host.
if (is_method("REGISTER") && ($rd == "callcentric.com")) {
        t_relay("udp:204.11.192.22:5060");
        # stop here; do not fall through to the normal relay below
        exit;
}

which has the disadvantage that an IP change for callcentric.com would
disable the callcentric registration service.
/Christian
> On Saturday 06 October 2007, you wrote:
>> Robert Dyck wrote:
>>> I am more familiar with ethereal. I hope that is OK. Also I have not
>>> edited the dumps so I am sending them privately. Attached are brief and
>>> detailed dumps from ethereal.
>>
>> Your SIP provider is using DNS round-robin which is why openser is
>> forwarding the requests to different IP addresses. This is the first
>> provider I see that is doing DNS RR, this is rather unusual and not what
>> is described by the SIP RFCs.
>>
>> Nevertheless, I still believe that your problem is related to wrong
>> credentials. Both provider registrars should accept your REGISTER with
>> Proxy-Auth header.
>>
>> You could also configure your SIP client with 204.11.192.22 instead of
>> the provider's hostname, this will disable DNS RR and let openser
>> forward the request always to the same host.
>>
>> /Christian
>>
>>> On Saturday 06 October 2007, you wrote:
>>>> Robert Dyck wrote:
>>>>> The second registrar does not send an error code, it simply issues
>>>>> its own challenge. Openser is definitely alternating between
>>>>> registrars. It does not send the credentials to the same registrar
>>>>> that requested them.
>>>>>
>>>>> I could send a trace if it would be helpful.
>>>>
>>>> Yes, that would be helpful, I'd also like to have a look at the DNS
>>>> traffic. Can you do
>>>>
>>>> tcpdump -i any -s 1500 -w /tmp/trace.pcap
>>>>
>>>> /Christian
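The failure mode Christian describes above (a Digest challenge answered to a different registrar behind round-robin DNS, which then just re-challenges, versus the same exchange against a pinned address) can be reproduced offline. The following is an added example written for this page, not code from the thread, openser or Callcentric. Every realm, address and credential in it is constructed: `example.invalid`, the RFC 5737 test addresses and the `alice` / `s3cret` login are placeholders, and the registrars are a simulation of per-host nonce checking with RFC 2617 MD5 digest, no qop. It also goes one step beyond the thread by showing the replay check that makes nonce matching necessary in the first place.

```python
"""SIP Digest REGISTER against two registrars behind round-robin DNS.

Added example for this page, not from the thread. All names, addresses
and credentials are constructed (RFC 5737 test IPs, example.invalid realm).
"""
import hashlib
import itertools
import secrets

REALM = "example.invalid"                          # constructed provider realm
REGISTRAR_IPS = ["198.51.100.1", "198.51.100.2"]   # constructed A records
USERS = {"alice": "s3cret"}                        # constructed credentials


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response for algorithm=MD5 without qop."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """One registrar host. Nonces live only on the host that issued them, so a
    response built from another host's nonce is unknown here and gets a new
    challenge, exactly what the trace in the thread showed."""

    def __init__(self, ip, realm, users):
        self.ip, self.realm, self.users = ip, realm, users
        self.outstanding = set()          # nonces issued here and not yet used

    def challenge(self, stale=False):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"status": 401, "realm": self.realm, "nonce": nonce, "stale": stale}

    def handle_register(self, req):
        auth = req.get("Authorization")
        if auth is None:
            return self.challenge()
        if auth["nonce"] not in self.outstanding:
            return self.challenge(stale=True)      # not ours or already used
        self.outstanding.discard(auth["nonce"])    # one-shot: defeats replay
        password = self.users.get(auth["username"])
        if password is None:
            return {"status": 403}
        expected = digest_response(auth["username"], self.realm, password,
                                   req["method"], req["uri"], auth["nonce"])
        return {"status": 200 if expected == auth["response"] else 403}


class RoundRobinDNS:
    """Rotates through the A records, one per lookup (the provider's setup)."""
    def __init__(self, ips):
        self._cycle = itertools.cycle(ips)

    def resolve(self, name):
        return next(self._cycle)


class FixedDNS:
    """Always returns the first record (BIND 'order fixed' or a hard-coded IP)."""
    def __init__(self, ips):
        self._ip = ips[0]

    def resolve(self, name):
        return self._ip


def make_network():
    return {ip: Registrar(ip, REALM, USERS) for ip in REGISTRAR_IPS}


def register(resolver, network, user, password, max_requests=4):
    """Proxy that re-resolves the registrar for every request, as openser did.
    Returns (final status, requests sent)."""
    req = {"method": "REGISTER", "uri": f"sip:{REALM}"}
    status = None
    for sent in range(1, max_requests + 1):
        resp = network[resolver.resolve(REALM)].handle_register(req)
        status = resp["status"]
        if status != 401:
            return status, sent
        req = dict(req, Authorization={           # answer this host's nonce
            "username": user, "realm": resp["realm"], "nonce": resp["nonce"],
            "uri": req["uri"],
            "response": digest_response(user, resp["realm"], password,
                                        req["method"], req["uri"], resp["nonce"])})
    return status, max_requests


def replay_is_rejected():
    """Resend an already accepted REGISTER to the same host: must not be a 200."""
    reg = Registrar(REGISTRAR_IPS[0], REALM, USERS)
    uri = f"sip:{REALM}"
    chal = reg.handle_register({"method": "REGISTER", "uri": uri})
    req = {"method": "REGISTER", "uri": uri, "Authorization": {
        "username": "alice", "realm": REALM, "nonce": chal["nonce"], "uri": uri,
        "response": digest_response("alice", REALM, "s3cret", "REGISTER", uri, chal["nonce"])}}
    first = reg.handle_register(req)["status"]
    second = reg.handle_register(req)["status"]
    return first == 200 and second == 401


if __name__ == "__main__":
    print("round-robin:", register(RoundRobinDNS(REGISTRAR_IPS), make_network(), "alice", "s3cret"))
    print("pinned:     ", register(FixedDNS(REGISTRAR_IPS), make_network(), "alice", "s3cret"))
    print("replay rejected:", replay_is_rejected())
```

With the rotating resolver the proxy never gets past 401: each authenticated retry lands on the host that did not issue the nonce, which answers with a fresh challenge, and the loop only ends at the request cap. With the pinned resolver the second request carries the right nonce to the right host and gets 200. A real registrar would also bound the nonce lifetime and may allow limited reuse with a nonce count, which this simulation leaves out.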