I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
The second registrar does not send an error code, it simply issues its own challenge. Openser is definitely alternating between registrars. It does not send the credentials to the same registrar that requested them.
I could send a trace if it would be helpful.
Yes, that would be helpful, I'd also like to have a look at the DNS traffic. Can you do
tcpdump -i any -s 1500 -w /tmp/trace.pcap
/Christian
Robert Dyck wrote:
I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
Yes, that seems to be the case.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
Ok, the credentials seem to be fine.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
You are right, although the nonce is included in the response to a challenge, the registrar obviously has to make sure that it matches the one sent in the challenge. Otherwise replay attacks would be easily possible.
So the problem boils down to the fact that your SIP provider is using round-robin DNS instead of NAPTR/SRV. This causes your openser to send the requests to different hosts.
The trace you sent me indicates that you're using a local DNS cache server. One option would be to configure this server to not to do round-robin for "callcentric.com". E.g. with BIND this can be achieved by adding
options { rrset-order { name "callcentric.com" order fixed; }; }
The callcentric.com DNS record has a TTL of 30 minutes, so the target IP address could potentially change every 30 minutes.
Another option would be to hard-code the target IP address for REGISTER requests in the openser config, like
if (is_method("REGISTER") && ($rd == "callcentric.com")) { t_relay("udp:204.11.192.22:5060"); }
which has the disadvantage that an IP change for callcentric.com would disable the callcentric registration service.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
The second registrar does not send an error code, it simply issues its own challenge. Openser is definitely alternating between registrars. It does not send the credentials to the same registrar that requested them.
I could send a trace if it would be helpful.
Yes, that would be helpful, I'd also like to have a look at the DNS traffic. Can you do
tcpdump -i any -s 1500 -w /tmp/trace.pcap
/Christian
Thank you so much for the prompt and thorough replies.
Of the two options you offered I think that configuring my caching DNS server looks about the best. There exists a small possibility that the IP address could change and not refresh the name server before a request to the registrar is launched.
The ideal solution would be convincing Callcentric to not use round robin selection.
Thanks again Rob D
On Sunday 07 October 2007, Christian Schlatter wrote:
Robert Dyck wrote:
I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
Yes, that seems to be the case.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
Ok, the credentials seem to be fine.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
You are right, although the nonce is included in the response to a challenge, the registrar obviously has to make sure that it matches the one sent in the challenge. Otherwise replay attacks would be easily possible.
So the problem boils down to the fact that your SIP provider is using round-robin DNS instead of NAPTR/SRV. This causes your openser to send the requests to different hosts.
The trace you sent me indicates that you're using a local DNS cache server. One option would be to configure this server to not to do round-robin for "callcentric.com". E.g. with BIND this can be achieved by adding
options { rrset-order { name "callcentric.com" order fixed; }; }
The callcentric.com DNS record has a TTL of 30 minutes, so the target IP address could potentially change every 30 minutes.
Another option would be to hard-code the target IP address for REGISTER requests in the openser config, like
if (is_method("REGISTER") && ($rd == "callcentric.com")) { t_relay("udp:204.11.192.22:5060"); }
which has the disadvantage that an IP change for callcentric.com would disable the callcentric registration service.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
The second registrar does not send an error code, it simply issues its own challenge. Openser is definitely alternating between registrars. It does not send the credentials to the same registrar that requested them.
I could send a trace if it would be helpful.
Yes, that would be helpful, I'd also like to have a look at the DNS traffic. Can you do
tcpdump -i any -s 1500 -w /tmp/trace.pcap
/Christian
While there is are no NAPTR records for callcentric.com, there are SRV records:
;; ANSWER SECTION: _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha2.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha2.callcentric.com.
Your trace doesn't show any DNS SRV queries. What version of openser are you using? Versions before 1.1 didn't support NAPTR/SRV queries.
Instead of hard-coding the outbound proxy to the callcentric proxy IP address, you could instead use either 'alpha1.callcentric.com' or 'alpha2.callcentric.com'.
/Christian
Robert Dyck wrote:
I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
The second registrar does not send an error code, it simply issues its own challenge. Openser is definitely alternating between registrars. It does not send the credentials to the same registrar that requested them.
I could send a trace if it would be helpful.
Yes, that would be helpful, I'd also like to have a look at the DNS traffic. Can you do
tcpdump -i any -s 1500 -w /tmp/trace.pcap
/Christian
On Sunday 07 October 2007, Christian Schlatter wrote:
While there is are no NAPTR records for callcentric.com, there are SRV records:
;; ANSWER SECTION: _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha2.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha2.callcentric.com.
Using openser config to force alphaX.callcentric.com had the same effect as using a hard coded IP address, namely no response.
Your trace doesn't show any DNS SRV queries. What version of openser are you using? Versions before 1.1 didn't support NAPTR/SRV queries.
I am using a rather old version of openser. My configuration was inspired by the Milkfish project. They have a patched version of nathelper that allows one to specify the address when mangling CONTACT. It does in fact support SRV queries. I think it is version 1.0. While exploring the code I discovered that if the UA explicitly sends to a port, openser will not use SRV. In the trace I sent the UA specifies a port. If the UA does not specify a port the version of openser that I am using will do SRV queries.
Do recent versions of openser allow fix_nated_contact("a.b.c.d")?
Instead of hard-coding the outbound proxy to the callcentric proxy IP address, you could instead use either 'alpha1.callcentric.com' or 'alpha2.callcentric.com'.
/Christian
Robert Dyck wrote:
I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
The second registrar does not send an error code, it simply issues its own challenge. Openser is definitely alternating between registrars. It does not send the credentials to the same registrar that requested them.
I could send a trace if it would be helpful.
Yes, that would be helpful, I'd also like to have a look at the DNS traffic. Can you do
tcpdump -i any -s 1500 -w /tmp/trace.pcap
/Christian
Hi Robert,
fix_nated_contact is available inside the nathelper module. Check here the documentation for the latest stable openser version: http://www.openser.org/docs/modules/1.2.x/nathelper.html#AEN255
Regards, Ovidiu Sas
On 10/7/07, Robert Dyck rob.dyck@telus.net wrote:
On Sunday 07 October 2007, Christian Schlatter wrote:
While there is are no NAPTR records for callcentric.com, there are SRV records:
;; ANSWER SECTION: _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha2.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha2.callcentric.com.
Using openser config to force alphaX.callcentric.com had the same effect as using a hard coded IP address, namely no response.
Your trace doesn't show any DNS SRV queries. What version of openser are you using? Versions before 1.1 didn't support NAPTR/SRV queries.
I am using a rather old version of openser. My configuration was inspired by the Milkfish project. They have a patched version of nathelper that allows one to specify the address when mangling CONTACT. It does in fact support SRV queries. I think it is version 1.0. While exploring the code I discovered that if the UA explicitly sends to a port, openser will not use SRV. In the trace I sent the UA specifies a port. If the UA does not specify a port the version of openser that I am using will do SRV queries.
Do recent versions of openser allow fix_nated_contact("a.b.c.d")?
Instead of hard-coding the outbound proxy to the callcentric proxy IP address, you could instead use either 'alpha1.callcentric.com' or 'alpha2.callcentric.com'.
/Christian
Robert Dyck wrote:
I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote: > The second registrar does not send an error code, it simply issues > its own challenge. Openser is definitely alternating between > registrars. It does not send the credentials to the same registrar > that requested them. > > I could send a trace if it would be helpful.
Yes, that would be helpful, I'd also like to have a look at the DNS traffic. Can you do
tcpdump -i any -s 1500 -w /tmp/trace.pcap
/Christian
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Unfortunately it does not allow one to explicitly set the address. It appears that fix_nated_contact() was intended to be used by a registrar when presented with a private address. fix_nated_contact("a.b.c.d") is used to fix an outgoing message before it gets to a registrar.
Perhaps openser could adopt the patched version of nathelper and offer both forms of fix_nated_contact.
On Sunday 07 October 2007, Ovidiu Sas wrote:
Hi Robert,
fix_nated_contact is available inside the nathelper module. Check here the documentation for the latest stable openser version: http://www.openser.org/docs/modules/1.2.x/nathelper.html#AEN255
Regards, Ovidiu Sas
On 10/7/07, Robert Dyck rob.dyck@telus.net wrote:
On Sunday 07 October 2007, Christian Schlatter wrote:
While there is are no NAPTR records for callcentric.com, there are SRV records:
;; ANSWER SECTION: _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5080 alpha2.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha1.callcentric.com. _sip._udp.callcentric.com. 331 IN SRV 10 5 5060 alpha2.callcentric.com.
Using openser config to force alphaX.callcentric.com had the same effect as using a hard coded IP address, namely no response.
Your trace doesn't show any DNS SRV queries. What version of openser are you using? Versions before 1.1 didn't support NAPTR/SRV queries.
I am using a rather old version of openser. My configuration was inspired by the Milkfish project. They have a patched version of nathelper that allows one to specify the address when mangling CONTACT. It does in fact support SRV queries. I think it is version 1.0. While exploring the code I discovered that if the UA explicitly sends to a port, openser will not use SRV. In the trace I sent the UA specifies a port. If the UA does not specify a port the version of openser that I am using will do SRV queries.
Do recent versions of openser allow fix_nated_contact("a.b.c.d")?
Instead of hard-coding the outbound proxy to the callcentric proxy IP address, you could instead use either 'alpha1.callcentric.com' or 'alpha2.callcentric.com'.
/Christian
Robert Dyck wrote:
I had already tried configuring the UA with the address of one of the servers ( both IP and domain name ) as well as altering the openser config to force the address. The peculiar thing there is that the registrar does not challenge or even respond at all. It would seem that it ignores REGISTER requests that do not have callcentric.com as the domain name and realm.
The UA can register with this provider without difficulty when the UA is configured to use STUN and no outgoing proxy. The UA does not do a second DNS lookup. It simply uses the same address for both requests.
When the UA receives the challenge does it not use the received nonce to encrypt its credentials? I have to admit my knowledge of that subject is shakey. And would this not have to be delivered to the same server that sent the nonce?
On Saturday 06 October 2007, you wrote:
Robert Dyck wrote:
I am more familiar with ethereal. I hope that is OK. Also I have not edited the dumps so I am sending them privately. Attached are brief and detailed dumps from ethereal.
Your SIP provider is using DNS round-robin which is why openser is forwarding the requests to different IP addresses. This is the first provider I see that is doing DNS RR, this is rather unusual and not what is described by the SIP RFCs.
Nevertheless, I still believe that your problem is related to wrong credentials. Both provider registrars should accept your REGISTER with Proxy-Auth header.
You could also configure your SIP client with 204.11.192.22 instead of the provider's hostname, this will disable DNS RR and let openser forward the request always to the same host.
/Christian
On Saturday 06 October 2007, you wrote: > Robert Dyck wrote: >> The second registrar does not send an error code, it simply >> issues its own challenge. Openser is definitely alternating >> between registrars. It does not send the credentials to the same >> registrar that requested them. >> >> I could send a trace if it would be helpful. > > Yes, that would be helpful, I'd also like to have a look at the > DNS traffic. Can you do > > tcpdump -i any -s 1500 -w /tmp/trace.pcap > > /Christian
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
-
Christian Schlatter -
Ovidiu Sas -
Robert Dyck