4 Mar
2014
4 Mar
'14
9:38 p.m.
Hey all,
I have a pretty general SIP question that I'm hoping some of you can
shed some light on. I hope this ok for the list.
I am setting up a SIP proxy with Kamailio. The backend server
(Asterisk in my case) requires authentication. Is it standard/best
practice to require a proxy to authenticate to a backend server for
INVITEs?
I am already registering, with authentication, on behalf of the
client, i.e, the client registers to the proxy, then the proxy
registers to the backend server, all with authentication. I was
hoping not to have to do this on INVITEs, but if I don't I'm left with
the following:
client proxy backend
| -------INVITE-------> | |
| <--------407--------- | |
| ---------ACK--------> | |
| ----INVITE(auth)----> | |
| <--------100--------- | |
| | -------INVITE-------> |
| | <--------401--------- |
| | ---------ACK--------> |
| <--------401--------- | |
| ---------ACK--------> | |
| ----INVITE(auth)----> | |
| <--------100--------- | |
| | ----INVITE(auth)----> |
| | <--------100--------- |
| | <---------OK--------- |
| <---------OK--------- | |
| ---------ACK--------> | |
| | ---------ACK--------> |
It works, but, it's terrible...
Before I try to make it work differently, what do you all think it should do?
Marc
4 Mar
4 Mar
10:57 p.m.
Hello,
a proxy cannot authenticate itself with username and password without
breaking RFC (respectively cseq sequence numbers). The best and the
standard practice is to accept the traffic from the proxy based on
source IP.
Cheers,
Daniel
On 04/03/14 20:38, Marc Soda wrote:
Hey all,
I have a pretty general SIP question that I'm hoping some of you can
shed some light on. I hope this ok for the list.
I am setting up a SIP proxy with Kamailio. The backend server
(Asterisk in my case) requires authentication. Is it standard/best
practice to require a proxy to authenticate to a backend server for
INVITEs?
I am already registering, with authentication, on behalf of the
client, i.e, the client registers to the proxy, then the proxy
registers to the backend server, all with authentication. I was
hoping not to have to do this on INVITEs, but if I don't I'm left with
the following:
client proxy backend
| -------INVITE-------> | |
| <--------407--------- | |
| ---------ACK--------> | |
| ----INVITE(auth)----> | |
| <--------100--------- | |
| | -------INVITE-------> |
| | <--------401--------- |
| | ---------ACK--------> |
| <--------401--------- | |
| ---------ACK--------> | |
| ----INVITE(auth)----> | |
| <--------100--------- | |
| | ----INVITE(auth)----> |
| | <--------100--------- |
| | <---------OK--------- |
| <---------OK--------- | |
| ---------ACK--------> | |
| | ---------ACK--------> |
It works, but, it's terrible...
Before I try to make it work differently, what do you all think it should do?
Marc
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
3919
days inactive
3919
days old
1 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
Marc Soda