[OpenSIPS-Devel] New contribution, uac_auth() in request route

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Feb 24 11:54:08 CET 2010 

Hi Michael,

Michael Schloh von Bennewitz wrote:
> Hello Bogdan,
>
> On Tues., Feb. 16, 2010, Bogdan-Andrei Iancu wrote:
>   
>> 1) what if the client is really dummy or does not have support for
>> auth at all, so you cannot rely on the UAC to send a second INVITE
>> with credentials.
>>
>>     
> But this question is equally valid for regular usage of the auth
> module. If an administrator assumes that only UACs which will
> regiser are able to answer 401 or 407 replies correctly then
> he will have problems when a special case scenario appears (like
> the one you mention.) If I understand your question correctly,
> then the administrator knows to use uac_auth or proxy_challenge
> only when the client is not so dumb.
>   
Not really - is the regular usage of uac_auth(), the UAC sends an INVITE 
and opensips is doing the rest of the job (intercepting the 401 and 
generating a new INVITE), totally transparent for UAC  - here the UAC 
does not have to do anything extra.
>   
>> 2) what if the client  -  server relation is not passwd based, so again 
>> the UAC cannot generate the INVITE with credentials
>>
>>     
> Yes, the unmodified (in 1.6.X) uac_auth function only provides password
> based authentication. My changes simply extend the possible range of
> the unmodified uac_auth function to be usable from the request route
> as well. If the client must authenticate using a nonpassword based
> algorithm, then it's up to the admin to find a way to provide that.
> He won't be using uac_auth at all, so my changes are not relevant.
>   
That is correct, but my question was actually overlapping with the first 
one - about the capability of a client to send a second INVITE, in 
response to a 401/407. Only the scenario was different than in the first 
question:
    scenario 1) - there is no auth relation between UAC and opensips, so 
UAC cannot handle any auth challenge at all
    scenario 2) - there is a non-passwd auth relation between UAC and 
opensips, so UAC cannot handle any auth passwd-based challenge at all
>   
>> 3) what if the the UAC is also authenticating to the server :
>>       UAC   -> INVITE                  ->  proxy
>>       UAC   <- 407 proxy               <-  proxy
>>       UAC   -> INVITE+res_proxy        ->  proxy
>>                                            proxy  -> INVITE -> GW
>>                                            proxy  <- 407 gw <- GW
>>       UAC   <- 407 gw                  <-  proxy
>>     
>         UAC   -> INVITE+res_proxy+res_gw ->  proxy  -> INVITE -> GW
>                                              proxy  <- 200 OK <- GW
>         UAC   <- 200 OK                  <-  proxy
>
>   
>>    at this moment the uac may stop responding (as it cannot answer
>>    to the new request - unknown realm, or because it things the
>>    first auth failed)
>>
>>     
> I've tested this with only one softphone and one hardphone. Both
> Twinkle and Snom do indeed stop responding, but only if both proxy
> and gateway specify the same authentication realm. Probably this
> confuses the phone's software which thinks the authentication
> requests originated from the same server (not true.) This can be
> solved by the admin who has control over the auth module's realm
> logic.
>
> If there is no realm conflict then after the UAC tries once to
> authenticate to the SIP proxy it will accept 407 again and try
> to authenticate a second time, appending both Proxy-Authorization
> strings (one for each realm) to the new (third INVITE) request.
>
> Unfortunately, to solve the problem of a challenge loop the admin
> probably must use:
>
>   modparam("auth", "disable_nonce_check", 1)
>
> ...to allow OpenSIPS to pass the third INVITE without challenging.
>   
Right.
> I doubt that the SIP RFCs specify such multiple challenge results,
> so if that's true then the choice is up to us. The question is:
>
>   Do we want to distribute and support a hacky way
>   to provide multiple authentication stages?
>   
Normally, this is a job for a b2bua and not for a proxy. I agree that 
what we have so far is also a hack, so I do not expect the miracle- 
solution here :). I'm not against hacking the hack, but I'm just trying 
to see the design of the new hack and how it should work in some cases.
>   Or would we rather restrict the admin to a single
>   authentication stage?
>   
That's impossible in same cases.

Regarding your solution, I see it as a clean idea -forcing the cseq 
change from the UAC side- , but I'm so positive about who you try to 
force the UAC the re-send the request (via a challenge) - what about 
trying it via a 300 redirect (to the same destination) ?
> There's a chance to do this better using new B2B logic, but I
> kind of doubt that it would be much less hacky than this. Don't
> forget, the unmodified uac_auth function is hacky itself. It
> doesn't conform to RFC 2543 recommending sequential CSEQ numbers.
>   
Again, right, but also making auth with b2bua requires some more work - 
it will not work out of the package.

Regards,
Bogdan
> Regards,
> Michael
>
>   


-- 
Bogdan-Andrei Iancu
www.voice-system.ro

More information about the Devel mailing list