[OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261

Robert Borz robert.borz at web.de
Thu Jan 22 13:44:50 CET 2009 

Hi,

so remove_hf("Proxy-Authorization") removes any Proxy-Authorization headers or just the first?

What will happen if there are more than one proy auth. Header fields, will all of them be removed? This would be a solution... but I don't want to close our Sip proxy and only let outgoing and incoming sip calls of our domain go through.

Hmm, I tried to add an radius_proxy_authorize() before the consume_credentials(), but as you said, I can't challenge ACKs and BYEs.

Hmm.... 



-----Original Message-----
From: bogdan at voice-system.ro [mailto:bogdan at voice-system.ro] 
Sent: Thursday, January 22, 2009 1:22 PM
To: Robert Borz
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261

Hi Robert,

I did read your email (even sent a reply ;))

consume_credentials() function removes only credentials that were 
checked for authentication, so, in order to make it work, you have to 
previously do authentication. The function works in this way because a 
requests may contain credentials for multiple SIP proxies (chained 
authentication), so a proxy must be careful and remove only credentials 
targeting itself.

So, what you you could do is to check if the ACK has the "Proxy-Auth" 
headers (with is_present_hf) and if so, use remove_hf() function to 
strip it out without any check.

Regards,
Bogdan

Robert Borz wrote:
> Hi Bogdan,
>
> thanks a lot for your response!
>
> So... you're exactly saying where I run into. ;)
> Did you read my last mails with the subject "consume_credentials doesn't work with auth_radius module"?
>
> Maybe you can help me just by telling me what's the way people do in production.
>
> So... concerning my current configuration, I think I have the clue right now, what the problem is.
>
> If an unauthorized INVITE comes in, my SER does radius_proxy_authorize() - no problem here. But, to the 200 OK (Call answered), the ACK of my client also contains the proxy authorization credentials, which is loose-routed. And now, the is_present_hf("Proxy-Authorization") function returns true (which is correct if the UAC includes the credentials in the ACK), but consume_credentials() returns an error, because it doesn't know that it has verified (and marked) the credentials before.
>
> How to proceed in this case....
>
> -----Original Message-----
> From: bogdan at voice-system.ro [mailto:bogdan at voice-system.ro] 
> Sent: Thursday, January 22, 2009 8:41 AM
> To: Robert Borz
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
>
> Hi Robert,
>
> Robert Borz wrote:
>   
>> Just had a look at RFC 3261... 269 pages... well, looks for a hard work for one day... but it isn't written to understand and answer my dumb questions within one or two hours. ;)
>>   
>>     
> indeed, the RFC3261 is like a novel :).....
>   
>> So, just want to know which contents in an ACK message are allowed in which case...
>>
>> Especially, I'm interested in which contents in an ACK are allowed in a response to a 200 OK (after INVITE)... is the Proxy-Authorization header field allowed in an ACK as response to a 200 OK of an INVITE?
>>   
>>     
> yes, it is optional - see the RFC3261, section 20.1 , page 163 - Table 3
>   
>> Maybe someone read my previous two mails, I'm a little confused right now... 
>>
>> I detected different behaviour between different UACs, which is nothing unusual for me (I'm just a developer, too).
>>
>> X-Lite for example includes the digest-credentials in an ACK packet in the Proxy-Authorization header field, whereas the snom-softphone does not.
>> The Ekige softphone for windows also includes the Proxy-Authorization header field.
>>
>> So, which behaviour is standard? It would be great to get any help from you... just to spare the time reading the whole RFC... :-(
>>   
>>     
> well, all are correct, as the header presence in the ACK request is 
> optional....
>
> My understanding on the RFC (on the auth matter) is that if the INVITE 
> has an "Proxy-Authorization" headers, the ACK should also contain 
> one...but it is not a must, it is a recommendation. The idea is, if the 
> proxy asked for auth for INVITE, it might ask for the ACK also....but as 
> you cannot challenge the ACK, the client should pre-fill the auth in ACK.
>
> Regards,
> Bogdan
>   
>> <lying>But, I don’t mind reading it...</lying> ;-P
>>
>>
>> Robert.
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>   
>>     
>
>
>
>

More information about the Users mailing list