[OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Thu Jan 22 14:44:07 CET 2009
Removes all of them. See:
http://www.opensips.org/html/docs/modules/1.4.x/textops.html#id271734
Regards,
Bogdan
Robert Borz wrote:
> Hi,
>
> so remove_hf("Proxy-Authorization") removes any Proxy-Authorization headers or just the first?
>
> What will happen if there are more than one proy auth. Header fields, will all of them be removed? This would be a solution... but I don't want to close our Sip proxy and only let outgoing and incoming sip calls of our domain go through.
>
> Hmm, I tried to add an radius_proxy_authorize() before the consume_credentials(), but as you said, I can't challenge ACKs and BYEs.
>
> Hmm....
>
>
>
> -----Original Message-----
> From: bogdan at voice-system.ro [mailto:bogdan at voice-system.ro]
> Sent: Thursday, January 22, 2009 1:22 PM
> To: Robert Borz
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
>
> Hi Robert,
>
> I did read your email (even sent a reply ;))
>
> consume_credentials() function removes only credentials that were
> checked for authentication, so, in order to make it work, you have to
> previously do authentication. The function works in this way because a
> requests may contain credentials for multiple SIP proxies (chained
> authentication), so a proxy must be careful and remove only credentials
> targeting itself.
>
> So, what you you could do is to check if the ACK has the "Proxy-Auth"
> headers (with is_present_hf) and if so, use remove_hf() function to
> strip it out without any check.
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>
>> Hi Bogdan,
>>
>> thanks a lot for your response!
>>
>> So... you're exactly saying where I run into. ;)
>> Did you read my last mails with the subject "consume_credentials doesn't work with auth_radius module"?
>>
>> Maybe you can help me just by telling me what's the way people do in production.
>>
>> So... concerning my current configuration, I think I have the clue right now, what the problem is.
>>
>> If an unauthorized INVITE comes in, my SER does radius_proxy_authorize() - no problem here. But, to the 200 OK (Call answered), the ACK of my client also contains the proxy authorization credentials, which is loose-routed. And now, the is_present_hf("Proxy-Authorization") function returns true (which is correct if the UAC includes the credentials in the ACK), but consume_credentials() returns an error, because it doesn't know that it has verified (and marked) the credentials before.
>>
>> How to proceed in this case....
>>
>> -----Original Message-----
>> From: bogdan at voice-system.ro [mailto:bogdan at voice-system.ro]
>> Sent: Thursday, January 22, 2009 8:41 AM
>> To: Robert Borz
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] Contents of ACK in up-to-date RFC 3261
>>
>> Hi Robert,
>>
>> Robert Borz wrote:
>>
>>
>>> Just had a look at RFC 3261... 269 pages... well, looks for a hard work for one day... but it isn't written to understand and answer my dumb questions within one or two hours. ;)
>>>
>>>
>>>
>> indeed, the RFC3261 is like a novel :).....
>>
>>
>>> So, just want to know which contents in an ACK message are allowed in which case...
>>>
>>> Especially, I'm interested in which contents in an ACK are allowed in a response to a 200 OK (after INVITE)... is the Proxy-Authorization header field allowed in an ACK as response to a 200 OK of an INVITE?
>>>
>>>
>>>
>> yes, it is optional - see the RFC3261, section 20.1 , page 163 - Table 3
>>
>>
>>> Maybe someone read my previous two mails, I'm a little confused right now...
>>>
>>> I detected different behaviour between different UACs, which is nothing unusual for me (I'm just a developer, too).
>>>
>>> X-Lite for example includes the digest-credentials in an ACK packet in the Proxy-Authorization header field, whereas the snom-softphone does not.
>>> The Ekige softphone for windows also includes the Proxy-Authorization header field.
>>>
>>> So, which behaviour is standard? It would be great to get any help from you... just to spare the time reading the whole RFC... :-(
>>>
>>>
>>>
>> well, all are correct, as the header presence in the ACK request is
>> optional....
>>
>> My understanding on the RFC (on the auth matter) is that if the INVITE
>> has an "Proxy-Authorization" headers, the ACK should also contain
>> one...but it is not a must, it is a recommendation. The idea is, if the
>> proxy asked for auth for INVITE, it might ask for the ACK also....but as
>> you cannot challenge the ACK, the client should pre-fill the auth in ACK.
>>
>> Regards,
>> Bogdan
>>
>>
>>> <lying>But, I don’t mind reading it...</lying> ;-P
>>>
>>>
>>> Robert.
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
More information about the Users
mailing list