[OpenSIPS-Users] Need ideas to tamper with CSeq
Cindy Leung
cinthia721 at gmail.com
Mon Apr 4 20:49:36 CEST 2011
I have used what you suggested below and is working great for us. Thank you!
On Mar 31, 2011, at 7:40 PM, Ovidiu Sas wrote:
> Well, in the mean time, you can use the following workaround: let the
> phone register over tcp and perform authentication and for subsequent
> calls coming from the registered endpoint (tcp/IP/port) you don't need
> to authenticate the INVITE - just reuse the existing authenticated TCP
> connection. Like this there will be a single INVITE before the
> CANCEL.
>
>
> Regards,
> Ovidiu Sas
>
> On Thu, Mar 31, 2011 at 7:14 PM, Daniel Goepp <dan at goepp.net> wrote:
>> Thanks Ovidiu,
>>
>> Yeah, that is pretty much the conclusion we had come to regarding the
>> endpoint...we were just hoping I guess to have a fix and not have to wait
>> for the vendor to fix the phone, which will likely take quite some time.
>>
>> Oh well, that's life :(
>>
>> -dg
>>
>>
>> On Thu, Mar 31, 2011 at 3:22 PM, Ovidiu Sas <osas at voipembedded.com> wrote:
>>>
>>> The sequence is totally broken.
>>> You can try to modify the Cseq and loop the CANCEL but the proper
>>> thing to do here is to get a fix from the SIP UA manufacturer or get
>>> rid of the phone and use a good one.
>>>
>>>
>>> Regards,
>>> Ovidiu Sas
>>>
>>> On Thu, Mar 31, 2011 at 4:10 PM, Daniel Goepp <dan at goepp.net> wrote:
>>>> My first response to this got rejected as I was just over the body size
>>>> limit for the forum. I'm posting as an attachment this time:
>>>>
>>>> You are exactly correct in your read back ;) Here is a trace, I think I
>>>> removed everything. 1.1.1.1 is my office, where both number 1111 and
>>>> 2222
>>>> are registered from. 2.2.2.2 is our proxy, and 3.3.3.3 is another
>>>> openSIPS
>>>> server acting as a redirect server.
>>>>
>>>> Thanks
>>>>
>>>> -dg
>>>>
>>>>
>>>> On Thu, Mar 31, 2011 at 11:36 AM, Ovidiu Sas <osas at voipembedded.com>
>>>> wrote:
>>>>>
>>>>> Are you saying that the caller is sending an INVITE with CSeq 1, get's
>>>>> challenged, sends back an authenticated INVITE with CSeq 2 and when
>>>>> the call is aborted, the client that generated the second INVITE with
>>>>> Cseq 2 is sending a CANCEL with CSeq 1?
>>>>> Can you post a trace of such scenario?
>>>>> You can remove all the sensitive info from the trace.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Ovidiu Sas
>>>>>
>>>>> On Thu, Mar 31, 2011 at 2:19 PM, Daniel Goepp <dan at goepp.net> wrote:
>>>>>> It has more to do with what OpenSIPS is receiving, not sending. We
>>>>>> get
>>>>>> the
>>>>>> first INVITE from the endpoint, challenge it, then get another INVITE
>>>>>> from
>>>>>> the endpoint, and it is incrementing the CSeq on the second INVITE.
>>>>>> We
>>>>>> have
>>>>>> no control over what the endpoint does with Cseq, unfortunately.
>>>>>>
>>>>>> -dg
>>>>>>
>>>>>>
>>>>>> On Thu, Mar 31, 2011 at 10:53 AM, Ovidiu Sas <osas at voipembedded.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Based on how the problem was described here, the issue is with how
>>>>>>> opensips was configured: the second INVITE sent by opensips should
>>>>>>> have the same CSeq as the initial INVITE (assuming that you perform
>>>>>>> uac authentication in opensips).
>>>>>>> Are you performing uac authentication in opensips?
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Ovidiu Sas
>>>>>>>
>>>>>>> On Thu, Mar 31, 2011 at 1:49 PM, Daniel Goepp <dan at goepp.net> wrote:
>>>>>>>> Thanks for the feedback Ovidiu.
>>>>>>>>
>>>>>>>> The GW appears to handle the INVITEs fine, which is how the
>>>>>>>> transaction
>>>>>>>> CSeq
>>>>>>>> gets updated to 2. The problem occurs when we get the CANCEL,
>>>>>>>> which
>>>>>>>> has
>>>>>>>> a
>>>>>>>> CSeq of 1, not 2. We will investigate some of the ideas you
>>>>>>>> propose
>>>>>>>> here.
>>>>>>>> We have opened a ticket with the endpoint manufacture, but you
>>>>>>>> know
>>>>>>>> what
>>>>>>>> that process is like I'm sure ;)
>>>>>>>>
>>>>>>>> -dg
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Mar 31, 2011 at 10:36 AM, Ovidiu Sas
>>>>>>>> <osas at voipembedded.com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> I assume that this is a hack because the GW is not able to
>>>>>>>>> properly
>>>>>>>>> handle the second INVITE (with auth header) that has the same
>>>>>>>>> Cseq
>>>>>>>>> as
>>>>>>>>> the initial INVITE (despite the fact that those two INVITEs are
>>>>>>>>> on
>>>>>>>>> different branch-es). As a workaround, the CSeq was probably
>>>>>>>>> tempered
>>>>>>>>> in the local_route.
>>>>>>>>>
>>>>>>>>> You could try to intercept the CANCEL when it hits the main
>>>>>>>>> route,
>>>>>>>>> replace the CSeq and the forward the CANCEL back to yourself and
>>>>>>>>> it
>>>>>>>>> may work. This is ugly and it needs to be properly implemented
>>>>>>>>> as
>>>>>>>>> it
>>>>>>>>> may break good clients.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The proper solution here would be to add a new server in front of
>>>>>>>>> the
>>>>>>>>> GW, a server that will be able to handle the two INVITEs (with
>>>>>>>>> and
>>>>>>>>> without auth header) with the same CSeq number. One solution
>>>>>>>>> would
>>>>>>>>> be
>>>>>>>>> an opensips server configured in b2b mode. This should give you
>>>>>>>>> a
>>>>>>>>> clean implementation and no hacks in the config.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Ovidiu Sas
>>>>>>>>>
>>>>>>>>> On Thu, Mar 31, 2011 at 12:55 PM, Daniel Goepp <dan at goepp.net>
>>>>>>>>> wrote:
>>>>>>>>>> I don't mean to step on Cinthia's toe here, but I would like to
>>>>>>>>>> add a
>>>>>>>>>> little
>>>>>>>>>> to her comments / questions in response some follow ups here.
>>>>>>>>>> The
>>>>>>>>>> problem
>>>>>>>>>> being presented has been acknowledged as a "bad" device, in
>>>>>>>>>> violation
>>>>>>>>>> of
>>>>>>>>>> the
>>>>>>>>>> RFC. And although it's not popular to work around issues,
>>>>>>>>>> sometimes
>>>>>>>>>> it
>>>>>>>>>> is
>>>>>>>>>> necessary, and one of the great things about OpenSIPS is how
>>>>>>>>>> flexible
>>>>>>>>>> and
>>>>>>>>>> powerful it is. The only problem here is the CANCEL, all other
>>>>>>>>>> signaling
>>>>>>>>>> including the BYE appear to work fine with this phone. Calls
>>>>>>>>>> complete
>>>>>>>>>> and
>>>>>>>>>> end just fine in all other cases. I agree that perhaps a proxy
>>>>>>>>>> shouldn't
>>>>>>>>>> have to do this, it is not an absolute in the real world that
>>>>>>>>>> it
>>>>>>>>>> would
>>>>>>>>>> never
>>>>>>>>>> have to. So this comes back to the initial question, and
>>>>>>>>>> regardless
>>>>>>>>>> of
>>>>>>>>>> best
>>>>>>>>>> practice, is there a way when OpenSIPS receives a CANCEL to
>>>>>>>>>> "help"
>>>>>>>>>> it
>>>>>>>>>> by
>>>>>>>>>> incrementing it's CSeq for it?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> -dg
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 31, 2011 at 7:48 AM, Ovidiu Sas
>>>>>>>>>> <osas at voipembedded.com>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Mar 31, 2011 at 10:37 AM, Cindy Leung
>>>>>>>>>>> <cinthia721 at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> I guess I wasn't being clear enough in the call flow. I
>>>>>>>>>>>> assume
>>>>>>>>>>>> the
>>>>>>>>>>>> CSeq
>>>>>>>>>>>> in the CANCEL has to be the same as the second INVITE.
>>>>>>>>>>>>
>>>>>>>>>>>> 1. Phone sends out INVITE #1, OpenSIPS responds with 401,
>>>>>>>>>>>> Phone
>>>>>>>>>>>> ACK'd.
>>>>>>>>>>>> I believe the transaction is over at this point.
>>>>>>>>>>>> 2. Phone sends out INVITE #2 with auth, OpenSIPS accepts the
>>>>>>>>>>>> INVITE
>>>>>>>>>>>> and
>>>>>>>>>>>> send back 180. Phone now sends out a CANCEL, but the CSeq
>>>>>>>>>>>> is
>>>>>>>>>>>> not
>>>>>>>>>>>> the
>>>>>>>>>>>> same
>>>>>>>>>>>> as INVITE #2.
>>>>>>>>>>>>
>>>>>>>>>>>> As far as I can tell, everything else (ruri, call-id...) is
>>>>>>>>>>>> the
>>>>>>>>>>>> same
>>>>>>>>>>>> except for CSeq.
>>>>>>>>>>>
>>>>>>>>>>> Exactly! You broke the CSeq between caller and callee. A
>>>>>>>>>>> proxy
>>>>>>>>>>> should never do that!
>>>>>>>>>>> Even if you fix somehow your CANCEL issue, calls will never
>>>>>>>>>>> complete.
>>>>>>>>>>> The 200ok will have a different CSeq then the initial INVITE
>>>>>>>>>>> (for
>>>>>>>>>>> the
>>>>>>>>>>> caller) and it will be discarded (by the caller).
>>>>>>>>>>> Also, BYE will not work.
>>>>>>>>>>> You have bigger issues here then just a CANCEL.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Ovidiu Sas
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Users mailing list
>>>>>>>>>>> Users at lists.opensips.org
>>>>>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users at lists.opensips.org
>>>>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at lists.opensips.org
>>>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at lists.opensips.org
>>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
More information about the Users
mailing list