[SR-Users] [VoLTE] 401 unauthorized error
Ovidiu Sas
osas at voipembedded.com
Tue Aug 24 18:07:00 CEST 2021
Probably the 401 didn’t make it to the client and what you are seeing are
retransmissions.
-ovidiu
On Tue, Aug 24, 2021 at 11:54 오택경 <ohtk at kaist.ac.kr> wrote:
> I tried to use all of the algorithms which fhoss can support, but they did
> not work.
>
> Fortunately, I found that my UE did not send the digest response for the
> received nonce to the server after 401 unauthorized.
> (digest response content is empty in the 2nd register packet.)
>
> I think this is the cause of the authentication problem. So I changed to
> another smartphone, but the same problem has occurred.
>
>
>
> -----Original Message-----
> From: "Yuriy Gorlichenko" <ovoshlook at gmail.com>
> To: "오택경" <ohtk at kaist.ac.kr>;
> Cc: "Kamailio (SER) - Users Mailing List" <sr-users at lists.kamailio.org>;
> Sent: 2021-08-24 (화) 21:37:36 (UTC+09:00)
> Subject: Re: Re: [SR-Users] [VoLTE] 401 unauthorized error
>
> I do not remember, to be honest, if IMS supports basic md5 auth
> algorithms. You need to go through specs about algo supported. Also try to
> look into docs of kamailio ims modules which algorithms it implements. If
> you find one which satisfies your device for negotiation then just use it.
> If no - try to update your client to have support of one of the proper
> algorithms.
>
> On Tue, 24 Aug 2021, 10:45 오택경, <ohtk at kaist.ac.kr> wrote:
>
> Thank you for your help!
>
> I looked into the UE's IMS register request as you told me. (the content
> of request is shown below)
>
> I think my UE can support only two algorithms: hmac-sha1-96 and
> hmac-md5-96.
>
> But fhoss cannot support the above auth algorithms (fhoss can support
> digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5,
> early-ims-security, nass-bundled and sip digest).
>
> What algorithm should I switch to for authentication in fhoss? Or do I
> have to change the UE device (smartphone) for auth?
>
> Very thanks,
> Taekkyung Oh.
>
> *<IMS register request from the UE>*
> *Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits)
> on interface 0*
> *Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst:
> 02:42:ac:16:00:06 (02:42:ac:16:00:06)*
> *Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6*
> *User Datagram Protocol, Src Port: 2152, Dst Port: 2152*
> *GPRS Tunneling Protocol*
> *Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21*
> *Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021,
> Ack: 1, Len: 750*
> *[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]*
> *Session Initiation Protocol (REGISTER)*
> * Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0*
> * Method: REGISTER*
> * Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org*
> * Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org*
> * [Resent Packet: False]*
> * Message Header*
> * To: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>*
> * SIP to address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org*
> * SIP to address User Part: 001010000031094*
> * SIP to address Host Part: ims.mnc001.mcc001.3gppnetwork.org*
> * From: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>;tag=qyecbkJ*
> * SIP from address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org*
> * SIP from address User Part: 001010000031094*
> * SIP from address Host Part: ims.mnc001.mcc001.3gppnetwork.org*
> * SIP from tag: qyecbkJ*
> * Contact: <sip:001010000031094@192.168.101.3:5060>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"*
> * Contact URI: sip:001010000031094@192.168.101.3:5060*
> * Contact URI User Part: 001010000031094*
> * Contact URI Host Part: 192.168.101.3*
> * Contact URI Host Port: 5060*
> * Contact parameter:
> +sip.instance="<urn:gsma:imei:86355804-632692-0>"*
> * Contact parameter: +g.3gpp.accesstype="cellular2"*
> * Contact parameter: audio*
> * Contact parameter: video*
> * Contact parameter: +g.3gpp.smsip*
> * Contact parameter:
> +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n*
> * Expires: 600000*
> * P-Access-Network-Info:
> 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01*
> * access-type: 3GPP-E-UTRAN-FDD*
> * utran-cell-id-3gpp: 0010100010019B01*
> * Supported: path,sec-agree*
> * Allow:
> INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER*
> * Require: sec-agree*
> * Proxy-Require: sec-agree*
> * [truncated]Security-Client:
> ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664*
> * [Security-mechanism]: ipsec-3gpp*
> * alg: hmac-sha-1-96*
> * prot: esp*
> * mod=trans*
> * ealg: des-ede3-cbc*
> * spi-c: 10559690 (0x00a120ca)*
> * spi-s: 65664952 (0x03e9f7b8)*
> * port-c: 31112*
> * port-s: 31803*
> * [Security-mechanism]: ipsec-3gpp*
> * alg: hmac-sha-1-96*
> * prot: esp*
> * mod=trans*
> * ealg: aes-cbc*
> * spi-c: 10559690 (0x00a120ca)*
> * spi-s: 65664952 (0x03e9f7b8)*
> * port-c: 31112*
> * port-s: 31803*
> * [Security-mechanism]: ipsec-3gpp*
> * alg: hmac-sha-1-96*
> * prot: esp*
> * mod=trans*
> * ealg: null*
> * spi-c: 10559690 (0x00a120ca)*
> * spi-s: 65664952 (0x03e9f7b8)*
> * port-c: 31112*
> * port-s: 31803*
> * [Security-mechanism]: ipsec-3gpp*
> * alg: hmac-md5-96*
> * prot: esp*
> * mod=trans*
> * ealg: des-ede3-cbc*
> * spi-c: 10559690 (0x00a120ca)*
> * spi-s: 65664952 (0x03e9f7b8)*
> * port-c: 31112*
> * port-s: 31803*
> * [Security-mechanism]: ipsec-3gpp*
> * alg: hmac-md5-96*
> * prot: esp*
> * mod=trans*
> * ealg: aes-cbc*
> * spi-c: 10559690 (0x00a120ca)*
> * spi-s: 65664952 (0x03e9f7b8)*
> * port-c: 31112*
> * port-s: 31803*
> * [Security-mechanism]: ipsec-3gpp*
> * alg: hmac-md5-96*
> * prot: esp*
> * mod=trans*
> * ealg: null*
> * spi-c: 10559690 (0x00a120ca)*
> * spi-s: 65664952 (0x03e9f7b8)*
> * port-c: 31112*
> * port-s: 31803*
> * Authorization: Digest username="001010000031094@ims.mnc001.mcc001.3gppnetwork.org",realm="ims.mnc001.mcc001.3gppnetwork.org",uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""*
> * Authentication Scheme: Digest*
> * Username: "001010000031094@ims.mnc001.mcc001.3gppnetwork.org"*
> * Realm: "ims.mnc001.mcc001.3gppnetwork.org"*
> * Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org"*
> * Nonce Value: ""*
> * Digest Authentication Response: ""*
> * Call-ID: txecbknlk@192.168.101.3*
> * CSeq: 1 REGISTER*
> * Sequence Number: 1*
> * Method: REGISTER*
> * Max-Forwards: 70*
> * Via: SIP/2.0/TCP
> 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport*
> * Transport: TCP*
> * Sent-by Address: 192.168.101.3*
> * Sent-by port: 5060*
> * Branch: z9hG4bKrzecbkJzsat7Xk6daqm5*
> * RPort: rport*
> * User-Agent: IM-client/OMA1.0 HW-Rto/V1.0*
> * Content-Length: 0*
>
>
>
>
> -----Original Message-----
> From: "Yuriy Gorlichenko" <ovoshlook at gmail.com>
> To: "Kamailio (SER) - Users Mailing List" <sr-users at lists.kamailio.org>;
> Cc:
> Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00)
> Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error
>
>
> Hi, 401 is a normal response for SIP auth.
> It is also a normal response for the IMS service.
> Look into the SIP basic auth mechanism to clarify what is going on here and
> additionally look into the spec of IMS auth. There should be only an auth algo
> change.
> I believe you did not check further request processing.
> On Mon, 23 Aug 2021, 18:19 오택경, <ohtk at kaist.ac.kr> wrote:
>
> Hi.
>
> I am implementing the VoLTE setup with the dockerized project (
> https://github.com/herlesupreeth/docker_open5gs).
>
> I have almost finished running the VoLTE service, but a 401 unauthorized error in
> sip and an auth-pending error in fhoss have occurred.
>
> How can I fix this problem?
>
> I will share the discussion note in which I tried to solve some problems
> including the above one.
> : https://github.com/herlesupreeth/docker_open5gs/issues/55
>
> Very thanks,
> Taekkyung Oh.
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
> * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to
> the sender!
> Edit mailing list options or unsubscribe:
> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
--
VoIP Embedded, Inc.
http://www.voipembedded.com
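
One way to check a capture for what the replies above describe, as an added example that is not part of the thread: it labels each REGISTER as the initial request, a retransmission (same Call-ID, CSeq and Via branch), or an actual answer to the 401 (non-empty nonce and response). The first message reuses header values from the quoted capture; the third message, its branch and its nonce/response values are constructed.

```python
import re

PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,\s]*))')
BRANCH = re.compile(r"branch=([^;\s]+)")

def digest_params(value):
    """Parse a Digest Authorization header value into a lower-cased dict."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM.finditer(rest)}

def classify(registers):
    """Label each REGISTER: initial, retransmission or challenge-response."""
    seen, labels = set(), []
    for msg in registers:
        m = BRANCH.search(msg.get("Via", ""))
        key = (msg.get("Call-ID"), msg.get("CSeq"), m.group(1) if m else None)
        auth = digest_params(msg.get("Authorization", ""))
        if key in seen:
            labels.append("retransmission")      # same transaction seen before
        elif auth.get("nonce") and auth.get("response"):
            labels.append("challenge-response")  # UE answered a 401 challenge
        else:
            labels.append("initial")             # empty nonce/response, no challenge used
        seen.add(key)
    return labels

USER = "001010000031094@ims.mnc001.mcc001.3gppnetwork.org"
INITIAL = {  # header subset taken from the REGISTER quoted in the thread
    "Call-ID": "txecbknlk@192.168.101.3", "CSeq": "1 REGISTER",
    "Via": "SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport",
    "Authorization": f'Digest username="{USER}",nonce="",response=""',
}
ANSWER = {  # constructed: what a REGISTER answering the 401 would carry
    "Call-ID": "txecbknlk@192.168.101.3", "CSeq": "2 REGISTER",
    "Via": "SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKconstructed2;rport",
    "Authorization": f'Digest username="{USER}",nonce="Y29uc3RydWN0ZWQ=",'
                     'algorithm=AKAv1-MD5,response="0123456789abcdef0123456789abcdef"',
}
SAMPLE = [INITIAL, dict(INITIAL), ANSWER]

if __name__ == "__main__":
    for msg, label in zip(SAMPLE, classify(SAMPLE)):
        print(msg["CSeq"], label)
```

If a capture only ever yields "initial" and "retransmission", the UE never used a challenge, which points at the 401 delivery path rather than at the digest algorithm.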