<p style="padding:0 0 0 0; margin:0 0 0 0;">The ACK was indeed broken. The problem was at the SBC, where I did not expect it.</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Everything works as it should.</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Thank you very much for your help.</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"> </p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">Martin</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">______________________________________________________________<br />
> Od: "Klaus Darilion" <klaus.mailinglists@pernau.at><br />
> Komu: <martian@centrum.sk><br />
> Dátum: 28.08.2012 09:36<br />
> Predmet: Re: [SR-Users] Possible bug in authentication<br />
></p>
<p style="padding:0 0 0 0; margin:0 0 0 0;">> CC: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List", miconda@gmail.com</p>
<p style="padding:0 0 0 0; margin:0 0 0 0;"><br />
<br />
On 24.08.2012 14:41, martian@centrum.sk wrote:<br />
> The Route and Record-route headers are identical.<br />
><br />
><br />
> From debug (when alias=domain.ch:5060):<br />
><br />
> ----authentication of INVITE:<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>:<br />
> ---------------------- In route(AUTH), just before<br />
> from_uri==myself ----------------------<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 &&<br />
> [domain.ch] == [127.0.0.1]<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise<br />
> 0) matches port 5060<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 &&<br />
> [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise<br />
> 0) matches port 5060<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 &&<br />
> [domain.ch] == [127.0.0.1]<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise<br />
> 0) matches port 5060<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 &&<br />
> [domain.ch] == [<IP_ADDRESS_OF_KAMAILIO>]<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: <core><br />
> [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise<br />
> 0) matches port 5060<br />
><br />
> Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: <script>:<br />
> ---------------------- from_uri==myself evaluated as<br />
> TRUE!! ----------------------<br />
<br />
<br />
Is this really a complete log? According to the log uri==myself should <br />
return FALSE as the compared strings are never the same.<br />
<br />
> When I set alias=server.domain.ch:5060, from_uri==myself returns false<br />
> (when determining if INVITE should be authenticated,resulting in<br />
> replying 100 trying instead of 407 Proxy Auth Req) and loose_route()<br />
> starts returning true and relays the ACK correctly.<br />
><br />
> I can post more debug from this case also, but I didn't want to spam so<br />
> much in one message.<br />
><br />
> If you would like to see it, please let me know.<br />
><br />
> So .. Shall I consider the loose_route() part fixed and assume that<br />
> there MUST be a full name (hostname.domain:port) in the alias, when<br />
> Kamailio is not used as a primary proxy for the domain?<br />
<br />
No. It is rather simple: domain.ch is not identical to domain.ch:5060 <br />
(as the first URI results in NAPTR+SRV lookups and my use another port <br />
than 5060).<br />
<br />
Thus, if you want that Kamailio detects domain.ch as local domain, add <br />
"alias=domain.ch". If you want that Kamailio detects domain.ch:5060 as <br />
local domain add alias=domain.ch:5060 (not sure if quotes are needed here).<br />
<br />
If you want that Kamailio accepts both domains as local domains, then <br />
add both alias.<br />
<br />
Regardind loose_route: As Daniel mentioned, the ACK is broken.<br />
<br />
regards<br />
Klaus<br />
<br />
><br />
> What about the from_uri==myself part?<br />
><br />
> Martin<br />
><br />
> ______________________________________________________________<br />
> > Od: "Klaus Darilion" <klaus.mailinglists@pernau.at><br />
> > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -<br />
> Users Mailing List" <sr-users@lists.sip-router.org><br />
> > Dátum: 23.08.2012 15:04<br />
> > Predmet: Re: [SR-Users] Possible bug in authentication<br />
> ><br />
><br />
> > CC: miconda@gmail.com<br />
><br />
> The Route URI (sent by SBC) must be identical to the Record-Route URI<br />
> (inserted by Kamailio).<br />
><br />
> To find out why loose_route returns FALSE increase log-level.<br />
> loose_route uses the "ismyself" function to evaluate if the Route header<br />
> addresses this Kamailio server. And the "ismyself" is very verbose when<br />
> doing this check.<br />
><br />
> regards<br />
> Klaus<br />
><br />
> On 23.08.2012 13:51, martian@centrum.sk wrote:<br />
> > Ok, so .. I have a session border controller device that is a contact<br />
> > point for my SIP domain (SRV record in DNS set to its IP). All the<br />
> > trafic goes through it and it does things like topology hiding etc.. The<br />
> > device forwards the INVITE messages to Kamailio, because of the routing.<br />
> ><br />
> > The loose_route was working strangely, because it did not behave as<br />
> > described in the documentation.<br />
> ><br />
> > Here is the sip message that it was suppose to pass:<br />
> ><br />
> > ACK sip:acc1@domain.ch:5060 SIP/2.0<br />
> ><br />
> > Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013<br />
> ><br />
> > Max-Forwards: 70<br />
> ><br />
> > From: "acc2" <sip:acc2@domain.ch>;tag=1c1749458918<br />
> ><br />
> > To: <sip:acc1@<IP_ADRESS_OF_KAMAILIO>;user=phone>;tag=1c1892801634<br />
> ><br />
> > Call-ID: 17494024742382012111116@<IP_ADDRESS_OF_SBC><br />
> ><br />
> > CSeq: 2 ACK<br />
> ><br />
> > Contact: <sip:acc2@domain.ch:5060><br />
> ><br />
> > Route: <sip:<IP_ADDRESS_OF_KAMAILIO>;lr=on><br />
> ><br />
> > Supported: em,timer,replaces,path,resource-priority<br />
> ><br />
> > Allow:<br />
> ><br />
> REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE<br />
> ><br />
> > User-Agent: SBC_DEVICE<br />
> ><br />
> > Content-Length: 0<br />
> ><br />
> > As you can see, there is a Route header and a To_tag .. so the<br />
> > loose_route function should return true. But instead, it returned false,<br />
> > then t_check_trans() also returned false and the routing logic exited<br />
> > (exit;).<br />
> ><br />
> > This happens when the value of alias is not enclosed in double quotes.<br />
> ><br />
> > PS.: There is a "-" symbol in the domain name. Can't that be a problem<br />
> > causing the need for the double quotes?<br />
> ><br />
> > PS2: Should there be only a domain name in the alias? or also the<br />
> > hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060<br />
> ><br />
> > Martin<br />
> ><br />
> > ______________________________________________________________<br />
> > > Od: "Daniel-Constantin Mierla" <miconda@gmail.com><br />
> > > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -<br />
> > Users Mailing List" <sr-users@lists.sip-router.org><br />
> > > Dátum: 23.08.2012 12:21<br />
> > > Predmet: Re: [SR-Users] Possible bug in authentication<br />
> > ><br />
> ><br />
> > Hello,<br />
> ><br />
> > On 8/23/12 11:54 AM, martian@centrum.sk <mailto:martian@centrum.sk><br />
> wrote:<br />
> ><br />
> > Hello to everybody.<br />
> ><br />
> > I am currently working with Kamailio 3.3.1 on RedHat.<br />
> ><br />
> > The "loose_route" function was not working correctly and I observed<br />
> > some very strange behaviour (not as one described in the<br />
> > documentation of the function).<br />
> ><br />
> > I have found that there needs to be a port included in the "alias"<br />
> > variable for the loose_route function to work correctly.<br />
> ><br />
> > However, upon adding the port to alias, the INVITE messages were no<br />
> > longer authenticated (Kamailio just accepted them and didn't send<br />
> > proxy-auth header in 407 message).<br />
> ><br />
> > My alias:<br />
> ><br />
> > alias="domain.ch:5060"<br />
> ><br />
> > Examining default routing logic, I found the problem here:<br />
> ><br />
> > if (is_method("REGISTER") || from_uri==myself)<br />
> ><br />
> > {<br />
> ><br />
> > # authenticate requests<br />
> ><br />
> > ...<br />
> ><br />
> > }<br />
> ><br />
> > The "from_uri==myself" was no longer evaluated as true, because<br />
> > there was a port at the end of the alias.<br />
> ><br />
> > The FROM Header of the INVITE messages looks like:<br />
> ><br />
> > From: "acc1" <sip:acc1@domain.ch>;tag=12345<br />
> ><br />
> > ..so .. no port number there.<br />
> ><br />
> > Btw, I have fixed this with replacing the "myself" list with my own<br />
> > defined variable MY_DOMAIN.<br />
> ><br />
> > #!define MY_DOMAIN ".*@domain.ch" <mailto:.*@domain.ch><br />
> ><br />
> > So now the condition looks like this:<br />
> ><br />
> > if (is_method("REGISTER") || from_uri=~MY_DOMAIN)<br />
> ><br />
> > {<br />
> ><br />
> > ...<br />
> ><br />
> > }<br />
> ><br />
> > I am not sure if this is a bug that needs to be fixed or not. I am<br />
> > just pointing my finger at it and I hope it will contribute to the<br />
> > development.<br />
> ><br />
> > Also, a valid description of this behavior (when using port in<br />
> > alias) would be appreciated.<br />
> ><br />
> ><br />
> > if you enclose the value of the alias parameter in double quotes, then<br />
> > it is taken as string value. If you want to set it to a host:port, then<br />
> > remove the double quotes:<br />
> ><br />
> > alias=domain.ch:5060<br />
> ><br />
> ><br />
> > Why do you say the loose_route() was working strangely? Do you add the<br />
> > hostname as record-route, not the IP address? Detail more about what you<br />
> > think is wrong with record routing/loose routing.<br />
> ><br />
> ><br />
> > Cheers,<br />
> > Daniel<br />
> ><br />
> > -- Daniel-Constantin Mierla<br />
> -<a href="http://www.asipto.comhttp//twitter.com/">http://www.asipto.comhttp://twitter.com/#</a><br />
> <<a href="http://www.asipto.comhttp//twitter.com/">http://www.asipto.comhttp//twitter.com/</a>>!/miconda<br />
> -<a href="http://www.linkedin.com/in/micondaKamailio">http://www.linkedin.com/in/micondaKamailio</a> Advanced Training, Berlin,<br />
> Nov 5-8, 2012 -<a href="http://asipto.com/u/kat">http://asipto.com/u/kat</a><br />
> ><br />
> ><br />
> ><br />
> > _______________________________________________<br />
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br />
> > sr-users@lists.sip-router.org<br />
> > <a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br />
> ><br />
></p>