----- Original Message ----- 
From: <[EMAIL PROTECTED]>
To: <sip-implementors@lists.cs.columbia.edu>
Sent: Wednesday, January 09, 2008 6:28 AM
Subject: Sip-implementors Digest, Vol 58, Issue 8


> Today's Topics:
>
>    1. Any reference docs about SIP protocol interaction in CDMA
>       Authentication Call Flows (NC Reddy)
>    2. Authorization with qop=auth (Stephen C. Steel)
>    3. Re: Using domain names in Contact URI (Raj Jain)
>    4. Re: Using domain names in Contact URI (Raj Jain)
>    5. Re: Using domain names in Contact URI (Raj Jain)
>    6. Re: Using domain names in Contact URI (Raj Jain)
>    7. Re: Authorization with qop=auth (Brett Tate)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 8 Jan 2008 18:06:20 -0500
> From: "NC Reddy" <[EMAIL PROTECTED]>
> Subject: [Sip-implementors] Any reference docs about SIP protocol
> interaction in CDMA Authentication Call Flows
> To: sip-implementors@lists.cs.columbia.edu
> Message-ID:
> <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>     Any reference on SIP-CDMA-AUTH Call Flows doc.
>
> Thanks in Advance.
>
> Regards
> Channa
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 8 Jan 2008 17:16:35 -0500
> From: "Stephen C. Steel" <[EMAIL PROTECTED]>
> Subject: [Sip-implementors] Authorization with qop=auth
> To: <sip-implementors@lists.cs.columbia.edu>
> Message-ID: <[EMAIL PROTECTED]@kvs.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I have been testing a SIP application, and I've been having trouble with
> authorization. Most servers seem to send a basic "WWW-Authenticate:" header
> without an entry for qop, and the application authenticates with these
> servers without any problem.
>
> One particular SIP/PSTN gateway service provider has a server which
> includes qop="auth" in the "WWW-Authenticate:" header of its responses.
> The application seems to respond appropriately: the resulting
> "Authorization:" header now includes qop=auth, as  well as entries for
> cnonce and nc. However, these requests always generate a
> "401 Unauthorized" response. So, either my credentials are wrong,
> or the application is calculating the response incorrectly,
> or the server is verifying the response incorrectly.
>
> I'm quite sure I have the correct credentials (user and password) for this
> service. If I use an older version of the application that doesn't
> support qop, it authenticates fine.
>
> Is there a publicly available known-good server I could test my application
> against to help decide whether my application or the server is at fault?
>
> Thanks,
> Stephen C. Steel
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 8 Jan 2008 18:29:25 -0500
> From: "Raj Jain" <[EMAIL PROTECTED]>
> Subject: Re: [Sip-implementors] Using domain names in Contact URI
> To: <[EMAIL PROTECTED]>,
> <sip-implementors@lists.cs.columbia.edu>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> > You say "Our goal is to bind hundreds of Contact URIs to one AoR."
> > without specifying what those contact URIs might be.  Would
> > it be possible to use one base URI but to create many
> > different derived URIs by adding a URI-parameter?
>
> Not really. Each Contact URI contains a distinct IP address. They can not be
> derived by automata. That's why we need to pre-configure the Registrar
> out-of-band.
>
> > In any case, if you want useful advice, you should describe
> > more of the problem -- it is likely that determining a "good"
> > solution requires understanding why you think you need to
> > register hundreds of contacts for an AOR.  Otherwise, all we
> > can say is "What you have suggested doesn't seem like it is
> > going to work well."
>
> Fair. Let me write up a bit more about the problem.
>
> --
> Raj Jain
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 8 Jan 2008 18:46:56 -0500
> From: "Raj Jain" <[EMAIL PROTECTED]>
> Subject: Re: [Sip-implementors] Using domain names in Contact URI
> To: "'John Aronsson'" <[EMAIL PROTECTED]>,
> <sip-implementors@lists.cs.columbia.edu>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> > Of course you can use a username and a FQDN in the contact.
>
> True, as far as the SIP ABNF goes. I guess, I found it a bit unusual to use
> FQDNs in Contact (and as an analogy in Via). These headers are meant to
> identify an actual device. Are there any examples of systems where FQDNs are
> used in Contact?
>
> With Via, at least we have the received= parameter so we don't need to do a
> DNS lookup when it comes to delivering a response. However, if the Contact
> contains an FQDN then the UAC/Proxy will need to do a DNS (RFC 3263) lookup
> to deliver a request to the UAS. This could result in a mid-dialog request
> being routed to a whole different device than what the AoR wanted.
>
> --
> Raj
>
>
> > Without it, i.e. using IP-addresses, proxies would be quite
> > handicapped.
> >
> > Let me quote 3261:
> >
> >
> > "The location service is just an abstract concept.  It generally
> >    contains information that allows a proxy to input a URI
> > and receive a
> >    set of zero or more URIs that tell the proxy where to send the
> >    request.  Registrations are one way to create this information, but
> >    not the only way.  Arbitrary mapping functions can be configured at
> >    the discretion of the administrator.
> >
> >    Finally, it is important to note that in SIP, registration is used
> >    for routing incoming SIP requests and has no role in authorizing
> >    outgoing requests.  Authorization and authentication are handled in
> >    SIP either on a request-by-request basis with a challenge/response
> >    mechanism, or by using a lower layer scheme as discussed in Section
> >    26."
> >
> > But, I have a feeling You're after something else, but don't
> > know what :-)
> >
> > John Aronsson
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On behalf of Raj Jain
> > Sent: January 7, 2008 20:50
> > To: [EMAIL PROTECTED]
> > Cc: sip-implementors@lists.cs.columbia.edu
> > Subject: Re: [Sip-implementors] Using domain names in Contact URI
> >
> > On Jan 7, 2008 1:54 PM,  <[EMAIL PROTECTED]> wrote:
> > >    I'm not sure whether it makes sense to use domain names in a
> > >    Contact URI. The SIP ABNF allows it. Any thoughts or suggestions on
> > >    this?
> > >
> > > It is legal to do so, and it is mandatory that a registrar/proxy
> > > support it correctly, as the registrar does not control the contact
> > > addresses that UAs will present to it.
> >
> > Define "support it correctly". If my Registrar uses its own
> > database to resolve a domain name in a Contact URI instead of
> > querying DNS, then am I violating any normative statements
> > made in any RFC?
> >
> > > I don't know what the constraints in your design are, but have you
> > > considered using a URI-parameter?  If your redirection service carries
> > > the URI-parameter from the AOR to the registered contact, then you can
> > > have an unlimited number of different SIP URIs that map through one
> > > registration to distinct contact URIs.
> >
> > Let me try to understand this. We didn't really have a
> > redirection service in mind. We were thinking that a
> > Registrar and a Proxy will be sufficient. Our goal is to bind
> > hundreds of Contact URIs to one AoR.
> > We're saying that we can't carry all those Contact URIs
> > in-line in a REGISTER message so let's carry them "indirectly"
> > and use an OOB mechanism. I'm not sure how a Redirection
> > Service, URI parameter helps this situation.
> >
> > --
> > Thanks,
> > Raj
> > _______________________________________________
> > Sip-implementors mailing list
> > Sip-implementors@lists.cs.columbia.edu
> > https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
> >
> >
> >
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 8 Jan 2008 19:14:15 -0500
> From: "Raj Jain" <[EMAIL PROTECTED]>
> Subject: Re: [Sip-implementors] Using domain names in Contact URI
> To: "'Paul Kyzivat'" <[EMAIL PROTECTED]>
> Cc: sip-implementors@lists.cs.columbia.edu
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> [EMAIL PROTECTED] wrote:
> > Reading between the lines, this sounds like the goal is for a
> > "pbx" to register with a proxy, and then for the proxy to
> > route calls for a block of numbers to that pbx.
>
> You're close. It's a key telephone system.
>
> > The sip forum addressed this to some extent in a spec known
> > as SIPConnect. (But IMO they botched it a bit.)
>
> The SIPConnect spec doesn't address our problem. In our case, the switching
> system and the proxy/registrar are sitting in the same domain. This is an
> intra-domain problem. The SIPConnect spec describes how a SIP PBX connects
> to a SIP Service Provider (SSP). Outbound registrations from an enterprise
> to the SSP are OPTIONAL in SIPConnect anyway.
>
> > If I have the scenario right, the problem is that you want to
> > register once, but then after calls have been routed by the
> > proxy to the pbx, it needs to be able to determine which AOR
> > had been called, so it can route to the proper phone/contact.
> >
> > Have I guessed right?
>
> Not exactly. The issue is the multiplicity of the Contacts bound to an AoR
> and not figuring out an AoR on the fly. When the call comes into the proxy,
> it comes to a known AoR. The proxy can now choose one among hundreds of IP
> addresses to push the call to that AoR.
>
> The fundamental issue is how to tell the Location Service that a particular
> AoR can be reached by hundreds of IP addresses. We said it is impractical to
> carry all the IP addresses in a REGISTER so let's put them in the Location
> Service using some out-of-band mechanism, and then use REGISTER to turn the
> bindings on or off. Using an FQDN (which may not exist in DNS) in the
> Contact: is a subtly different point, but I think it seems okay to do so.
>
> --
> Raj
>
>
> >
> > [EMAIL PROTECTED] wrote:
> > >    From: "Raj Jain" <[EMAIL PROTECTED]>
> > >
> > >    On Jan 7, 2008 1:54 PM,  <[EMAIL PROTECTED]> wrote:
> > >    >    I'm not sure whether it makes sense to use domain names in a
> > >    >    Contact URI. The SIP ABNF allows it. Any thoughts or suggestions on
> > >    >    this?
> > >    >
> > >    > It is legal to do so, and it is mandatory that a
> > registrar/proxy
> > >    > support it correctly, as the registrar does not
> > control the contact
> > >    > addresses that UAs will present to it.
> > >
> > >    Define "support it correctly". If my Registrar uses its
> > own database
> > >    to resolve a domain name in a Contact URI instead of
> > querying DNS,
> > >    then am I violating any normative statements made in any RFC?
> > >
> > > I suppose it depends on what is in the database.  If that
> > matches what
> > > DNS returns, or it is correct in the context for domain
> > names that the
> > > Registrar has some knowledge about, that would seem OK.
> > >
> > >    > I don't know what the constraints in your design are, but have you
> > >    > considered using a URI-parameter?  If your redirection service carries
> > >    > the URI-parameter from the AOR to the registered contact, then you can
> > >    > have an unlimited number of different SIP URIs that map through one
> > >    > registration to distinct contact URIs.
> > >
> > >    Let me try to understand this. We didn't really have a redirection
> > >    service in mind. We were thinking that a Registrar and a Proxy will be
> > >    sufficient. Our goal is to bind hundreds of Contact URIs to one AoR.
> > >    We're saying that we can't carry all those Contact URIs in-line in a
> > >    REGISTER message so let's carry them "indirectly" and use an OOB
> > >    mechanism. I'm not sure how a Redirection Service, URI parameter helps
> > >    this situation.
> > >
> > > You say "Our goal is to bind hundreds of Contact URIs to one AoR."
> > > without specifying what those contact URIs might be.  Would it be
> > > possible to use one base URI but to create many different
> > derived URIs
> > > by adding a URI-parameter?
> > >
> > > In any case, if you want useful advice, you should describe more of
> > > the problem -- it is likely that determining a "good" solution
> > > requires understanding why you think you need to register
> > hundreds of
> > > contacts for an AOR.  Otherwise, all we can say is "What you have
> > > suggested doesn't seem like it is going to work well."
> > >
> > > Dale
> > >
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 8 Jan 2008 19:36:23 -0500
> From: "Raj Jain" <[EMAIL PROTECTED]>
> Subject: Re: [Sip-implementors] Using domain names in Contact URI
> To: "'Raj Jain'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> <sip-implementors@lists.cs.columbia.edu>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> I promised I'll provide more background about the question I raised:
>
> It's a key telephone system. We live and breathe Shared Line Appearances.
> The system is fully-distributed with no central point of control,
> whatsoever. The system is comprised of tiny trunk cards (due to legacy
> reasons) that have now been converted to SIP UAs. The system is highly
> scalable and as a result there can be hundreds of these SIP UA cards installed
> in a single system. These trunk cards are "created equal" - i.e. any one of
> them can take you to the same extension (AoR). An AoR is registered with the
> Registrar/Proxy when a user logs-in. To hide the multiplicity of these SIP
> UA cards from the external world we've fronted them with a SIP Proxy Server.
> The proxy server load balances traffic to these line cards in some fashion.
>
> --
> Raj
>
>
> > -----Original Message-----
> > From: Raj Jain [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 08, 2008 6:29 PM
> > To: '[EMAIL PROTECTED]';
> > 'sip-implementors@lists.cs.columbia.edu'
> > Subject: RE: [Sip-implementors] Using domain names in Contact URI
> >
> > > You say "Our goal is to bind hundreds of Contact URIs to one AoR."
> > > without specifying what those contact URIs might be.  Would it be
> > > possible to use one base URI but to create many different
> > derived URIs
> > > by adding a URI-parameter?
> >
> > Not really. Each Contact URI contains a distinct IP address.
> > They can not be derived by automata. That's why we need to
> > pre-configure the Registrar out-of-band.
> >
> > > In any case, if you want useful advice, you should describe more of
> > > the problem -- it is likely that determining a "good"
> > > solution requires understanding why you think you need to register
> > > hundreds of contacts for an AOR.  Otherwise, all we can say
> > is "What
> > > you have suggested doesn't seem like it is going to work well."
> >
> > Fair. Let me write up a bit more about the problem.
> >
> > --
> > Raj Jain
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 8 Jan 2008 19:57:47 -0500
> From: "Brett Tate" <[EMAIL PROTECTED]>
> Subject: Re: [Sip-implementors] Authorization with qop=auth
> To: <[EMAIL PROTECTED]>, <sip-implementors@lists.cs.columbia.edu>
> Message-ID:
> <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> There are numerous tools and clients such as SIPp
> (http://sipp.sourceforge.net/) and X-Lite
> (http://www.counterpath.com/xlite-overview.html); however I'm not sure
> which support qop.  Keep in mind that some products are more lenient
> than others concerning non compliances.
>
> A common qop problem relates to quotes.  You can compare your headers to
> rfc2617 section 3.5 or post them to the list.
>
> You can verify that the UAC is generating the correct digest response by
> following the rfc2617 algorithm and using
> "http://gtools.org/tool/md5-hash-generator/".  A decent summary of
> rfc2617 is within
> "http://en.wikipedia.org/wiki/Digest_access_authentication"; however the
> rfc better reflects the quote removal.
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of Stephen C. Steel
> > Sent: Tuesday, January 08, 2008 5:17 PM
> > To: sip-implementors@lists.cs.columbia.edu
> > Subject: [Sip-implementors] Authorization with qop=auth
> >
> > I have been testing a SIP application, and I've been having
> > trouble with authorization. Most servers seem to send a basic
> > "WWW-Authenticate:" header without an entry for qop, and the
> > application authenticates with these servers without any problem.
> >
> > One particular SIP/PSTN gateway service provider has a server
> > which includes qop="auth" in the "WWW-Authenticate:" header
> > of its responses.
> > The application seems to respond appropriately: the resulting
> > "Authorization:" header now includes qop=auth, as  well as
> > entries for cnonce and nc. However, these requests always generate a
> > "401 Unauthorized" response. So, either my credentials are
> > wrong, or the application is calculating the response
> > incorrectly, or the server is verifying the response incorrectly.
> >
> > I'm quite sure I have the correct credentials (user and
> > password) for this service. If I use an older version of the
> > application that doesn't support qop, it authenticates fine.
> >
> > Is there a publicly available known-good server I could test
> > my application against to help decide whether my application
> > or the server is at fault?
> >
> > Thanks,
> > Stephen C. Steel
> >
> >
> >
>
>
>
> ------------------------------
>
>
> End of Sip-implementors Digest, Vol 58, Issue 8
> ***********************************************
>
>
>
>
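
An offline way to do the check suggested in Message 7, as an added example that is not code from anyone in this thread: it parses an "Authorization:" value, strips the quotes before hashing, recomputes the rfc2617 request-digest with and without qop, and reports parameters that were quoted although the grammar gives them as bare tokens. The function names are this example's own, and the sample header is the rfc2617 section 3.5 test vector; for SIP, pass the SIP method (for example REGISTER) in place of GET.

```python
import hashlib
import hmac
import re

# name=value pairs: the value is a quoted-string or a bare token
PARAM = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s,]+)')
# RFC 2617 section 3.2.2 writes these as bare tokens in Authorization
BARE_IN_AUTHORIZATION = ("qop", "nc")


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header_value):
    """Return (params with surrounding quotes removed, misquoted names)."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params, misquoted = {}, []
    for name, raw in PARAM.findall(rest):
        name = name.lower()
        if raw.startswith('"'):
            if name in BARE_IN_AUTHORIZATION:
                misquoted.append(name)
            raw = raw[1:-1]  # quotes are syntax, never part of the hash input
        params[name] = raw
    return params, misquoted


def digest_response(p, method, password):
    """request-digest for algorithm=MD5, with qop=auth or without qop."""
    if p.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if "qop" not in p:  # RFC 2069 compatible form, no nc/cnonce in the hash
        return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")
    if p["qop"] != "auth":
        raise ValueError("only qop=auth is handled here")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def check_authorization(header_value, method, password):
    """Return (response matches, expected response, misquoted names)."""
    p, misquoted = parse_digest(header_value)
    expected = digest_response(p, method, password)
    ok = hmac.compare_digest(expected, p.get("response", "").lower())
    return ok, expected, misquoted


# Test vector from RFC 2617 section 3.5 (method GET, password "Circle Of Life")
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

if __name__ == "__main__":
    print(check_authorization(RFC2617_HEADER, "GET", "Circle Of Life"))
```

If the expected value differs from what the client sent, compare the intermediate strings fed to MD5; if it matches but the server still answers 401, the misquoted list and the server's own parsing are the next things to look at.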
