> David Harris wrote:
>
> If an H.323 or MGCP originator calls a SIP user agent through a
> gateway, I am thinking the messaging should go from the gateway to a
> SIP proxy server and then to the SIP user agent. My guess is that
> registering all possible originators from the gateway wouldn't be a
> valid solution so if the proxy server is authenticating INVITEs, how
> is authenticating an INVITE from a gateway handled?
This is a good question; one that we have mentioned in passing here and
there, but for which we have not yet settled on a solution.
Let me rephrase the problem. A user makes a call from a PSTN phone
through a PSTN->SIP gateway. This call arrives at a proxy server, then
gets routed to a UAS. Either or both of the proxy/UAS might challenge
this request. In this case, who is being authenticated, the gateway
itself, or the user calling in through the gateway? If it's the user
themselves, how would that work?
One might argue that authentication of a gateway by a proxy is useless;
really in this case you want a hop by hop security mechanism like IPSec
or TLS, and forgo completely the high overhead SIP authentication for
each message. Then again, in the absence of support for IPSec or TLS,
SIP proxy authentication might provide a way to authenticate the gateway
from a proxy.
It also seems unlikely the UAS would really be interested in
authenticating the originating gateway.
So, given there are useful cases for authenticating both the gateway and
the user calling in through the gateway, how do we know which is being
challenged?
Some options:
1. The realm indicates this. For example, a realm of "gateway" would
indicate that the gateway is being authenticated, "user" means the user.
We wouldn't need to standardize the actual words here, but rather
standardize that the realm would indicate which was the case through
administrative configuration.
2. Use a different response code for each case. Probably not a great
idea.
3. Others?
I'll also note that this problem is not limited to gateways - it's the
fundamental issue of whether you authenticate a device or a user, and
could equally well apply to a softphone application, single line
gateway, and trunking gateway.
Thoughts on this issue?
-Jonathan R.
--
Jonathan D. Rosenberg 72 Eagle Rock Ave.
Chief Scientist First Floor
dynamicsoft East Hanover, NJ 07936
[EMAIL PROTECTED] FAX: (973) 952-5050
http://www.cs.columbia.edu/~jdrosen PHONE: (732) 741-7244
http://www.dynamicsoft.com
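As an added illustration of option 1 above (not code from the original thread or from any of the participants), the following Python sketch shows a proxy's 407 challenge being answered by the gateway side, which picks which set of credentials to present purely from the realm in the challenge, and the proxy side verifying the resulting Proxy-Authorization. The realm labels "gateway" and "user", the usernames, passwords, nonce, request URI and the 407 message itself are all constructed for the example; the Digest computation follows the RFC 2617 MD5 form without qop or opaque, which is a simplification.

```python
import hashlib
import hmac
import re

# Constructed credentials for the two entities the post says might be
# challenged. The realm strings "gateway" and "user" are the hypothetical
# labels from option 1; they are not standardized values.
CREDENTIALS = {
    "gateway": {"username": "pstn-gw-1", "password": "gw-secret"},  # constructed
    "user": {"username": "alice", "password": "alice-secret"},      # constructed
}

# A constructed 407 as a proxy might emit it (Digest, MD5, no qop).
CHALLENGE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Digest realm="gateway", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5\r\n'
    "\r\n"
)

# Matches name="quoted value" or name=token inside a Digest header value.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value):
    """Return the parameters of a Digest header value as a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest is handled in this example")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def find_challenge(message):
    """Locate the Proxy-Authenticate / WWW-Authenticate header in a response."""
    for line in message.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("proxy-authenticate", "www-authenticate"):
            return parse_digest_params(value)
    raise ValueError("no Digest challenge found")


def _md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def answer_challenge(message, method, uri, creds=CREDENTIALS):
    """Gateway side: choose credentials by realm and build Proxy-Authorization."""
    params = find_challenge(message)
    realm = params["realm"]
    if realm not in creds:
        raise KeyError(f"no credentials configured for realm {realm!r}")
    c = creds[realm]
    resp = digest_response(c["username"], realm, c["password"],
                           params["nonce"], method, uri)
    return (f'Proxy-Authorization: Digest username="{c["username"]}", '
            f'realm="{realm}", nonce="{params["nonce"]}", uri="{uri}", '
            f'response="{resp}", algorithm=MD5')


def verify_authorization(header_line, method, creds_lookup, issued_nonce):
    """Proxy side: recompute the response for the realm/username presented.

    creds_lookup(realm, username) returns the password or None. The nonce
    must be the one this proxy issued, so a replayed header with a stale
    nonce is rejected.
    """
    _, _, value = header_line.partition(":")
    params = parse_digest_params(value)
    if params.get("nonce") != issued_nonce:
        return False
    password = creds_lookup(params["realm"], params["username"])
    if password is None:
        return False
    expected = digest_response(params["username"], params["realm"], password,
                               params["nonce"], method, params["uri"])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, params["response"])


if __name__ == "__main__":
    hdr = answer_challenge(CHALLENGE_407, "INVITE", "sip:bob@example.com")
    print(hdr)
```

The point of keying on the realm is that the gateway never has to guess whether the proxy wants the gateway's own identity or the calling user's: a challenge with realm "user" would make `answer_challenge` present the user's credentials instead, assuming the gateway holds them, and the proxy's `creds_lookup` is what ties each realm to the right credential store.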