Re: [asterisk-users] Initial REGISTER Request: Contains Credentials before 401: KDDI Japan

2013-05-16 Thread Matthew J. Roth
Brian,

 KDDI does provide a list of supported equipment and vendors.  Specific
 hardware or license based software products that quickly become cost
 prohibitive.
 
 I doubt that Asterisk will find it's way on the list any time soon.  Because
 KDDI follows the traditional big telco method of interoperability, which
 normally means licensing products for use on their network.

That's exactly the sort of thing that the industry should be evolving away from.
For now, this should help quiet KDDI's complaints.

Here is a small patch to the transmit_register() function in chan_sip.c that
prevents adding an Authorization header to the initial REGISTER request:


--- certified-asterisk-1.8.15-cert1/channels/chan_sip.c.orig2013-05-16 
16:30:12.0 -0400
+++ certified-asterisk-1.8.15-cert1/channels/chan_sip.c 2013-05-16 
16:57:49.0 -0400
@@ -13620,6 +13620,8 @@
if (!ast_strlen_zero(global_useragent))
add_header(req, User-Agent, global_useragent);

+/* Never add auth header to the initial REGISTER request */
+if (r-regattempts) {
if (auth) {  /* Add auth header */
add_header(req, authheader, auth);
} else if (!ast_strlen_zero(r-nonce)) {
@@ -13647,6 +13649,7 @@
 ast_log(LOG_NOTICE, No authorization available for 
authentication of registration to %s@%s\n, r-username, r-hostname);
}
}
+}

snprintf(tmp, sizeof(tmp), %d, r-expiry);
add_header(req, Expires, tmp);


I tested it to make sure it works as advertised, but not thoroughly enough to
be completely confident that there are no side effects.  At the very least, it
should be a good starting point for a more robust patch.

Here is a SIP trace of the REGISTER dialog when Asterisk starts or when 'sip
reload' is entered at the CLI.


17:03:39.279847 IP astdev.imminc.com.sip  ekiga.net.sip: SIP, length: 381
REGISTER sip:ekiga.net SIP/2.0
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK0f4587f3;rport
Max-Forwards: 70
From: sip:regt...@ekiga.net;tag=as1f2818c1
To: sip:regt...@ekiga.net
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 104 REGISTER
User-Agent: Asterisk PBX 1.8.15-cert1
Expires: 120
Contact: sip:s@192.168.1.1:5060
Content-Length: 0


17:03:39.370575 IP ekiga.net.sip  astdev.imminc.com.sip: SIP, length: 462
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK0f4587f3;rport=42521
From: sip:regt...@ekiga.net;tag=as1f2818c1
To: sip:regt...@ekiga.net;tag=c64e1f832a41ec1c1f4e5673ac5b80f6.9b08
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 104 REGISTER
WWW-Authenticate: Digest realm=ekiga.net, 
nonce=519549c961b09f86679289f055e42960ed06592c052d
Server: Kamailio (1.5.3-notls (i386/linux))
Content-Length: 0


17:03:39.403113 IP astdev.imminc.com.sip  ekiga.net.sip: SIP, length: 582
REGISTER sip:ekiga.net SIP/2.0
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK32be996c;rport
Max-Forwards: 70
From: sip:regt...@ekiga.net;tag=as36aa89ae
To: sip:regt...@ekiga.net
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 105 REGISTER
User-Agent: Asterisk PBX 1.8.15-cert1
Authorization: Digest username=regtest, realm=ekiga.net, algorithm=MD5, 
uri=sip:ekiga.net, nonce=519549c961b09f86679289f055e42960ed06592c052d, 
response=e477ad0f835211b06d750a8c3edf88ea
Expires: 120
Contact: sip:s@192.168.1.1:5060
Content-Length: 0


17:03:39.495126 IP ekiga.net.sip  astdev.imminc.com.sip: SIP, length: 399
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.1:5060;branch=z9hG4bK32be996c;rport=42521
From: sip:regt...@ekiga.net;tag=as36aa89ae
To: sip:regt...@ekiga.net;tag=c64e1f832a41ec1c1f4e5673ac5b80f6.bf7b
Call-ID: 5f37c0dc188cdd5c02a9a092148ef217@192.168.1.1
CSeq: 105 REGISTER
Contact: sip:s@192.168.1.1:5060;expires=600
Server: Kamailio (1.5.3-notls (i386/linux))
Content-Length: 0


I hope this helps you convince KDDI that Asterisk is a legitimate VoIP platform.
Please reply and let me know how it goes.

Regards,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


[asterisk-users] Initial REGISTER Request: Contains Credentials before 401: KDDI Japan

2013-05-15 Thread Brian LaVallee
Hi Matthew,

Thanks for the response.

 From: Matthew J. Roth mr...@imminc.com
 Reply-To: Asterisk Users Mailing List - Non-Commercial Discussion
 asterisk-users@lists.digium.com
 Date: Wed, 15 May 2013 12:28:11 -0500 (CDT)
 To: Asterisk Users Mailing List - Non-Commercial Discussion
 asterisk-users@lists.digium.com
 Subject: Re: [asterisk-users] Initial REGISTER Request: Contains Credentials
 before 401
 
 Brian LaVallee wrote:
 
 My SIP provider is not happy that credentials (in the Authorization header
 field) are provided in the initial REGISTER request.
 
 The SIP provider ONLY wants the credentials AFTER rejecting the message with
 a 401.
 
 I know it's dumb, because the RFC says that the the initial REGISTER message
 MAY include credentials.  If it fails, the proper authentication method is
 included in the 401.  I know there is nothing wrong, it is how SIP is
 supposed to work.
 
 Who is your SIP provider?  They need to be called out so that other Asterisk
 users can avoid them.  This tendency to flip the customer/vendor relationship
 on
 its head must be discouraged.

The SIP provider is KDDI Japan.

 However I would like to keep my SIP provider from complaining.
 
 The only thing they should complain about is if you don't pay your bill on
 time.
 
 Asterisk is NOT SUPPORTED by the SIP provider.
 
 The REGISTER request was successful so, at least from a practical standpoint,
 the provider does support Asterisk.  It would be ideal if all providers
 officially supported Asterisk, but this is just one example of how it's not
 worth trying to please everyone.

I know that the SIP provider is being overly diligent to prevent toll-fraud,
but some of their complaints about normal SIP communications have been
outrageous.  

I don't want to go into it, but KDDI has actually complained that the REPLY
to the 401 was too fast.
 
 Does anyone in the Asterisk community know how to avoid sending the
 credentials until AFTER receiving a 401?
 
 Edit the source.  I'm sorry to be blunt, but I really can't see the developers
 adding another option to sip.conf just to satisfy such a pointless request.
 
 Any suggestions would be appreciated!
 
 Ask the provider what platforms are supported.  Pick one of them and use it
 to
 configure the useragent and sdpsession options in sip.conf.  Or look for
 another provider that doesn't waste your time complaining about RFC-compliant
 behavior.  

KDDI does provide a list of supported equipment and vendors.  Specific
hardware or license based software products that quickly become cost
prohibitive.

I doubt that Asterisk will find it's way on the list any time soon.  Because
KDDI follows the traditional big telco method of interoperability, which
normally means licensing products for use on their network.

 Regards,
 
 Matthew Roth
 InterMedia Marketing Solutions
 Software Engineer and Systems Developer
 --
 _
 -- Bandwidth and Colocation Provided by http://www.api-digital.com --
 New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
 
 asterisk-users mailing list
 To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users





--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users