2008/8/19, Vivek Batra <[EMAIL PROTECTED]>:
> Hi,
>
> I have a query regarding the challenge response mechanism (digest authentication,
> MD5) in SIP as follows:
>
> A and B are SIP clients registered with B2BUA.
>
> A calls B and sends INVITE to B2BUA. B2BUA challenges INVITE with response
> 407 Auth.

Suppose B2BUA challenges with realm="realm_b2bua".

> A again sends the INVITE with authentication header (say H1) and required
> credentials to B2BUA.
>
> B2BUA sends this INVITE to B.
>
> B has a capability to challenge the INVITE (like Linksys 3102 etc). So, B
> sends the response 407 Auth. to B2BUA.

Suppose B challenges with realm="realm_b".

> B2BUA passes this response viz 407 to A.
>
> A again generates the INVITE with authentication header (say H2) and sends
> it to B2BUA.

> Now my question is 'What should be the implementation in A regarding
> Authentication Header. Should A include only authentication header H2 in
> INVITE or both H1 and H2?'

If A doesn't include H1 then B2BUA will challenge it again. A must include both H1 and H2.

> In both the cases whether A includes H1 or H1 and H2 as Authentication
> Header in INVITE, what should be the implementation in B2BUA when it receives
> this INVITE from A since B2BUA has already authenticated the caller viz
> A??

How does B2BUA know it has already authenticated A before? Digest mechanism doesn't work as a "session". The caller must include (Proxy-)Authentication header in any request; if not, the proxy or UAS (B2BUA) will challenge it.

The behaviour is what you describe but:

- When 403 from B arrives to B2BUA, B2BUA could resend the request with Authorization header since B2BUA is a UAC when talking with B. Anyway B2BUA could also send the 403 to A (it's an implementer's decision).

- When 403 from B arrives to A, A must re-generate the request with two (Proxy-)Authorization headers: one for "realm_b2bua" and other one for "realm_b".

- B2BUA will test the credentials for its realm "realm_b", and for this scenario to work, B2BUA must bypass the other Authorization header to B (with "realm_b") so B will test those credentials.

Anyway you are mixing a proxy behaviour with a B2BUA behaviour. It sounds more logical that B2BUA performs the authentication when B replies a 403 (because B replies to B2BUA, not to A).

Regards.

--
Iñaki Baz Castillo
<[EMAIL PROTECTED]>
_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
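
The per-realm check discussed in this message, as an added example that is not part of the original thread: A's INVITE carries one Proxy-Authorization header per realm, each hop verifies only the header for its own realm and leaves the rest for the next hop. It assumes RFC 2617 MD5 digest without qop; the user name, passwords, nonces, URI and the helper names (`check_realm`, `third_invite`) are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def build_header(user, realm, password, nonce, method, uri):
    resp = digest_response(user, realm, password, nonce, method, uri)
    return (f'Proxy-Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')

def parse_header(line):
    return dict(re.findall(r'(\w+)="?([^",]+)"?', line.split("Digest ", 1)[1]))

def check_realm(headers, my_realm, passwords, my_nonces, method, uri):
    """Verify the credential for my_realm; return (ok, headers for other realms)."""
    ok, others = False, []
    for line in headers:
        p = parse_header(line)
        if p["realm"] != my_realm:
            others.append(line)      # not ours: left for the next hop to test
            continue
        pw = passwords.get(p["username"])
        if pw is None or p["nonce"] not in my_nonces or p["uri"] != uri:
            continue                 # unknown user, nonce we never issued, or URI mismatch
        want = digest_response(p["username"], my_realm, pw, p["nonce"], method, uri)
        ok = ok or hmac.compare_digest(want, p["response"])
    return ok, others

# Constructed sample values (not from the thread)
URI = "sip:b@example.invalid"
H1 = build_header("alice", "realm_b2bua", "pw-at-b2bua", "nonce-1", "INVITE", URI)
H2 = build_header("alice", "realm_b", "pw-at-b", "nonce-2", "INVITE", URI)

def third_invite(headers):
    """Run the INVITE through the B2BUA check, then B's check on what is passed on."""
    ok_b2bua, passed_on = check_realm(headers, "realm_b2bua", {"alice": "pw-at-b2bua"}, {"nonce-1"}, "INVITE", URI)
    ok_b, _ = check_realm(passed_on, "realm_b", {"alice": "pw-at-b"}, {"nonce-2"}, "INVITE", URI)
    return ok_b2bua, ok_b

if __name__ == "__main__":
    print("H1 + H2:", third_invite([H1, H2]))   # both realms satisfied
    print("H2 only:", third_invite([H2]))       # B2BUA check fails, so it would challenge again
```

Because every check is recomputed from the headers in the request itself, nothing here depends on the B2BUA remembering an earlier successful INVITE, which is why a request carrying only H2 fails the first hop.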
