Sorry for my late reply. What I am referring to is the SIP OPTIONS that the P-CSCF (Kamailio IMS) sends to the UE after REGISTRATION is completed.

Our question is why the P-CSCF sends SIP OPTIONS to the UE using a normal TCP connection, not using the IPSEC/ESP connection? Below is the sample extracted from https://www.sharetechnote.com/html/IMS_SIP_Procedure_Reg_Auth_IPSec.html

After the "401 Unauthorized" sent from the P-CSCF to the UE, the UE sends the 2nd REGISTER to the P-CSCF through the IPSEC/ESP tunnel. The SUBSCRIBE and NOTIFY are all going through the IPSEC/ESP connection. But we observed that the P-CSCF sends the SIP OPTIONS healthcheck to the UE using an unprotected port, i.e. <P-CSCF IP>:5060 -> <UE IP>:port-c, where port-c is a port defined in the Security-Client on the SIP REGISTER from the UE.

[truncated]Security-Client: ipsec-3gpp; alg=hmac-md5-96; ealg=des-ede3-cbc; spi-c=3384516058; spi-s=2766124529; port-c=8001; port-s=8901,ipsec-3gpp; alg=hmac-md5-96; ealg=aes-cbc; spi-c=3384516058; spi-s=2766124529; port-c=8001; port-s=8
    [Security-mechanism]: ipsec-3gpp
        alg: hmac-md5-96
        ealg: des-ede3-cbc
        spi-c: 3384516058 (0xc9bb9dda)
        spi-s: 2766124529 (0xa4dfb5f1)
        port-c: 8001
        port-s: 8901
    [Security-mechanism]: ipsec-3gpp
        alg: hmac-md5-96
        ealg: aes-cbc
        spi-c: 3384516058 (0xc9bb9dda)
        spi-s: 2766124529 (0xa4dfb5f1)
        port-c: 8001
        port-s: 8901

Below is the packet flow between the UE (192.168.1.57) and the P-CSCF (168.168.168.66):

No. Time                       Source          SrcPort Destination     DstPort Protocol Length DSCP Info
6   2020-07-20 04:17:05.030865 192.168.1.57    32100   168.168.168.66  5060    SIP      662    CS0  Request: REGISTER sip:ims.mnc006.mcc454.3gppnetwork.org (1 binding)
8   2020-07-20 04:17:05.031415 168.168.168.66  5060    192.168.1.57    32100   SIP      397    4    Status: 100 Trying
12  2020-07-20 04:17:05.157922 168.168.168.66  5060    192.168.1.57    32100   SIP      927    4    Status: 401 Unauthorized - Challenging the UE

*** BELOW is through IPSEC/ESP ***

26  2020-07-20 04:17:06.606762 192.168.1.57    8001    168.168.168.66  6106    SIP      86     CS0  Request: REGISTER sip:ims.mnc006.mcc454.3gppnetwork.org (1 binding)
28  2020-07-20 04:17:06.607409 168.168.168.66  6106    192.168.1.57    8001    SIP      422    4    Status: 100 Trying
34  2020-07-20 04:17:06.741601 168.168.168.66  6106    192.168.1.57    8001    SIP      910    4    Status: 200 OK (9 bindings)
39  2020-07-20 04:17:07.182961 192.168.1.57    8001    168.168.168.66  6106    SIP      950    CS0  Request: SUBSCRIBE sip:454061110000...@ims.mnc006.mcc454.3gppnetwork.org
40  2020-07-20 04:17:07.186154 168.168.168.66  6106    192.168.1.57    8001    SIP      622    4    Status: 200 Subscription to REG saved
49  2020-07-20 04:17:07.195560 168.168.168.66  5106    192.168.1.57    8901    SIP/XML  1058   4    Request: NOTIFY sip:192.168.1.57:8901;alias=192.168.1.57~8001~1
50  2020-07-20 04:17:09.175092 192.168.1.57    8001    168.168.168.66  6106    SIP      950    CS0  Request: SUBSCRIBE sip:99999...@ims.mnc001.mcc001.3gppnetwork.org
51  2020-07-20 04:17:13.167390 192.168.1.57    8001    168.168.168.66  6106    SIP      950    CS0  Request: SUBSCRIBE sip:99999...@ims.mnc001.mcc001.3gppnetwork.org
52  2020-07-20 04:17:13.170202 168.168.168.66  6106    192.168.1.57    8001    SIP      622    4    Status: 200 Subscription to REG saved
61  2020-07-20 04:17:13.179940 168.168.168.66  5106    192.168.1.57    8901    SIP/XML  1058   4    Request: NOTIFY sip:192.168.1.57:8901;alias=192.168.1.57~8001~1
70  2020-07-20 04:17:13.659133 168.168.168.66  5106    192.168.1.57    8901    SIP/XML  1058   4    Request: NOTIFY sip:192.168.1.57:8901;alias=192.168.1.57~8001~1

*** The P-CSCF uses port 5060 as the source port to send SIP OPTIONS to UE tunnel port 8001; it is not going through the ESP/IPSEC tunnel. Why? This causes the UE to not respond to the SIP OPTIONS properly. ***

71  2020-07-20 04:17:18.432320 168.168.168.66  5060    192.168.1.57    8001    SIP      441    4    Request: OPTIONS sip:192.168.1.57:8901
72  2020-07-20 04:17:18.908989 168.168.168.66  5060    192.168.1.57    8001    SIP      441    4    Request: OPTIONS sip:192.168.1.57:8901
73  2020-07-20 04:17:19.909063 168.168.168.66  5060    192.168.1.57    8001    SIP      441    4    Request: OPTIONS sip:192.168.1.57:8901

On Tue, Jul 7, 2020 at 2:37 PM Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>
> Hello,
>
> On 30.06.20 00:21, BALL SUN wrote:
> > Hi
> >
> > During the testing with Kamailio IMS, we found that SUBSCRIBE and
> > NOTIFY message flow between UE and P-CSCF is shown below.
> >
> > SUBSCRIBE and its response: 192.168.1.102:9101 (port-c) ->
> > 192.168.2.66:6101 (port-s)
> > NOTIFY: 192.168.2.66:5101 (port-c) -> 192.168.1.102:9100 (port-s)
> >
> > Based on the SIP security, is it the expected behavior that they are
> > using port-c and port-s?
> >
> > The reason why we asked is because we found that the NOTIFY did not
> > properly propagate to the UE due to different port addresses.
> >
> > Does anyone have this experience? And how can we resolve it?
>
> Not sure what you refer to with port-c and port-s, but in Kamailio you have
> the option to enforce the local socket for sending the SIP messages out.
> See the force_send_socket(), set_send_socket() or $fs variable.
>
> Usually, the NOTIFY should be sent from the socket where the SUBSCRIBE
> was received.
>
> However, note that in case of TCP/TLS, the connections may use ephemeral
> ports, being different than the socket Kamailio is listening on.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
>
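The check the poster is doing by eye (which messages after the 401 challenge actually use the negotiated ipsec-3gpp port pairs) can be automated. The script below is an added example written for this thread; it is not Kamailio code and not from the original posts. It parses the Security-Client header quoted above, takes the UE's port-c/port-s from it, and walks a constructed, column-reduced copy of the capture to flag any post-challenge message whose (src, dst) port pair is not one of the four pairs an ipsec-3gpp SA set covers. The P-CSCF's own protected ports (port-c=5106, port-s=6106) are an assumption inferred from the NOTIFY and REGISTER flows, since the Security-Server header from the 401 is not shown in the thread; in a real audit they would come from that header.

```python
"""Flag post-challenge SIP messages that bypass the ipsec-3gpp port pairs.

Added example for the thread above, not Kamailio code. Assumptions:
  * UE protected ports come from the quoted Security-Client header.
  * P-CSCF protected ports (port-c=5106, port-s=6106) are inferred from
    the capture, because the Security-Server header is not in the thread.
"""

# Security-Client value as quoted in the thread (RFC 3329 layout:
# comma-separated mechanisms, each with ';'-separated name=value params).
SECURITY_CLIENT = (
    "ipsec-3gpp; alg=hmac-md5-96; ealg=des-ede3-cbc; spi-c=3384516058; "
    "spi-s=2766124529; port-c=8001; port-s=8901,"
    "ipsec-3gpp; alg=hmac-md5-96; ealg=aes-cbc; spi-c=3384516058; "
    "spi-s=2766124529; port-c=8001; port-s=8901"
)

# Constructed, simplified copy of the capture in the thread:
# frame-no  src-ip  src-port  dst-ip  dst-port  method-or-status
CAPTURE = """\
6  192.168.1.57   32100 168.168.168.66 5060  REGISTER
8  168.168.168.66 5060  192.168.1.57   32100 100
12 168.168.168.66 5060  192.168.1.57   32100 401
26 192.168.1.57   8001  168.168.168.66 6106  REGISTER
28 168.168.168.66 6106  192.168.1.57   8001  100
34 168.168.168.66 6106  192.168.1.57   8001  200
39 192.168.1.57   8001  168.168.168.66 6106  SUBSCRIBE
40 168.168.168.66 6106  192.168.1.57   8001  200
49 168.168.168.66 5106  192.168.1.57   8901  NOTIFY
71 168.168.168.66 5060  192.168.1.57   8001  OPTIONS
72 168.168.168.66 5060  192.168.1.57   8001  OPTIONS
"""


def parse_security_header(value: str) -> list[dict[str, str]]:
    """Split a Security-Client/Security-Server value into one dict per mechanism."""
    mechanisms = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        if not parts:
            continue
        mech = {"mechanism": parts[0]}
        for param in parts[1:]:
            if "=" in param:
                name, val = param.split("=", 1)
                mech[name.strip()] = val.strip()
        mechanisms.append(mech)
    return mechanisms


def protected_ports(mechanisms: list[dict[str, str]]) -> tuple[int, int]:
    """Return (port-c, port-s) of the first ipsec-3gpp mechanism offered."""
    for mech in mechanisms:
        if mech.get("mechanism") == "ipsec-3gpp":
            return int(mech["port-c"]), int(mech["port-s"])
    raise ValueError("no ipsec-3gpp mechanism in header")


def audit_capture(capture: str, ue_ip: str, ue_ports: tuple[int, int],
                  pcscf_ip: str, pcscf_ports: tuple[int, int]) -> list[dict]:
    """Return every message after the 401 that is not on a protected port pair."""
    ue_c, ue_s = ue_ports
    p_c, p_s = pcscf_ports
    # The four 4-tuples an ipsec-3gpp SA set covers: each side's client
    # port talks to the peer's server port, and responses return the same way.
    protected = {
        (ue_ip, ue_c, pcscf_ip, p_s),
        (pcscf_ip, p_s, ue_ip, ue_c),
        (pcscf_ip, p_c, ue_ip, ue_s),
        (ue_ip, ue_s, pcscf_ip, p_c),
    }
    findings = []
    challenged = False
    for line in capture.splitlines():
        no, src, sport, dst, dport, info = line.split()
        if not challenged:
            # Up to and including the 401 the exchange is expected to be
            # unprotected; the SAs are only established after the challenge.
            challenged = info == "401"
            continue
        if (src, int(sport), dst, int(dport)) not in protected:
            findings.append({"no": int(no), "info": info,
                             "flow": f"{src}:{sport} -> {dst}:{dport}"})
    return findings


if __name__ == "__main__":
    ue_ports = protected_ports(parse_security_header(SECURITY_CLIENT))
    pcscf_ports = (5106, 6106)  # assumption inferred from the capture
    for f in audit_capture(CAPTURE, "192.168.1.57", ue_ports,
                           "168.168.168.66", pcscf_ports):
        print(f"frame {f['no']}: {f['info']} outside IPsec SA: {f['flow']}")
```

On the constructed capture the only findings are the two OPTIONS frames sent from 5060 to the UE's port-c, which is the same mismatch the thread describes: the request leaves the P-CSCF's unprotected listening socket rather than its protected client port, so it never enters the SA and the UE has no reason to answer it. Run against a real trace, the same check also surfaces the ephemeral-port case Daniel mentions for TCP/TLS, because those source ports are not in the protected set either.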
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users