[asterisk-dev] Improving how Asterisk handles forked SIP requests.

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jul 20 10:17:03 CDT 2010



Am 20.07.2010 16:52, schrieb David Vossel:
>
>
> ----- Original Message -----
>> From: "Klaus Darilion"<klaus.mailinglists at pernau.at>
>> To: "Asterisk Developers Mailing List"<asterisk-dev at lists.digium.com>
>> Cc: "Olle E. Johansson"<oej at edvina.net>
>> Sent: Tuesday, July 20, 2010 2:45:44 AM
>> Subject: Re: [asterisk-dev] Improving how Asterisk handles forked SIP requests.
>> I just checked the RFC but could not find a detailed description how
>> the
>> 2nd request should be constructed. I only found:
>>
>> If a UA receives a Proxy-Authenticate header field value in a 401/407
>> response to a request with a particular Call-ID, it should
>> incorporate credentials for that realm in all subsequent requests
>> that contain the same Call-ID. These credentials MUST NOT be cached
>> across dialogs; however, if a UA is configured with the realm of its
>> local outbound proxy, when one exists, then the UA MAY cache
>>
>> So, it seems that a nonce is correlated with a call-id. So, in case of
>> incoming forked call, why not sending back the same nonce on both
>> branches?
>
> I don't see how sending the same nonce in response to both branches will benefit us here.

Not even really a benefit - but why not using the same nonce? The 
challenge will be sent anyway to the same caller. And probably the proxy 
which does the forking may fail composing the multiple authentication 
headers anyway - or finally the UAC will gets confused on receiving 2 
challenges (maybe even with different nonces) for the same realm.

btw: does Asterisk verify if the RURI is identical to the URI in the 
Authentication header (used for response calculation)? If yes, then 
challenging a call whose RURI was changed at the proxy will fail anyway.

> Will my method of requiring the rURI of the incoming Request containing authentication credentials match the previous supplied rURI work?  I don't see any reason why the rURI should be allowed to change.

Should work - yes. But the application logic problem is at the caller's 
side and the proxy - handling multiple challenges for the same realm.

regards
klaus


>
> David Vossel
> Digium, Inc. | Software Developer, Open Source Software
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: www.digium.com&  www.asterisk.org
> The_Boy_Wonder in #asterisk-dev
>



More information about the asterisk-dev mailing list