asit-swain
8/10/2019 SIP Registration Process
Registration:
Before we describe the flow of a typical SIP call, let's have a look at how SIP user agents register with a SIP registrar. The example below shows a situation where a SIP softphone (namely, the Ekiga client) registers with an Asterisk PBX. The Asterisk's IP address is 10.10.1.99, while the client is at 10.10.1.13 and wants to register the telephone number 13.
In order to register, the SIP telephone needs to send the REGISTER request:

REGISTER sip:10.10.1.99 SIP/2.0
CSeq: 1 REGISTER
Via: SIP/2.0/UDP 10.10.1.13:5060;branch=z9hG4bK78946131-99e1-de11-8845-080027608325;rport
User-Agent: Ekiga/3.2.5
From: ;tag=d60e6131-99e1-de11-8845-080027608325
Call-ID: e4ec6031-99e1-de11-8845-080027608325@vvt-laptop
To:
Contact: ;q=1
Expires: 3600
Content-Length: 0
Max-Forwards: 70

The registrar server will immediately reply with the provisional response "100 Trying". This indicates that the request has been received (and thus the client does not need to retransmit it) and that it is being processed. While processing the request, the registrar discovers that the user agent needs to authenticate. It therefore responds with "401 Unauthorized". For the user agent, this means that it has to send the REGISTER request once more, this time providing authentication.
We probably do not need to show the "100 Trying" response. The text of the "401 Unauthorized" message is as follows:

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.10.1.13:5060;branch=z9hG4bK78946131-99e1-de11-8845-080027608325;received=10.10.1.13;rport=5060
From: ;tag=d60e6131-99e1-de11-8845-080027608325
To: ;tag=as5489aead
Call-ID: e4ec6031-99e1-de11-8845-080027608325@vvt-laptop
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Supported: replaces
WWW-Authenticate: Digest realm="atlanta.example.com", qop="auth", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", stale=FALSE, algorithm=MD5
Content-Length: 0

In the "401 Unauthorized" response, the important header is WWW-Authenticate. It instructs the client to authenticate using digest authentication (RFC 2617). The nonce (short for "number used once") parameter is a "challenge string". The client will combine the challenge string with the user's password and compute the MD5 hash of the resulting string. The server will compute its own hash using the same method and compare it with the MD5 hash provided by the client. Digest authentication is the most frequently used method because the password is never sent over the network in plain text. "Basic" authentication has been deprecated in SIP 2.0 as it is insecure (sending a password in plain text is generally a bad idea).
The realm parameter indicates the domain of the proxy server, so that the client knows which password to use. The qop (quality of protection) parameter indicates that the server supports integrity protection for either the request line alone (auth) or for both the request line and the message body (auth-int).
Once the client computes the MD5 digest, it will re-send the REGISTER request. The message will look like this:

REGISTER sip:10.10.1.99 SIP/2.0
CSeq: 2 REGISTER
Via: SIP/2.0/UDP 10.10.1.13:5060;branch=z9hG4bK32366531-99e1-de11-8845-080027608325;rport
User-Agent: Ekiga/3.2.5
From: ;tag=d60e6131-99e1-de11-8845-080027608325
Call-ID: e4ec6031-99e1-de11-8845-080027608325@vvt-laptop
To:
Contact: ;q=1
Authorization: Digest username="bob", realm="atlanta.example.com", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sips:ss2.biloxi.example.com", response="dfe56131d1958046689d83306477ecc"
Expires: 3600
Content-Length: 0
Max-Forwards: 70

The registrar server will again first respond with "100 Trying" and then compare the two MD5 hashes (the one provided by the client with the one computed by the registrar itself). If they match, the registrar will respond with "200 OK" and insert the endpoint into the location database. The database is usually shared between the registrar and the proxy server so that the proxy can use it to contact users. The response "200 OK" contains one important parameter, Expires. It tells the client that the registration will expire after the given number of seconds and the client will be required to register again.
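
The digest computation and the registrar's comparison described above, written out as an added example (not code from the original page, Ekiga or Asterisk). The function names and the password are constructed for illustration, and the request URI sip:10.10.1.99 is assumed as the digest uri; username, realm and nonce are taken from the messages above.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest response for algorithm=MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # password enters only here
    ha2 = md5_hex(f"{method}:{uri}")                 # binds method and request URI
    if qop is None:
        # Authorization header without qop/nc/cnonce, like the second
        # REGISTER above: the older RFC 2069-compatible form.
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("only qop=auth with nc and cnonce is handled here")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def registrar_accepts(auth, method, password, issued_nonces):
    """Registrar side: recompute the digest and compare in constant time."""
    if auth.get("nonce") not in issued_nonces:  # only nonces this server issued
        return False
    try:
        expected = digest_response(
            auth["username"], auth["realm"], password, method, auth["uri"],
            auth["nonce"], auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
        return hmac.compare_digest(expected, auth["response"].lower())
    except (KeyError, ValueError, TypeError):
        return False  # malformed header: treat as failed authentication

# Constructed sample: nonce from the 401 above, password invented here.
NONCE = "ea9c8e88df84f1cec4341ae6cbe5a359"
PASSWORD = "constructed-password"

def client_authorization(password, uri="sip:10.10.1.99"):
    """Parameters a client would place in the Authorization header."""
    auth = {"username": "bob", "realm": "atlanta.example.com",
            "nonce": NONCE, "uri": uri}
    auth["response"] = digest_response(
        auth["username"], auth["realm"], password, "REGISTER", uri, NONCE)
    return auth

if __name__ == "__main__":
    good = client_authorization(PASSWORD)
    print(registrar_accepts(good, "REGISTER", PASSWORD, {NONCE}))
    print(registrar_accepts(client_authorization("guess"), "REGISTER",
                            PASSWORD, {NONCE}))
```

The registrar rejects a response whose nonce it did not issue before doing any hashing, and the method is part of the digest, so a response computed for REGISTER does not verify for another method.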
http://www.ietf.org/rfc/rfc2617.txt