SIP Authentication

Revision as of 04:44, 26 March 2020

SIP Authentication is a stateless challenge-based mechanism which ensures user's identity. Authentication challenge can be asked commonly for Invite and Bye methods. This means that anyone receiving an INVITE message can force the sender to prove his or her identity before the message is processed. In fact, SIP authentication is not limited to these two messages type. Any SIP method (the proper name for a SIP message) can be challenged by the recipient.

WWW (401 Unauthorized) or proxy-auth (407 Proxy Authentication)?

• When authenticating to the server that will deliver a service, a www-authentication header should be used. The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent
• When authenticating to a server that will proxy the request to the endpoint, proxy-authentication should be used
• In _one_ transaction, both www_authentication and proxy_authentication can be used

TelcoBridges and SIP Authentication

TelcoBridges can handle SIP Authentication differently according to your network.

• IP to IP calls (FreeSBC/ProSBC)
• TDM to IP calls (Tmedia)

FreeSBC/ProSBC

In the case of IP to IP calls, the challenge messages are forwarded between the SIP device and authentication server.

Invite callflow:

Bye callflow:

Configuration

By default, TelcoBridges' products will forward authentication challenge messages.

Tmedia

In the case of TDM to IP calls, the tmedia needs to respond to the authentication challenge message.

Invite callflow:

Bye callflow:

Configuration

The Tmedia needs to configure the 'Authentication Parameters' section for each SIP NAP that requires to respond to authentication challenge messages.

• v3.0: SIP Authentication

References

• voip-info.org