Friday, December 5, 2014

SIP Digest Authentication in Cisco IOS


Summary

Digest authentication is one method for negotiating credentials in an HTTP environment.  The method is also supported for SIP.  In this post, I'm going to demonstrate how to configure digest authentication for a SIP trunk on a Cisco gateway.  The SIP service provider used here (Twilio) combines digest auth with ACLs to secure access to its SIP trunk product.

Environment

Figure 1 depicts the physical environment I've used for this exercise.  A SIP trunk is provisioned with the SIP Service Provider (SP) and configured on a Cisco router.  The trunk connection is across the Internet.  HTTP Digest Auth is configured on the router to authenticate to the SIP SP.

Figure 1

Figure 2 is a simplified (caller to SP SIP messaging only) ladder diagram for a digest auth call flow.  

Figure 2

Implementation

Configure Digest Auth Parameters

router(config)#sip-ua
router(config-sip-ua)#authentication username yourname password yourpassword1234567 realm sip.twilio.com

Line 1:  Enters SIP user-agent configuration mode, which makes this a global configuration.  You can also configure the digest parameters on a per-dial-peer basis.
Line 2:  Sets the username, password, and realm for this provider's SIP trunk.

Configure Dial Peer for SIP Trunk SP

dial-peer voice 160 voip
 translation-profile outgoing adde164
 destination-pattern 9*.T
 session protocol sipv2
 session target dns:yourname.pstn.twilio.com
 dtmf-relay rtp-nte digit-drop
 codec g711ulaw

The dial-peer configuration above is fairly standard.  This particular SP requires phone numbers in E.164 format, so I created a translation rule for that.

SIP Messaging

Below is the resulting successful message exchange between the Cisco gateway and this provider (debug ccsip messages) with the 407/new INVITE handshake highlighted.

Dec  5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent: 
INVITE sip:+18001234567@yourname.pstn.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
Remote-Party-ID: <sip:1234567890@X.X.X.X>;party=calling;screen=no;privacy=off
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE:  1800
Cisco-Guid: 2215181498-2078020068-2203708702-1913704712
User-Agent: Cisco-SIPGateway/IOS-15.2.4.M7
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Max-Forwards: 70
Timestamp: 1417801190
Contact: <sip:1234567890@X.X.X.X:5060>
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 274

v=0
o=CiscoSystemsSIP-GW-UserAgent 3449 1377 IN IP4 X.X.X.X
s=SIP Call
c=IN IP4 X.X.X.X
t=0 0
m=audio 16666 RTP/AVP 0 101 19
c=IN IP4 X.X.X.X
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:19 CN/8000
a=ptime:20

Dec  5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received: 
SIP/2.0 100 Giving a try
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
CSeq: 101 INVITE
Server: Twilio Gateway
Content-Length: 0


Dec  5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received: 
SIP/2.0 407 Proxy Authentication required
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=65078573_6772d868_96d511db-e153-44f1-a2b8-d857b1388a10
Timestamp: 1417801190
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
CSeq: 101 INVITE
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
Contact: <sip:172.18.0.224:5060>
Proxy-Authenticate: Digest realm="sip.twilio.com",qop="auth",nonce="559389cd4b456fe70b70959fd9b16c9e",opaque="1a6d40a6ea756edc34b787452d0f36fe"
Content-Length: 0


Dec  5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent: 
ACK sip:+18001234567@yourname.pstn.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=65078573_6772d868_96d511db-e153-44f1-a2b8-d857b1388a10
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Max-Forwards: 70
CSeq: 101 ACK
Allow-Events: telephone-event
Content-Length: 0


Dec  5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent: 
INVITE sip:+18001234567@yourname.pstn.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
Remote-Party-ID: <sip:1234567890@X.X.X.X>;party=calling;screen=no;privacy=off
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE:  1800
Cisco-Guid: 2215181498-2078020068-2203708702-1913704712
User-Agent: Cisco-SIPGateway/IOS-15.2.4.M7
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 102 INVITE
Max-Forwards: 70
Timestamp: 1417801190
Contact: <sip:1234567890@X.X.X.X:5060>
Expires: 180
Allow-Events: telephone-event
Proxy-Authorization: Digest username="yourname",realm="sip.twilio.com",uri="sip:+18001234567@yourname.pstn.twilio.com:5060",response="0a8ba46efb08ac3a85d5514b1d541393",nonce="559389cd4b456fe70b70959fd9b16c9e",opaque="1a6d40a6ea756edc34b787452d0f36fe",cnonce="0347557B",qop=auth,algorithm=md5,nc=00000001
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 274

v=0
o=CiscoSystemsSIP-GW-UserAgent 3449 1377 IN IP4 X.X.X.X
s=SIP Call
c=IN IP4 X.X.X.X
t=0 0
m=audio 16666 RTP/AVP 0 101 19
c=IN IP4 X.X.X.X
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:19 CN/8000
a=ptime:20

Dec  5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received: 
SIP/2.0 100 Giving a try
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
CSeq: 102 INVITE
Server: Twilio Gateway
Content-Length: 0


Dec  5 17:39:52: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received: 
SIP/2.0 183 Session progress
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=56440050_6772d868_6c0350d8-3472-4d54-b30d-aafcebaf0605
Timestamp: 1417801190
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
Record-Route: <sip:54.84.237.137:5060;lr;ftag=655DFE64-B2A>
CSeq: 102 INVITE
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
Contact: <sip:172.18.16.165:5060>
Content-Type: application/sdp
X-Twilio-CallSid: CA64fa8633f28286b7946a7fca8891e8e8
Content-Length: 240

v=0
o=- 1737312510 1737312510 IN IP4 54.173.13.104
s=SIP Media Capabilities
c=IN IP4 54.173.13.104
t=0 0
m=audio 14350 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=maxptime:20


Dec  5 17:39:52: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received: 
SIP/2.0 200 OK
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=56440050_6772d868_6c0350d8-3472-4d54-b30d-aafcebaf0605
Timestamp: 1417801190
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
Record-Route: <sip:54.84.237.137:5060;lr;ftag=655DFE64-B2A>
CSeq: 102 INVITE
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
Contact: <sip:172.18.16.165:5060>
Content-Type: application/sdp
X-Twilio-CallSid: CA64fa8633f28286b7946a7fca8891e8e8
Content-Length: 240

v=0
o=- 1489146381 1489146381 IN IP4 54.173.13.104
s=SIP Media Capabilities
c=IN IP4 54.173.13.104
t=0 0
m=audio 14350 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=maxptime:20

Dec  5 17:39:52: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent: 
ACK sip:172.18.16.165:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11F655
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=56440050_6772d868_6c0350d8-3472-4d54-b30d-aafcebaf0605
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Route: <sip:54.84.237.137:5060;lr;ftag=655DFE64-B2A>
Max-Forwards: 70
CSeq: 102 ACK
Proxy-Authorization: Digest username="yourname",realm="sip.twilio.com",uri="sip:+18001234567@yourname.pstn.twilio.com:5060",response="0a8ba46efb08ac3a85d5514b1d541393",nonce="559389cd4b456fe70b70959fd9b16c9e",opaque="1a6d40a6ea756edc34b787452d0f36fe",cnonce="0347557B",qop=auth,algorithm=md5,nc=00000001
Allow-Events: telephone-event
Content-Length: 0
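
The digest computation behind the 407/new INVITE handshake above, as an added example (not from the original post and not Cisco or Twilio code): it parses the Proxy-Authenticate challenge from the trace and builds the matching Proxy-Authorization value per RFC 2617 with qop=auth.  The function names are made up for this example, and the password is the placeholder from the configuration section, so the computed response is not expected to match the one in the capture.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_params(header_value):
    """Split 'Digest k="v",k2=v2' into a dict with the quotes stripped."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header value")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): (quoted or bare) for k, quoted, bare in pairs}

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for algorithm=MD5 with qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # secret half
    ha2 = md5_hex(f"{method}:{uri}")                 # request half
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_proxy_authorization(challenge, username, password, method, uri,
                              cnonce, nc="00000001"):
    """Answer a 407 challenge; realm, nonce and opaque are echoed back."""
    p = parse_digest_params(challenge)
    if "auth" not in p.get("qop", "").split(","):
        raise ValueError("this example only handles qop=auth")
    resp = digest_response(username, p["realm"], password, method, uri,
                           p["nonce"], nc, cnonce)
    fields = [f'username="{username}"', f'realm="{p["realm"]}"',
              f'uri="{uri}"', f'response="{resp}"', f'nonce="{p["nonce"]}"']
    if "opaque" in p:
        fields.append(f'opaque="{p["opaque"]}"')
    fields += [f'cnonce="{cnonce}"', "qop=auth", "algorithm=md5", f"nc={nc}"]
    return "Digest " + ",".join(fields)

# Values copied from the trace above; the password is the post's placeholder.
CHALLENGE = ('Digest realm="sip.twilio.com",qop="auth",'
             'nonce="559389cd4b456fe70b70959fd9b16c9e",'
             'opaque="1a6d40a6ea756edc34b787452d0f36fe"')
URI = "sip:+18001234567@yourname.pstn.twilio.com:5060"

if __name__ == "__main__":
    print("Proxy-Authorization: " + build_proxy_authorization(
        CHALLENGE, "yourname", "yourpassword1234567", "INVITE", URI,
        cnonce="0347557B"))
```

The password never crosses the wire; only the MD5 response does, and it is bound to the method, the request URI, the server's nonce and the client's cnonce and nonce count.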

