Summary
Digest authentication is one method for negotiating credentials in an HTTP environment. The method is also supported for SIP. In this post, I'm going to demonstrate how to configure Digest Authentication for a SIP trunk against a Cisco gateway. The particular SIP service provider (Twilio) utilized here uses Digest auth in conjunction with ACLs to secure access to their SIP trunk product.
Environment
Figure 1 depicts the physical environment I've used for this exercise. A SIP trunk is provisioned with the SIP Service Provider (SP) and configured on a Cisco router. The trunk connection is across the Internet. HTTP Digest Auth is configured on the router to authenticate to the SIP SP.
Figure 1
Figure 2 is a simplified (caller to SP SIP messaging only) ladder diagram for a digest auth call flow.
Figure 2
Implementation
Configure Digest Auth Parameters
router(config)#sip-ua
router(config-sip-ua)#authentication username yourname password yourpassword1234567 realm sip.twilio.com
Line 1: Makes this a global configuration. You can also configure the digest parameters on a per dial-peer basis.
Line 2: Establishes the username, password, and realm parameters relevant to this provider's SIP trunk.
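How the configured username, password and realm turn into the Proxy-Authorization header, as an added example that is not from the original post or from Cisco: it parses the provider's challenge and computes the RFC 2617 MD5 response. The challenge, URI and cnonce are copied from the debug output under SIP Messaging; the function names are illustrative, and the password is the post's placeholder, so the computed response will not equal the one logged there.

```python
import hashlib
import re

# Values copied from this post's debug output; PASSWORD is the post's placeholder.
CHALLENGE = ('Digest realm="sip.twilio.com",qop="auth",'
             'nonce="559389cd4b456fe70b70959fd9b16c9e",'
             'opaque="1a6d40a6ea756edc34b787452d0f36fe"')
URI = "sip:+18001234567@yourname.pstn.twilio.com:5060"
USERNAME, PASSWORD, CNONCE = "yourname", "yourpassword1234567", "0347557B"

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(value):
    """Turn 'Digest realm="...",qop="auth",...' into a dict of parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {name.lower(): quoted or bare for name, quoted, bare in pairs}

def offers_auth(chal):
    """True when the server's qop list includes plain 'auth'."""
    return "auth" in [q.strip() for q in chal.get("qop", "").split(",")]

def digest_response(username, password, method, uri, chal, cnonce, nc="00000001"):
    """RFC 2617 response for algorithm=MD5; the password itself is never sent."""
    ha1 = md5_hex(f"{username}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if offers_auth(chal):
        return md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{chal['nonce']}:{ha2}")  # no qop offered (RFC 2069 form)

def proxy_authorization(username, password, method, uri, chal, cnonce, nc="00000001"):
    """Build the header value in the same field order the gateway used."""
    resp = digest_response(username, password, method, uri, chal, cnonce, nc)
    fields = [f'username="{username}"', f'realm="{chal["realm"]}"', f'uri="{uri}"',
              f'response="{resp}"', f'nonce="{chal["nonce"]}"']
    if "opaque" in chal:
        fields.append(f'opaque="{chal["opaque"]}"')  # echoed back unchanged
    if offers_auth(chal):
        fields += [f'cnonce="{cnonce}"', "qop=auth", "algorithm=md5", f"nc={nc}"]
    return "Digest " + ",".join(fields)

if __name__ == "__main__":
    chal = parse_challenge(CHALLENGE)
    print(proxy_authorization(USERNAME, PASSWORD, "INVITE", URI, chal, CNONCE))
```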
Configure Dial Peer for SIP Trunk SP
dial-peer voice 160 voip
 translation-profile outgoing adde164
 destination-pattern 9*.T
 session protocol sipv2
 session target dns:yourname.pstn.twilio.com
 dtmf-relay rtp-nte digit-drop
 codec g711ulaw
Fairly standard dial-peer configuration above. This particular SP requires phone numbers to be e.164 formatted, so I created a translation rule for that.
SIP Messaging
Below is the resulting successful message exchange between the Cisco gateway and this provider (debug ccsip messages) with the 407/new INVITE handshake highlighted.
Dec 5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:+18001234567@yourname.pstn.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
Remote-Party-ID: <sip:1234567890@X.X.X.X>;party=calling;screen=no;privacy=off
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 2215181498-2078020068-2203708702-1913704712
User-Agent: Cisco-SIPGateway/IOS-15.2.4.M7
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Max-Forwards: 70
Timestamp: 1417801190
Contact: <sip:1234567890@X.X.X.X:5060>
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 274

v=0
o=CiscoSystemsSIP-GW-UserAgent 3449 1377 IN IP4 X.X.X.X
s=SIP Call
c=IN IP4 X.X.X.X
t=0 0
m=audio 16666 RTP/AVP 0 101 19
c=IN IP4 X.X.X.X
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:19 CN/8000
a=ptime:20

Dec 5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Giving a try
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
CSeq: 101 INVITE
Server: Twilio Gateway
Content-Length: 0

Dec 5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 407 Proxy Authentication required
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=65078573_6772d868_96d511db-e153-44f1-a2b8-d857b1388a10
Timestamp: 1417801190
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
CSeq: 101 INVITE
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
Contact: <sip:172.18.0.224:5060>
Proxy-Authenticate: Digest realm="sip.twilio.com",qop="auth",nonce="559389cd4b456fe70b70959fd9b16c9e",opaque="1a6d40a6ea756edc34b787452d0f36fe"
Content-Length: 0

Dec 5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:+18001234567@yourname.pstn.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11D19D0
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=65078573_6772d868_96d511db-e153-44f1-a2b8-d857b1388a10
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Max-Forwards: 70
CSeq: 101 ACK
Allow-Events: telephone-event
Content-Length: 0

Dec 5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:+18001234567@yourname.pstn.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
Remote-Party-ID: <sip:1234567890@X.X.X.X>;party=calling;screen=no;privacy=off
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 2215181498-2078020068-2203708702-1913704712
User-Agent: Cisco-SIPGateway/IOS-15.2.4.M7
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 102 INVITE
Max-Forwards: 70
Timestamp: 1417801190
Contact: <sip:1234567890@X.X.X.X:5060>
Expires: 180
Allow-Events: telephone-event
Proxy-Authorization: Digest username="yourname",realm="sip.twilio.com",uri="sip:+18001234567@yourname.pstn.twilio.com:5060",response="0a8ba46efb08ac3a85d5514b1d541393",nonce="559389cd4b456fe70b70959fd9b16c9e",opaque="1a6d40a6ea756edc34b787452d0f36fe",cnonce="0347557B",qop=auth,algorithm=md5,nc=00000001
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 274

v=0
o=CiscoSystemsSIP-GW-UserAgent 3449 1377 IN IP4 X.X.X.X
s=SIP Call
c=IN IP4 X.X.X.X
t=0 0
m=audio 16666 RTP/AVP 0 101 19
c=IN IP4 X.X.X.X
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:19 CN/8000
a=ptime:20

Dec 5 17:39:50: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Giving a try
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
CSeq: 102 INVITE
Server: Twilio Gateway
Content-Length: 0

Dec 5 17:39:52: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 183 Session progress
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=56440050_6772d868_6c0350d8-3472-4d54-b30d-aafcebaf0605
Timestamp: 1417801190
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
Record-Route: <sip:54.84.237.137:5060;lr;ftag=655DFE64-B2A>
CSeq: 102 INVITE
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
Contact: <sip:172.18.16.165:5060>
Content-Type: application/sdp
X-Twilio-CallSid: CA64fa8633f28286b7946a7fca8891e8e8
Content-Length: 240

v=0
o=- 1737312510 1737312510 IN IP4 54.173.13.104
s=SIP Media Capabilities
c=IN IP4 54.173.13.104
t=0 0
m=audio 14350 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=maxptime:20

Dec 5 17:39:52: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=56440050_6772d868_6c0350d8-3472-4d54-b30d-aafcebaf0605
Timestamp: 1417801190
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11E173
Record-Route: <sip:54.84.237.137:5060;lr;ftag=655DFE64-B2A>
CSeq: 102 INVITE
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
Contact: <sip:172.18.16.165:5060>
Content-Type: application/sdp
X-Twilio-CallSid: CA64fa8633f28286b7946a7fca8891e8e8
Content-Length: 240

v=0
o=- 1489146381 1489146381 IN IP4 54.173.13.104
s=SIP Media Capabilities
c=IN IP4 54.173.13.104
t=0 0
m=audio 14350 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=maxptime:20

Dec 5 17:39:52: //284/8408FCBA8359/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:172.18.16.165:5060 SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK11F655
From: <sip:1234567890@X.X.X.X>;tag=655DFE64-B2A
To: <sip:+18001234567@yourname.pstn.twilio.com>;tag=56440050_6772d868_6c0350d8-3472-4d54-b30d-aafcebaf0605
Date: Fri, 05 Dec 2014 17:39:50 GMT
Call-ID: 8C0B2A64-7BDC11E4-835EED1E-7210D108@X.X.X.X
Route: <sip:54.84.237.137:5060;lr;ftag=655DFE64-B2A>
Max-Forwards: 70
CSeq: 102 ACK
Proxy-Authorization: Digest username="yourname",realm="sip.twilio.com", uri="sip:+18001234567@yourname.pstn.twilio.com:5060",response="0a8ba46efb08ac3a85d5514b1d541393",nonce="559389cd4b456fe70b70959fd9b16c9e",opaque="1a6d40a6ea756edc34b787452d0f36fe",cnonce="0347557B",qop=auth,algorithm=md5,nc=00000001
Allow-Events: telephone-event
Content-Length: 0

Copyright ©1993-2024 Joey E Whelan, All rights reserved.