Search code examples
sip

Why doesn't a SIP server require authorization for this INVITE?

I am using Telephone softphone on macOS. When making a call, it sends the following INVITE request:

INVITE sip:login@sip.antisip.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.13:63980;rport;branch=z9hG4bKPj1J2vaemfz28guXCjwsCNuCM4K7AGksTF
Max-Forwards: 70
From: "Andriy Makukha" <sip:nickname@sip.linphone.org>;tag=CK3y0yotv2v1AclTF2sBahkYcA721X7t
To: <sip:login@sip.antisip.com>
Contact: "Andriy Makukha" <sip:nickname@192.168.1.13:63980;ob>
Call-ID: Tu2FDGIveVVM1BZFKY1IUYFxkxuBWZU5
CSeq: 18057 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, norefersub
User-Agent: Telephone 1.4
Content-Type: application/sdp
Content-Length:   541

...

As you can see, the request doesn't have neither Proxy-Authorization nor Authorization header. However, the server never challenges this request with a 407 Proxy Authentication Required response. The call always goes through directly.

On the other hand, when I use another SIP client, the server always sends Proxy Authentication Required response.

What does Telephone do that allows it to avoid authentication while making a call?

Additional information:

  • after launch, the softphone sends a REGISTER request and receives a 401 Unathorized response and then resends the REGISTER with the Authorization header
  • the REGISTER request is sent to 91.121.209.194, which is the A-record for the domain sip.linphone.org (domain of the caller)
  • however, the INVITE request is being sent directly to 91.121.30.149 which is the A-record for the domain sip.antisip.com (domain of the callee).
Solution

  • Here are the headers in the incoming INVITE:

    From: "Andriy Makukha" <sip:nickname@sip.linphone.org>;tag=...
To: <sip:login@sip.antisip.com>

    In theory, the above INVITE should be:

    • sent to sip.linphone.org first
    • challenged with a 407 by sip.linphone.org
    • sent to sip.linphone.org with credential
    • forwarded from sip.linphone.org to sip.antisip.com
    • NOT challenged by sip.antisip.com

    Reading your description of your issue, it is possible that you have misconfigured your application and your SIP identity (in From header) is wrong? If Telephone is configured to send directly to sip.antisip.com then, the call will be forwarded by sip.antisip.com without 407.

    As the owner of sip.antisip.com, I could (should?) reject incoming call to my users if they appear to not come from the service of the From header. But I have not implemented such anti-spam policy. I would love to add some restrictions in my policy to prevent unwanted configuration, but my users will complain... Even if they are wrong!

    Some reading:

    • rfc5039 - The Session Initiation Protocol (SIP) and Spam
    • rfc8197 - A SIP Response Code for Unwanted Calls