Call Flow examples

SIP Digest authentication

This example explains the SIP INVITE authentication flow from a customer gateway with IP address 192.0.2.10 to destination number 12345678910 with caller-id 9876543210.

During the first step, the UAC sends an INVITE without an Authorization header:

192.0.2.10.5060 > 46.19.209.44.5060: SIP, length: 992
    INVITE sip:12345678910@out.didww.com SIP/2.0
    Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK48496580;rport
    Max-Forwards: 70
    From: <sip:9876543210@sbc.customer.com>;tag=as1fc3fe35
    To: <sip:12345678910@out.didww.com>
    Contact: <sip:9876543210@192.0.2.10:5060>
    Call-ID: 479b59102ffeda0c04eed76d17304eb5@sbc.customer.com
    CSeq: 102 INVITE
    User-Agent: customer-switch v1.22
    Date: Wed, 03 Mar 2021 17:53:43 GMT
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
    Supported: replaces, timer
    Content-Type: application/sdp
    Content-Length: 325

    v=0
    o=root 2120298149 2120298149 IN IP4 192.0.2.10
    s=customer-switch 1.22
    c=IN IP4 192.0.2.10
    t=0 0
    m=audio 12348 RTP/AVP 18 0 8 101
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=ptime:20
    a=maxptime:150
    a=sendrecv

46.19.209.44.5060 > 192.0.2.10.5060: SIP, length: 334
    SIP/2.0 100 Trying
    Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK48496580;rport=5060;received=192.0.2.10
    From: <sip:9876543210@sbc.customer.com>;tag=as1fc3fe35
    To: <sip:12345678910@out.didww.com>
    Call-ID: 479b59102ffeda0c04eed76d17304eb5@sbc.customer.com
    CSeq: 102 INVITE
    Server: Y balancing node
    Content-Length: 0

46.19.209.44.5060 > 192.0.2.10.5060: SIP, length: 609
    SIP/2.0 401 Unauthorized
    Record-Route: <sip:46.19.209.8;r2=on;lr;ftag=as1fc3fe35>
    Record-Route: <sip:46.19.209.44;r2=on;lr;ftag=as1fc3fe35>
    Via: SIP/2.0/UDP 192.0.2.10:5060;received=192.0.2.10;branch=z9hG4bK48496580;rport=5060
    From: <sip:9876543210@sbc.customer.com>;tag=as1fc3fe35
    To: <sip:12345678910@out.didww.com>;tag=10-67E5E9A8-603FCD270008B2AB-ED917700
    Call-ID: 479b59102ffeda0c04eed76d17304eb5@sbc.customer.com
    CSeq: 102 INVITE
    WWW-Authenticate: Digest realm="out.didww.com", qop="auth", nonce="603FCD4151d08b2d92526f23f65208788a5425a1"
    Server: DIDWW Y SBC node
    Content-Length: 0

192.0.2.10.5060 > 46.19.209.44.5060: SIP, length: 441
    ACK sip:12345678910@out.didww.com SIP/2.0
    Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK48496580;rport
    Max-Forwards: 70
    From: <sip:9876543210@sbc.customer.com>;tag=as1fc3fe35
    To: <sip:12345678910@out.didww.com>;tag=10-67E5E9A8-603FCD270008B2AB-ED917700
    Contact: <sip:9876543210@192.0.2.10:5060>
    Call-ID: 479b59102ffeda0c04eed76d17304eb5@sbc.customer.com
    CSeq: 102 ACK
    User-Agent: customer-switch v1.22
    Content-Length: 0

If username/password authentication is enabled on the DIDWW side, the initial INVITE will be rejected with a 401 Unauthorized response. In this response, the DIDWW system sends the following nonce value: 603FCD4151d08b2d92526f23f65208788a5425a1. Once the UAC receives this data, it can calculate the response value and build the Authorization header:

192.0.2.10.5060 > 46.19.209.44.5060: SIP, length: 1251
    INVITE sip:12345678910@out.didww.com SIP/2.0
    Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK34d0ea96;rport
    Max-Forwards: 70
    From: <sip:9876543210@sbc.customer.com>;tag=as1fc3fe35
    To: <sip:12345678910@out.didww.com>
    Contact: <sip:9876543210@192.0.2.10:5060>
    Call-ID: 479b59102ffeda0c04eed76d17304eb5@sbc.customer.com
    CSeq: 103 INVITE
    User-Agent: customer-switch v1.22
    Authorization: Digest username="WwAPO4asrLsk5Mhv", realm="out.didww.com", algorithm=MD5, uri="sip:12345678910@out.didww.com", nonce="603FCD4151d08b2d92526f23f65208788a5425a1", response="78381cc4a3258cc5418888988ad68552567", qop=auth, cnonce="58c9df37", nc=00000001
    Date: Wed, 03 Mar 2021 17:53:43 GMT
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
    Supported: replaces, timer
    Content-Type: application/sdp
    Content-Length: 325

    v=0
    o=root 2120298149 2120298150 IN IP4 192.0.2.10
    s=customer-switch 1.22
    c=IN IP4 192.0.2.10
    t=0 0
    m=audio 12348 RTP/AVP 18 0 8 101
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=ptime:20
    a=maxptime:150
    a=sendrecv

46.19.209.44.5060 > 192.0.2.10.5060: SIP, length: 334
    SIP/2.0 100 Trying
    Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK34d0ea96;rport=5060;received=192.0.2.10
    From: <sip:9876543210@sbc.customer.com>;tag=as1fc3fe35
    To: <sip:12345678910@out.didww.com>
    Call-ID: 479b59102ffeda0c04eed76d17304eb5@sbc.customer.com
    CSeq: 103 INVITE
    Server: Y balancing node
    Content-Length: 0

The DIDWW system will check the username and response values of the Authorization header and will be able to authenticate this INVITE by matching the username/password values on the trunk.
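The response calculation on the UAC side and the matching check on the server side, as an added example (not DIDWW's code). It uses the RFC 2617 formula for algorithm=MD5 with qop=auth; the function names, the `TRUNKS` table and the password are assumptions made for illustration, so the computed response differs from the one in the trace.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Split 'Digest k="v", k2=v2' into a dict of parameters."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def build_authorization(challenge, user, password, method, uri, cnonce, nc="00000001"):
    """UAC side: answer the WWW-Authenticate challenge from the 401."""
    c = parse_digest(challenge)
    if "auth" not in [q.strip() for q in c.get("qop", "").split(",")]:
        raise ValueError("challenge does not offer qop=auth")
    resp = digest_response(user, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", algorithm=MD5, '
            f'uri="{uri}", nonce="{c["nonce"]}", response="{resp}", '
            f'qop=auth, cnonce="{cnonce}", nc={nc}')

def verify_authorization(header_value, method, issued_nonce, trunks):
    """Server side: recompute the response from the trunk's stored password."""
    a = parse_digest(header_value)
    password = trunks.get(a.get("username"))
    if password is None or a.get("nonce") != issued_nonce or a.get("qop") != "auth":
        return False
    try:
        want = digest_response(a["username"], a["realm"], password, method,
                               a["uri"], a["nonce"], a["nc"], a["cnonce"])
    except KeyError:
        return False
    return hmac.compare_digest(want.encode(), a.get("response", "").encode())

# Challenge, username, URI and cnonce are copied from the trace above.
CHALLENGE = ('Digest realm="out.didww.com", qop="auth", '
             'nonce="603FCD4151d08b2d92526f23f65208788a5425a1"')
TRUNKS = {"WwAPO4asrLsk5Mhv": "example-password"}  # constructed password
AUTHZ = build_authorization(CHALLENGE, "WwAPO4asrLsk5Mhv", "example-password",
                            "INVITE", "sip:12345678910@out.didww.com", "58c9df37")
```

The password never crosses the wire; only the hash that binds it to the nonce, method and URI does. The server-side check also rejects a header whose nonce is not the one it issued, so a captured Authorization header cannot answer a fresh challenge.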