
Registration:

Before we describe the flow of a typical SIP call, let's have a look at how SIP user agents
register with a SIP registrar. The example below shows a situation where a SIP softphone
(namely, the Ekiga client) registers with an Asterisk PBX. The Asterisk server's IP address is
10.10.1.99, while the client is at 10.10.1.13 and wants to register the telephone number
13.
In order to register, the SIP telephone needs to send the REGISTER request:

REGISTER sip:10.10.1.99 SIP/2.0
CSeq: 1 REGISTER
Via: SIP/2.0/UDP 10.10.1.13:5060;branch=z9hG4bK78946131-99e1-de11-8845-080027608325;rport
User-Agent: Ekiga/3.2.5
From: <sip:13@10.10.1.99>;tag=d60e6131-99e1-de11-8845-080027608325
Call-ID: e4ec6031-99e1-de11-8845-080027608325@vvt-laptop
To: <sip:13@10.10.1.99>
Contact: <sip:13@10.10.1.13>;q=1
Expires: 3600
Content-Length: 0
Max-Forwards: 70

The registrar server will immediately reply with the provisional response "100 Trying". This
indicates that the request has been received (and thus the client does not need to
retransmit it) and that it is being processed. While processing the request, the registrar
discovers that the user agent needs to authenticate. It therefore responds with "401
Unauthorized". For the user agent, this means that it has to send the REGISTER request
once more, this time providing authentication.
We probably do not need to show the "100 Trying" response. The text of the "401
Unauthorized" message is as follows:

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.10.1.13:5060;branch=z9hG4bK78946131-99e1-de11-8845-080027608325;received=10.10.1.13;rport=5060
From: <sip:13@10.10.1.99>;tag=d60e6131-99e1-de11-8845-080027608325
To: <sip:13@10.10.1.99>;tag=as5489aead
Call-ID: e4ec6031-99e1-de11-8845-080027608325@vvt-laptop
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Supported: replaces
WWW-Authenticate: Digest realm="atlanta.example.com", qop="auth",
 nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", stale=FALSE,
 algorithm=MD5
Content-Length: 0

In the "401 Unauthorized" response, the important header is WWW-Authenticate:. It
instructs the client to authenticate using digest authentication (RFC 2617). The nonce
(short for "number used once") parameter is a "challenge string". The client will combine the
challenge string with the user's password and compute the MD5 hash of the resulting string.
The server will compute its own hash using the same method and compare it with the MD5
hash provided by the client. Digest authentication is the most frequently used method
because the password is never sent over the network in plain text. The "basic"
authentication has been deprecated in SIP 2.0 as it is insecure (sending a password in plain
text is generally a bad idea).

The realm parameter indicates the domain of the proxy server, so that the client knows
which password to use. The qop (quality of protection) parameter indicates that the
server supports integrity protection for either the request line alone (auth) or for both the
request line and the message body (auth-int).

Once the client computes the MD5 digest, it will re-send the REGISTER request. The
message will look like this:

REGISTER sip:10.10.1.99 SIP/2.0
CSeq: 2 REGISTER
Via: SIP/2.0/UDP 10.10.1.13:5060;branch=z9hG4bK32366531-99e1-de11-8845-080027608325;rport
User-Agent: Ekiga/3.2.5
From: <sip:13@10.10.1.99>;tag=d60e6131-99e1-de11-8845-080027608325
Call-ID: e4ec6031-99e1-de11-8845-080027608325@vvt-laptop
To: <sip:13@10.10.1.99>
Contact: <sip:13@10.10.1.13>;q=1
Authorization: Digest username="bob", realm="atlanta.example.com",
 nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="",
 uri="sips:ss2.biloxi.example.com",
 response="dfe56131d1958046689d83306477ecc"
Expires: 3600
Content-Length: 0
Max-Forwards: 70

The registrar server will again first respond with "100 Trying" and then compare the two
MD5 hashes (the one provided by the client with the one computed by the registrar itself).
If they match, the registrar will respond with "200 OK" and insert the endpoint into the
location database. The database is usually shared between the registrar and the proxy
server so that the proxy can use it to contact users. The "200 OK" response contains one
important parameter, Expires. It tells the client that the registration will expire after the
given number of seconds and that the client will be required to register again.
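
The digest exchange described above, as an added Python example (not code from the original page, Ekiga or Asterisk): it parses the challenge from the 401 response, computes the response value as RFC 2617 defines it for algorithm=MD5, and repeats the calculation on the registrar side. The password, cnonce and uri values are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Challenge from the 401 response above; all other sample values are constructed.
CHALLENGE = ('Digest realm="atlanta.example.com", qop="auth", '
             'nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", '
             'stale=FALSE, algorithm=MD5')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_params(header_value):
    """Turn 'Digest k="v", k2=v2' into a dict; values may be quoted or bare."""
    params = header_value.partition(" ")[2]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest for algorithm=MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # covers the secret
    ha2 = md5_hex(f"{method}:{uri}")                 # covers the request
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")           # challenge without qop

def client_authorization(challenge, username, password, method, uri, cnonce):
    """Build the Authorization value for the re-sent request."""
    c = parse_digest_params(challenge)
    qop = "auth" if "auth" in c.get("qop", "").split(",") else None
    nc = "00000001" if qop else None
    resp = digest_response(username, c["realm"], password, method, uri,
                           c["nonce"], qop, nc, cnonce)
    extra = f', qop={qop}, nc={nc}, cnonce="{cnonce}"' if qop else ""
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}"{extra}, response="{resp}"')

def registrar_verify(authorization, method, stored_password):
    """Recompute the digest from the stored password; constant-time compare."""
    p = parse_digest_params(authorization)
    expected = digest_response(p["username"], p["realm"], stored_password,
                               method, p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

if __name__ == "__main__":
    auth = client_authorization(CHALLENGE, "bob", "constructed-password",
                                "REGISTER", "sip:10.10.1.99", "0a4f113b")
    print(auth, registrar_verify(auth, "REGISTER", "constructed-password"))
```

A production registrar additionally checks that the nonce is one it issued and is still fresh; that bookkeeping is left out here.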