SIP Trunk Authentication Methods

Owned by Kelly Evans (Unlicensed)
Last updated: Sept 30, 2022 by Rob Whyte (Unlicensed)
1 min read

SIP Trunk Registration

The Peeredge SBC supports username / password-based registration of SIP Trunk Members (i.e. SBC/PBXs). Successful registration of a SIP Trunk results in an Address of Record (AOR) that can only be used to route PSTN Inbound (Originating Customer) calls to the customer SBC/PBX/SBCs/PBXs. PSTN Outbound (Terminating Customer) calls do not use the Address of Records (AORs). All SIP Invites from the customer SBC/PBX must be authenticated. 

The Peeredge SBC responds to all unauthenticated SIP Invites with a SIP 401 Unauthorized message. The SIP 401 message includes a WWW-Authenticate header with a Realm and Nonce. The SBC/PBX uses this information to generate a response (a 32-byte hash of the SIP Digest username, password, realm nc, nounce, cnouce, uri and response) encrypted by the MD5 algorithm. This response and other hashed fields, and encryption algorithms (i.e. MD5) are included in an Authorization Header in a follow-up SIP Invite. If the Peeredge SBC calculated response matches the response in the Authorization Header, the SIP Invite is accepted.

When configured for username/password-based registration, each SBC/PBX must use a unique username.

IP address, Port, and Protocol

The most common authentication method is to match the source IP address, source port (UDP only), and protocol (i.e. UDP, TCP, or TLS). With this method, only SIP messages from the customer SBCsPBXs IP addresses are accepted.

Recommendations

If the SBC/PBX IP addresses are statically defined, 46 Labs recommends authenticating with the source IP address, source port (UDP only), and protocol.