[asterisk-dev] res_pjsip_acl: endpoint specific ACL

Dmitriy Serov serov.d.p at gmail.com
Tue Mar 24 07:08:01 CDT 2015


24.03.2015 3:44, Joshua Colp wrote:
> Dmitriy Serov wrote:
>> Hello.
>> And sorry for my English :)
>>
>> https://issues.asterisk.org/jira/browse/ASTERISK-24890
>>
>> I continue to migrate from Asterisk 11 to 13.2 and continue to face
>> compatibility problems.
>> chan_sip has a very good ability to limit registration for a particular
>> PEER to a specified set of IP addresses. I have not found such an
>> option in res_pjsip.
>> ACL offers only a limit on the IP packet or contact without being tied to
>> a particular endpoint. Because only some endpoints require registration
>> restrictions by IP, with version 13.2 all registrations are
>> unprotected, insecure.
>> I propose to implement an option to specify the endpoint in the ACL section.
>
> I think from a user perspective the nicest way is to just specify a 
> list of ACLs on the endpoint itself. Specifying endpoints in the ACLs 
> is cumbersome and doesn't feel right. It would also be hard to maintain.
>
> From an implementation perspective it's not hard. Allow ACLs to be 
> specified on the endpoint. This can be a vector of strings. In 
> res_pjsip_acl check the endpoint for ACLs and enforce their 
> restrictions. If no ACLs are present on the endpoint enforce the 
> global ACLs.
>

Two things about the proposed decision confuse me:
1. There is one ACL section and one endpoint, which points to the ACL 
section by name. Now I remove the line with the name of the ACL in the 
endpoint section.
And... the ACL becomes global, preventing the registration of all existing 
endpoints. The administrator can get very unexpected behavior :(
Somehow, in the case of the Identify section, another decision was chosen: 
the Identify section refers to the Endpoint section.
2. Performance issue. In your proposal, for EACH incoming packet, checking 
EACH ACL will iterate over ALL endpoints and compare the name of the 
current ACL section.

I see a more suitable solution:
1. The ACL has refs to endpoints by name. This is more consistent with the 
accepted refs architecture.
2. The endpoint has a vector of callbacks to check ACLs. These procedures are 
called in the registrar_on_rx_request method, which already knows the 
particular endpoint (with different identification methods).
3. Loading ACL sections searches endpoints by name and sets the callbacks.
This solution will protect against unexpected ACL globalization, leave the 
endpoint independent of the ACL, and not require an additional endpoint search 
when checking ACLs.

But Joshua Colp's proposed solution is suitable for me personally, because 
it will solve the problem of testing the ACL in relation to an endpoint. If 
only it were implemented :)
Thank you very much for not leaving the letter unanswered.

Dmitriy Serov.
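The two designs discussed in this thread, as an added example that is not code from the thread or from Asterisk itself: a small Python model of the endpoint-level ACL lookup Joshua Colp describes (endpoint ACLs if present, otherwise the global ACLs) and of the "ACL globalization" case Dmitriy raises, where removing the only endpoint reference to an ACL section turns that section into a global one. The permit/deny evaluation follows Asterisk's ordered ACL lists, where the last matching rule wins and no match means allow; the config values, endpoint names and networks are constructed for the example, and the rule that an unreferenced ACL section is treated as global is an interpretation of the thread, not confirmed res_pjsip_acl behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    network: object  # ipaddress.IPv4Network or IPv6Network


def parse_acl(lines):
    """Parse 'permit=' / 'deny=' lines (pjsip.conf [acl] style) into ordered rules."""
    rules = []
    for line in lines:
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in ("permit", "deny"):
            raise ValueError(f"unknown ACL option: {key}")
        rules.append(AclRule(key, ipaddress.ip_network(value, strict=False)))
    return rules


def ip_allowed(rules, addr):
    """Ordered evaluation: the last rule whose network contains addr decides;
    if nothing matches, the address is allowed (assumed Asterisk semantics)."""
    addr = ipaddress.ip_address(addr)
    verdict = True
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            verdict = rule.action == "permit"
    return verdict


# Constructed configuration: two ACL sections and two endpoints.
# "office_only" is the classic "deny everything, then permit one subnet" pattern.
ACLS = {
    "office_only": parse_acl(["deny=0.0.0.0/0", "permit=192.0.2.0/24"]),
    "no_badnet": parse_acl(["deny=198.51.100.0/24"]),
}
ENDPOINTS = {
    "alice": ["office_only"],  # endpoint-level ACL list (Joshua's proposal)
    "bob": [],                 # no endpoint ACLs: global ACLs apply
}


def global_acl_names(endpoints, acls):
    """ACL sections referenced by no endpoint are treated as global
    (the behaviour Dmitriy warns about; an interpretation of the thread)."""
    referenced = {name for names in endpoints.values() for name in names}
    return [name for name in acls if name not in referenced]


def registration_allowed(endpoint, source_ip, endpoints=ENDPOINTS, acls=ACLS):
    """Decide whether a REGISTER from source_ip may proceed for this endpoint:
    enforce the endpoint's own ACLs if it has any, else the global ones."""
    names = endpoints[endpoint] or global_acl_names(endpoints, acls)
    return all(ip_allowed(acls[name], source_ip) for name in names)


if __name__ == "__main__":
    print("alice from office:", registration_allowed("alice", "192.0.2.10"))
    print("alice from elsewhere:", registration_allowed("alice", "203.0.113.7"))
    print("bob from elsewhere:", registration_allowed("bob", "203.0.113.7"))
    # Dmitriy's scenario: drop alice's reference and office_only becomes global,
    # so bob, who never mentioned it, is now locked out too.
    no_refs = {"alice": [], "bob": []}
    print("bob after globalization:",
          registration_allowed("bob", "203.0.113.7", endpoints=no_refs))
```

Running the block shows alice accepted only from 192.0.2.0/24, bob subject only to the global "no_badnet" section, and bob rejected from 203.0.113.7 once "office_only" loses its endpoint reference, which is exactly the surprising behaviour change the first concern in the message describes.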
