[asterisk-dev] res_pjsip_acl: endpoint specific ACL

Joshua Colp jcolp at digium.com
Tue Mar 24 07:20:42 CDT 2015


Dmitriy Serov wrote:

<snip>

> The proposed decision confuses me on two things:
> 1. There is one section of the ACL and one endpoint, which pointed to
> ACL section by name. Now I remove the line with the name of ACL in the
> endpoint section.
> And... ACL becoming global, preventing the registration of all existing
> endpoints. Administrator can get very unexpected behavior :(
> Somehow, in the case of Identify section was chosen another decision:
> Identify section refers to the section of the Endpoint.

Yes, in that case it was because the performance penalty of going 
through every endpoint to do an identification check is greater than 
simply looking at identify sections. If you have 2 identify sections 
it's quick. If you moved that to the endpoint and you had 100 endpoints 
- that's slower. Especially when it comes from a database.

> 2. Performance issue. In your proposal for EACH incoming packet to check
> EACH ACL will have iterated on ALL endpoint and compare the name of the
> current ACL section.

Nope! Incoming traffic is ALWAYS associated with an endpoint. You can 
get the endpoint and see if any ACL names are configured on it. If there 
are you can get each individual ACL and apply it. If not the way it 
works now can be used.

>
> I see it more suitable solution:
> 1. ACL has refs to endpoints by name. This is more consistent with
> accepted refs architecture.

Given the following scenario:
1. An ACL with no endpoint names configured
2. An ACL with endpoint names configured
3. Packet comes in and the ACL without endpoint names is queried first

How do I know that that ACL shouldn't be applied since another ACL has 
explicitly stated that ACL should be applied instead?

> 2. Endpoint has vector of callbacks to check ACL. These procedures are
> called in registrar_on_rx_request method, which already knows the
> particular endpoint (with different identification methods)

Why does the res_pjsip_registrar module need to do this?

> 3. Loading ACL sections searching endpoints by name and setting callbacks
> This solution will protect against unexpected ACL globalization, leave
> endpoint independence of the ACL, not require additional search endpoint
> checking ACL.

I don't understand what you mean here.

Cheers,

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
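
The lookup order discussed in this message (find the endpoint, apply the ACLs it names, otherwise fall back to the global behaviour) and the side effect raised in the quoted point 1, as an added example that is not code from this thread or from Asterisk. The types, function names and addresses are constructed, and it assumes an ACL applies to the endpoints that name it and becomes global once no endpoint names it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define MAX_ACLS 4

/* Constructed model for illustration; these are not Asterisk's types. */
struct acl { const char *name; uint32_t net, mask; };  /* permits net/mask only */
struct endpoint { const char *name; const char *acls[MAX_ACLS]; };  /* NULL-terminated */

static int acl_permits(const struct acl *a, uint32_t src) {
    return (src & a->mask) == a->net;
}

/* Returns 1 if endpoint ep lists an ACL called name. */
static int names_acl(const struct endpoint *ep, const char *name) {
    for (size_t i = 0; i < MAX_ACLS && ep->acls[i]; i++)
        if (strcmp(ep->acls[i], name) == 0)
            return 1;
    return 0;
}

/* Returns 1 to accept traffic from src for endpoint ep, 0 to reject. */
int check_traffic(const struct endpoint *ep, uint32_t src,
                  const struct acl *acls, size_t nacls,
                  const struct endpoint *eps, size_t neps) {
    for (size_t i = 0; i < nacls; i++) {
        int referenced = 0;  /* scanned per call here only for brevity */
        for (size_t e = 0; e < neps; e++)
            referenced |= names_acl(&eps[e], acls[i].name);
        /* Assumption: an endpoint that names ACLs gets exactly those;
         * any other endpoint gets the ACLs that nobody names (global). */
        int applies = ep->acls[0] ? names_acl(ep, acls[i].name) : !referenced;
        if (applies && !acl_permits(&acls[i], src))
            return 0;
    }
    return 1;
}

/* Constructed scenario: "office" permits 10.0.0.0/8; bob names no ACL. */
int bob_accepted(int alice_names_office, uint32_t src) {
    struct acl acls[] = { { "office", IP(10, 0, 0, 0), IP(255, 0, 0, 0) } };
    struct endpoint eps[] = {
        { "alice", { alice_names_office ? "office" : NULL } },
        { "bob", { NULL } },
    };
    return check_traffic(&eps[1], src, acls, 1, eps, 2);
}
```

Deleting the single ACL reference from alice changes the result for bob, whose own section was never edited: `bob_accepted(1, IP(203, 0, 113, 5))` accepts and `bob_accepted(0, IP(203, 0, 113, 5))` rejects.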


