Iñaki Baz Castillo wrote:
Hi, I want to maintain independent domains in OpenSer. In my case I've an
OpenSer with a single DNS A record and various CNAME (I still don't want
to play with SRV and so).
so:
DNS A = openser.domain.org
CNAME = sip1.domain.org
CNAME = sip2.domain.org
And I want users of sip1.domain.org and sip2.domain.org as independent
groups.
I just want to avoid SIP interdomain messages, so 200(a)sip1.domain.org
CAN'T invite 300(a)sip2.domain.org even if he does authentication.
I've loaded "domain" module and use "is_uri_host_local()"
and "is_from_local()" functions, but for now I only used one domain.
My question is very general: to implement (or avoid) interdomain
communication, do I need to use the "domainpolicy" [1] module?
no
I've read its doc and know it's based on 3 drafts [2][3][4], but all of them
seem to be based on the complex NAPTR record and so. Is it the way?
if you only want to prevent calls from sip1 to sip2 just compare the
from domain with the domain in the ruri
if ( $rd != $fd) {
    sl_send_reply("403","forbidden");
    exit;
}
I think I could just compare the FROM domain with the TO domain in order
to avoid interdomain communication, but of course I'd like in the future
the possibility of allowing some domains to contact some other domains. Is
then "domainpolicy" the solution I should learn?
no. it would be easier to just put all the allowed domains into a table:
A | B
---------------
sip1 | sip2
sip1 | sip3
sip5 | sip6
the code would be somehow like this (from the logic. I do not know the
exact syntax by heart):
if ( $rd != $fd) {
    # lookup table with raw_query from avp_ops module:
    ... SELECT count(*) from table WHERE ($rd=A and $fd=B) OR ($rd=B and $fd=A);
    if count == 0 {
        sl_send_reply("403","forbidden");
        exit;
    }
}
Ok, very clear. Thanks a lot.
Regards.
--
Iñaki Baz Castillo
ibc(a)in.ilimit.es
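
Added example, not part of the original messages and not OpenSER code: a Python model of the allowed-pairs table lookup suggested in the thread, with the domains taken from the request bound as query parameters instead of being pasted into the SQL text. The table name allowed_pairs, its columns a and b, and all function names are assumptions; the pairs are the ones from the table in the thread.

```python
import sqlite3

# Constructed sample data: the pairs from the table in the thread.
ALLOWED_PAIRS = [("sip1", "sip2"), ("sip1", "sip3"), ("sip5", "sip6")]


def normalize(domain):
    """Host names are case-insensitive; also drop a trailing root dot."""
    return domain.strip().rstrip(".").lower()


def open_policy_db(pairs=ALLOWED_PAIRS):
    """Build an in-memory table of domain pairs (hypothetical name: allowed_pairs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_pairs (a TEXT NOT NULL, b TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO allowed_pairs (a, b) VALUES (?, ?)",
        [(normalize(a), normalize(b)) for a, b in pairs],
    )
    return conn


def is_call_allowed(conn, from_domain, ruri_domain):
    """Return True if a request from from_domain ($fd) may target ruri_domain ($rd)."""
    fd, rd = normalize(from_domain), normalize(ruri_domain)
    if fd == rd:
        return True  # same domain: the table is not consulted
    # Both values come from the SIP request, so they are bound as parameters
    # and never concatenated into the SQL statement.
    (count,) = conn.execute(
        "SELECT count(*) FROM allowed_pairs "
        "WHERE (a = ? AND b = ?) OR (a = ? AND b = ?)",
        (rd, fd, fd, rd),
    ).fetchone()
    return count > 0


def reply_for(conn, from_domain, ruri_domain):
    """Map the decision to the reply used in the thread (403) or to relaying."""
    allowed = is_call_allowed(conn, from_domain, ruri_domain)
    return "relay" if allowed else "403 forbidden"
```

The lookup is symmetric, as in the query sketched in the thread, so one row covers both call directions.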