[sr-dev] DMQ security

Peter Dunkley peter.dunkley at crocodilertc.net
Thu Oct 31 14:12:48 CET 2013


In my opinion being able to choose to use DMQ over TCP, TLS, or UDP
through setting the ";transport=" URI parameter in the modparams, and being
able to validate the TLS certificate in the configuration file (in the same
way as you do for all other traffic) is a good solution.  Flexibility is
good and TLS isn't always necessary and doesn't have to be used.  It should
be easy to use TLS when you want and easy to not use it when you want, and
no-one (however well intentioned) should ever be able to force me to build
my network by their rules.  Also, this will mean that any future TLS
enhancements (for example, validation of certificate on outgoing messages
and DANE) will automatically be picked up too.

DMQ is a very advanced module and I don't think there should be too much
concern over students who can't edit config files.  If they can't work that
out they are never going to be able to use Kamailio properly anyway.  The
fact that Kamailio is "hard" is a necessary function of its flexibility -
it is because Kamailio doesn't do anything clever by default that makes it
so powerful (because you can have full control over all the behaviour).

And none of this stops a teacher providing their students with good example
configuration files for things like DMQ that do all of these things
properly.  Or even providing configuration file libraries (using
"import_file" and check_route_exists()/route_if_exists()) that do all of
the right stuff for them.
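
A sketch of the setup the message describes, added here as an illustration and not part of the original post or of the Kamailio project's shipped configuration. The addresses, ports and route name are constructed, and it assumes a dmq build that honours the ";transport=" parameter in its address modparams, as the message proposes.

```cfg
# Added example; IPs, ports and the route name are constructed placeholders.
loadmodule "sl.so"
loadmodule "tls.so"
loadmodule "dmq.so"

listen=tls:192.0.2.10:5061

# Ask TLS peers for a certificate and verify it against the configured CA.
# Assumption: set globally here for brevity; a per-address profile in the
# tls module's own config file can scope this to the DMQ listener only.
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

# Plain UDP variant (no confidentiality, no peer authentication):
# modparam("dmq", "server_address", "sip:192.0.2.10:5060")
# modparam("dmq", "notification_address", "sip:192.0.2.11:5060")

# TLS variant: the transport is chosen purely by the URI parameter.
modparam("dmq", "server_address", "sip:192.0.2.10:5061;transport=tls")
modparam("dmq", "notification_address", "sip:192.0.2.11:5061;transport=tls")

request_route {
    if ($rm == "KDMQ") {
        # Validate the peer in the config, as for any other TLS traffic.
        route(DMQ_PEER_CHECK);
        dmq_handle_message();
        exit;
    }
    # ... normal SIP routing continues here ...
}

route[DMQ_PEER_CHECK] {
    # is_peer_verified() (tls module) is true only when the message arrived
    # over TLS and the peer's certificate chain verified successfully, so
    # KDMQ arriving over UDP or TCP is rejected here as well.
    if (!is_peer_verified()) {
        sl_send_reply("403", "Forbidden");
        exit;
    }
}
```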