[Serusers] Re: [Serdev] Auth* changes
Greger V. Teigre
greger at teigre.com
Fri Apr 22 16:58:04 CEST 2005
My 2 cents worth:
Also we experienced the problem of SIP-Rpid suddenly not working. (It took
some time and some code reading to figure out that the problem was to be
found in the auth_db module, even though auth_radius also was updated.) It
was Martin Koenig's serdev posting regarding CVS HEAD that pointed me in the
right direction.
IMHO, the committed changes done by Bogdan did not only fix Rpid issues, but
also introduced new functionality in the auth_radius module (i.e. ability to
load SIP-AVPs as part of a radius auth). Before the discussion started on
these mailing lists, I was surprised that such functionality was introduced
so close to release. I did not really expect such an extensive code
upgrade, and admittedly I would prefer not to get surprises like this... ;-)
The loading of SIP-Rpid as part of auth and having to use a separate
function in avp_radius for loading SIP-AVPs for caller has seemed a bit odd
and makes it a bit difficult on the RADIUS side (we use a commerical RADIUS
server). So, I agree with Bogdan that introducing SIP-AVP loading in
authentication is a clean up that makes sense. However, I believed that the
avp_radius module was a way to introduce avp loading in 0.9.0 without
changing the code of the auth modules?! Why not address this earlier?
My personal opinion: Despite the latest commits, AVP loading from RADIUS is
still in transition from being an add-on (avp_radius module) to being
integrated in auth_radius and uri_radius. I would love to get rid of one
auth (we have three today for each INVITE).
As long as the backwards SIP-Rpid compatibility is there, I'm fine with the
commits done.
So, some comments to how I view the RADIUS-based avpair loading in
ser-0.9.0:
It looks like the loading of SIP-AVPs in auth_radius load all attributes
without the "caller_" prefix, while our scripts use caller_* and callee_*
prefixed AVPs. This results in the need for renaming all ser.cfg avp
references when moving from avp_load_radius("caller") to loading through
radius_proxy_authorize().
Also, it seems that both radius_www_authorize and radius_proxy_authorize
will load the same set of SIP-AVPs. Both use SIP-Session as Service-Type and
it is thus not possible to avoid returning SIP-AVPs for a REGISTER, but do
so for INVITEs. Though not directly a critical problem, our RADIUS servers
do complex configuration evaluations and use Session-Type to filter out
which evaluations and thus avpairs to return. A REGISTER is a plain
authentication + authorization on the SIP service, while an INVITE is a more
complex evaluation (that is: if SIP-AVPs are to be returned.)
Another question is if it is always so that SIP-AVPs should be returned when
Session-Type=SIP-Session. The avp_radius module uses SIP-Caller-AVPs and
SIP-Callee-AVPs, thus giving a great deal of flexibility.
Ok, finally, loading SIP-AVPs as part of the auth makes sense, but from a
user point of view it would be natural to phase out the avp_radius module
when doing so. Now avp_load_radius("callee") is still left
(radius_does_uri_exist seems to be the natural replacement). This gives
another question: Should Session-Type=Call-check always indicate that
SIP-AVPs for callee should be returned, or is there other scenarios? (I
don't really know, we haven't, but others may?)
g-)
Bogdan-Andrei Iancu wrote:
> Juha Heinanen wrote:
>
>> Bogdan-Andrei Iancu writes:
>>
>>> What you miss here - or I haven't made it clear enough - is that the
>>> auth* commit doesn't backport any new features, improvements, etc,
>>> but backports a *cleanup* of these modules, cleanup which fixes a
>>> lot of inconsistencies - which in my opinion goes into fixing area.
>>
>> as i said, auth commit was not backwards compatible with what we had
>> before the commit. more specifically, before the commit, rpid was
>> returned from radius in SIP-RPID reply attribute to authentication
>> query, whereas it now is returned in SIP-AVP attribute. thus all
>> proxies that use radius for authentication stopped working after the
>> commit.
>>
>> in order to maintain backwards compatibility at radius level, perhaps
>> you could add a check for existence of SIP-RPID attribute in the
>> reply and if it exists, assign its value to rpid avp?
>>
>>
> I have to agree with you are this point. I failed to notice this since
> it is rather a incompatibility at Radius server level - it's about how
> exactly the RPID value is sent: old version, as standalone A_SIP_RPID
> Radius attr, now as A_SIP_AVP Radius attr in "rpid:value" format.
> As far as I found out, this is the only issue, right? And can be
> easyly fixed - before loading all general Radius attributes from
> A_SIP_AVP, also look for A_SIP_RPID for backward compat. (maybe
> configurable)..
> Do you find this acceptable from all point of view - compatibility and
> cvs ruling?
>
> bogdan
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
More information about the sr-users
mailing list