diff options
author | Jenkins2 <jenkins2@gerrit.asterisk.org> | 2018-01-11 08:42:52 -0600 |
---|---|---|
committer | Gerrit Code Review <gerrit2@gerrit.digium.api> | 2018-01-11 08:42:52 -0600 |
commit | 97a0e8591ff3b2c0970ae2eeed4a26d207370431 (patch) | |
tree | 924b8f9a571599e76ff6d63966e677b4f2d15078 /res/res_pjsip.c | |
parent | f94c56d388fba40369987f2e2144ceffac6f5e5e (diff) | |
parent | 8f3167c5f17a5c85bd7d6c42f3c22f56e081eaba (diff) |
Merge "res_pjsip.c: Update the endpoint identification documentation."
Diffstat (limited to 'res/res_pjsip.c')
-rw-r--r-- | res/res_pjsip.c | 93 |
1 files changed, 57 insertions, 36 deletions
diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 56255bae8..0311dfd4b 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -269,45 +269,60 @@ <configOption name="ice_support" default="no"> <synopsis>Enable the ICE mechanism to help traverse NAT</synopsis> </configOption> - <configOption name="identify_by" default="username,ip"> - <synopsis>Way(s) for Endpoint to be identified</synopsis> - <description><para> - Endpoints and aors can be identified in multiple ways. Currently, the supported - options are <literal>username</literal>, which matches the endpoint or aor id based on - the username and domain in the From header (or To header for aors), - <literal>auth_username</literal>, which matches the endpoint or aor id based on the - username and realm in the Authentication header, and <literal>ip</literal> which matches - an endpoint based on the source IP address. In the <literal>username</literal> and - <literal>auth_username</literal> cases, if an exact match on both username and - domain/realm fails, the match will be retried with just the username. + <configOption name="identify_by"> + <synopsis>Way(s) for the endpoint to be identified</synopsis> + <description> + <para>Endpoints and AORs can be identified in multiple ways. This + option is a comma separated list of methods the endpoint can be + identified. </para> <note><para> - Identification by auth_username has some security considerations because an - Authentication header is not present on the first message of a dialog when - digest authentication is used. The client can't generate it until the server - sends the challenge in a 401 response. Since Asterisk normally sends a security - event when an incoming request can't be matched to an endpoint, using auth_username - requires that the security event be deferred until a request is received with - the Authentication header and only generated if the username doesn't result in a - match. This may result in a delay before an attack is recognized. You can control - how many unmatched requests are received from a single ip address before a security - event is generated using the unidentified_request parameters in the "global" - configuration object. + This option controls both how an endpoint is matched for incoming + traffic and also how an AOR is determined if a registration + occurs. You must list at least one method that also matches for + AORs or the registration will fail. </para></note> - <note><para>Endpoints can also be identified by IP address; however, that method - of identification is not configured but simply allowed by this configuration option. - See the documentation for the <literal>identify</literal> configuration section for - more details on that method of endpoint identification.</para></note> - <note><para> - This option controls both how an endpoint is matched for incoming traffic and also how - an AoR is determined if a registration occurs. If <literal>ip</literal> is set alone - then incoming registration will not find an AoR and the registration attempt will fail. - If you want to allow incoming registrations to succeed you must set a second identify - method such as <literal>username</literal> in this case.</para></note> <enumlist> - <enum name="username" /> - <enum name="auth_username" /> - <enum name="ip" /> + <enum name="username"> + <para>Matches the endpoint or AOR ID based on the username + and domain in the From header (or To header for AORs). If + an exact match on both username and domain/realm fails, the + match is retried with just the username. + </para> + </enum> + <enum name="auth_username"> + <para>Matches the endpoint or AOR ID based on the username + and realm in the Authentication header. If an exact match + on both username and domain/realm fails, the match is + retried with just the username. + </para> + <note><para>This method of identification has some security + considerations because an Authentication header is not + present on the first message of a dialog when digest + authentication is used. The client can't generate it until + the server sends the challenge in a 401 response. Since + Asterisk normally sends a security event when an incoming + request can't be matched to an endpoint, using this method + requires that the security event be deferred until a request + is received with the Authentication header and only + generated if the username doesn't result in a match. This + may result in a delay before an attack is recognized. You + can control how many unmatched requests are received from + a single ip address before a security event is generated + using the <literal>unidentified_request</literal> + parameters in the "global" configuration object. + </para></note> + </enum> + <enum name="ip"> + <para>Matches the endpoint based on the source IP address. + </para> + <para>This method of identification is not configured here + but simply allowed by this configuration option. See the + documentation for the <literal>identify</literal> + configuration section for more details on this method of + endpoint identification. + </para> + </enum> </enumlist> </description> </configOption> @@ -1676,7 +1691,7 @@ <synopsis>Enable/Disable SIP debug logging. Valid options include yes|no or a host address</synopsis> </configOption> - <configOption name="endpoint_identifier_order" default="ip,username,anonymous"> + <configOption name="endpoint_identifier_order"> <synopsis>The order by which endpoint identifiers are processed and checked. Identifier names are usually derived from and can be found in the endpoint identifier module itself (res_pjsip_endpoint_identifier_*). @@ -1804,9 +1819,15 @@ <parameter name="Endpoint"> <para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip_endpoint_identifier_ip']/configFile[@name='pjsip.conf']/configObject[@name='identify']/configOption[@name='endpoint']/synopsis/node())"/></para> </parameter> + <parameter name="SrvLookups"> + <para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip_endpoint_identifier_ip']/configFile[@name='pjsip.conf']/configObject[@name='identify']/configOption[@name='srv_lookups']/synopsis/node())"/></para> + </parameter> <parameter name="Match"> <para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip_endpoint_identifier_ip']/configFile[@name='pjsip.conf']/configObject[@name='identify']/configOption[@name='match']/synopsis/node())"/></para> </parameter> + <parameter name="MatchHeader"> + <para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip_endpoint_identifier_ip']/configFile[@name='pjsip.conf']/configObject[@name='identify']/configOption[@name='match_header']/synopsis/node())"/></para> + </parameter> <parameter name="EndpointName"> <para>The name of the endpoint associated with this information.</para> </parameter> |