Re: [reSIProcate] ACL, StaticRoute and federated SIP use case
On 02/08/12 21:35, Scott Godin wrote:
> Static Routes are followed if the request is deemed to be destined to a
> domain we are responsible for. Requests to be forwarded to other domains
That is the case here: the dest domain is sip5060.net, and the repro
challenging the request is responsible for sip5060.net.
However, the `From' domain of the request is NOT a domain that this repro is
responsible for.
> are picked off by the Am I Responsible monkey. Since the request is to an
> entity within our domain it is challenged as a matter of policy (unless it's
> from a machine/domain on the ACL list). This is fine for routing requests
> from users of our domain, but not helpful for routing requests from unknown
> users. The Static Routes really ought to specify in the web page
> configuration if they are to be challenged or not - perhaps a setting that
> allows the following: Challenge Always (same as today), Don't Challenge
> MTLS peers, Never Challenge, etc... The commented out code was intended
> to provide a placeholder for this capability. Ideally this would be per
> route, but a global setting would work as a band aid as well.
I don't mind implementing some basic variation of that if it is not
going to upset anything else.
I think the idea should be that if something passes
CertificateAuthenticator, it should pass StaticRoute too, just as if it
had already passed DigestAuthenticator (because in that case,
StaticRoute would not challenge it again).