On Mon, 2009-09-21 at 11:49 -0400, Huijun Yang wrote:
> Hello,
> 
> I'd like to initiate a discussion for
> http://track.sipfoundry.org/browse/XX-6398 from requirements to 
> sipXconfig point of view.
> 
> The following are the requirements to sipXconfig for this feature:
> 
> - To allow admin to add/delete/config TLS peer system info, which
> includes peer system's name, certificate, and permissions assigned to it.
> - Extend site-to-site dialing rule (used by sipXproxy) and sipTrunk
> (used by sipXbridge) to include peer-to-peer parameters, such as source
> peer system, and permissions, etc.
> - Create unique identity for each peer system configured, which does
> not need to be visible from the UI, could be something like ~~peer~{peer}
> 
> But after thinking about it a bit, I am not sure we need to extend
> site-to-site and sipTrunk to include peer system info. To me, a peer
> system will be just like a virtual user to the local system, and admin
> will grant whatever permissions to it to allow it to access dialplans
> on the local systems. For example, if LongDistance permission is
> granted to the peer, then PSTN calls from the peer system will be able
> to access dialplans that require LongDistance permission. In other
> words, peer system will be handled just as if it is a user in the local
> system based on its permissions. If we allow configuring permissions
> for a peer system, then the existing dialplan handling should be
> sufficient to handle it. There should not be a need to modify
> Site-to-Site or sipTrunk to specially handle the peer system to access
> dialplans.



> I do think there's something special about these 'peer/trunk'
> connections.
>
> I don't think that we want it to be possible to grant PSTN callers
> coming in through an unauthenticated gateway the right to make any PSTN
> call (other than through our existing authenticated forwarding/transfer
> operations).

But I think we have TLS connection between peer systems, so calls
from a peer system are considered as authenticated.


> I'm not at all clear on just what you propose to change, though.  The
> only way to create a set of permissions is to create an identity that
> has them.  The peer must have an identity (I'd suggest
> ~~id~peer~<label> to stick with the two character convention).  Are you
> suggesting that the peer system appear as a user in the UI?  I think
> that would be confusing to most admins...

Sorry that I did not make myself clear. So I am proposing to have a new
page, where you can create a peer, which includes peer name, certificate,
permissions, etc., and underneath, the system will create an identity for the
peer, and as you suggested, there is no need to expose the identity on
the UI.


Thanks
Huijun
_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
