Restrict Simultaneous-Use

classic Classic list List threaded Threaded
32 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Restrict Simultaneous-Use

Robert Borz
Hi,

currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).

But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?

Any hint would be really appreciated...


Regards,
Robert


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Bogdan-Andrei Iancu
Hi Robert,

You do not need Radius for this. OpenSIPS can do this by itself. See a
nice tutorial on this topic:
    http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls

Regards,
Bogdan

Robert Borz wrote:

> Hi,
>
> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>
> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?
>
> Any hint would be really appreciated...
>
>
> Regards,
> Robert
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Robert Borz
Hi Bogdan,

thanks a lot. Looks really pretty with the example you showed.

My problem is that, depending on the amount of concurrent calls a user can do, the user belongs to a different group in radius. Imagine a user belonging to the group 'pots' has a simultaneous call limit of 1, a user belonging to the group 'isdn' has a limit of 2 concurrent calls...

All rate information/customer attributes is/are stored in the radius and we want to keep it like this. So I think I've to get the information about how many calls the user can do out of the radius into SER to use the example. Any idea how to do that?


Regards,
Robert

-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: Thursday, March 05, 2009 12:49 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use

Hi Robert,

You do not need Radius for this. OpenSIPS can do this by itself. See a
nice tutorial on this topic:
    http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls

Regards,
Bogdan

Robert Borz wrote:

> Hi,
>
> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>
> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?
>
> Any hint would be really appreciated...
>
>
> Regards,
> Robert
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>  



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Iñaki Baz Castillo
In reply to this post by Bogdan-Andrei Iancu
2009/3/5 Bogdan-Andrei Iancu <[hidden email]>:
> Hi Robert,
>
> You do not need Radius for this. OpenSIPS can do this by itself. See a
> nice tutorial on this topic:
>    http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls

Hi, this is very interesting but I wonder how "dangerous" is a proxy
trying to count the simultaneous calls.

If for example alice calls to bob through OpenSIPs, how can OpenSIPS
know if the call is really alive or not? imagine neither alice or bob
are using SessionTimers.

OpenSIPS cannot assume that it will receive an in-dialog request which
would refresh the dialog expire time, so this time must be very long
(hours). What about if alice and bob crash without sending a BYE? The
call will remain "alive" in OpenSIPS until the dialog expires (various
hours), so alice couldn't call bob again during this time.


--
Iñaki Baz Castillo
<[hidden email]>

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Brett Nemeroff
Just chiming in here.. See, I'm having a problem with my provider who isn't properly adhering to Record-Routing (see previous thread). And so sometimes I don't get that BYE and it goes direct to my customer! So in that case, the dialog gets left open permanently. 

There is a notable danger in allowing a proxy to do this job. If everyone is following the rules, it should be pretty good. I'd be interested in hearing about other people's experiences with this..

BTW, I've spoken with my provider, who admitted it was a problem and fixed it. so, yay. Thanks for the support everyone. :)
-Brett


On Thu, Mar 5, 2009 at 6:54 AM, Iñaki Baz Castillo <[hidden email]> wrote:
2009/3/5 Bogdan-Andrei Iancu <[hidden email]>:
> Hi Robert,
>
> You do not need Radius for this. OpenSIPS can do this by itself. See a
> nice tutorial on this topic:
>    http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls

Hi, this is very interesting but I wonder how "dangerous" is a proxy
trying to count the simultaneous calls.

If for example alice calls to bob through OpenSIPs, how can OpenSIPS
know if the call is really alive or not? imagine neither alice or bob
are using SessionTimers.

OpenSIPS cannot assume that it will receive an in-dialog request which
would refresh the dialog expire time, so this time must be very long
(hours). What about if alice and bob crash without sending a BYE? The
call will remain "alive" in OpenSIPS until the dialog expires (various
hours), so alice couldn't call bob again during this time.


--
Iñaki Baz Castillo
<[hidden email]>

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Bogdan-Andrei Iancu
In reply to this post by Iñaki Baz Castillo
Hi Inaki,

This is an old, hot topic.

There are many services that are more appropriate via a B2BUA  (like
acc, dialog stuff, security, etc) - last time the discussion started
from the question if a proxy is the best place to do accounting.

In all the case is about compromising - how much you are willing to
lose. You may loose time/resources to build and implement a platform
were there is no way for bad thinks to happen (you deal with all corner
cases) - and you end up with a huge platform, very complex, difficult to
maintain, expensive to run, etc .

Or you can loose some corner cases and build a simpler and more
efficient platform.

The whole idea is if it pays to spend 1 million $ to save one $ :)..

Regards,
Bogdan

Iñaki Baz Castillo wrote:

> 2009/3/5 Bogdan-Andrei Iancu <[hidden email]>:
>  
>> Hi Robert,
>>
>> You do not need Radius for this. OpenSIPS can do this by itself. See a
>> nice tutorial on this topic:
>>    http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls
>>    
>
> Hi, this is very interesting but I wonder how "dangerous" is a proxy
> trying to count the simultaneous calls.
>
> If for example alice calls to bob through OpenSIPs, how can OpenSIPS
> know if the call is really alive or not? imagine neither alice or bob
> are using SessionTimers.
>
> OpenSIPS cannot assume that it will receive an in-dialog request which
> would refresh the dialog expire time, so this time must be very long
> (hours). What about if alice and bob crash without sending a BYE? The
> call will remain "alive" in OpenSIPS until the dialog expires (various
> hours), so alice couldn't call bob again during this time.
>
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Iñaki Baz Castillo
2009/3/5 Bogdan-Andrei Iancu <[hidden email]>:

> Hi Inaki,
>
> This is an old, hot topic.
>
> There are many services that are more appropriate via a B2BUA  (like acc,
> dialog stuff, security, etc) - last time the discussion started from the
> question if a proxy is the best place to do accounting.
>
> In all the case is about compromising - how much you are willing to lose.
> You may loose time/resources to build and implement a platform were there is
> no way for bad thinks to happen (you deal with all corner cases) - and you
> end up with a huge platform, very complex, difficult to maintain, expensive
> to run, etc .
>
> Or you can loose some corner cases and build a simpler and more efficient
> platform.

Yes Bogdan, also the approach described in the wiki is really
appropiate and valid when the caller or callee is a PSTN gateway which
sends a BYE if RTP is lost.

But as always, pure "Internet" calls (between users) are really
difficult to monitorize and control by a proxy.

--
Iñaki Baz Castillo
<[hidden email]>

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Bogdan-Andrei Iancu
In reply to this post by Robert Borz
Hi Robert,

Well, you can use the avp_radius module to load from a RADIUS server the
number of maximum allowed calls:
    http://www.opensips.org/html/docs/modules/devel/avp_radius.html

This is the most generic way to do it.

Do you do auth via RADIUS also ?

Regards,
Bogdan

Robert Borz wrote:

> Hi Bogdan,
>
> thanks a lot. Looks really pretty with the example you showed.
>
> My problem is that, depending on the amount of concurrent calls a user can do, the user belongs to a different group in radius. Imagine a user belonging to the group 'pots' has a simultaneous call limit of 1, a user belonging to the group 'isdn' has a limit of 2 concurrent calls...
>
> All rate information/customer attributes is/are stored in the radius and we want to keep it like this. So I think I've to get the information about how many calls the user can do out of the radius into SER to use the example. Any idea how to do that?
>
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]]
> Sent: Thursday, March 05, 2009 12:49 PM
> To: [hidden email]
> Cc: [hidden email]
> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>
> Hi Robert,
>
> You do not need Radius for this. OpenSIPS can do this by itself. See a
> nice tutorial on this topic:
>     http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>  
>> Hi,
>>
>> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>>
>> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?
>>
>> Any hint would be really appreciated...
>>
>>
>> Regards,
>> Robert
>>
>>
>> _______________________________________________
>> Users mailing list
>> [hidden email]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>  
>>    
>
>
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Bogdan-Andrei Iancu
In reply to this post by Iñaki Baz Castillo
Iñaki Baz Castillo wrote:

> 2009/3/5 Bogdan-Andrei Iancu <[hidden email]>:
>  
>> Hi Inaki,
>>
>> This is an old, hot topic.
>>
>> There are many services that are more appropriate via a B2BUA  (like acc,
>> dialog stuff, security, etc) - last time the discussion started from the
>> question if a proxy is the best place to do accounting.
>>
>> In all the case is about compromising - how much you are willing to lose.
>> You may loose time/resources to build and implement a platform were there is
>> no way for bad thinks to happen (you deal with all corner cases) - and you
>> end up with a huge platform, very complex, difficult to maintain, expensive
>> to run, etc .
>>
>> Or you can loose some corner cases and build a simpler and more efficient
>> platform.
>>    
>
> Yes Bogdan, also the approach described in the wiki is really
> appropiate and valid when the caller or callee is a PSTN gateway which
> sends a BYE if RTP is lost.
>
> But as always, pure "Internet" calls (between users) are really
> difficult to monitorize and control by a proxy.
>  

I agree on this. But this is SIP - from signalling level only you do not
have information about the call status (during the call).

Regards,
Bogdan

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Brett Nemeroff
Question, do SST help the situation? Is it widely accepted enough in the protocol to provide some backup mechanism to maintaining dialog state in the event of a lost BYE.

BTW, how is a BYE accounted for in ACC when generated locally because of an expired dialog?


On Thu, Mar 5, 2009 at 10:00 AM, Bogdan-Andrei Iancu <[hidden email]> wrote:
Iñaki Baz Castillo wrote:
> 2009/3/5 Bogdan-Andrei Iancu <[hidden email]>:
>
>> Hi Inaki,
>>
>> This is an old, hot topic.
>>
>> There are many services that are more appropriate via a B2BUA  (like acc,
>> dialog stuff, security, etc) - last time the discussion started from the
>> question if a proxy is the best place to do accounting.
>>
>> In all the case is about compromising - how much you are willing to lose.
>> You may loose time/resources to build and implement a platform were there is
>> no way for bad thinks to happen (you deal with all corner cases) - and you
>> end up with a huge platform, very complex, difficult to maintain, expensive
>> to run, etc .
>>
>> Or you can loose some corner cases and build a simpler and more efficient
>> platform.
>>
>
> Yes Bogdan, also the approach described in the wiki is really
> appropiate and valid when the caller or callee is a PSTN gateway which
> sends a BYE if RTP is lost.
>
> But as always, pure "Internet" calls (between users) are really
> difficult to monitorize and control by a proxy.
>

I agree on this. But this is SIP - from signalling level only you do not
have information about the call status (during the call).

Regards,
Bogdan

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Robert Borz
In reply to this post by Bogdan-Andrei Iancu
Hi Bogdan,

thank you for this hint. I'll check it out.

Yes, I also do auth over radius. Currently I've still OpenSER v1.3.2 installed on debian/lenny and it is working fine.

Currently I'm thinking of updating to the latest OpenSIPS release. What's the current schedule for the first stable 1.5 release?


Regards,
Bogdan


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bogdan-Andrei Iancu
Sent: Thursday, March 05, 2009 4:57 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use

Hi Robert,

Well, you can use the avp_radius module to load from a RADIUS server the
number of maximum allowed calls:
    http://www.opensips.org/html/docs/modules/devel/avp_radius.html

This is the most generic way to do it.

Do you do auth via RADIUS also ?

Regards,
Bogdan

Robert Borz wrote:

> Hi Bogdan,
>
> thanks a lot. Looks really pretty with the example you showed.
>
> My problem is that, depending on the amount of concurrent calls a user can do, the user belongs to a different group in radius. Imagine a user belonging to the group 'pots' has a simultaneous call limit of 1, a user belonging to the group 'isdn' has a limit of 2 concurrent calls...
>
> All rate information/customer attributes is/are stored in the radius and we want to keep it like this. So I think I've to get the information about how many calls the user can do out of the radius into SER to use the example. Any idea how to do that?
>
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]]
> Sent: Thursday, March 05, 2009 12:49 PM
> To: [hidden email]
> Cc: [hidden email]
> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>
> Hi Robert,
>
> You do not need Radius for this. OpenSIPS can do this by itself. See a
> nice tutorial on this topic:
>     http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>  
>> Hi,
>>
>> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>>
>> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?
>>
>> Any hint would be really appreciated...
>>
>>
>> Regards,
>> Robert
>>
>>
>> _______________________________________________
>> Users mailing list
>> [hidden email]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>  
>>    
>
>
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Iñaki Baz Castillo
In reply to this post by Brett Nemeroff
2009/3/5 Brett Nemeroff <[hidden email]>:
> Question, do SST help the situation? Is it widely accepted enough in the
> protocol to provide some backup mechanism to maintaining dialog state in the
> event of a lost BYE.

Sure, but keep in mind that a proxy CANNOT generate in-dialog
requests, so SessionTimers must be suppoerted (and enabled) in caller
and/or callee. If no one of them supports/uses SST then the proxy can
do *nothing*.
For example, a B2BUA *can* use SST in both legs to check the dialog
state since a B2BUA behaves as a callee for the caller and as a caller
for the callee. This is never possible with a proxy.


> BTW, how is a BYE accounted for in ACC when generated locally because of an
> expired dialog?

Use local_route to account it as any other BYE.

--
Iñaki Baz Castillo
<[hidden email]>

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Bogdan-Andrei Iancu
In reply to this post by Brett Nemeroff
It does help, but it is still not accurate. you can reduce the interval
for re-INVITEs, but you overload the proxy and network -> smallest error
in detecting errs; if you use big intervals for re-INVITEs, you get less
load, but the error gets higher.

For accounting the BYEs generated by dialog module, use local_route.

Regards,
Bogdan

Brett Nemeroff wrote:

> Question, do SST help the situation? Is it widely accepted enough in
> the protocol to provide some backup mechanism to maintaining dialog
> state in the event of a lost BYE.
>
> BTW, how is a BYE accounted for in ACC when generated locally because
> of an expired dialog?
>
>
> On Thu, Mar 5, 2009 at 10:00 AM, Bogdan-Andrei Iancu
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     Iñaki Baz Castillo wrote:
>     > 2009/3/5 Bogdan-Andrei Iancu <[hidden email]
>     <mailto:[hidden email]>>:
>     >
>     >> Hi Inaki,
>     >>
>     >> This is an old, hot topic.
>     >>
>     >> There are many services that are more appropriate via a B2BUA
>      (like acc,
>     >> dialog stuff, security, etc) - last time the discussion started
>     from the
>     >> question if a proxy is the best place to do accounting.
>     >>
>     >> In all the case is about compromising - how much you are
>     willing to lose.
>     >> You may loose time/resources to build and implement a platform
>     were there is
>     >> no way for bad thinks to happen (you deal with all corner
>     cases) - and you
>     >> end up with a huge platform, very complex, difficult to
>     maintain, expensive
>     >> to run, etc .
>     >>
>     >> Or you can loose some corner cases and build a simpler and more
>     efficient
>     >> platform.
>     >>
>     >
>     > Yes Bogdan, also the approach described in the wiki is really
>     > appropiate and valid when the caller or callee is a PSTN gateway
>     which
>     > sends a BYE if RTP is lost.
>     >
>     > But as always, pure "Internet" calls (between users) are really
>     > difficult to monitorize and control by a proxy.
>     >
>
>     I agree on this. But this is SIP - from signalling level only you
>     do not
>     have information about the call status (during the call).
>
>     Regards,
>     Bogdan
>
>     _______________________________________________
>     Users mailing list
>     [hidden email] <mailto:[hidden email]>
>     http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Brett Nemeroff
In reply to this post by Iñaki Baz Castillo
I'm a little confused here. I haven't used SST before so I'm sure I'm missing some background here.. But if I enable SST module, and set an expires at say, 120 seconds, don't I get an invite refresh roughly every 120 seconds? then if I don't I send a BYE out both ways.

What part of that may be unsupported. Part I'd be worried about is if I tell the UAC "Session-expires: 120" and it simply doesn't care, doesn't send the refresh and then BYEs get sent out and the dialog is torn down..

?
-Brett


On Thu, Mar 5, 2009 at 10:47 AM, Iñaki Baz Castillo <[hidden email]> wrote:
2009/3/5 Brett Nemeroff <[hidden email]>:
> Question, do SST help the situation? Is it widely accepted enough in the
> protocol to provide some backup mechanism to maintaining dialog state in the
> event of a lost BYE.

Sure, but keep in mind that a proxy CANNOT generate in-dialog
requests, so SessionTimers must be suppoerted (and enabled) in caller
and/or callee. If no one of them supports/uses SST then the proxy can
do *nothing*.
For example, a B2BUA *can* use SST in both legs to check the dialog
state since a B2BUA behaves as a callee for the caller and as a caller
for the callee. This is never possible with a proxy.


> BTW, how is a BYE accounted for in ACC when generated locally because of an
> expired dialog?

Use local_route to account it as any other BYE.

--
Iñaki Baz Castillo
<[hidden email]>

_______________________________________________


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Bogdan-Andrei Iancu
In reply to this post by Robert Borz
Robert,

if you do auth via RADIUS, you can push some AVPs in the reply:
   
http://www.opensips.org/html/docs/modules/1.4.x/auth_radius.html#id227162

The 1.5.0 is plan to be release in 2 weeks from now, if no major bugs
are discovered :)

Regards,
Bogdan

Robert Borz wrote:

> Hi Bogdan,
>
> thank you for this hint. I'll check it out.
>
> Yes, I also do auth over radius. Currently I've still OpenSER v1.3.2 installed on debian/lenny and it is working fine.
>
> Currently I'm thinking of updating to the latest OpenSIPS release. What's the current schedule for the first stable 1.5 release?
>
>
> Regards,
> Bogdan
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Bogdan-Andrei Iancu
> Sent: Thursday, March 05, 2009 4:57 PM
> To: [hidden email]
> Cc: [hidden email]
> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>
> Hi Robert,
>
> Well, you can use the avp_radius module to load from a RADIUS server the
> number of maximum allowed calls:
>     http://www.opensips.org/html/docs/modules/devel/avp_radius.html
>
> This is the most generic way to do it.
>
> Do you do auth via RADIUS also ?
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>  
>> Hi Bogdan,
>>
>> thanks a lot. Looks really pretty with the example you showed.
>>
>> My problem is that, depending on the amount of concurrent calls a user can do, the user belongs to a different group in radius. Imagine a user belonging to the group 'pots' has a simultaneous call limit of 1, a user belonging to the group 'isdn' has a limit of 2 concurrent calls...
>>
>> All rate information/customer attributes is/are stored in the radius and we want to keep it like this. So I think I've to get the information about how many calls the user can do out of the radius into SER to use the example. Any idea how to do that?
>>
>>
>> Regards,
>> Robert
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]]
>> Sent: Thursday, March 05, 2009 12:49 PM
>> To: [hidden email]
>> Cc: [hidden email]
>> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>>
>> Hi Robert,
>>
>> You do not need Radius for this. OpenSIPS can do this by itself. See a
>> nice tutorial on this topic:
>>     http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls
>>
>> Regards,
>> Bogdan
>>
>> Robert Borz wrote:
>>  
>>    
>>> Hi,
>>>
>>> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>>>
>>> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?
>>>
>>> Any hint would be really appreciated...
>>>
>>>
>>> Regards,
>>> Robert
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [hidden email]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>  
>>>    
>>>      
>>
>>  
>>    
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Iñaki Baz Castillo
In reply to this post by Brett Nemeroff
El Jueves, 5 de Marzo de 2009, Brett Nemeroff escribió:
> I'm a little confused here. I haven't used SST before so I'm sure I'm
> missing some background here.. But if I enable SST module, and set an
> expires at say, 120 seconds, don't I get an invite refresh roughly every
> 120 seconds? then if I don't I send a BYE out both ways.
>
> What part of that may be unsupported. Part I'd be worried about is if I
> tell the UAC "Session-expires: 120" and it simply doesn't care, doesn't
> send the refresh and then BYEs get sent out and the dialog is torn down..

Hi, I recommend you reading the RFC 4028 (Session Timers):
  http://tools.ietf.org/html/rfc4028

It explains clearly the limited role of a proxy when handling with
SessionTimers.

As I already said before, SST only works if caller and/or callee supports it
(and uses it).

--
Iñaki Baz Castillo

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Ovidiu Sas
On Thu, Mar 5, 2009 at 3:56 PM, Iñaki Baz Castillo <[hidden email]> wrote:

> El Jueves, 5 de Marzo de 2009, Brett Nemeroff escribió:
>> I'm a little confused here. I haven't used SST before so I'm sure I'm
>> missing some background here.. But if I enable SST module, and set an
>> expires at say, 120 seconds, don't I get an invite refresh roughly every
>> 120 seconds? then if I don't I send a BYE out both ways.
>>
>> What part of that may be unsupported. Part I'd be worried about is if I
>> tell the UAC "Session-expires: 120" and it simply doesn't care, doesn't
>> send the refresh and then BYEs get sent out and the dialog is torn down..
>
> Hi, I recommend you reading the RFC 4028 (Session Timers):
>  http://tools.ietf.org/html/rfc4028
>
> It explains clearly the limited role of a proxy when handling with
> SessionTimers.
>
> As I already said before, SST only works if caller and/or callee supports it
> (and uses it).

That's the role of the sst module: to enforce sst if one of the
participants supports it.

Regards,
Ovidiu Sas

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Iñaki Baz Castillo
El Jueves, 5 de Marzo de 2009, Ovidiu Sas escribió:

> > Hi, I recommend you reading the RFC 4028 (Session Timers):
> >  http://tools.ietf.org/html/rfc4028
> >
> > It explains clearly the limited role of a proxy when handling with
> > SessionTimers.
> >
> > As I already said before, SST only works if caller and/or callee supports
> > it (and uses it).
>
> That's the role of the sst module: to enforce sst if one of the
> participants supports it.

Yes, and a proxy can not force the caller/callee to use SST, so SST is not a
solution for a proxy to control/monitorice a dialog status.

Regards.


--
Iñaki Baz Castillo

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Robert Borz
In reply to this post by Bogdan-Andrei Iancu
Hi Bogdan,

now I'm currently using the svn head of opensips version 1.5.

I succeeded in pushing the channel value from the radius server into opensips by an SIP-AVP in the auth-reply. :-)

But I've got problems with the dialog profiling. Maybe I'm missing something here. At the moment I've got the following configuration for the dialog module:

----------------------------------------------------------------------------
loadmodule "dialog.so"
modparam("dialog", "dlg_flag", 4)
modparam("dialog", "profiles_with_value", "caller")
----------------------------------------------------------------------------


Following the link you told me I do the following in my invite-route after radius_proxy_authorize():

----------------------------------------------------------------------------
if (create_dialog() && set_dlg_profile("caller", "$fu")) {
        xlog("L_INFO", "created dialog/added profile");
}
xlog("L_INFO", "SIP-AVP ===> $avp(s:channels)");

if (is_avp_set("$avp(s:channels)/n") && avp_check("$avp(s:channels)", "gt/i:0")) {
        get_profile_size("caller", "$fu", "$avp(s:active_channels)");
        xlog("L_INFO", "===> User has $avp(s:active_channels) active channels!");
}
setflag(4);
----------------------------------------------------------------------------

The log statements prints "===> User has 1 active channels!" when the first invite comes in. But the number doesn't decrease when the dialog gets finished. With the next invite (doesn't matter if the previous dialog is alive), it prints " ===> User has 2 active channels!" and so forth.

Any idea what's wrong here?


Regards,
Robert


-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: Thursday, March 05, 2009 5:55 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use

Robert,

if you do auth via RADIUS, you can push some AVPs in the reply:
   
http://www.opensips.org/html/docs/modules/1.4.x/auth_radius.html#id227162

The 1.5.0 is plan to be release in 2 weeks from now, if no major bugs
are discovered :)

Regards,
Bogdan

Robert Borz wrote:

> Hi Bogdan,
>
> thank you for this hint. I'll check it out.
>
> Yes, I also do auth over radius. Currently I've still OpenSER v1.3.2 installed on debian/lenny and it is working fine.
>
> Currently I'm thinking of updating to the latest OpenSIPS release. What's the current schedule for the first stable 1.5 release?
>
>
> Regards,
> Bogdan
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Bogdan-Andrei Iancu
> Sent: Thursday, March 05, 2009 4:57 PM
> To: [hidden email]
> Cc: [hidden email]
> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>
> Hi Robert,
>
> Well, you can use the avp_radius module to load from a RADIUS server the
> number of maximum allowed calls:
>     http://www.opensips.org/html/docs/modules/devel/avp_radius.html
>
> This is the most generic way to do it.
>
> Do you do auth via RADIUS also ?
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>  
>> Hi Bogdan,
>>
>> thanks a lot. Looks really pretty with the example you showed.
>>
>> My problem is that, depending on the amount of concurrent calls a user can do, the user belongs to a different group in radius. Imagine a user belonging to the group 'pots' has a simultaneous call limit of 1, a user belonging to the group 'isdn' has a limit of 2 concurrent calls...
>>
>> All rate information/customer attributes is/are stored in the radius and we want to keep it like this. So I think I've to get the information about how many calls the user can do out of the radius into SER to use the example. Any idea how to do that?
>>
>>
>> Regards,
>> Robert
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]]
>> Sent: Thursday, March 05, 2009 12:49 PM
>> To: [hidden email]
>> Cc: [hidden email]
>> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>>
>> Hi Robert,
>>
>> You do not need Radius for this. OpenSIPS can do this by itself. See a
>> nice tutorial on this topic:
>>     http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls
>>
>> Regards,
>> Bogdan
>>
>> Robert Borz wrote:
>>  
>>    
>>> Hi,
>>>
>>> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>>>
>>> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?

>>>
>>> Any hint would be really appreciated...
>>>
>>>
>>> Regards,
>>> Robert
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [hidden email]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>  
>>>    
>>>      
>>
>>  
>>    
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>  


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Restrict Simultaneous-Use

Brett Nemeroff
Check to be sure you really get the BYE at the end of the call.

Also take a look at the bye and see if the 'did=' is in there, if it's not (ie: if the other end UAC removes it, which it really shouldn't) then you may need to change your dialog match mode. See the dialog module docs for that.

-Brett


On Fri, Mar 6, 2009 at 7:25 AM, Robert Borz <[hidden email]> wrote:
Hi Bogdan,

now I'm currently using the svn head of opensips version 1.5.

I succeeded in pushing the channel value from the radius server into opensips by an SIP-AVP in the auth-reply. :-)

But I've got problems with the dialog profiling. Maybe I'm missing something here. At the moment I've got the following configuration for the dialog module:

----------------------------------------------------------------------------
loadmodule "dialog.so"
modparam("dialog", "dlg_flag", 4)
modparam("dialog", "profiles_with_value", "caller")
----------------------------------------------------------------------------


Following the link you told me I do the following in my invite-route after radius_proxy_authorize():

----------------------------------------------------------------------------
if (create_dialog() && set_dlg_profile("caller", "$fu")) {
       xlog("L_INFO", "created dialog/added profile");
}
xlog("L_INFO", "SIP-AVP ===> $avp(s:channels)");

if (is_avp_set("$avp(s:channels)/n") && avp_check("$avp(s:channels)", "gt/i:0")) {
       get_profile_size("caller", "$fu", "$avp(s:active_channels)");
       xlog("L_INFO", "===> User has $avp(s:active_channels) active channels!");
}
setflag(4);
----------------------------------------------------------------------------

The log statements prints "===> User has 1 active channels!" when the first invite comes in. But the number doesn't decrease when the dialog gets finished. With the next invite (doesn't matter if the previous dialog is alive), it prints " ===> User has 2 active channels!" and so forth.

Any idea what's wrong here?


Regards,
Robert


-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
Sent: Thursday, March 05, 2009 5:55 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use

Robert,

if you do auth via RADIUS, you can push some AVPs in the reply:

http://www.opensips.org/html/docs/modules/1.4.x/auth_radius.html#id227162

The 1.5.0 is plan to be release in 2 weeks from now, if no major bugs
are discovered :)

Regards,
Bogdan

Robert Borz wrote:
> Hi Bogdan,
>
> thank you for this hint. I'll check it out.
>
> Yes, I also do auth over radius. Currently I've still OpenSER v1.3.2 installed on debian/lenny and it is working fine.
>
> Currently I'm thinking of updating to the latest OpenSIPS release. What's the current schedule for the first stable 1.5 release?
>
>
> Regards,
> Bogdan
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Bogdan-Andrei Iancu
> Sent: Thursday, March 05, 2009 4:57 PM
> To: [hidden email]
> Cc: [hidden email]
> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>
> Hi Robert,
>
> Well, you can use the avp_radius module to load from a RADIUS server the
> number of maximum allowed calls:
>     http://www.opensips.org/html/docs/modules/devel/avp_radius.html
>
> This is the most generic way to do it.
>
> Do you do auth via RADIUS also ?
>
> Regards,
> Bogdan
>
> Robert Borz wrote:
>
>> Hi Bogdan,
>>
>> thanks a lot. Looks really pretty with the example you showed.
>>
>> My problem is that, depending on the amount of concurrent calls a user can do, the user belongs to a different group in radius. Imagine a user belonging to the group 'pots' has a simultaneous call limit of 1, a user belonging to the group 'isdn' has a limit of 2 concurrent calls...
>>
>> All rate information/customer attributes is/are stored in the radius and we want to keep it like this. So I think I've to get the information about how many calls the user can do out of the radius into SER to use the example. Any idea how to do that?
>>
>>
>> Regards,
>> Robert
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]]
>> Sent: Thursday, March 05, 2009 12:49 PM
>> To: [hidden email]
>> Cc: [hidden email]
>> Subject: Re: [OpenSIPS-Users] Restrict Simultaneous-Use
>>
>> Hi Robert,
>>
>> You do not need Radius for this. OpenSIPS can do this by itself. See a
>> nice tutorial on this topic:
>>     http://www.opensips.org/index.php?n=Resources.DocsTutConcurrentCalls
>>
>> Regards,
>> Bogdan
>>
>> Robert Borz wrote:
>>
>>
>>> Hi,
>>>
>>> currently I'm using a FreeRADIUS server for authentication and billing purposes. Now I want to restrict the count of simultaneous calls a user can do. For this I implemented it with the "Simultaneous-Use" check in FreeRADIUS and it works fine, for outgoing calls initiated from my customers. Just trying to initiate a second call when one is still up, the request is rejected (Proxy authorization fails for the new call).
>>>
>>> But incoming calls from the PSTN come in over an Asterisk machine. There's no proxy authorization for invites from the Asterisk, just a from_gw() check. So how I can restrict the amount of simultaneous calls per user for incoming _and_ outgoing calls?

>>>
>>> Any hint would be really appreciated...
>>>
>>>
>>> Regards,
>>> Robert
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [hidden email]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
12