The release for Project Clearwater sprint “Galadriel” has been cut. The code for this release is tagged as release-124 in GitHub.
In this release we have enhanced Clearwater’s security by changing the way the Clearwater S-CSCF treats requests from endpoints that authenticate using the SIP digest scheme. When such an endpoint registers, the P-CSCF will typically record the IP address and port that the endpoint used. When it makes a subsequent request (such as a call setup or re-registration) the P-CSCF spots that the request is from the same IP and port and marks the request as “integrity protected” before forwarding to the S-CSCF, with the intention that the S-CSCF will not authenticate the request. Unfortunately this type of integrity protection is not completely secure – for example if another device stole a the endpoint’s IP address, it could steal service. To prevent this:
- It is now possible to configure Clearwater to authenticate initial non-REGISTER requests (such as call setup requests) from these endpoints. If the request does not contain authentication information, the request is challenged with a 407 response, prompting the endpoint to re-submit its request with a proper authentication response.To enable this behaviour, set the ` non_register_authentication` config option to ` initial_req_from_req_digest_endpoint` (see http://clearwater.readthedocs.io/en/latest/Clearwater_Configuration_Options_Reference.html for more details).
- The S-CSCF now authenticates all REGISTER messages from these endpoints (including challenging them if necessary).
This change is in line with Release 13 of the TS 24.229.
We also added a new feature, which gives Clearwater the ability to support Shared iFC Sets.
Shared iFC Sets are a set of iFCs, which are represented by a single number – the Shared iFC Set ID. This ID, which is much smaller than the list of iFCs it represents, can be used in place of that list both within the HSS, and over the interface between the HSS and Clearwater. This has the benefit of reducing both the used storage space in the HSS, and reducing the bandwidth of the interface between the HSS and Clearwater
We also added the ability to support barring of IMPUs (IMS Public Identities), as per TS 24.229 and TS 29.228.
Finally, this release includes the following bug fixes:
- clearwater-diags-monitor doesn’t collect cassandra or memcached diags from vellum nodes
- Cassandra monitoring, provisioning and configuration isn’t as expected on the new Vellum nodes
- clearwater-etcd.init.d may report warnings when used as an etcd_proxy
- A sprout alarm has misleading help text
- There should be an alias for the script gather_diags_and_report_location
- dns_config should be dns.json
- sub_max_expires should default to something similar to reg_max_expires
- Config manager does not cope with blank entries for local and remote_site_names
- Sprout will perform an ENUM lookup for the following: “wildcard-psi12321421”
- check_cluster_state reports state “in site site1” on single-site deployments
To upgrade to this release, follow the instructions at http://docs.projectclearwater.org/en/stable/Upgrading_a_Clearwater_deployment.html. If you are deploying an all-in-one node, the standard image (http://vm-images.cw-ngv.com/cw-aio.ova) has been updated for this release.