Re: [OpenIMSCore-HSS] Authentication pending flag not cleared (for Cxinterface)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Franz,

Thanks for the response. My comments are below.

On Tue, Jul 29, 2008 at 8:51 PM, Franz Edler <fra...@in...> wrote:
> The "Auth-Pending" state is the intermediate state between the two
> registration transactions. The state flag is changed automatically when you
> later succeed with a register transaction (-> "Registered") and when you
> than de-register (-> "Not-Registered") or after timeout (re-registration
> missing). But in TS 29.228 there is no timeout procedure for the
> "Auth-Pending" state defined.

Seems like Server-Assignment-Request with type ==
Authentication-Timeout is the timeout procedure. Per 29.228,
(Section 6.1.2 page 18) this is what the S-CSCF uses to inform the HSS
that the auth-pending flag should be cleared. I think this is hte key
question. Shouldn't the SAR timeout be clearing the auth-pending flag?
The spec says it should. The current code actually clears it from the
IMPI_IMPU which is as it should be. But the problem is we also set the
flag in the IMPU which I believe is the wrong thing to do.

Put another way, we set the flag in two places but we clear it in only one.

>
> If you have no chance to clear it via re-registration and a following
> de-registration and you don't like the "Auth-Pending" state in the database
> you can clear it "by force" in the hss_db database.

Problem is this would have to be done manually whereas I think
handling the SAR timeout is the right way to do it.

> Yes I think so. At the registration there is always an IMPI and an IMPU
> involved (maybe also more IMPUs in case of implicit registration). In TS
> 29.228 you can always read "Public User Identity's authentication pending
> flag" therfore the flag is always associated with the IMPU.

Where exactly in the spec is this? From what I see, they also follow
that up with "specific to the Private User Identity". For example, I
see this in the following 3 places:

(*** below added by me)
In the definitions section (Section 3, page 8), the Authentication
Pending flag is defined as follows:
 "A flag that indicates that the authentication of a ***Public User
Identity - Private User Identity pair*** is pending and waiting for
confirmation."

While processing the MAR and we set the auth-pending flag (Section
6.3.1 page 27)
 " The HSS shall set the Public User Identity's authentication pending
flag ***which is specific to the Private User Identity received in the
request***"

While processing the SAR with Authentication-Timeout and we clear the
auth-pending flag (Section 6.1.2.1, page 18)
"If the Public User Identity's authentication flag ***which is
specific for the Private User Identity*** is set, the HSS shall clear
it"

In the first, they talk of the public -private identity pair. In the
next two, they say "which is specific to the Private User Identity".
So it seems like they are talking about the IMPI_IMPU

If possible, could you please take a look at these places in the spec
and let me know what you think.

Thanks again for the response.

Sundar