[asterisk-bugs] [JIRA] (ASTERISK-22236) REGISTER reply send to bad port with nat=yes(or force_rport, comedia) in 11.5.0

Michael L. Young (JIRA) noreply at issues.asterisk.org
Fri Sep 6 10:55:03 CDT 2013 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-22236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=210021#comment-210021 ] 

Michael L. Young edited comment on ASTERISK-22236 at 9/6/13 10:53 AM:
----------------------------------------------------------------------

@wdoekes

You are always spot on... so I went and actually looked into the code instead of trying to troubleshoot based on this info attached.  A full debug log (not just SIP debug) would probably have helped us out as well...

Let me explain my thinking and why I initially recommended what I did to Filip.

I so much dislike these NAT settings since one person's setup can work perfectly and then another combination of the settings doesn't quite work.  Here is the comment from the UPGRADE.txt file:

{quote}
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.2 to Asterisk 1.8 ----------------
------------------------------------------------------------------------------

SIP Changes
-----------
 * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
   now defaults to force_rport. It is very important that phones requiring nat=no be
   specifically set as such instead of relying on the default setting. If at all
   possible, all devices should have nat settings configured in the general section as
   opposed to configuring nat per-device.

{quote}

The recommended way to setting the nat settings, if I understand the above comment correctly, is to use the global settings (general section) and then turn it off per peer when necessary, if I am reading things correctly.  Also, Filip is probably getting messages in his logs about the default nat settings being different from his peer settings and that this combination is not recommended.

The combinations became more complex with the addition of these auto_force_rport and auto_comedia settings that showed up in 11 and at the same time the auto_force_rport became the default setting.  Hence, all the work that was done to try to make the nat settings work as they were intended.

I see this in the code which changed from 11.4 to 11.5, the addition of the conditional:

{noformat}
 if (p->natdetected && ast_test_flag(&p->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
                                ast_copy_flags(&p->flags[0], &peer->flags[0], SIP_NAT_FORCE_RPORT);
                        }
{noformat}

Therefore, I will admit that the patch you mentioned in an earlier comment which references this change above, was probably not tested by turning on nat per device as opposed to turning it off per device since that does not seem to be the recommended method.  The issue here is probably from the fact that the peer's flags are never being copied to the dialog.  So, in this particular setup, it is causing a problem.

So, I am thinking that the correct solution would be to revert that change and always copy the peer's flags?  That is the change that I see that happened which would affect this particular setup.  We should also be encouraging user's to use the recommended way of setting nat.  Just some thoughts... kind of typing out loud here.
                
      was (Author: elguero):
    @wdoekes

You are always spot on... so I went and actually looked into the code instead of trying to troubleshoot based on this info attached.  A full debug log (not just SIP debug) would probably have helped us out as well...

Let me explain my thinking and why I initially recommended what I did to Filip.

I so much dislike these NAT settings since one person's setup can work perfectly and then another combination of the settings doesn't quite work.  Here is the comment from the UPGRADE.txt file:

{quote}
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.2 to Asterisk 1.8 ----------------
------------------------------------------------------------------------------

SIP Changes
-----------
 * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
   now defaults to force_rport. It is very important that phones requiring nat=no be
   specifically set as such instead of relying on the default setting. If at all
   possible, all devices should have nat settings configured in the general section as
   opposed to configuring nat per-device.

{quote}

The recommended way to setting the nat settings, if I understand the above comment correctly, is to use the global settings (general section) and then turn it off per peer when necessary, if I am reading things correctly.  Also, Filip is probably getting messages in his logs about the default nat settings being different from his peer settings and that this combination is not recommended.

The combinations became more complex with the addition of these auto_force_rport and auto_comedia settings that showed up in 11 and at the same time the auto_force_rport became the default setting.  Hence, all the work that was done to try to make the nat settings work as they were intended.

I see this in the code which changed from 11.4 to 11.5, the addition of the conditional:

{noformat}
 if (p->natdetected && ast_test_flag(&p->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
                                ast_copy_flags(&p->flags[0], &peer->flags[0], SIP_NAT_FORCE_RPORT);
                        }
{noformat}

Therefore, I will admit that the patch you mentioned in an earlier comment which references this change above, was probably not tested by turning on nat per device as opposed to turning it off per device since that does not seem to be the recommended method.  The issue here is probably from the fact that the peer's flags are never being copied to the dialog.  So, in this particular setup, it is causing a problem.

So, I am thinking that the correct solution would be to make this conditional do some extra checking, ie dialogs that have SIP_NAT_AUTO_RPORT flag off and SIP_NAT_FORCE_RPORT flag off (which comes from the default global setting), should use the peer's flag?  That is the change that I see that happened which would affect this particular setup.  Or do we encourage user's to use the recommended way of setting nat?  Just some thoughts... kind of typing out loud here.
                  
> REGISTER reply send to bad port with nat=yes(or force_rport,comedia) in 11.5.0
> ------------------------------------------------------------------------------
>
>                 Key: ASTERISK-22236
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22236
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Registration
>    Affects Versions: 11.5.0
>            Reporter: Filip Frank
>            Assignee: Filip Frank
>            Severity: Critical
>         Attachments: debug_log, debug.txt, iptel412_11_5_0.txt, iptel421_11_5_0.txt, peers_settings.txt, sip_settings_11_5_0.txt
>
>
> I have 2 peers after NAT with same IP, one registers from source port 5060, second registers from port 1114. After upgrade to 11.5.0 only first peer is registered, asterisk send register reply both to 5060 port. I using nat=yes, i try new nat=force_rport,comedia but not helps, I think this is issue in 11.5.0, after downgrade back to 11.4.0 its ok. In 11.4.0 both peers are correctly registered and Asterisk send reply first peer to destination port 5060, second peer to 1114.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list