[asterisk-dev] Re: IAX native bridge and NAT

Benny Amorsen benny+usenet at amorsen.dk
Sat Jun 17 23:09:12 MST 2006


>>>>> "TD" == Tim Davies <tim at opensystems.net.au> writes:

TD> Not that I have cut any code yet, but... As far as I know, the
TD> current transfer code only uses the call number and a transfer id
TD> to verify the host. Hardly a security measure, it is really just
TD> to make sure the correct channel is bridged. I hadn't intended on
TD> changing this.

It can be a perfectly good security measure; it can prevent attacks
coming from third-parties which are unable to listen in. Assuming that
the call number and transfer ID are sufficiently hard to predict, of
course.

If the attacker can listen in on the original path, all bets are off
though. Cryptography would be needed to defend against that.


/Benny





More information about the asterisk-dev mailing list