[asterisk-dev] IPv4 and IPv6 preference

Marc Blanchet marc.blanchet at viagenie.ca
Mon Jul 19 10:29:38 CDT 2010 

further to Simon comment, using a link-local v6 address on asterisk with 
all phones on the same vlan add a very good level of security for remote 
attacks, since these addresses are never routed by routers. in fact, we 
should probably write a small paper/faq discussing such configuration 
which makes a lot of sense in a context of a private pbx.

Marc.

Le 10-07-19 08:58, Simon Perreault a écrit :
> On 2010-07-19 08:53, Klaus Darilion wrote:
>> What is the default bindaddr? 0.0.0.0 or :: ?
>
> It is 0.0.0.0. See here:
>
>> [simon at ringo trunk]$ grep bindaddr configs/sip.conf.sample
>> udpbindaddr=0.0.0.0             ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
>> tcpbindaddr=0.0.0.0             ; IP address for TCP server to bind to (0.0.0.0 binds to all interfaces)
>> ;tlsbindaddr=0.0.0.0            ; IP address for TLS server to bind to (0.0.0.0) binds to all interfaces)
>
>
>> I think, even if bindaddr is ::, it should be checked if the server
>> really has a global IPv6 address - not only a link-local address, before
>> trying to send SIP over v6.
>
> I disagree.
>
> - Since bindaddr=0.0.0.0 by default, one must consciously set it to an
> IPv6 address to enable IPv6. We can expect such a person who consciously
> enables IPv6 to also fix its IPv6 configuration.
>
> - IPv6 address that are configured on a system may change dynamically.
> We don't want to perform the numerous ioctls required to check that
> there is a global-scope IPv6 address on the system each time we have a
> packet to send. Doing it periodically would not solve the problem
> completely.
>
> - Trying to work around a broken setup this way would be a disservice to
> users. We want users to notice bugs in their setup and fix them. Users
> don't want Asterisk to try to outsmart them.
>
> Here's an alternative proposal: when parsing the configuration, if
> bindaddr=::, check that there is indeed a non-link-local address
> configured on the system. If not, print a warning, and continue on your way.
>
> (This check could also be done for IPv4, by the way. There is nothing
> specific to IPv6 here.)
>
> It is perfectly valid, and I can imagine circumstances where I would
> want to do it, to have Asterisk bind on a link-local address.
>
> Simon


-- 
=========
IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
DTN news service: http://reeves.viagenie.ca
NAT64-DNS64 Opensource: http://ecdysis.viagenie.ca

More information about the asterisk-dev mailing list