[asterisk-dev] IPv4 and IPv6 preference
Marc Blanchet
marc.blanchet at viagenie.ca
Mon Jul 19 10:29:38 CDT 2010
further to Simon comment, using a link-local v6 address on asterisk with
all phones on the same vlan add a very good level of security for remote
attacks, since these addresses are never routed by routers. in fact, we
should probably write a small paper/faq discussing such configuration
which makes a lot of sense in a context of a private pbx.
Marc.
Le 10-07-19 08:58, Simon Perreault a écrit :
> On 2010-07-19 08:53, Klaus Darilion wrote:
>> What is the default bindaddr? 0.0.0.0 or :: ?
>
> It is 0.0.0.0. See here:
>
>> [simon at ringo trunk]$ grep bindaddr configs/sip.conf.sample
>> udpbindaddr=0.0.0.0 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
>> tcpbindaddr=0.0.0.0 ; IP address for TCP server to bind to (0.0.0.0 binds to all interfaces)
>> ;tlsbindaddr=0.0.0.0 ; IP address for TLS server to bind to (0.0.0.0) binds to all interfaces)
>
>
>> I think, even if bindaddr is ::, it should be checked if the server
>> really has a global IPv6 address - not only a link-local address, before
>> trying to send SIP over v6.
>
> I disagree.
>
> - Since bindaddr=0.0.0.0 by default, one must consciously set it to an
> IPv6 address to enable IPv6. We can expect such a person who consciously
> enables IPv6 to also fix its IPv6 configuration.
>
> - IPv6 address that are configured on a system may change dynamically.
> We don't want to perform the numerous ioctls required to check that
> there is a global-scope IPv6 address on the system each time we have a
> packet to send. Doing it periodically would not solve the problem
> completely.
>
> - Trying to work around a broken setup this way would be a disservice to
> users. We want users to notice bugs in their setup and fix them. Users
> don't want Asterisk to try to outsmart them.
>
> Here's an alternative proposal: when parsing the configuration, if
> bindaddr=::, check that there is indeed a non-link-local address
> configured on the system. If not, print a warning, and continue on your way.
>
> (This check could also be done for IPv4, by the way. There is nothing
> specific to IPv6 here.)
>
> It is perfectly valid, and I can imagine circumstances where I would
> want to do it, to have Asterisk bind on a link-local address.
>
> Simon
--
=========
IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
DTN news service: http://reeves.viagenie.ca
NAT64-DNS64 Opensource: http://ecdysis.viagenie.ca
More information about the asterisk-dev
mailing list