[asterisk-dev] IPv4 and IPv6 preference
Olle E. Johansson
oej at edvina.net
Mon Jul 19 10:33:12 CDT 2010
On 19 Jul 2010, at 17:29, Marc Blanchet wrote:
> Further to Simon's comment, using a link-local v6 address on asterisk with
> all phones on the same vlan adds a very good level of security for remote
> attacks, since these addresses are never routed by routers. In fact, we
> should probably write a small paper/faq discussing such configuration
> which makes a lot of sense in a context of a private pbx.
The question is how we then handle "reinvites" of media - optimizing media path - with devices outside.
We might want GRUUs for doing that or something else.
/O
>
> Marc.
>
> On 10-07-19 08:58, Simon Perreault wrote:
>> On 2010-07-19 08:53, Klaus Darilion wrote:
>>> What is the default bindaddr? 0.0.0.0 or :: ?
>>
>> It is 0.0.0.0. See here:
>>
>>> [simon at ringo trunk]$ grep bindaddr configs/sip.conf.sample
>>> udpbindaddr=0.0.0.0 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
>>> tcpbindaddr=0.0.0.0 ; IP address for TCP server to bind to (0.0.0.0 binds to all interfaces)
>>> ;tlsbindaddr=0.0.0.0 ; IP address for TLS server to bind to (0.0.0.0) binds to all interfaces)
>>
>>
>>> I think, even if bindaddr is ::, it should be checked if the server
>>> really has a global IPv6 address - not only a link-local address, before
>>> trying to send SIP over v6.
>>
>> I disagree.
>>
>> - Since bindaddr=0.0.0.0 by default, one must consciously set it to an
>> IPv6 address to enable IPv6. We can expect such a person who consciously
>> enables IPv6 to also fix its IPv6 configuration.
>>
>> - IPv6 addresses that are configured on a system may change dynamically.
>> We don't want to perform the numerous ioctls required to check that
>> there is a global-scope IPv6 address on the system each time we have a
>> packet to send. Doing it periodically would not solve the problem
>> completely.
>>
>> - Trying to work around a broken setup this way would be a disservice to
>> users. We want users to notice bugs in their setup and fix them. Users
>> don't want Asterisk to try to outsmart them.
>>
>> Here's an alternative proposal: when parsing the configuration, if
>> bindaddr=::, check that there is indeed a non-link-local address
>> configured on the system. If not, print a warning, and continue on your way.
>>
>> (This check could also be done for IPv4, by the way. There is nothing
>> specific to IPv6 here.)
>>
>> It is perfectly valid, and I can imagine circumstances where I would
>> want to do it, to have Asterisk bind on a link-local address.
>>
>> Simon
>
>
> --
> =========
> IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
> Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
> DTN news service: http://reeves.viagenie.ca
> NAT64-DNS64 Opensource: http://ecdysis.viagenie.ca
>
>
---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
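
Simon's proposal quoted above (check once, while parsing the configuration, whether bindaddr=:: is backed by a non-link-local address, warn if not, and continue), sketched as an added example; it is not Asterisk code and not code from anyone on this thread. All function names are hypothetical, and treating loopback and multicast as unusable alongside link-local is an assumption of this example.

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* 1 if usable off-link; excluding loopback/multicast is an assumption here. */
int v6_usable_off_link(const struct in6_addr *a)
{
    return !(IN6_IS_ADDR_UNSPECIFIED(a) || IN6_IS_ADDR_LOOPBACK(a) ||
             IN6_IS_ADDR_LINKLOCAL(a) || IN6_IS_ADDR_MULTICAST(a));
}

/* Text wrapper: -1 if the string is not an IPv6 literal. */
int v6_usable_off_link_str(const char *text)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, text, &a) == 1 ? v6_usable_off_link(&a) : -1;
}

/* One pass over the interface list: 1 found, 0 none, -1 on error. */
int host_has_usable_v6(void)
{
    struct ifaddrs *list, *ifa;
    int found = 0;
    if (getifaddrs(&list) != 0)
        return -1;
    for (ifa = list; ifa && !found; ifa = ifa->ifa_next)
        if (ifa->ifa_addr && ifa->ifa_addr->sa_family == AF_INET6)
            found = v6_usable_off_link(
                &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr);
    freeifaddrs(list);
    return found;
}

/* Run once while parsing the config. Returns 1 if it warned, else 0. */
int check_bindaddr(const char *bindaddr)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, bindaddr, &a) != 1 || !IN6_IS_ADDR_UNSPECIFIED(&a))
        return 0; /* IPv4 or a specific IPv6 address: nothing to check */
    if (host_has_usable_v6() == 1)
        return 0;
    fprintf(stderr, "WARNING: bindaddr=%s but no non-link-local IPv6 "
                    "address is configured; continuing\n", bindaddr);
    return 1;
}

int main(void) { check_bindaddr("::"); return 0; }
```

Because the check runs only at configuration load, it costs nothing per packet, and a deliberate link-local bind such as `fe80::1` passes without a warning.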