[asterisk-dev] the strictrtp feature is almost useless
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Oct 15 10:26:45 CDT 2010
Am 14.10.2010 22:52, schrieb Kevin P. Fleming:
> On 10/14/2010 03:40 PM, Benny Amorsen wrote:
>> "Olle E. Johansson"<oej at edvina.net> writes:
>>
>>> As Kevin said, there's no connection between the SDP and the RTP stream more than the port number.
>>> With SRTP we will finally get that, regardless if you use encryption or not.
>>
>> Yet it sees unlikely that other vendors accept audio from random
>> endpoints, just because a port number matches. It also seems unlikely
>> that they could be DoS'ed by a 65k packet flood. Surely e.g. Cisco has
>> some kind of work around?
>
> "Surely"? The point we've been trying to make here is that that the
> receiver of the stream has *zero* information it can use to determine
> whether the stream is arriving from a legitimate source, in the case
> where the receiver is expected to support comedia (NAT) mode.
Theoretically you are correct, but practically the peers IP address used
for SIP signaling is a good hint were the RTP will come from.
This is e.g. used in rtpproxy to allow "latching" only from the clients
IP address.
Of course this again give problems if the attacker is behind the same
NAT as the user, but practically it solves many scenarios...
regards
Klaus
> I suspect if you try this with any other SIP/RTP endpoint that can be
> configured to allow for remote endpoints that are behind NAT devices to
> interoperate, they will also accept RTP packets from any routable
> destination. Certainly there could be some basic network-mask type
> filtering (don't allow anything on the local network, for example), but
> that's about it.
More information about the asterisk-dev
mailing list