[asterisk-dev] Summary: SIP, NAT, security concerns, oh my!

Terry Wilson twilson at digium.com
Thu Nov 10 01:28:09 CST 2011


> * For Asterisk trunk (and possibly Asterisk 10), consider sending
> failure responses to *both* the port the request was received from
> *and*
> the port listed in the top-most Via header. This would only be done
> for
> non-authenticated requests, e.g. any request that cannot be
> definitively
> associated with a user/peer/friend (through actual authentication, or
> IP
> address/port matching, or any other valid mechanism). A configuration
> option (valid only at the [general] level) would be provided to
> disable
> this behavior if necessary.

I would assume that the average setup could have nat=yes for everyone, so this feature wouldn't necessarily need to be enabled by default. Or, perhaps if we really wanted to get sneaky we could enable it only if we detect that we have added peers with different nat= settings. There is something about the respond-to-two-different-places option that I really don't like, but I can think of no serious reasons why we shouldn't do it. Since it appears that it is an aesthetic distaste on my part, I am happy to favor function over form and just go with it. With that said, I would prefer that it either be disabled by default, or only used when absolutely necessary to prevent discovery and also be disable-able. We would also need to make sure we didn't do this for connection-oriented protocols.
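As an added illustration of the decision the quoted proposal describes (not code from this thread or from Asterisk), the routine below picks the destination(s) for a failure response: the source address always, plus the top-most Via address only when the request is unauthenticated, dual-send is enabled, and the transport is not connection-oriented. The message text, addresses and the `authenticated` flag are constructed inputs; the Via parsing is a simplified stand-in for a real SIP parser.

```python
import re
from typing import Optional

# Transports on which the response must follow the existing connection,
# so the "respond to two places" behaviour is never applied to them.
CONNECTION_ORIENTED = {"TCP", "TLS", "WS", "WSS"}


def parse_top_via(sip_message: str) -> Optional[dict]:
    """Return transport/host/port from the top-most Via header (simplified)."""
    for line in sip_message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "v"):
            m = re.match(r"\s*SIP/2\.0/(\w+)\s+(\[[^\]]+\]|[^;\s:]+)(?::(\d+))?", value)
            if not m:
                return None
            transport, host, port = m.groups()
            return {"transport": transport.upper(),
                    "host": host,
                    "port": int(port) if port else 5060}
    return None


def failure_response_targets(sip_message: str, source_addr: tuple,
                             authenticated: bool, dual_send_enabled: bool = True):
    """List of (host, port) tuples a failure response should be sent to.

    Authenticated requests (or IP/port-matched ones) get the normal single
    reply; unauthenticated ones on UDP additionally get a copy to the Via
    address so the reply path does not reveal whether a peer exists.
    """
    targets = [source_addr]
    if authenticated or not dual_send_enabled:
        return targets
    via = parse_top_via(sip_message)
    if via is None or via["transport"] in CONNECTION_ORIENTED:
        return targets
    via_addr = (via["host"], via["port"])
    if via_addr != source_addr:  # already covered when NAT did not rewrite
        targets.append(via_addr)
    return targets


# Constructed sample: a NATed client whose Via still carries its private address.
SAMPLE_REQUEST = ("REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
                  "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
                  "From: <sip:alice@pbx.example.invalid>;tag=1\r\n\r\n")
SAMPLE_SOURCE = ("198.51.100.7", 40123)

if __name__ == "__main__":
    print(failure_response_targets(SAMPLE_REQUEST, SAMPLE_SOURCE, authenticated=False))
```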


