[asterisk-dev] SIP, NAT, security concerns, oh my!

Kevin P. Fleming kpfleming at digium.com
Sat Oct 22 06:51:00 CDT 2011


On 10/22/2011 03:10 AM, Olle E. Johansson wrote:
> Without spending too much thinking power on this, but just adding to the solution mix:
>
> We could have one behaviour before auth and another after auth.
>
> Meaning that we ALWAYS do it one way - maybe following the general section, before auth. After successful authentication we follow the device setting. Before auth we have no media issues that need NAT support.
>
> This means that devices without a secret (no auth) will be an issue.
>
> I've seen this behaviour in 1.4 and reported it a long time ago, but never had time to go through all the details and run tests with newer versions. Thanks for spending time on it and trying to solve it.

This could be an option, but only if the 'before auth' behavior was 
'nat=force_rport' (or 'nat=yes', which implies 'force_rport'). If the 
'before auth' behavior was anything else, and the UAC sending the 
request did not include 'rport' in the top-most Via header, and it is 
located behind a NAT device, then the 401/407 response from Asterisk 
won't get delivered back to the UAC.

I know that's a lot of 'ifs' strung together there, but unfortunately 
that combination (UAC behind NAT does not include 'rport' in its Via 
header) is extremely common.

As far as Asterisk versions go... this behavior hasn't changed at all, 
for the reasons I outlined in the original email. It's not a bug, it's 
intended behavior based on the setting of the 'nat' option.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
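To make the failure mode described above concrete, here is an added Python model (not Asterisk code and not from this thread) of where a UAS sends its 401/407 response under the RFC 3261 sent-by/received rules versus when RFC 3581 rport is in play, using a constructed REGISTER and a constructed NAT source address; the NAT is assumed to rewrite the source port and to forward replies only to the mapping it created.

```python
import re
from dataclasses import dataclass

# Constructed sample: a REGISTER from a UAC whose private address is
# 192.168.1.20:5060; the NAT rewrote the packet's source to 203.0.113.5:41234.
NAT_SRC = ("203.0.113.5", 41234)
REGISTER_NO_RPORT = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n\r\n"
)
# Same request, but the UAC asks for symmetric response routing (RFC 3581).
REGISTER_RPORT = REGISTER_NO_RPORT.replace(";branch=", ";rport;branch=")

VIA_RE = re.compile(
    r"^Via:\s*SIP/2\.0/\w+\s+(?P<host>[^;:\s]+)(?::(?P<port>\d+))?(?P<params>(?:;[^;\s]+)*)",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Via:
    host: str
    port: int
    rport: bool

def parse_top_via(request: str) -> Via:
    """Return sent-by host/port of the top-most Via and whether 'rport' was present."""
    for line in request.split("\r\n"):
        m = VIA_RE.match(line)
        if m:
            params = [p.lower() for p in m.group("params").split(";") if p]
            return Via(m.group("host"), int(m.group("port") or 5060), "rport" in params)
    raise ValueError("request has no Via header")

def response_destination(request: str, src: tuple, force_rport: bool) -> tuple:
    """Address a UAS sends the response to; force_rport models Asterisk nat=force_rport."""
    via = parse_top_via(request)
    if via.rport or force_rport:
        return src  # RFC 3581: reply to the packet's actual source IP and port
    # RFC 3261 18.2.2: use the source IP ('received') when sent-by host differs,
    # but the port still comes from sent-by, i.e. the UAC's private port.
    host = src[0] if via.host != src[0] else via.host
    return (host, via.port)

def response_reaches_uac(request: str, src: tuple, force_rport: bool) -> bool:
    """Assumption: the NAT only forwards replies addressed to the mapping it created."""
    return response_destination(request, src, force_rport) == src
```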