[asterisk-dev] SIP, NAT, security concerns, oh my!

Kevin P. Fleming kpfleming at digium.com
Sat Oct 22 09:46:18 CDT 2011 

On 10/22/2011 09:31 AM, Yaroslav Panych wrote:
> Hi, sorry for inserting my, probably incompetent, 2 cents.
>
> For me as for potential implementer of SIP UAC, option #3 is more
> preferred. But in variant when force_rport is disabled by default.
> Personally I dislike very much rport option. As said, it was
> introduced because of no NAT-aware clients will be unreachable for
> responses. And I asked myself "who's its fault? server or client?" My
> answer was "client". Why program/developer which uses connection less
> transport protocol(UDP) does not care about reverse route? Because
> developer was so lazy that he decide not to implement NAT traverse
> technologies.
> Then, when appeared rport option, this lazy developers have real
> reason to be lazy in future(reason to do something if it already works
> somehow?)
> If force_rport will be defaulted or hardcoded, this means admirations
> of UACs developers laziness. Its UAC's problem to be reachable from
> server, UAC should care to redirect answers to right port on all
> potential NATs. I personally will never use SIP-client which is unable
> to do that.

In general I agree with your concern here, but in reality, it's nearly 
impossible for a SIP client to do what you are proposing. There are some 
mechanisms that would allow it, including:

* If the SIP server supports STUN on its SIP port, the SIP client can 
send a STUN binding request to the SIP server to 'discover' the IP 
address/port combination that the SIP server saw the request coming from 
(which the NAT device assigned).

* If the SIP client's NAT device supports a port control protocol (like 
the one being worked on by the IETF PCP working group), then the client 
can explicitly request a mapping to be created, and then it will know 
the IP/address port combination that the SIP server will see.

Without a mechanism such as one of these, if the NAT device does not (or 
cannot) map the SIP client's request port to the same port on the other 
side of the NAT, what you are proposing is not possible. In these cases 
(which are very common), the SIP client doesn't have any way to tell the 
server the proper port number to respond to.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

More information about the asterisk-dev mailing list