[asterisk-dev] SIP, NAT, security concerns, oh my!

Simon Perreault simon.perreault at viagenie.ca
Sat Oct 22 14:41:02 CDT 2011


On 10/22/2011 02:23 PM, Terry Wilson wrote:
> I would not recommend removal since we generally try not to make
> policy decisions for the users. There are tons of ways Asterisk gives
> users enough rope to hang themselves. Discouraging per-peer nat
> setting would be fine.

Agreed.

> I would also change the default to nat=yes
> since it seems to be the more common setting and not likely to break
> any devices.

Yes. 3261 is stupid. If it was rewritten that behaviour would be 
changed. So I think it is fine to break the RFC by default. As long as 
we have a way to be RFC-compliant when needed.

> Of course, that is pretty much option 3 with a warning
> discouraging per-peer setting of nat=. Perhaps we could display a
> warning on initial config parsing for peers set opposite of the
> general setting.

+1

> I would also recommend to people to use TCP. For the
> purposes of SIP signaling I don't see any NAT advantages for UDP over
> TCP like there are for RTP since Asterisk is always in the signaling
> path.

Right, I had forgotten that we were talking about a SIP UAS, not a 
proxy... ;)

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
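
The warning Terry Wilson proposes above (flag peers whose nat= is set opposite of the [general] setting when the config is parsed), sketched as an offline audit script. This is an added example, not part of the original message and not Asterisk code; the sample sip.conf is constructed, the function names are hypothetical, and the fallback of nat=no when [general] has no nat= line is an assumption.

```python
import re

# Constructed sample sip.conf for illustration (not from the thread).
SAMPLE_SIP_CONF = """\
[general]
nat=yes            ; site-wide setting
[alice]
type=friend
[bob]
type=friend
nat=no             ; differs from [general]
[carol]
type=peer
nat = on           ; same as yes
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
TRUE, FALSE = {"yes", "true", "y", "t", "1", "on"}, {"no", "false", "n", "f", "0", "off"}

def normalize(value):
    """Fold boolean spellings to yes/no; keep other values (e.g. force_rport) as-is."""
    v = value.strip().lower()
    return "yes" if v in TRUE else "no" if v in FALSE else v

def parse_sections(text):
    """Return {section: {key: value}}. Templates and #include are not resolved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def nat_mismatches(text, default="no"):
    """List (peer, peer_nat, general_nat) where a peer's nat= differs from [general].
    `default` is the assumed value when [general] has no nat= line."""
    sections = parse_sections(text)
    general = normalize(sections.get("general", {}).get("nat", default))
    return [(name, normalize(opts["nat"]), general)
            for name, opts in sections.items()
            if name != "general" and "nat" in opts and normalize(opts["nat"]) != general]

if __name__ == "__main__":
    for peer, peer_nat, general_nat in nat_mismatches(SAMPLE_SIP_CONF):
        print(f"WARNING: [{peer}] nat={peer_nat} differs from [general] nat={general_nat}")
```

Peers that inherit nat= from [general] (such as [alice] in the sample) are not reported; only explicit per-peer overrides that differ are.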


