[asterisk-dev] SIP, NAT, security concerns, oh my!
Simon Perreault
simon.perreault at viagenie.ca
Sat Oct 22 14:41:02 CDT 2011
On 10/22/2011 02:23 PM, Terry Wilson wrote:
> I would not recommend removal since we generally try not to make
> policy decisions for the users. There are tons of ways Asterisk gives
> users enough rope to hang themselves. Discouraging per-peer nat
> setting would be fine.

Agreed.

> I would also change the default to nat=yes
> since it seems to be the more common setting and not likely to break
> any devices.

Yes. 3261 is stupid. If it was rewritten that behaviour would be
changed. So I think it is fine to break the RFC by default. As long as
we have a way to be RFC-compliant when needed.

> Of course, that is pretty much option 3 with a warning
> discouraging per-peer setting of nat=. Perhaps we could display a
> warning on initial config parsing for peers set opposite of the
> general setting.

+1

> I would also recommend to people to use TCP. For the
> purposes of SIP signaling I don't see any NAT advantages for UDP over
> TCP like there are for RTP since Asterisk is always in the signaling
> path.

Right, I had forgotten that we were talking about a SIP UAS, not a
proxy... ;)

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
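
The check proposed in the thread (warn about peers whose nat= is set opposite of the [general] setting) can also be run offline against a sip.conf. The following is an added example, not code from this message or from Asterisk; the sample config, the function names, the "later template wins" rule and the `assumed_default` used when [general] has no nat= line are all assumptions.

```python
import re
HEADER = re.compile(r"^\[([^\]]+)\]\s*(?:\(([^)]*)\))?")

# Constructed sample sip.conf; peer names are made up for illustration.
SAMPLE_SIP_CONF = """\
[general]
nat=yes
[phones](!)        ; template, not a peer
nat=no
[alice](phones)    ; inherits nat=no from the template
[bob]              ; no nat= line, falls back to [general]
type=friend
[carol]
nat = no
"""

def parse_sections(text):
    """Return {name: (is_template, parent_templates, options)}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = HEADER.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            current = {}
            sections[m.group(1)] = ("!" in flags, [f for f in flags if f != "!"], current)
        elif current is not None and "=" in line:    # accepts 'k=v' and 'k => v'
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def effective_nat(name, sections, fallback):
    # Own nat= first, then inherited templates (assumption: later one wins).
    _, parents, opts = sections[name]
    if "nat" in opts:
        return opts["nat"]
    for parent in reversed(parents):
        value = effective_nat(parent, sections, None) if parent in sections else None
        if value is not None:
            return value
    return fallback

def nat_mismatches(text, assumed_default="no"):
    """List (peer, peer_nat, general_nat) for peers that differ from [general]."""
    sections = parse_sections(text)
    general = sections.get("general", (False, [], {}))[2].get("nat", assumed_default)
    found = []
    for name, (is_template, _, _) in sections.items():
        nat = effective_nat(name, sections, general)
        if name != "general" and not is_template and nat != general:
            found.append((name, nat, general))
    return found
```

The comparison is on the literal nat= string, so a peer that reaches the same behaviour through a differently spelled value is still reported.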