[asterisk-dev] SIP, NAT, security concerns, oh my!

Benny Amorsen benny+usenet at amorsen.dk
Sun Oct 23 16:03:33 CDT 2011


Artem Makhutov <artem at makhutov.org> writes:

> I don't like this idea. What if a phone is behind a NAT router which
> is running a SIP server? So in this case the SIP server of the NAT
> router will get one packet and also the phone behind the NAT router
> will also receive one.

An unsolicited authentication required reply should be harmless. The SIP
server receiving the reply will not be able to match it to any requests,
so it will drop it on the floor. It is also not a security risk, because
after authentication, packets will only go to the right port, so even
insecure=invite should be ok.

The only way I can see this going badly is with a buggy implementation
of a SIP ALG. If we worry about those, no changes can ever be made to
the SIP stack, because there are just too many strange behaviours to
worry about.


/Benny
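
The matching step this reply relies on, as an added example that is not part of the original post and is not Asterisk code: a SIP client matches a response to a request it sent by the branch parameter of the top Via header plus the CSeq method (RFC 3261 section 17.1.3). The class, helper names, addresses and branch values are constructed for illustration, and "dropped" models the behaviour the message describes for a reply that matches nothing.

```python
# Added example: client-side SIP response matching (RFC 3261 section 17.1.3).
# All messages, addresses and branch values here are constructed samples.

def parse_response(raw):
    """Return (status, top Via branch, CSeq method) of a raw SIP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    branch = method = None
    seen_via = False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v") and not seen_via:
            seen_via = True  # only the topmost Via identifies the transaction
            for param in value.split(",")[0].split(";")[1:]:
                key, _, val = param.partition("=")
                if key.strip().lower() == "branch":
                    branch = val.strip()
        elif name == "cseq":
            method = value.split()[1]
    return status, branch, method

class ClientTransactions:
    """Requests one SIP endpoint has sent and is still awaiting replies for."""
    def __init__(self):
        self.pending = {}  # (branch, method) -> description of the request

    def sent(self, branch, method, note):
        self.pending[(branch, method)] = note

    def receive(self, raw):
        status, branch, method = parse_response(raw)
        note = self.pending.get((branch, method))
        if branch is None or note is None:
            return "dropped"  # unsolicited: no request to match it to
        return "%d delivered to %s" % (status, note)

def make_401(branch, cseq):
    return ("SIP/2.0 401 Unauthorized\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=%s\r\n"
            "Call-ID: constructed-1@192.0.2.10\r\n"
            "CSeq: %s\r\n"
            'WWW-Authenticate: Digest realm="example", nonce="constructed"\r\n'
            "Content-Length: 0\r\n\r\n" % (branch, cseq))

def demo():
    router, phone = ClientTransactions(), ClientTransactions()
    router.sent("z9hG4bKrouter1", "REGISTER", "router REGISTER")
    phone.sent("z9hG4bKphone7", "REGISTER", "phone REGISTER")
    reply = make_401("z9hG4bKphone7", "1 REGISTER")  # answers the phone only
    return router.receive(reply), phone.receive(reply)
```

Here the router's SIP server has its own REGISTER outstanding, yet the copy of the 401 it receives carries the phone's branch, so only the phone's transaction accepts it.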



