[asterisk-dev] SIP, NAT, security concerns, oh my!

Walter Doekes walter+asterisk-dev at osso.nl
Mon Oct 24 02:48:21 CDT 2011


My 2 cents on the issue:

I always *default* to nat=yes. First, when we see a client that really 
wants the reply on the Via port, we set nat=no on a peer level.

This does occur, and option 3 would come natural to me.

Like already stated: generally, there are only a few peers using this 
option, so the likelihood of these usernames being guessed is small. If 
you have many users set up like this, you'll want to reverse the global 
option. But since it's configurable, you can.

Here I must add that it would be appropriate if the IP ACLs are respected 
when replying: if no-ACL-match then use-global-option. (I suspect this 
is not done right now.)


I've seen a couple of comments in the thread, I'd like to address:

> Replying to both ports.

-1, I fear the packet multiplication could aid in DDoSing a third party. 
We already send out the extra 100 Trying(*) first, so we would be 
sending out 4 packets now for one incoming.


> Forcing the option on the user (option 2)

-1, if you have poor usernames and poor passwords, you could be less 
secure than when you have proper usernames + passwords but the 
possibility of username leaks.

If you're going to enforce this, you may as well enforce strong 
usernames and passwords as well.


> Remove or strongly discourage the use of the per-peer setting. This would ensure consistent behaviour for every extension, and leave the behaviour configurable globally. I can live with that personally. Strongly discouraging could be accomplished by linking to this thread from the default config file comments.
(Simon's option 4)

-1, removing is not an option for me. And *enabling* the 
global force_rport by *default* has a clear benefit: it decreases the 
likelihood of people configuring the peers to nat=yes one-by-one. 
Linking to a thread will probably not help those that do not read.


Regards,
Walter Doekes

(*) The 100 Trying (registertrying=) is another option that does 
information disclosure if set different from the global setting. FWIW, 
this is already more broken than the nat config right now:
- bad username: 100 trying
- good username: no 100

trunk-latest: register_verify():
    if (!peer && sip_cfg.alwaysauthreject) {
        // always send 100 without checking the SIP_PAGE2_REGISTERTRYING
    }
By default a peer has registertrying=no and you can *only* set this on a 
per-peer level.

But! It's impossible to set it on the peer, because p->flags[1] does not 
even get the REGISTERTRYING flag. Here peer->flags[1] should have been 
checked. Yuck.
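A small model of the reply-port decision discussed in this thread, added here as an illustration and not code from Asterisk or from the poster. It assumes a constructed peer table and ACL; "nat" stands for the nat=/force_rport setting and the reply port is the only observable. It shows why a per-peer override lets an unauthenticated sender tell a configured username from an unknown one, and that falling back to the global option when the source fails the peer's IP ACL removes that difference for sources outside the ACL.

```python
# Added model (not Asterisk code): per-peer nat/force_rport overrides as a
# username oracle, and "respect the ACL, else use the global option" as the fix.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Peer:
    nat: Optional[bool] = None                   # None = inherit global nat= setting
    permit: List[str] = field(default_factory=list)  # constructed IP ACL, e.g. ["10.0.0.0/8"]

    def acl_matches(self, src_ip: str) -> bool:
        # An empty ACL means "no restriction" in this model.
        return not self.permit or any(ip_address(src_ip) in ip_network(n) for n in self.permit)

def reply_port(peers: Dict[str, Peer], user: str, src_ip: str, src_port: int,
               via_port: int, global_nat: bool, respect_acl: bool) -> int:
    """Port the server answers to for a request claiming `user`.

    nat=yes (force_rport): reply to the port the packet actually came from.
    nat=no: reply to the port advertised in the Via header.
    """
    peer = peers.get(user)
    nat = global_nat
    if peer is not None and peer.nat is not None:
        # Per-peer override applies only if the ACL allows this source
        # (or if ACLs are ignored when choosing the reply destination).
        if not respect_acl or peer.acl_matches(src_ip):
            nat = peer.nat
    return src_port if nat else via_port

def username_is_distinguishable(peers: Dict[str, Peer], user: str, src_ip: str,
                                global_nat: bool, respect_acl: bool) -> bool:
    """True when a sender at src_ip gets a different reply destination for an
    existing `user` than for a name that is not configured at all.
    Distinct source and Via ports are used so the two behaviours can differ."""
    known = reply_port(peers, user, src_ip, 40000, 5060, global_nat, respect_acl)
    unknown = reply_port(peers, "no-such-user", src_ip, 40000, 5060, global_nat, respect_acl)
    return known != unknown

# Constructed configuration: global nat=yes, one peer that really wants the
# Via port (nat=no) and is only permitted from 10.0.0.0/8.
PEERS = {"alice": Peer(nat=False, permit=["10.0.0.0/8"])}
```

Inside the permitted range the two replies still differ, which is acceptable: that range is the one the administrator already trusts for this peer.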
