[asterisk-dev] SIP, NAT, security concerns, oh my!

Simon Perreault simon.perreault at viagenie.ca
Mon Oct 24 07:12:00 CDT 2011


On 2011-10-24 03:48, Walter Doekes wrote:
>> Remove or strongly discourage the use of the per-peer setting. This
>> would ensure consistent behaviour for every extension, and leave the
>> behaviour configurable globally. I can live with that personally.
>> Strongly discouraging could be accomplished by linking to this thread
>> from the default config file comments.
> (Simon's option 4)
> 
> -1, removing is not an option for me. And *enabling* the
> global-force_rport by *default* has a clear benefit: it decreases the
> likelihood of people configuring the peers to nat=yes one-by-one.

Of course. But it also has the disadvantage of increasing the likelihood
of people configuring the peers to nat=no one-by-one. That's the same
security issue, just reversed.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca


