[asterisk-dev] SIP, NAT, security concerns, oh my!

Steve Totaro stotaro at asteriskhelpdesk.com
Mon Oct 24 09:13:52 CDT 2011


On Mon, Oct 24, 2011 at 8:12 AM, Simon Perreault
<simon.perreault at viagenie.ca> wrote:
> On 2011-10-24 03:48, Walter Doekes wrote:
>>> Remove or strongly discourage the use of the per-peer setting. This
>>> would ensure consistent behaviour for every extension, and leave the
>>> behaviour configurable globally. I can live with that personally.
>>> Strongly discouraging could be accomplished by linking to this thread
>>> from the default config file comments.
>> (Simon's option 4)
>>
>> -1, removing is not an option for me. And *enabling* the
>> global-force_rport by *default* has a clear benefit: it decreases the
>> likelihood of people configuring the peers to nat=yes one-by-one.
>
> Of course. But it also has the disadvantage of increasing the likelihood
> of people configuring the peers to nat=no one-by-one. That's the same
> security issue, just reversed.
>
> Simon
> --
> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
> STUN/TURN server               --> http://numb.viagenie.ca
>

I have brought this exact subject up.  You can read the list history
and get some of the previous input into the subject.

The only argument against nat=yes as a default was it broke Asterisk's
compliance with the RFC which was not really written with NAT in mind.

Nobody could give a solid reason why not to do it; one person cited
better security with nat=yes.

http://tinyurl.com/4x8xkrk

I asked or proposed in November of 2008.

Thanks,
Steve Totaro
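As an added illustration of the one-by-one per-peer override concern raised in this thread (example code written for this page, not Asterisk's own): a small Python audit that parses a sip.conf, resolves `[name](template)` inheritance, and lists every peer whose effective nat= value differs from the one set in [general]. The sample configuration is constructed and the function names are my own.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")

def parse_sip_conf(text):
    """{section: {parents, template, keys}}; handles ';' comments, '(!)' templates and '(tpl)' inheritance."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            spec = [p.strip() for p in (m.group(2) or "").split(",") if p.strip()]
            current = m.group(1)
            sections[current] = {"parents": [p for p in spec if p != "!"],
                                 "template": "!" in spec, "keys": {}}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current]["keys"][key.strip().lower()] = value.strip().lower()
    return sections

def effective_nat(sections, name):
    """nat= for a section, falling back to its templates; None if unset anywhere."""
    sec = sections[name]
    if "nat" in sec["keys"]:
        return sec["keys"]["nat"]
    for parent in sec["parents"]:
        value = effective_nat(sections, parent) if parent in sections else None
        if value is not None:
            return value
    return None

def find_nat_overrides(text):
    """Peers whose effective nat= differs from [general]; unset peers follow the global value, templates are skipped."""
    sections = parse_sip_conf(text)
    global_nat = sections.get("general", {"keys": {}})["keys"].get("nat")
    return {name: effective_nat(sections, name)
            for name, sec in sections.items()
            if name != "general" and not sec["template"]
            and effective_nat(sections, name) not in (None, global_nat)}

# Constructed sample, not any real deployment's sip.conf.
SAMPLE = """\
[general]
nat=force_rport,comedia  ; global setting every peer should follow
[phone-tpl](!)
nat=force_rport,comedia
[alice](phone-tpl)       ; inherits the same value: consistent
[bob]                    ; per-peer override, the one-by-one case from the thread
nat=no
[carol]                  ; no nat= at all: follows [general]
"""
```

Running `find_nat_overrides(SAMPLE)` reports only bob, the peer that was configured differently from the global setting.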
