[asterisk-dev] SIP, NAT, security concerns, oh my!

Simon Perreault simon.perreault at viagenie.ca
Mon Oct 24 09:27:05 CDT 2011


On 2011-10-24 10:13, Steve Totaro wrote:
> On Mon, Oct 24, 2011 at 8:12 AM, Simon Perreault
> <simon.perreault at viagenie.ca> wrote:
>> On 2011-10-24 03:48, Walter Doekes wrote:
>>>> Remove or strongly discourage the use of the per-peer setting. This
>>>> would ensure consistent behaviour for every extension, and leave the
>>>> behaviour configurable globally. I can live with that personally.
>>>> Strongly discouraging could be accomplished by linking to this thread
>>>> from the default config file comments.
>>> (Simon's option 4)
>>>
>>> -1, removing is not an option for me. And *enabling* the
>>> global-force_rport by *default* has a clear benefit: it decreases the
>>> likelihood of people configuring the peers to nat=yes one-by-one.
>>
>> Of course. But it also has the disadvantage of increasing the likelihood
>> of people configuring the peers to nat=no one-by-one. That's the same
>> security issue, just reversed.
> 
> I have brought this exact subject up.  You can read the list history
> and get some of the previous input into the subject.
> 
> The only argument against nat=yes as a default was it broke Asterisk's
> compliance with the RFC which was not really written with NAT in mind.

I'm not arguing against having nat=yes as a default. I actually think
it's a good idea. I'm saying it doesn't fix the OP's security issue.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
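The whole exchange turns on one configuration hygiene point: whatever the global default is, peers that are given their own explicit nat= line one-by-one end up behaving differently from the rest. As an added example, not code from the thread or from the Asterisk project, here is a small audit script that parses a sip.conf-style file and lists every peer section that sets nat= explicitly, alongside the [general] value. It assumes the usual sip.conf layout ("[section](template)" headers, "key=value" or "key=>value" lines, ";" comments) and compares the nat values as literal strings without normalising aliases such as nat=yes versus nat=force_rport,comedia; the sample configuration is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sip.conf fragment (not from the thread): a global setting
# plus peers that override it one-by-one in both directions.
SAMPLE_SIP_CONF = """\
[general]
context=default
nat=force_rport,comedia

[office-template](!)
type=friend
host=dynamic

[1001](office-template)
secret=changeme
; explicit per-peer override, the pattern the thread warns about
nat=no

[1002](office-template)
nat=yes

[1003](office-template)
; inherits the global setting, no override
"""

# '[name]' or '[name](template,...)' section headers
SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")


def parse_sip_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse sip.conf-style text into {section: {key: value}}.

    Accepts 'key=value' and 'key=>value', strips ';' comments and reads
    '[section](template)' headers. Template inheritance is deliberately
    not resolved: the audit only cares about keys a peer sets explicitly.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.lstrip(">").strip()  # tolerate 'key=>value'
        sections[current][key.strip().lower()] = value.lower()
    return sections


def nat_overrides(conf: Dict[str, Dict[str, str]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the [general] nat value and every other section that sets
    nat= explicitly, as (section, value) pairs in file order."""
    general = conf.get("general", {}).get("nat", "<unset>")
    explicit = [
        (name, keys["nat"])
        for name, keys in conf.items()
        if name != "general" and "nat" in keys
    ]
    return general, explicit


def audit(text: str) -> List[str]:
    """Human-readable findings: one line per per-peer nat= setting."""
    general, explicit = nat_overrides(parse_sip_conf(text))
    findings = []
    for name, value in explicit:
        status = "same as" if value == general else "differs from"
        findings.append(f"[{name}] nat={value} ({status} [general] nat={general})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SIP_CONF):
        print(line)
```

Run it against a real sip.conf by reading the file into audit(); an empty result means every peer inherits the global setting, which is the consistent state the thread argues for regardless of which default is chosen.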