[asterisk-dev] SIP, NAT, security concerns, oh my!

Steve Totaro stotaro at asteriskhelpdesk.com
Mon Oct 24 09:36:30 CDT 2011


On Mon, Oct 24, 2011 at 10:27 AM, Simon Perreault
<simon.perreault at viagenie.ca> wrote:
> On 2011-10-24 10:13, Steve Totaro wrote:
>> On Mon, Oct 24, 2011 at 8:12 AM, Simon Perreault
>> <simon.perreault at viagenie.ca> wrote:
>>> On 2011-10-24 03:48, Walter Doekes wrote:
>>>>> Remove or strongly discourage the use of the per-peer setting. This
>>>>> would ensure consistent behaviour for every extension, and leave the
>>>>> behaviour configurable globally. I can live with that personally.
>>>>> Strongly discouraging could be accomplished by linking to this thread
>>>>> from the default config file comments.
>>>> (Simon's option 4)
>>>>
>>>> -1, removing is not an option for me. And *enabling* the
>>>> global-force_rport by *default* has a clear benefit: it decreases the
>>>> likelihood of people configuring the peers to nat=yes one-by-one.
>>>
>>> Of course. But it also has the disadvantage of increasing the likelihood
>>> of people configuring the peers to nat=no one-by-one. That's the same
>>> security issue, just reversed.
>>
>> I have brought this exact subject up.  You can read the list history
>> and get some of the previous input into the subject.
>>
>> The only argument against nat=yes as a default was it broke Asterisk's
>> compliance with the RFC which was not really written with NAT in mind.
>
> I'm not arguing against having nat=yes as a default. I actually think
> it's a good idea. I'm saying it doesn't fix the OP's security issue.
>
> Simon
> --
> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
> STUN/TURN server               --> http://numb.viagenie.ca
>

Simon,

I was not actually replying directly to your post or points, I know
that was confusing.

I was tossing out some history on the nat=yes default thing for the
entire discussion, I just replied to your post because it was last in
line.  There was some good input on those threads.

Thanks,
Steve Totaro


