[asterisk-dev] SIP, NAT, security concerns, oh my!

Olle E. Johansson oej at edvina.net
Tue Oct 25 02:53:05 CDT 2011


I think we need to divide this discussion into two parts:

1) NAT handling for SIP
2) NAT handling for media

We should also discuss

a) NAT handling before authentication
b) NAT handling after authentication and device matching
c) NAT handling with peer matching on IP and no AUTH
d) NAT handling with user matching on name and no AUTH

I think 2d - media handling for users matching on username and no auth - is where we really end up in dangerous waters.
The SIP part is much easier to handle and say:
 - if we match a peer on IP and port, follow those settings
 - otherwise always follow [general] settings before auth

Kill the user. Deprecate it as "dangerous in unmanaged networks".

/O

