[asterisk-dev] SIP, NAT, security concerns, oh my!

Kevin P. Fleming kpfleming at digium.com
Tue Oct 25 08:03:25 CDT 2011


On 10/25/2011 01:53 AM, Olle E. Johansson wrote:
> I think we need to divide this discussion into two parts:
>
> 1) NAT handling for SIP
> 2) NAT handling for media

This discussion has only been about SIP signaling, not media. If there 
are security issues related to NAT settings for media handling, please 
bring those up in a separate thread.

> We should also discuss
>
> a) NAT handling before authentication
> b) NAT handling after authentication and device matching
> c) NAT handling with peer matching on IP and no AUTH
> d) NAT handling with user matching on name and no AUTH

That's what this entire thread is about.

> I think 2d - media handling for users matching on username and no auth is where we really end up in dangerous waters.
> The SIP part is much easier to handle and say
>   -  if we match a peer on IP and port, follow those settings
>   - otherwise always follow [general] settings before auth

I've received an email (not to the list) from a user who has a set of 
devices that will not work with 'nat=force_rport' or 'nat=yes' in place 
(they send their SIP requests from a random port number but require 
replies to the port included in the top-most Via header). These devices 
would be unable to authenticate with a [general] setting that forced 
rport-style behavior. The devices in question are recent-model Cisco 
phones with SIP firmware; Olle, since you are at SIPit 29 right now, can 
you ask the Cisco guys there if this behavior is configurable or optional?

As I've thought about Tilghman's proposal to reply to *both* ports in 
cases where we cannot be sure which one we should reply to, I'm starting 
to think that might be a good option (but optional... we'd need a 
configuration item to disable it). Yes, it is a small traffic 
amplification attack vector, but a very small one (and SIP over UDP is 
already a traffic amplification attack vector by its very nature anyway).

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
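The response-routing choice the thread is arguing about, as an added example (not code from Asterisk, and not something anyone in this thread posted): given a UDP SIP request, the RFC 3261 rule replies to the sent-by port of the top-most Via (with "received" substituted for the host when the packet came from somewhere else), the RFC 3581 rule replies to the packet's source IP and port when the client put "rport" in its Via, Asterisk's nat=force_rport applies the RFC 3581 rule unconditionally, and Tilghman's proposal sends to both candidates when they differ. The policy names ("rfc", "force_rport", "reply_to_both"), the parser and the sample REGISTER from a NATed phone below are all this example's own assumptions, not Asterisk configuration values.

```python
"""Where does a SIP server send the response to a UDP request?

Added example, not Asterisk code.  Policy names are this example's own.
"""
import re

DEFAULT_SIP_PORT = 5060
# sent-by is "host" or "host:port"; host may be a bracketed IPv6 literal.
_SENT_BY = re.compile(r"^(\[[^\]]+\]|[^:\[\]]+)(?::(\d+))?$")


def parse_top_via(request: str) -> dict:
    """Parse the top-most Via of a SIP message.

    Returns {"host": str, "port": int or None, "params": {name: value or None}}.
    Only the first value of the first Via header is inspected, since that is
    the hop a server replies to.  Folded headers are not handled (assumption).
    """
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        top = value.split(",")[0].strip()            # first value = top-most Via
        pieces = [p.strip() for p in top.split(";")]
        _protocol, sent_by = pieces[0].split()        # "SIP/2.0/UDP", "host[:port]"
        m = _SENT_BY.match(sent_by)
        if not m:
            raise ValueError("malformed sent-by: %r" % sent_by)
        params = {}
        for p in pieces[1:]:
            k, _, v = p.partition("=")
            params[k.lower()] = v if v != "" else None  # bare "rport" has no value
        return {"host": m.group(1).strip("[]"),
                "port": int(m.group(2)) if m.group(2) else None,
                "params": params}
    raise ValueError("no Via header in request")


def response_destinations(request: str, source_ip: str, source_port: int,
                          policy: str = "rfc") -> list:
    """Return the (ip, port) destinations the response should be sent to.

    policy (example's own names):
      "rfc"           RFC 3261 unless the client put rport in its Via (RFC 3581)
      "force_rport"   always the packet's source IP and port, i.e. what
                      Asterisk's nat=force_rport / nat=yes does
      "reply_to_both" send to both candidates when they differ
    The length of the returned list is the number of datagrams sent per
    request, i.e. the amplification the policy buys.
    """
    via = parse_top_via(request)
    # RFC 3261 18.2.1: the server stamps "received" when sent-by is a domain
    # name or an IP differing from the packet source; 18.2.2 then sends the
    # response to received (else sent-by host) at the sent-by port.
    host = via["host"] if via["host"] == source_ip else source_ip
    via_port_dest = (host, via["port"] or DEFAULT_SIP_PORT)
    # RFC 3581: rport in the top Via means "reply to where this came from".
    source_dest = (source_ip, source_port)
    client_asked_rport = "rport" in via["params"]

    if policy == "force_rport":
        return [source_dest]
    if policy == "rfc":
        return [source_dest] if client_asked_rport else [via_port_dest]
    if policy == "reply_to_both":
        # Unambiguous cases get one datagram: client asked for rport, or the
        # device is not behind NAT so both candidates are the same address.
        if client_asked_rport or source_dest == via_port_dest:
            return [source_dest]
        return [source_dest, via_port_dest]
    raise ValueError("unknown policy %r" % policy)


# Constructed sample (not a real capture): a REGISTER as a NATed phone sends
# it.  Its Via names its private address and listening port 5060, but the
# packet arrives from the NAT's public address on an ephemeral port.
REGISTER_NO_RPORT = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# The same request from a device that asks for symmetric response routing.
REGISTER_RPORT = REGISTER_NO_RPORT.replace(";branch=", ";rport;branch=")
NAT_SOURCE = ("203.0.113.5", 49152)

if __name__ == "__main__":
    for label, req in (("no rport", REGISTER_NO_RPORT), ("rport", REGISTER_RPORT)):
        for policy in ("rfc", "force_rport", "reply_to_both"):
            dests = response_destinations(req, *NAT_SOURCE, policy=policy)
            print("%-9s %-14s -> %s" % (label, policy, dests))
```

Run it and the "no rport" row shows the whole disagreement: "rfc" sends to port 5060 behind the NAT (which only works if the NAT happens to forward it), "force_rport" sends to the ephemeral source port (which the Cisco phones described above ignore), and "reply_to_both" sends two datagrams, so the amplification cost is exactly one extra response per request and only for senders that neither ask for rport nor sit at the address they advertise.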
