[asterisk-dev] SIP listen on multiple ports

[Kevin P. Fleming]

On 01/10/2012 05:36 AM, Benny Amorsen wrote:
> "Olle E. Johansson"<oej at edvina.net>  writes:
>
>> That hack makes it possible to receive on the port, but not send from the port, which may cause issues.
>
> This is almost but not completely true.
>
> Imagine we are trying to get around an ISP blocking UDP port 5060.
>
> Client: 1.2.3.4, sends SIP with source port 6000, destination port 7000
>
> Server: 5.6.7.8, listens on 5060 but has a DNAT passing port 7000 to
> port 5060.
>
> The client sends a SIP packet, it starts out as src 6000 dst 7000, gets
> translated to src 6000 dst 5060. Asterisk, depending on NAT setting,
> hopefully sends a reply src 5060 dst 6000. The Linux kernel will
> intercept that packet and change it to src 7000 dst 6000, because it
> matches an existing connection. *poof* now no port 5060 traffic hits the
> wire.
>
> However, other outbound packets from Asterisk to the same IP with
> different source or destination ports will not get translated.

But because we are talking about SIP, this will result in broken SIP 
packets, because the Via headers (and other places) in the SIP packets 
generated by Asterisk won't indicate that replies should be sent to port 
7000. The Contact URI in an outbound INVITE, for example, won't have a 
port specified at all; an RFC compliant UA that received such an INVITE 
would have to send its responses to port 5060, not port 7000.

This is one (of many) issues that SIP ALGs attempt to solve, although I 
am in no way suggesting that such a thing should be used (ever).

I think Olle's proposed solution has a lot of merit (and for other 
reasons beyond just multiple bindings).

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org