[asterisk-users] Why Nat=yes Nat=no Option?
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Nov 13 11:51:41 CST 2008
Alex Balashov schrieb:
> Klaus Darilion wrote:
>
>> Actually I would nat=yes always, even if clients are not behind NAT os
>> otherwise the clietn can put some garbage into the contact header (e.g.
>> IP address of an upstream provider) and influence routing.
>
> No. There is a specific reason RFC 3261 says:
>
> "Registration creates bindings in a location service for a particular
> domain that associates an address-of-record URI with one or more
> contact addresses. Thus, when a proxy for that domain receives a
> request whose Request-URI matches the address-of-record, the proxy
> will forward the request to the contact addresses registered to that
> address-of-record."
>
> This gives the UAC the necessary level of control to determine how it is
> to be contacted.
>
> Imagine, for a example, a scenario in which incoming registrations are
> proxied further upstream for whatever reason - load balancer/distributor
> perhaps? - by an intermediate element. Do you really want to use that
> proximate hop's received IP address in place of the ultimate sending
> UAC's domain?
This is a different scenario. In this case of course I want the public
IP of the client, not of the load balancer. So, yes - in this case
nat=no is useful for Asterisk. Nevertheless I ignore the IP provided by
the client in the contact header completely - I always use the public IP
of the client. Thus, in a loadbalancer setup I would configure the load
balancer to ignore the advertised IP but use the "received" IP
(implementation depends on the actual setup and used components).
But as a basic rule - never ever trust the client. Storing and using the
Contact provided by the client without any screening is dangerous.
klaus
More information about the asterisk-users
mailing list