[asterisk-users] Why Nat=yes Nat=no Option?

Klaus Darilion klaus.mailinglists at pernau.at
Thu Nov 13 11:51:41 CST 2008

Alex Balashov schrieb:
> Klaus Darilion wrote:
>> Actually I would nat=yes always, even if clients are not behind NAT os 
>> otherwise the clietn can put some garbage into the contact header (e.g. 
>> IP address of an upstream provider) and influence routing.
> No.  There is a specific reason RFC 3261 says:
>     "Registration creates bindings in a location service for a particular
>     domain that associates an address-of-record URI with one or more
>     contact addresses.  Thus, when a proxy for that domain receives a
>     request whose Request-URI matches the address-of-record, the proxy
>     will forward the request to the contact addresses registered to that
>     address-of-record."
> This gives the UAC the necessary level of control to determine how it is 
> to be contacted.
> Imagine, for a example, a scenario in which incoming registrations are 
> proxied further upstream for whatever reason - load balancer/distributor 
> perhaps? - by an intermediate element.  Do you really want to use that 
> proximate hop's received IP address in place of the ultimate sending 
> UAC's domain?

This is a different scenario. In this case of course I want the public 
IP of the client, not of the load balancer. So, yes - in this case 
nat=no is useful for Asterisk. Nevertheless I ignore the IP provided by 
the client in the contact header completely - I always use the public IP 
of the client. Thus, in a loadbalancer setup I would configure the load 
balancer to ignore the advertised IP but use the "received" IP 
(implementation depends on the actual setup and used components).

But as a basic rule - never ever trust the client. Storing and using the 
Contact provided by the client without any screening is dangerous.


More information about the asterisk-users mailing list