[asterisk-users] Why Nat=yes Nat=no Option?

Alex Balashov abalashov at evaristesys.com
Thu Nov 13 12:04:35 CST 2008

Klaus Darilion wrote:

> This is a different scenario. In this case of course I want the public 
> IP of the client, not of the load balancer. So, yes - in this case 
> nat=no is useful for Asterisk. Nevertheless I ignore the IP provided by 
> the client in the contact header completely - I always use the public IP 
> of the client. Thus, in a loadbalancer setup I would configure the load 
> balancer to ignore the advertised IP but use the "received" IP 
> (implementation depends on the actual setup and used components).
> But as a basic rule - never ever trust the client. Storing and using the 
> Contact provided by the client without any screening is dangerous.

Hm.  Interesting.  I am curious:  I agree that validation should be in 
place, but why do you think that distrust of the client's contact URI 
should be elevated to a "basic rule?"  What incentive do UACs have to 
provide an illegitimate contact URI?  So the UAS will send responses 
somewhere else, to another UAC that will reject the request because it 
the dialog/transaction parameters do not match?  Man-in-the-middle 
attacks from spoofed requests containing bogus contact domains?  That 
can also be carried out with IP spoofing and other more traditional 
means on the IP layer itself.

But there is a difference between screening and distrusting by default, 
particularly in scenarios where it may be explicitly undesirable for the 
received IP to be used as the contact, such as in switch assemblies 
where the signaling agents are partitioned somehow.

I think the question here really is about good default behaviours and 
assumptions, not whether validation for security is a good idea, though. 
  In the scenario in the last paragraph, I may wish to allow contact 
addresses from other hosts on the same originating subnet but not on 
foreign networks (validation), but not to use the received IP 
(assumption of NAT).

Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

More information about the asterisk-users mailing list