[asterisk-users] Asterisk bugs make a right mess of RTP

[Joshua Colp]

On Fri, Sep 1, 2017, at 09:01 AM, Dave Topping wrote:
> http:/www.theregister.co.uk/2017/09/01/asterisk_admin_patch/

This specific issue exists in a lot of different implementations and
devices. Unfortunately there's nothing within SDP that guarantees or
provides what the source of media should be for most things. You can
guess that where you are sending (what you are told in the SDP) is the
correct source, but in the case of NAT that isn't true. Using SRTP is
one way to work around this as mentioned on the disclosure[1] from the
reporter. I'm sure the strict RTP implementation will evolve even
further, but we also have to ensure that we don't just start blocking
all RTP so people can't actually place calls. It's certainly a
challenge.

This is one of the things that WebRTC got right - information is
conveyed that allows you to verify that the sender of media is who you
expect.

[1]
https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org