On Friday, 6 November 2009, Klaus Darilion wrote:
I do not remember anymore in detail, but I think by spoofing aliases
(and the proxy accepts the spoofed alias) it could be possible to
intercept SIP messages which are targeted to another user/client behind
the same NAT.
ok.
What about if the server doesn't challenge the client? XDD
No problem - at least for xlite. It does:
1. REGISTER with local socket
2. 407
3. REGISTER with local socket
4. 200 ok (learn public socket)
5. deREGISTER local socket
6. 200 ok
7. REGISTER with public socket
8. 200 ok
That's really ugly! XDD
However, the fact is that during a TCP dialog there "should" exist *two*
TCP connections (assuming binding port = 5060):
a) UA:random_port - Proxy:5060
b) Proxy:random_port - UA:5060
that's the broken idea of RFC 3261.
It's not a broken idea since in IETF world there is no NAT.
But yes, the fact is that it's ridiculous!!! How is it possible that a TCP
communication between two nodes could require two TCP connections??? Terrible
design...
In fact that will never work due to NAT/FW. The un-standardized approaches
are described above and work well. The standardized approach would be
sip-outbound, which gives the same result as the un-standardized approach.
The only difference is that the un-standardized approach is forcing the same
standardized approach without requiring the "alias" parameter in the Via header :)
Thanks.
--
Iñaki Baz Castillo <ibc(a)aliax.net>
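
The eight-step X-Lite sequence quoted above, sketched from the client side as an added example (not part of the original message and not X-Lite's code). It assumes the public socket in step 4 is learned from the `received` and `rport` parameters of the top Via (RFC 3581), which the thread does not state; the sample response, addresses and function names are constructed.

```python
# Constructed 200 OK answering step 3 (documentation-range addresses, not from the thread).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776a;"
    "received=203.0.113.7;rport=40312\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "To: <sip:alice@example.org>;tag=2\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 2 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

def top_via(message):
    """Return the topmost Via value (first Via line, first comma-separated entry)."""
    for line in message.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                               # blank line: end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            return value.split(",")[0].strip()
    return None

def learn_public_socket(message):
    """Step 4: the (ip, port) the proxy saw, taken from received/rport."""
    via = top_via(message)
    if via is None:
        return None
    parts = [p.strip() for p in via.split(";")]
    sent_by = parts[0].split()[-1]              # IPv4/hostname sent-by only
    host, _, port = sent_by.partition(":")
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    ip = params.get("received", host)
    rport = params.get("rport") or port or "5060"
    return ip, int(rport)

def plan_reregistration(local, message, expires=3600):
    """Steps 5-8: if NATed, remove the local binding, then bind the public one."""
    public = learn_public_socket(message)
    if public is None or public == local:
        return []                               # no NAT seen: step 3 binding stands
    return [("REGISTER", "%s:%d" % local, 0),          # step 5: deREGISTER local
            ("REGISTER", "%s:%d" % public, expires)]   # step 7: REGISTER public
```

Between steps 4 and 6 the registrar holds a binding for a private address that other hosts cannot reach, which is why the sequence removes it before registering the public socket.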