You might want to read up on ICE (STUN & TURN) and SRTP / DTLS which
broadly resolve your issues.
On 21 April 2015 at 23:40, GG GG <ggcoding(a)gmail.com> wrote:
By port closed, I mean that ports are normally closed, but when rtpengine sends the first RTP packets to the client, it opens a pinhole in the firewall, and the matching incoming packets from the client will make the connection established,related in iptables. I think symmetric NAT permits that.
But now I'm thinking that it's impossible for rtpengine to know the client's destination port at the learning phase if the client's RTP packets can't reach rtpengine.
Rtpengine can learn the IP address from Kamailio through the --sip-source CLI switch, but can't guess the port, right?
So, playing with established,related is not possible.
If the attacker is fast enough, yes. You can disable learning of endpoint addresses using the asynchronous flag, but obviously this will break NAT'd media. You can also use the strict-source flag to make rtpengine drop packets received from a mismatched source address.
So if I don't use the strict-source flag, an attacker could merge any garbage data into an existing RTP stream?
Thanks.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
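The strict-source flag discussed in the thread is passed to rtpengine per call from the Kamailio routing script. The snippet below is an added example, not code from the thread or from the rtpengine or Kamailio projects; the route name NATMANAGE, the module socket address and the companion replace-* flags are assumptions about a typical kamailio.cfg.

```cfg
# Added example: hand the strict-source flag to rtpengine from kamailio.cfg.
# Assumes the rtpengine and textops modules are loaded, e.g.:
#   loadmodule "textops.so"
#   loadmodule "rtpengine.so"
#   modparam("rtpengine", "rtpengine_sock", "udp:127.0.0.1:2223")   # assumed socket
# The route name and the call site are assumptions for illustration;
# call this route from the request and reply routes that carry SDP.

route[NATMANAGE] {
    # Only messages with an SDP body involve the media relay.
    if (!has_body("application/sdp")) return;

    # Without strict-source, rtpengine learns the remote endpoint from the
    # first packets it receives and afterwards forwards whatever arrives on
    # the port, which is the "garbage into an existing stream" case above.
    # With strict-source, packets whose source address does not match the
    # learned or signalled endpoint are dropped. The learning window itself
    # remains (the "fast enough" case), so this narrows, not removes, the risk.
    rtpengine_manage("replace-origin replace-session-connection strict-source");
}
```

After the change, a quick check is to watch the rtpengine log or `rtpengine-ctl list` output for the call while sending RTP from a second, unrelated address in a lab: with strict-source the mismatched packets are counted as dropped instead of being relayed to the far end.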