By port closed, I mean that ports are normally closed, but when rtpengine sends the first RTP packets to the client, it opens a pinhole in the firewall, and the matching incoming packets from the client will make the connection established,related in iptables. I think symmetric NAT permits that.

But now I'm thinking that it's impossible for rtpengine to know the client's destination port at the learning phase if the client's RTP packets can't reach rtpengine.

Rtpengine can learn the IP address from kamailio through the --sip-source CLI switch, but can't guess the port, right?

So, playing with established,related is not possible.
If the attacker is fast enough, yes. You can disable learning of endpoint addresses using the asynchronous flag, but obviously this will break NAT'd media. You can also use the strict-source flag to make rtpengine drop packets received from a mismatched source address.
So if I don't use the strict-source flag, an attacker could merge any garbage data into an existing RTP stream?

Thanks.
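To make the trade-off in the reply above concrete, here is an added toy model of one media leg, written for this page and not taken from the thread or from rtpengine itself. It assumes three simplified behaviours: endpoint learning takes the first packet's source as the far end (the race the reply calls "fast enough"), strict-source compares only the source IP against the signalled IP (because, as the thread notes, --sip-source yields the IP but not the port), and the "asynchronous" flag is modelled simply as learning switched off. The addresses and packet labels are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class RelaySession:
    """One receive leg of a constructed relay model (not rtpengine's code).

    signalled_ip / signalled_port: what signalling (SDP, --sip-source) told us.
    strict_source:  drop packets whose source IP differs from signalled_ip.
    learn_endpoint: take the first packet's source as the real far end, which
                    NAT'd clients need because their port was rewritten.
    """
    signalled_ip: str
    signalled_port: int
    strict_source: bool = False
    learn_endpoint: bool = True
    learned: Optional[Addr] = None
    accepted: List[str] = field(default_factory=list)
    dropped: List[str] = field(default_factory=list)

    def expected(self) -> Addr:
        # Once learned, the learned address wins; otherwise trust signalling.
        return self.learned or (self.signalled_ip, self.signalled_port)

    def _drop(self, payload: str) -> bool:
        self.dropped.append(payload)
        return False

    def receive(self, src: Addr, payload: str) -> bool:
        ip, _port = src
        # strict-source check: IP only, since the port is unknown before learning
        if self.strict_source and ip != self.signalled_ip:
            return self._drop(payload)
        # learning phase: first packet to arrive defines the far end
        if self.learn_endpoint and self.learned is None:
            self.learned = src
        if src != self.expected():
            return self._drop(payload)
        self.accepted.append(payload)
        return True


def scenario(strict_source: bool, learn_endpoint: bool) -> RelaySession:
    """Replay one constructed packet sequence against a given configuration."""
    s = RelaySession("203.0.113.10", 4000, strict_source, learn_endpoint)
    # NAT rewrote the client's source port 4000 -> 40123; the IP matches signalling.
    client: Addr = ("203.0.113.10", 40123)
    # A third-party source (constructed) whose packet happens to arrive first.
    foreign: Addr = ("198.51.100.7", 5555)
    s.receive(foreign, "foreign-1")
    s.receive(client, "client-1")
    s.receive(client, "client-2")
    return s


if __name__ == "__main__":
    for strict, learn in [(False, True), (True, True), (False, False)]:
        s = scenario(strict, learn)
        print(f"strict_source={strict} learn_endpoint={learn}: "
              f"accepted={s.accepted} dropped={s.dropped}")
```

Running the three configurations shows the thread's conclusion in miniature: with learning on and no strict-source, the foreign packet that arrives first is learned as the far end and the real client's packets are discarded; with strict-source added, the foreign packet is dropped and the NAT'd client's rewritten port is still learned correctly; with learning disabled, nothing from the NAT'd client matches the signalled port, so its media breaks.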