By port closed, I mean that ports are normally closed, but when rtpengine send the first rtp packets to the client, it opens a pinhole in the firewall, and the matching incoming packets from the client will make the connection established,related in iptables. I think symmetric nat permits that.
But now I'm thinking that it's impossible for rtpengine to know the client's destination port at the learning phase if the client's rtp packets can't reach rtpengine.
Rtpengine can learn the IP Address from kamailio through the --sip-source CLI switch, but can't guess the port, right ?
So, playing with established,related is not possible.
If the attacker is fast enough, yes. You can disable learning of endpoint addresses using the asynchronous flag, but obviously this will break NAT'd media. You can also use the strict-source flag to make rtpengine drop packets received from a mismatched source address.
So if I don't use strict-source flag, an attacker could merge any garbage of data in an existing RTP stream ?
Thanks.
You might want to read up on ICE (STUN & TURN) and SRTP / DTLS which broadly resolve your issues.
On 21 April 2015 at 23:40, GG GG ggcoding@gmail.com wrote:
By port closed, I mean that ports are normally closed, but when rtpengine send the first rtp packets to the client, it opens a pinhole in the firewall, and the matching incoming packets from the client will make the connection established,related in iptables. I think symmetric nat permits that.
But now I'm thinking that it's impossible for rtpengine to know the client's destination port at the learning phase if the client's rtp packets can't reach rtpengine.
Rtpengine can learn the IP Address from kamailio through the --sip-source CLI switch, but can't guess the port, right ?
So, playing with established,related is not possible.
If the attacker is fast enough, yes. You can disable learning of endpoint addresses using the asynchronous flag, but obviously this will break NAT'd media. You can also use the strict-source flag to make rtpengine drop packets received from a mismatched source address.
So if I don't use strict-source flag, an attacker could merge any garbage of data in an existing RTP stream ?
Thanks.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 21/04/15 10:40 PM, GG GG wrote:
By port closed, I mean that ports are normally closed, but when rtpengine send the first rtp packets to the client, it opens a pinhole in the firewall, and the matching incoming packets from the client will make the connection established,related in iptables. I think symmetric nat permits that.
Yes, but rtpengine doesn't send any RTP or RTCP by itself. It only forwards RTP and RTCP, and in order to forward it, it first must receive it. If all ports are closed then nothing can ever be received and nothing can ever be forwarded or sent.
Cheers
-
Ben Langfeld -
GG GG -
Richard Fuchs