Hello,
What do you think about opening all RTP ports for rtpengine on the Internet? Is it bad practice?
I wonder if it's possible to use rtpengine with all ports closed.
Maybe someone could explain how rtpengine learns the source address when the SDP contains a local address.
If your rtpengine server is under attack, could rtpengine choose the wrong IP source for RTP?
Thanks.
On 21/04/15 11:04 AM, GG GG wrote:
> Hello,
> What do you think about opening all RTP ports for rtpengine on the Internet? Is it bad practice?
> I wonder if it's possible to use rtpengine with all ports closed.
Not sure what you mean by "ports closed." How would rtpengine, or any other RTP proxy/client for that matter, receive any media traffic if the ports are closed?
> Maybe someone could explain how rtpengine learns the source address when the SDP contains a local address.
For the first 2-3 seconds after the media session has been established, it listens for incoming UDP packets and will learn the endpoint address from the source address of the received packets. After 2-3 seconds this learning stops and the endpoint is locked in place.
> If your rtpengine server is under attack, could rtpengine choose the wrong IP source for RTP?
If the attacker is fast enough, yes. You can disable learning of endpoint addresses using the asynchronous flag, but obviously this will break NAT'd media. You can also use the strict-source flag to make rtpengine drop packets received from a mismatched source address.
Cheers
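The learning window and the two flags from the reply above, as an added simulation that is not rtpengine's code: the window length, the "latest packet wins" rule inside the window, how the two flags are modelled, and all addresses are assumptions constructed for this model.

```python
LEARN_WINDOW = 3.0  # seconds; the reply says "2-3 seconds", upper bound assumed here

# Constructed addresses from documentation ranges (RFC 5737); none are real hosts.
SDP_ADDR = ("192.168.1.10", 40000)   # private address a NAT'd caller puts in its SDP
CALLER = ("203.0.113.5", 40000)      # the same caller as seen after NAT
ATTACKER = ("198.51.100.9", 5555)    # unrelated source sending into the open RTP port


class EndpointLearner:
    """Tracks where one media leg's outbound RTP is sent (model, not rtpengine)."""

    def __init__(self, sdp_addr, t0, asymmetric=False, strict_source=False):
        self.sdp_addr = sdp_addr
        self.t0 = t0
        self.asymmetric = asymmetric        # modelled as: never learn, trust the SDP
        self.strict_source = strict_source  # modelled as: drop mismatched sources once locked
        self.endpoint = sdp_addr            # destination until learning changes it
        self.locked = asymmetric            # learning disabled means locked from the start
        self.dropped = []

    def on_packet(self, src, t):
        """Handle one inbound packet from src at time t; return True if forwarded."""
        if not self.locked and t - self.t0 <= LEARN_WINDOW:
            self.endpoint = src  # learn from the source address (latest packet wins here)
            return True
        self.locked = True       # window elapsed: the endpoint stays as it is
        if self.strict_source and src != self.endpoint:
            self.dropped.append((t, src))
            return False
        return True


def run_scenario(packets, **flags):
    """packets: list of (time, src). Returns (final endpoint, per-packet forwarded flags)."""
    leg = EndpointLearner(SDP_ADDR, t0=0.0, **flags)
    forwarded = [leg.on_packet(src, t) for t, src in packets]
    return leg.endpoint, forwarded


# Constructed traffic: an unrelated source keeps sending through the learning window
# while the NAT'd caller sends normally; both continue after the window closes.
RACE = [(0.05, ATTACKER), (0.1, CALLER), (1.0, CALLER), (2.9, ATTACKER),
        (4.0, CALLER), (4.1, ATTACKER)]
NORMAL = [(0.1, CALLER), (1.0, CALLER), (4.0, CALLER)]

if __name__ == "__main__":
    for name, flags in [("default", {}), ("asymmetric", {"asymmetric": True}),
                        ("strict-source", {"strict_source": True})]:
        print(name, "race:", run_scenario(RACE, **flags), "normal:", run_scenario(NORMAL, **flags))
```

With asymmetric set, NORMAL ends with media still sent to the private SDP address, which is the NAT breakage the reply mentions; with strict-source alone, whatever was learned inside the window decides which later packets are dropped.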