On 21/04/15 11:04 AM, GG GG wrote:
> Hello,
> what do you think about opening all RTP ports for rtpengine on the Internet,
> is it a bad practice?
> I wonder if it's possible to use rtpengine with all ports closed.

Not sure what you mean with "ports closed." How would rtpengine, or any
other RTP proxy/client for that matter, receive any media traffic if the
ports are closed?

> Maybe someone could explain how rtpengine learns the source address when
> the SDP contains a local address.

For the first 2-3 seconds after the media session has been established,
it listens for incoming UDP packets and will learn the endpoint address
from the source address of the received packets. After 2-3 seconds this
learning stops and the endpoint is locked in place.

> If your rtpengine server is under attack, could rtpengine choose the
> wrong IP source for RTP?

If the attacker is fast enough, yes. You can disable learning of
endpoint addresses using the asynchronous flag, but obviously this will
break NAT'd media. You can also use the strict-source flag to make
rtpengine drop packets received from a mismatched source address.
Cheers
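
The learning window and the two flags described in the reply above, as a simplified model. This is an added example, not part of the original message and not rtpengine's code. The 3.0 second window, the `MediaPort` class, its `learn` and `strict_source` parameters and the `mismatches` counter are assumptions made for illustration, and the packets are constructed sample data.

```python
from dataclasses import dataclass, field

LEARN_WINDOW = 3.0  # seconds; the post says "2-3 seconds", 3.0 is an assumed value


@dataclass
class MediaPort:
    """Simplified model of one relay port (hypothetical, not rtpengine internals)."""
    sdp_endpoint: tuple          # (ip, port) advertised in the SDP
    learn: bool = True           # False models disabling endpoint learning
    strict_source: bool = False  # True models dropping mismatched sources
    endpoint: tuple = None       # current media endpoint, starts at the SDP value
    mismatches: int = field(default=0)

    def __post_init__(self):
        self.endpoint = self.sdp_endpoint

    def receive(self, t, src):
        """Return 'learn', 'accept' or 'drop' for a packet at t seconds from src."""
        if self.learn and t <= LEARN_WINDOW:
            if src != self.endpoint:
                self.endpoint = src     # still learning: follow the packet source
                return "learn"
            return "accept"
        if src == self.endpoint:
            return "accept"
        self.mismatches += 1            # source differs from the locked endpoint
        return "drop" if self.strict_source else "accept"


def replay(port, packets):
    """Feed (time, source) pairs through the port and collect the decisions."""
    return [port.receive(t, src) for t, src in packets]


# Constructed sample traffic (documentation address ranges), not a real capture.
SDP = ("192.168.1.20", 40000)   # private address from the SDP
NAT = ("198.51.100.7", 61234)   # source the relay actually sees for the NAT'd client
OTHER = ("203.0.113.99", 5000)  # unrelated source arriving after the lock
PACKETS = [(0.02, NAT), (0.04, NAT), (4.0, OTHER), (4.02, NAT)]

if __name__ == "__main__":
    for name, kw in [("default", {}), ("strict-source", {"strict_source": True}),
                     ("learning off", {"learn": False, "strict_source": True})]:
        port = MediaPort(SDP, **kw)
        print(f"{name:14} {replay(port, PACKETS)} endpoint={port.endpoint}")
```

The third configuration shows the trade-off named in the reply: with learning disabled the endpoint stays at the private SDP address, so every packet from the NAT'd client counts as a mismatch.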