[sr-dev] why new tcp connection?

Iñaki Baz Castillo ibc at aliax.net
Fri Nov 6 15:02:11 CET 2009


On Friday, 6 November 2009, Klaus Darilion wrote:
> I do not remember anymore in detail, but I think by spoofing aliases
> (and the proxy accepts the spoofed alias) it could be possible to
> intercept SIP messages which are targeted to another user/client behind
> the same NAT.

ok.

 

> > What about if the server doesn't challenge the client? XDD
> 
> No problem - at least for xlite. It does:
> 1. REGISTER with local socket
> 2. 407
> 3. REGISTER with local socket
> 4. 200 ok (learn public socket)
> 5. deREGISTER local socket
> 6. 200 ok
> 7. REGISTER with public socket
> 8. 200 ok

That's really ugly! XDD
 


> > However, the fact is that during a TCP dialog there "should" exist *two*
> > TCP connections (assuming binding port = 5060):
> >
> > a) UA:random_port - Proxy:5060
> > b) Proxy:random_port - UA:5060
> 
> that's the broken idea of RFC 3261.

It's not a broken idea since in IETF world there is no NAT.
But yes, the fact is that it's ridiculous!!! How is it possible that a TCP 
communication between two nodes could require two TCP connections??? Terrible 
design...


> In fact that will never work due to
> NAT/FW. The un-standardized approaches are described above and work
> well. The standardized approach would be sip-outbound, which gives the
> same result as the un-standardized approach.

The only difference is that the un-standardized approach is forcing the same 
standardized approach without requiring the "alias" parameter in the Via header :)


Thanks.


-- 
Iñaki Baz Castillo <ibc at aliax.net>
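
Added example, not part of the original message or of any project's code: step 4 of the quoted registration sequence ("200 ok (learn public socket)") sketched as a parser. It assumes the client reads its public socket from the `received` and `rport` parameters (RFC 3261 / RFC 3581) that the server puts in the top Via of the response; the thread does not say how X-Lite does this, and the sample message and addresses are constructed.

```python
import re

# Constructed sample: 200 OK to the first REGISTER (step 4 in the thread).
# Addresses are documentation ranges, not values from the mailing list.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 192.168.1.10:5060;branch=z9hG4bK776asdhds;"
    "received=203.0.113.7;rport=40123\r\n"
    "Contact: <sip:alice@192.168.1.10:5060;transport=tcp>;expires=3600\r\n"
    "CSeq: 2 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

SENT_BY = re.compile(
    r"SIP\s*/\s*2\.0\s*/\s*\w+\s+(\[[^\]]+\]|[^:\s]+)(?::(\d+))?")


def top_via(message):
    """Return the first Via value, i.e. the one the client itself added."""
    for line in message.split("\r\n")[1:]:
        if not line:
            break  # blank line: end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            return value.strip().split(",")[0]  # several Vias may share a line
    raise ValueError("no Via header")


def learn_public_socket(message):
    """Return ((local_host, local_port), (public_host, public_port))."""
    sent_by, *params = [p.strip() for p in top_via(message).split(";")]
    m = SENT_BY.fullmatch(sent_by)
    if not m:
        raise ValueError("malformed Via sent-by: %r" % sent_by)
    local = (m.group(1), int(m.group(2) or 5060))
    # Via parameter names are case-insensitive; a bare "rport" has no value.
    kv = {k.lower(): v for k, _, v in (p.partition("=") for p in params)}
    public = (kv.get("received", local[0]), int(kv.get("rport") or local[1]))
    return local, public


def behind_nat(message):
    """True when the server saw a different source socket than the Via claims."""
    local, public = learn_public_socket(message)
    return local != public
```
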


