[sr-dev] source port for TCP & TLS connections

Daniel-Constantin Mierla miconda at gmail.com
Wed Dec 7 09:36:57 CET 2016


Hello,

I will try to follow up with more on this discussion after I get the
time to check the resources at the links you mentioned. I know that
forcing a source port for a tcp connection was not reliable, but things
may have changed with newer versions of kernels.

Cheers,
Daniel


On 05/12/2016 14:01, Daniel Pocock wrote:
>
> RFC 3261 doesn't appear to require anything more than the default random
> selection of source port for transports like TCP and TLS
>
> Section 18[1] even appears to anticipate that two proxies communicating
> over reliable transports may have two different connections open at the
> same time, one for requests initiated in each direction.
>
> However, I've seen a couple of situations where using the listening port
> as the source port would be beneficial:
>
> - peer has buggy implementation that tries to connect back to source
> port / rport (which should only happen for unreliable transports),
> observed in reSIProcate[2]
>
> - firewall policy is particularly strict and prefers or even expects
> specific source ports to be used
>
> - potentially halves the number of sockets / FDs required (better use of
> system resources)
>
>
> It is not hard to configure a TCP (or TLS) client socket to use a
> specific[3] source port, although as that example[3] demonstrates, there
> could be situations where a socket is not fully closed and a new one
> can't be opened immediately for the same source/dest port combination. 
> That type of issue doesn't arise for randomly selected source ports.
>
>
> Has anybody else tried setting a fixed source port for TCP/TLS
> connections and can you share any observations about this for better or
> worse?
>
> Has anybody seen similar behaviour to the bug[2] in other SIP
> implementations?
>
> We are thinking about implementing this as an optional feature in
> reSIProcate, partly to help people mitigate the impact of peers who have
> the bug #137.
>
> Regards,
>
> Daniel
>
>
> 1. https://tools.ietf.org/html/rfc3261#section-18
>
> 2. https://www.resiprocate.org/bugzilla/show_bug.cgi?id=137
>
> 3.
> http://stackoverflow.com/questions/2605182/when-binding-a-client-tcp-socket-to-a-specific-local-port-with-winsock-so-reuse
>
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com




More information about the sr-dev mailing list