[Serusers] NAT ping and consumer router

Jiri Kuthan jiri at iptel.org
Mon Aug 23 21:14:46 CEST 2004


At 08:50 PM 8/23/2004, John Todd wrote:
>I agree.  However, I don't see ICE or any of the other extensions becoming part of most UA implementations for at least another >1.5 years (assuming that approvals happen quickly at IETF) but those of us with customers have to come out with solutions faster than that in this quickly-solidifying market.

agreed.


>> >The manner in which Asterisk handles this type of keepalive is somewhat simple but novel, and may be worth examination.   Every X seconds, an OPTIONS request is made to the remote UA by the server. Even if the UA does not support the OPTIONS query, it typically hands back a SIP error, which serves the purpose of keeping the NAT translations open.  If the device supports OPTIONS, then a "normal" SIP reply is sent, also serving the intended purpose.
>>
>>It's great it mostly works but it is a hack. It introduces a lot of brittleness -- it will
>>fail whenever NAT bindings change: if NAT reboots, it will fail if NAT is not too
>>deterministic, it will fail if forcible IP address change occurs, etc. Getting it
>>robust is simply hard without client support. (Which is BTW a simple application of the e2e
>>principle.)
>
>I agree that it is a hack, but so is any solution that tries to solve this problem from the "outside" of the NAT.  Using OPTIONS is perhaps just a slightly different hack that may make more NAT boxes do the right thing.
>
>(Side note: has anyone generated a list of NAT boxes/software which require outbound packets for translations to stay open?  In other words: where, exactly, does SER's method NOT work?)

I'm unfortunately not aware of such.

>>I'm not familiar with what you reference here; are you talking about cached credentials, or some other method that isn't a full authentication lookup for REGISTER requests which "appear" to have the same characteristics as prior registrations?  (danger!  I've imagined what you might be talking about, and in my (perhaps incorrect) assumptions, I can see some security problems.  With this method, it would probably be easy to "take over" a SIP UA's identity for inbound calls without password authentication if the attacker was behind the same NAT external address.)

Well, the assumption would be that contacts (including port) have not changed.
If that is the case, skipping authentication introduces rather slight security
risks.

-jiri 
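As an added illustration of the shortcut Jiri describes (not SER's or Asterisk's code): a registrar-side check that skips full authentication only when both the Contact URI and the NAT-side source address *and port* of a re-REGISTER match the stored binding. The `Binding`, `register` and `can_skip_auth` names and the sample addresses are constructed for this example. It also shows the trade-off raised above: a different host behind the same NAT external address arrives from a different port and is sent through full authentication, while a NAT reboot that reassigns the port likewise forces re-authentication.

```python
# Added example, not code from SER or Asterisk.
from dataclasses import dataclass
from typing import Dict, Tuple

Source = Tuple[str, int]  # public (ip, port) a REGISTER arrived from, as rewritten by the NAT


@dataclass(frozen=True)
class Binding:
    contact: str    # Contact URI as registered, e.g. "sip:alice@10.0.0.5:5060"
    source: Source  # NAT-side source address and port seen by the registrar


def parse_contact(header: str) -> str:
    """Strip display name, angle brackets and parameters from a Contact header value."""
    h = header.strip()
    if "<" in h and ">" in h:
        h = h[h.index("<") + 1 : h.index(">")]
    return h.split(";", 1)[0].strip()


def register(bindings: Dict[str, Binding], aor: str, contact_header: str, source: Source) -> Binding:
    """Store the binding for an AoR after a fully authenticated REGISTER (assumed done by the caller)."""
    binding = Binding(parse_contact(contact_header), source)
    bindings[aor] = binding
    return binding


def can_skip_auth(bindings: Dict[str, Binding], aor: str, contact_header: str, source: Source) -> bool:
    """True only if the re-REGISTER repeats the stored Contact and comes from the same ip:port.
    Comparing the port, not just the address, is what keeps another UA behind the same
    NAT external address from reusing this AoR's binding without a password."""
    prev = bindings.get(aor)
    if prev is None:
        return False
    return prev.contact == parse_contact(contact_header) and prev.source == source


if __name__ == "__main__":
    table: Dict[str, Binding] = {}
    aor, hdr = "sip:alice@example.org", "<sip:alice@10.0.0.5:5060>;expires=3600"
    register(table, aor, hdr, ("203.0.113.7", 43210))           # constructed sample values
    print(can_skip_auth(table, aor, hdr, ("203.0.113.7", 43210)))  # same binding: True
    print(can_skip_auth(table, aor, hdr, ("203.0.113.7", 51000)))  # same NAT, other port: False
```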



