[SR-Users] rtpengine and security
rfuchs at sipwise.com
Wed Apr 22 01:22:20 CEST 2015
On 21/04/15 11:04 AM, GG GG wrote:
> what do you think about opening all RTP ports for rtpengine on Internet,
> is it a bad practice ?
> I wonder if it's possible to use rtpengine with all ports closed.
Not sure what you mean with "ports closed." How would rtpengine, or any
other RTP proxy/client for that matter, receive any media traffic if the
ports are closed?
> Maybe someone could explain how rtpengine learn the source address when
> the SDP contains a local address.
For the first 2-3 seconds after the media session has been established,
it listens for incoming UDP packets and will learn the endpoint address
from the source address of the received packets. After 2-3 seconds this
learning stops and the endpoint is locked in place.
> If your rtpengine server is under attack, could rtpengine choose the
> wrong ip source for RTP ?
If the attacker is fast enough, yes. You can disable learning of
endpoint addresses using the asynchronous flag, but obviously this will
break NAT'd media. You can also use the strict-source flag to make
rtpengine drop packets received from a mismatched source address.
More information about the sr-users