[SR-Users] rtpengine and security

GG GG ggcoding at gmail.com
Wed Apr 22 04:40:49 CEST 2015


By port closed, I mean that ports are normally closed, but when rtpengine
sends the first RTP packets to the client, it opens a pinhole in the
firewall, and the matching incoming packets from the client will make the
connection ESTABLISHED,RELATED in iptables. I think symmetric NAT permits
that.

But now I'm thinking that it's impossible for rtpengine to know the
client's destination port at the learning phase if the client's RTP packets
can't reach rtpengine.

Rtpengine can learn the IP address from kamailio through the --sip-source
CLI switch, but can't guess the port, right?

So, playing with ESTABLISHED,RELATED is not possible.

> If the attacker is fast enough, yes. You can disable learning of
> endpoint addresses using the asynchronous flag, but obviously this will
> break NAT'd media. You can also use the strict-source flag to make
> rtpengine drop packets received from a mismatched source address.

So if I don't use the strict-source flag, an attacker could merge any garbage
data into an existing RTP stream?

Thanks.
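The endpoint-learning race and the effect of the strict-source flag raised in the quoted reply above, as an added illustration that is not part of the original thread and not rtpengine's own code. It is a deliberately simplified model: the `MediaLeg` class, the `strict_source` attribute and the sample addresses and packets are all constructed here, and the assumption is only that the far-end endpoint is taken from the first packet seen and that strict mode drops packets whose source does not match it.

```python
"""Simplified model of relay-side endpoint learning and a strict-source check.

Added illustration for the thread above, not rtpengine code.  The class names,
the strict_source flag and all addresses/packets below are constructed.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Packet:
    src: Addr        # (ip, port) the packet arrived from
    payload: bytes


@dataclass
class MediaLeg:
    """One direction of a relayed RTP stream."""

    signalled: Addr                     # address from SDP (may be a private, NAT'd one)
    strict_source: bool = False         # constructed analogue of the strict-source flag
    learned: Optional[Addr] = None      # endpoint learned from the first packet received
    forwarded: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)

    def receive(self, pkt: Packet) -> bool:
        """Return True if the packet is accepted into the stream."""
        # Learning phase: whoever sends the first packet defines the endpoint.
        # This is the race the reply refers to: a fast third party can win it.
        if self.learned is None:
            self.learned = pkt.src
        # Strict mode: only the learned endpoint may feed this stream.
        if self.strict_source and pkt.src != self.learned:
            self.dropped.append(pkt)
            return False
        # Permissive mode: any source is accepted, so unrelated traffic
        # gets merged into the relayed stream.
        self.forwarded.append(pkt)
        return True


# Constructed sample addresses (RFC 5737 documentation ranges).
SIGNALLED: Addr = ("203.0.113.10", 40000)   # what SDP claimed
CLIENT: Addr = ("198.51.100.7", 50000)      # the client's real post-NAT address
ROGUE: Addr = ("192.0.2.99", 6000)          # an unrelated third-party source

LEGIT: List[Packet] = [Packet(CLIENT, b"rtp-1"), Packet(CLIENT, b"rtp-2")]
ROGUE_PKT = Packet(ROGUE, b"garbage")


def relay(strict_source: bool, packets: List[Packet]) -> MediaLeg:
    """Feed packets through one media leg and return it for inspection."""
    leg = MediaLeg(signalled=SIGNALLED, strict_source=strict_source)
    for pkt in packets:
        leg.receive(pkt)
    return leg


def forwarded_sources(strict_source: bool, packets: List[Packet]) -> List[Addr]:
    """Source addresses of the packets that ended up in the relayed stream."""
    return [p.src for p in relay(strict_source, packets).forwarded]


if __name__ == "__main__":
    print("permissive:", forwarded_sources(False, LEGIT + [ROGUE_PKT]))
    print("strict:    ", forwarded_sources(True, LEGIT + [ROGUE_PKT]))
    print("race lost: ", forwarded_sources(True, [ROGUE_PKT] + LEGIT))
```

The three runs show the two points from the reply: without the strict check the rogue packet is forwarded alongside the client's packets, with it the rogue packet is dropped, and if the rogue source sends first it is the one that gets learned, so strict mode then drops the real client instead. That last case is the reason the flag helps but does not by itself close the learning-phase window.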