[SR-Users] rtpengine and security

Ben Langfeld ben at langfeld.co.uk
Wed Apr 22 14:55:33 CEST 2015


You might want to read up on ICE (STUN & TURN) and SRTP / DTLS which
broadly resolve your issues.

On 21 April 2015 at 23:40, GG GG <ggcoding at gmail.com> wrote:

> By port closed, I mean that ports are normally closed, but when rtpengine
> sends the first RTP packets to the client, it opens a pinhole in the
> firewall, and the matching incoming packets from the client will make the
> connection ESTABLISHED,RELATED in iptables. I think symmetric NAT permits
> that.
>
> But now I'm thinking that it's impossible for rtpengine to know the
> client's destination port at the learning phase if the client's rtp packets
> can't reach rtpengine.
>
> rtpengine can learn the IP address from Kamailio through the --sip-source
> CLI switch, but can't guess the port, right?
>
> So, playing with ESTABLISHED,RELATED is not possible.
>
> > If the attacker is fast enough, yes. You can disable learning of
> > endpoint addresses using the asynchronous flag, but obviously this will
> > break NAT'd media. You can also use the strict-source flag to make
> > rtpengine drop packets received from a mismatched source address.
>
> So if I don't use the strict-source flag, an attacker could merge any garbage
> data into an existing RTP stream?
>
> Thanks.
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
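As an added illustration (not rtpengine's code and not part of the thread), the following Python model shows the endpoint-handling behaviour discussed above: the relay learns the far end from the first packet it sees, a mismatched source is forwarded unless strict checking is on, and the learned endpoint becomes where outbound media is sent. `learn=False` stands in for disabling endpoint learning and `strict_source` for the strict-source flag; all addresses and the packet sequences are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int

@dataclass
class MediaLeg:
    signalled: Endpoint            # address:port advertised in the SDP
    learn: bool = True             # learn the real endpoint from the first packet seen
    strict_source: bool = False    # drop packets whose source does not match
    learned: Optional[Endpoint] = None

    def destination(self) -> Endpoint:
        """Where the relay sends media for this leg: learned endpoint if any, else SDP."""
        return self.learned or self.signalled

    def accept(self, src: Endpoint) -> bool:
        """Decide whether an inbound packet from src is forwarded to the other leg."""
        if self.learn and self.learned is None:
            self.learned = src         # first packet wins: NAT-friendly, but whoever is first owns the leg
            return True
        if src == self.destination():
            return True
        return not self.strict_source  # mismatched source: forwarded unless strict

# Constructed sample endpoints (hypothetical values).
CLIENT_SDP = Endpoint("203.0.113.10", 4000)   # what the client signalled in SDP
CLIENT_NAT = Endpoint("203.0.113.10", 53012)  # same client, NAT rewrote the source port
ROGUE      = Endpoint("198.51.100.7", 6000)   # unrelated third party

def simulate(learn: bool, strict_source: bool,
             packets: List[Tuple[str, Endpoint]]) -> Dict[str, object]:
    """Run a packet sequence through one leg; return per-packet decisions and final destination."""
    leg = MediaLeg(CLIENT_SDP, learn=learn, strict_source=strict_source)
    decisions: Dict[str, object] = {name: leg.accept(src) for name, src in packets}
    decisions["destination"] = leg.destination()
    return decisions

ROGUE_FIRST = [("rogue-first", ROGUE), ("client", CLIENT_NAT), ("rogue-later", ROGUE)]
CLIENT_FIRST = [("client", CLIENT_NAT), ("rogue", ROGUE)]

if __name__ == "__main__":
    for learn, strict in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"learn={learn} strict_source={strict}:", simulate(learn, strict, ROGUE_FIRST))
```

With learning on and strict checking off, every packet is forwarded and media is redirected to whichever source arrived first; strict checking alone only helps if the legitimate client's packet arrives before the other source, while disabling learning keeps the SDP destination but drops the NAT'd client's packets.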