
List:       netfilter-devel
Subject:    Re: lib_RTPPROXY module
From:       <rdenis () simphalempin ! com>
Date:       2007-06-27 18:57:27
Message-ID: 200706272157.30448 () auguste ! remlab ! net


On Wednesday 27 June 2007, Tomas Mandys wrote:
> Hi,
> so I've finally "finished" work on RTPPROXY module, it seems it works
> now for kernel 2.6.17.8.
(...)
> http://www.2p.cz/tmp/netfilter-rtpproxy.tgz.

 "RTP proxy is vulnerable for a while when it is waiting for data to learn
  the source address. We can decrease the probability by a reasonable
  learning timeout."

I disagree here. Do the math, or run the attack tests yourself: it takes 
quite little bandwidth to deny service to (and hijack calls from) 
a "promiscuous" RTP proxy, even with randomized port numbers within a 
large port range. 12 or even 14 bits of entropy are seldom acceptable.

Like it or not, the only "safe" ways to run SIP behind NATs require 
either encryption (e.g. SRTP), some NAT traversal mechanism on the 
clients (e.g. ICE), or an ALG within the client's own NAT.

Regards,

-- 
Rémi Denis-Courmont
http://www.remlab.net/
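As an added illustration (not part of the original thread or of the RTPPROXY module), the back-of-the-envelope calculation behind the "do the math" remark above: how much blind sender bandwidth is needed to cover a randomized port range before a source-learning window closes. It assumes a minimal 40-byte IPv4/UDP/RTP probe, a uniformly chosen port, and a window equal to the learning timeout; all numbers are constructed.

```python
"""Constructed risk calculation: how much blind-sender bandwidth a
"learn the source from the first packet" RTP proxy can withstand.

Model (assumptions): the proxy picks one UDP port uniformly from a range
of 2**entropy_bits ports, then accepts the first packet seen on that port
for up to window_s seconds (the learning timeout, or less if the legitimate
endpoint's first packet arrives sooner).  A blind sender that delivers one
minimal packet to each candidate port during that window wins with
probability (ports probed) / (ports in range)."""
import math

# IPv4 header (20) + UDP header (8) + minimal RTP header (12), no payload.
PROBE_BYTES = 40


def required_bandwidth_bps(entropy_bits, window_s, success_prob=1.0,
                           probe_bytes=PROBE_BYTES):
    """Bits per second needed to probe a fraction `success_prob` of the
    port range within `window_s` seconds (1.0 = sweep every port)."""
    if not 0.0 < success_prob <= 1.0 or window_s <= 0:
        raise ValueError("success_prob must be in (0, 1], window_s > 0")
    ports = 2 ** entropy_bits
    probes = math.ceil(success_prob * ports)
    return probes * probe_bytes * 8 / window_s


def hijack_probability(entropy_bits, window_s, attacker_bps,
                       probe_bytes=PROBE_BYTES):
    """Probability that a sender with `attacker_bps` lands a probe on the
    chosen port before the learning window closes."""
    ports = 2 ** entropy_bits
    probes = attacker_bps * window_s / (probe_bytes * 8)
    return min(1.0, probes / ports)


def risk_table(bits=(12, 14, 16), windows=(1.0, 5.0, 30.0)):
    """Bandwidth (kbit/s) for a full sweep, per entropy/window combination."""
    return {(b, w): required_bandwidth_bps(b, w) / 1000
            for b in bits for w in windows}


if __name__ == "__main__":
    for (b, w), kbps in sorted(risk_table().items()):
        print(f"{b:2d} bits, {w:4.0f} s window: full sweep needs {kbps:8.1f} kbit/s")
    # A 14-bit range with a 1 s window is fully covered by about 5 Mbit/s.
    print("P(hijack) 14 bits, 1 s, 128 kbit/s sender:",
          hijack_probability(14, 1.0, 128_000))
```

Shortening the timeout only scales the required bandwidth linearly, which is why the reply treats randomization plus a timeout as insufficient compared with SRTP, ICE or a client-side ALG.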
