lib_RTPPROXY module
Rémi Denis-Courmont
rdenis at simphalempin.com
Wed Jun 27 20:57:27 CEST 2007
On Wednesday 27 June 2007, Tomas Mandys wrote:
> Hi,
> so I've finally "finished" work on RTPPROXY module, it seems it works
> now for kernel 2.6.17.8.
(...)
> http://www.2p.cz/tmp/netfilter-rtpproxy.tgz.
"RTP proxy is vulnerable for a while when is waiting for data to learn
source address. We can decrease probability by reasonable learning
timeout."
I disagree here. Do the math, or run the attack tests yourself: it takes
quite little bandwidth to deny service to (and hijack calls from) a
"promiscuous" RTP proxy, even with randomized port numbers within a
large port range. 12 or even 14 bits of entropy are seldom acceptable.
Like it or not, the only "safe" ways to run SIP behind NATs require
either encryption (e.g. SRTP), some NAT traversal mechanism on the
clients (e.g. ICE), or an ALG within the client's own NAT.
Regards,
--
Rémi Denis-Courmont
http://www.remlab.net/
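
The "do the math" estimate above, as an added example that is not part of the original message or of the RTPPROXY module. It assumes a simplified model: the proxy picks its port uniformly from 2^bits ports, latches onto the first packet seen during the learning window, and blind packets are spread uniformly over the range; all function names and the 40-byte packet size are assumptions.

```python
import math

# Assumed model (not taken from the RTPPROXY code): blind packets are spread
# uniformly over a range of 2**port_bits UDP ports, and the proxy latches onto
# the first source it sees on a port during the learning window.

def hit_probability(port_bits, rate_pps, window_s, learning_ports=1):
    """Probability that at least one blind packet lands on a port that is
    still learning its peer address (Poisson approximation)."""
    ports = 2 ** port_bits
    expected_hits = rate_pps * window_s * learning_ports / ports
    return 1.0 - math.exp(-expected_hits)

def rate_for_probability(port_bits, target_p, window_s, learning_ports=1):
    """Packet rate (packets/s) at which hit_probability() reaches target_p."""
    ports = 2 ** port_bits
    return -math.log(1.0 - target_p) * ports / (window_s * learning_ports)

def bandwidth_bps(rate_pps, packet_bytes=40):
    """Bits per second on the wire. 40 bytes is an assumed minimal packet:
    20 (IPv4) + 8 (UDP) + 12 (RTP header), no payload."""
    return rate_pps * packet_bytes * 8

if __name__ == "__main__":
    # How much traffic gives an even chance of poisoning one learning port,
    # for several port-range sizes and learning timeouts (constructed values).
    print("bits  window_s  pps_for_50%  Mbit/s")
    for bits in (12, 14, 16):
        for window in (0.2, 1.0, 5.0):
            rate = rate_for_probability(bits, 0.5, window)
            mbit = bandwidth_bps(rate) / 1e6
            print(f"{bits:4d}  {window:8.1f}  {rate:11.0f}  {mbit:6.2f}")
```

Under these assumptions the required rate grows only linearly with the size of the port range and shrinks linearly with the learning timeout and with the number of ports learning at once, so neither a short timeout nor a few extra bits of port entropy changes the picture much.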