On Tue, Sep 26, 2017 at 11:27 AM, Guido Falsi <madpilot_at_freebsd.org> wrote:
> On 09/26/2017 10:35, O. Hartmann wrote:
>
> > of the RTP connection doesn't make it through IPFW/NAT. As often I search the
> > net, I always get informed this is a typical problem and solutions are
> > provided by so-called ALGs - since SIP protocol's SDP indicates within the
>
> This would require coding it in IPFW, and the load on the firewall could
> be significant.
>
> It could be done in userland maybe, leveraging divert(4) and having a
> daemon listening there and doing the extra work, but this would be quite
> expensive. Depending on your call volume the load could be too much for
> your firewall.
>

SIP headers like Proxy-Authorization need to send a cryptographic quality hash of data that includes the password and the SDP when qop=auth-int, and the ALG needs to change the IP address and port in the SDP, which changes this hash. The ALG would have to know your password to calculate the new hash. A SIP ALG can thus only work with the weaker qop=auth protection, which doesn't hash the SDP and is thus less secure (MITM attacks can capture/modify RTP in transit), and even then it would have to be careful not to change the SIP headers which are included in the hash. Since it is the provider that chooses the allowed qop, a general SIP ALG is impossible unless the ALG knows the password. Linux has a SIP ALG in iptables, and it's full of problems and best disabled.

Received on Wed Sep 27 2017 - 10:13:22 UTC
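The reply above says that with qop=auth-int the Digest response covers the SDP body, so an ALG that rewrites the media address invalidates it. The following is an added example, not code from this thread: it applies the RFC 2617 Digest formulas that SIP (RFC 3261) reuses, with constructed credentials, nonce and addresses, and shows the ALG's rewrite breaking the auth-int response while leaving the auth response untouched.

```python
# Added example (not from the mailing-list thread). All credentials, nonces
# and addresses below are constructed sample values; the hash formulas are
# those of HTTP Digest (RFC 2617), which SIP reuses for Proxy-Authorization.
import hashlib

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop, body):
    """Compute the Digest 'response' value for the given qop.

    HA1 = MD5(user:realm:password)
    HA2 = MD5(method:uri)                  for qop=auth
    HA2 = MD5(method:uri:MD5(body))        for qop=auth-int (body = SDP)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    """
    ha1 = md5hex(f"{user}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5hex(f"{method}:{uri}:{md5hex(body)}")
    elif qop == "auth":
        ha2 = md5hex(f"{method}:{uri}")
    else:
        raise ValueError("unsupported qop")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Constructed SDP body as sent from inside the NAT: private address and port.
SDP_INSIDE = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def alg_rewrite(sdp: str, old_ip: str, new_ip: str, old_port: int, new_port: int) -> str:
    """What a SIP ALG does to the SDP: patch the media address and port."""
    return sdp.replace(old_ip, new_ip).replace(f"m=audio {old_port}", f"m=audio {new_port}")

def alg_breaks_auth(qop: str) -> bool:
    """True if the ALG's SDP rewrite invalidates the Digest response for this qop."""
    params = dict(user="alice", realm="sip.example", password="hunter2", method="INVITE",
                  uri="sip:bob@sip.example", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  nc="00000001", cnonce="0a4f113b")
    original = digest_response(**params, qop=qop, body=SDP_INSIDE)
    rewritten = alg_rewrite(SDP_INSIDE, "192.0.2.10", "198.51.100.7", 49170, 61000)
    # The far end recomputes the response over the body it actually received.
    recomputed = digest_response(**params, qop=qop, body=rewritten)
    return original != recomputed  # auth-int -> True, auth -> False
```

The ALG cannot repair the auth-int response because doing so needs HA1, which contains the password; the provider's choice of qop therefore decides whether any ALG can work at all.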