You might want to read up on ICE (STUN & TURN) and SRTP / DTLS which broadly resolve your issues.
On 21 April 2015 at 23:40, GG GG <ggcod...@gmail.com> wrote:
> By port closed, I mean that ports are normally closed, but when rtpengine
> sends the first RTP packets to the client, it opens a pinhole in the
> firewall, and the matching incoming packets from the client will make the
> connection ESTABLISHED,RELATED in iptables. I think symmetric NAT permits
> that.
>
> But now I'm thinking that it's impossible for rtpengine to know the
> client's destination port at the learning phase if the client's RTP packets
> can't reach rtpengine.
>
> Rtpengine can learn the IP address from kamailio through the --sip-source
> CLI switch, but can't guess the port, right?
>
> So, playing with ESTABLISHED,RELATED is not possible.
>
> > If the attacker is fast enough, yes. You can disable learning of
> > endpoint addresses using the asynchronous flag, but obviously this will
> > break NAT'd media. You can also use the strict-source flag to make
> > rtpengine drop packets received from a mismatched source address.
>
> So if I don't use the strict-source flag, an attacker could merge any
> garbage data into an existing RTP stream?
>
> Thanks.
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
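The quoted question asks whether an attacker who can reach the relay's media port can inject packets into a stream, and the quoted answer names three behaviours: default endpoint learning, strict-source (drop mismatched sources) and asynchronous (no learning, which breaks NAT'd media). The model below is an added example written for this page; it is not rtpengine code, and the three modes only mirror the names of those flags with simplified semantics of my own. The IP addresses are constructed from documentation ranges. It also shows why the suggestion to use SRTP matters: an endpoint that verifies an authentication tag discards the injected packet even when the relay forwarded it. The tag here is a plain HMAC over the payload, a stand-in for SRTP's real authentication (which covers the header too and uses derived session keys).

```python
"""Toy model of media-relay endpoint learning and RTP injection (added example,
not rtpengine's own logic). Addresses are constructed from documentation ranges."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    payload: bytes

    @property
    def src(self):
        return (self.src_ip, self.src_port)


class Relay:
    """One direction of a relay.  Mode names mirror the flags in the thread,
    but the semantics are this model's simplification, not rtpengine's:
      'learn'  - adopt the first source seen as the peer, forward everything after
      'strict' - learn as above, then drop packets whose source differs from it
      'async'  - never learn; only the signaled (SDP) address is accepted and used
    """

    def __init__(self, signaled, mode="learn"):
        self.signaled = signaled      # (ip, port) taken from SDP / SIP source
        self.mode = mode
        self.learned = None
        self.forwarded = []
        self.dropped = []

    def peer(self):
        """Where the relay sends the other leg's media."""
        if self.mode == "async" or self.learned is None:
            return self.signaled
        return self.learned

    def receive(self, pkt):
        if self.mode == "async":
            if pkt.src != self.signaled:
                self.dropped.append(pkt)
                return False
        elif self.learned is None:
            self.learned = pkt.src     # learning phase: the first packet wins the race
        elif self.mode == "strict" and pkt.src != self.learned:
            self.dropped.append(pkt)
            return False
        self.forwarded.append(pkt.payload)
        return True


# Constructed sample endpoints.
SIGNALED = ("198.51.100.10", 20000)   # what the client's SDP advertises
NATTED = ("203.0.113.5", 41234)       # what the relay actually sees from a NAT'd client
ATTACKER = ("192.0.2.66", 50000)      # attacker who can reach the relay's media port

TAG_LEN = 10   # SRTP's default tag length (80 bits); simplified HMAC stand-in


def protect(key, payload):
    """Append an authentication tag (stand-in for SRTP protection at the sender)."""
    return payload + hmac.new(key, payload, hashlib.sha1).digest()[:TAG_LEN]


def unprotect(key, data):
    """Endpoint-side check: the payload if the tag verifies, else None."""
    if len(data) < TAG_LEN:
        return None
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]
    return body if hmac.compare_digest(tag, expected) else None


def run(mode, client_behind_nat=True, attacker_first=True, key=None):
    """Attacker and client each send one packet; report what the relay did and,
    if a key is given, what an authenticating endpoint accepts from the output."""
    relay = Relay(SIGNALED, mode)
    client_src = NATTED if client_behind_nat else SIGNALED
    client_payload = protect(key, b"rtp1") if key else b"rtp1"
    attacker = Packet(*ATTACKER, b"garbage")
    client = Packet(*client_src, client_payload)
    for p in ([attacker, client] if attacker_first else [client, attacker]):
        relay.receive(p)
    accepted = None
    if key:
        accepted = [x for x in (unprotect(key, d) for d in relay.forwarded) if x]
    return {"forwarded": relay.forwarded, "peer": relay.peer(),
            "dropped": [p.payload for p in relay.dropped],
            "accepted_by_endpoint": accepted}


if __name__ == "__main__":
    for args in [("learn",), ("strict",), ("strict", True, False), ("async",),
                 ("async", False), ("learn", True, True, b"\x11" * 16)]:
        print(args, run(*args))
```

Running it shows the cases from the thread side by side: in `learn` mode an attacker who sends first becomes the learned peer and its garbage is forwarded, so the answer to the quoted question is yes; `strict` helps only if the legitimate client wins the race, otherwise the client itself is the mismatched source that gets dropped; `async` drops the attacker but also the NAT'd client, since its observed source never matches the SDP address. With the HMAC check at the endpoint, the forwarded garbage is discarded regardless of relay mode, which is the reason the reply points at SRTP/DTLS rather than at source filtering alone.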