On Wednesday 27 June 2007, Tomas Mandys wrote:
> Hi,
> so I've finally "finished" work on RTPPROXY module, it seems it works
> now for kernel 2.6.17.8.
(...)
> http://www.2p.cz/tmp/netfilter-rtpproxy.tgz.

"RTP proxy is vulnerable for a while when is waiting for data to learn
source address. We can decrease probability by reasonable learning
timeout."

I disagree here. Do the math, or run the attack tests yourself, it takes
quite little bandwidth to denial (and hijack calls from) a "promiscuous"
RTP proxy, even with randomized port numbers within a large port range.
12 or even 14 bits of entropy are seldom acceptable.

Like it or not, the only "safe" ways to run SIP behind NATs require
either encryption (e.g. SRTP), some NAT traversal mechanism on the
clients (e.g. ICE) or an ALG within the client's own NAT.

Regards,
--
Rémi Denis-Courmont
http://www.remlab.net/
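
The "do the math" argument above, worked as a risk estimate. This is an added example, not part of the original message or of the RTPPROXY module; it assumes the proxy picks its port uniformly from 2**bits ports and latches onto the first source seen during the learning window, and all function names are hypothetical.

```python
# Assumed model (not from the original message): the proxy picks its media
# port uniformly from 2**bits ports and learns the first source address that
# sends to that port while the learning window is open.
MIN_RTP_PACKET_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP fixed header, no payload


def hit_probability(bits, window_s, rate_pps, sweep=True):
    """Chance that at least one unsolicited packet reaches the learning port."""
    ports = 2 ** bits
    packets = rate_pps * window_s
    if sweep:
        # Each port is probed at most once during the window.
        return min(1.0, packets / ports)
    # Ports chosen independently at random, repeats possible.
    return 1.0 - (1.0 - 1.0 / ports) ** packets


def bandwidth_for(bits, window_s, target_p, packet_bytes=MIN_RTP_PACKET_BYTES):
    """Bit rate (bit/s) at which a sweep reaches target_p within the window."""
    ports = 2 ** bits
    rate_pps = target_p * ports / window_s
    return rate_pps * packet_bytes * 8


def risk_table(bit_choices=(12, 14, 16), windows=(0.5, 2.0, 10.0), target_p=0.5):
    """Rows of (entropy bits, learning window in s, kbit/s for target_p)."""
    rows = []
    for bits in bit_choices:
        for window_s in windows:
            kbps = bandwidth_for(bits, window_s, target_p) / 1e3
            rows.append((bits, window_s, kbps))
    return rows


if __name__ == "__main__":
    for bits, window_s, kbps in risk_table():
        print(f"{bits:2d} bits, {window_s:4.1f} s window: "
              f"{kbps:9.1f} kbit/s for a 50% hit chance")
```

Under these assumptions, shortening the learning timeout raises the required rate only linearly, while each extra bit of port entropy merely doubles it.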