From: "Rémi Denis-Courmont" <rdenis@simphalempin.com>
To: "Tomas Mandys" <tomas.mandys@2p.cz>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: lib_RTPPROXY module
Date: Wed, 27 Jun 2007 21:57:27 +0300 [thread overview]
Message-ID: <200706272157.30448@auguste.remlab.net> (raw)
In-Reply-To: <002901c7b8e9$7f806480$1401a8c0@nyala>
[-- Attachment #1: Type: text/plain, Size: 918 bytes --]
Le mercredi 27 juin 2007, Tomas Mandys a écrit :
> Hi,
> so I've finally "finished" work on RTPPROXY module, it seems it works
> now for kernel 2.6.17.8.
(...)
> http://www.2p.cz/tmp/netfilter-rtpproxy.tgz.
"RTP proxy is vulnerable for a while when is waiting for data to learn
source address. We can decrease probability by reasonable learning
timeout."
I disagree here. Do the math, or run the attack tests yourself, it takes
quite little bandwidth to denial (and hijack calls from)
a "promiscuous" RTP proxy, even with randomized ports numbers within a
large port range. 12 or even 14 bits of entropy are seldom acceptable.
Like it or not, the only "safe" ways to run SIP behind NATs requires
either, encryption (e.g. SRTP), some NAT traversal mechanism on the
clients (e.g. ICE) or an ALG within the client's own NAT.
Regards,
--
Rémi Denis-Courmont
http://www.remlab.net/
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
next prev parent reply other threads:[~2007-06-27 18:57 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-08 23:13 RTP proxy module Tomas Mandys
2006-10-09 3:47 ` Glen Turner
2006-10-10 4:59 ` Patrick McHardy
2006-10-10 7:51 ` Tomas Mandys
2006-10-11 10:07 ` Patrick McHardy
2007-06-27 18:32 ` lib_RTPPROXY module Tomas Mandys
2007-06-27 18:55 ` Jan Engelhardt
2007-06-27 18:57 ` Rémi Denis-Courmont [this message]
-- strict thread matches above, loose matches on Subject: below --
2007-06-30 17:08 2.6.22-rc6: local_bh_enable warning Russell King
2007-07-02 14:09 ` lib_RTPPROXY module Tomas Mandys
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200706272157.30448@auguste.remlab.net \
--to=rdenis@simphalempin.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=tomas.mandys@2p.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.