[Spce-user] always_use_rtpproxy
Graham Nelson-Zutter
grahamsnz at gmail.com
Mon Jun 3 15:53:31 EDT 2013
Hi John and Andrew,
This does not relate to ICE support with rtpproxy, but it might be relevant.
Although it provides less flexibility, from a security perspective, it could make more sense to keep the ‘always_use_rtpproxy’ under the Domain Preferences, under admin-only control.
If a subscriber's account has been compromised, there is a chance that the account could be set to ‘always_use_rtpproxy’ = never. This could potentially allow for SIP INVITE SDP spoofing where RTP could be set to transmit from an unauthorized, outside IP.
My understanding is that having ‘always_use_rtpproxy’ = always forces your sipwise:ce server to be in the middle of the RTP path. This eliminates the possibility for RTP to pass through an unauthorized IP.
Perhaps this scenario is a little paranoid based on my experiences. I'd love to hear opinions anyone on the list might have on this subject.
thanks,
Graham
On 2013-06-03, at 11:06 AM, Andrew Pogrebennyk <apogrebennyk at sipwise.com> wrote:
> John,
>
> On 06/03/2013 04:12 PM, John Murray wrote:
>> The subscriber preferences ‘always_use_rtpproxy’ and
>> ‘never_use_rtpproxy’ seem to have disappeared in version 2.8.
>>
>> Is this intentional? What is the default behaviour now?
>
> There is a use_rtpproxy preference with drop-down list of all possible
> modes in 2.8. The default is use rtpproxy and do not add any ICE candidates.
>
>> Also OPTIONS pings from peers to an unknown domain would give ‘403
>> Domain not served here’ on 2.7 and before whereas now there is no response.
>>
>> This causes my peers to see the SPCE as down. Unfortunately I can’t
>> enter the domain as the peer uses ‘To: sip:ping at skyrack2’ which is a
>> format I can’t enter and they claim this is a limitation of their SBC.
>>
>> Is this a security mechanism?
>
> I think that's how Jon wanted it to work. I'll have to search the
> archives for his posts on this subject or wait for him to comment :o)
>
> Andrew
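The condition raised in the message above, RTP negotiated toward an address other than the server's media relay, can be audited from the SDP bodies the server forwards. This is an added example, not part of the original thread and not sipwise code; the relay address, the function names and the sample SDP are constructed assumptions.

```python
import ipaddress

# Assumption: address of the media relay (rtpproxy); constructed documentation IP.
RELAY_ADDRS = {ipaddress.ip_address("192.0.2.10")}

def media_addresses(sdp):
    """Return [(media, port, address)]; a media-level c= overrides the session c=."""
    session_addr, current, out = None, None, []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            current = [parts[0], int(parts[1].split("/")[0]), session_addr]
            out.append(current)
        elif line.startswith("c="):
            fields = line[2:].split()          # e.g. IN IP4 192.0.2.10
            if len(fields) != 3 or fields[0] != "IN":
                continue
            addr = fields[2].split("/")[0]     # drop multicast TTL/count suffix
            if current is None:
                session_addr = addr            # session-level default
            else:
                current[2] = addr              # media-level override
    return [tuple(m) for m in out]

def off_relay_streams(sdp, relay=RELAY_ADDRS):
    """List active media streams whose connection address is not the relay."""
    flagged = []
    for media, port, addr in media_addresses(sdp):
        if port == 0:                          # disabled stream, no RTP flows
            continue
        try:
            ok = addr is not None and ipaddress.ip_address(addr) in relay
        except ValueError:                     # hostname or malformed address
            ok = False
        if not ok:
            flagged.append((media, port, addr))
    return flagged

# Constructed sample: session c= names the relay, the audio stream overrides it.
SDP_DIRECT = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
m=audio 40000 RTP/AVP 0
c=IN IP4 203.0.113.77
m=video 0 RTP/AVP 31
"""
```

The media-level `c=` line is the case worth checking: a session-level address that names the relay says nothing about a stream that overrides it.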