On Fri, Sep 1, 2017, at 09:01 AM, Dave Topping wrote:
> http://www.theregister.co.uk/2017/09/01/asterisk_admin_patch/

This specific issue exists in a lot of different implementations and devices. Unfortunately there's nothing within SDP that guarantees or provides what the source of media should be for most things. You can guess that where you are sending (what you are told in the SDP) is the correct source, but in the case of NAT that isn't true. Using SRTP is one way to work around this as mentioned on the disclosure[1] from the reporter.

I'm sure the strict RTP implementation will evolve even further, but we also have to ensure that we don't just start blocking all RTP so people can't actually place calls. It's certainly a challenge.

This is one of the things that WebRTC got right - information is conveyed that allows you to verify that the sender of media is who you expect.

[1] https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
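
Added example, not part of the original message and not Asterisk's strict RTP code: it contrasts accepting media by the address given in SDP with accepting it by a per-packet authentication tag, the property SRTP provides. The tag here is a simplified stand-in (HMAC-SHA1 truncated to 80 bits, no encryption or rollover counter); all names, keys, addresses and packets are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 10  # 80-bit tag, the length of SRTP's default HMAC-SHA1 tag


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port) the packet actually arrived from
    data: bytes  # RTP header + payload, with the tag appended if protected


def protect(key: bytes, rtp: bytes) -> bytes:
    """Sender side: append a truncated HMAC over the RTP packet (simplified)."""
    return rtp + hmac.new(key, rtp, hashlib.sha1).digest()[:TAG_LEN]


def accept_by_sdp_address(pkt: Packet, sdp_addr: tuple) -> bool:
    """Guess that the address advertised in SDP is where media comes from."""
    return pkt.src == sdp_addr


def accept_by_auth_tag(pkt: Packet, key: bytes) -> bool:
    """Ignore the source address; accept only packets carrying a valid tag."""
    if len(pkt.data) <= TAG_LEN:
        return False
    body, tag = pkt.data[:-TAG_LEN], pkt.data[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def evaluate(packets: dict, sdp_addr: tuple, key: bytes) -> dict:
    """Return {name: (accepted_by_address, accepted_by_tag)} for each packet."""
    return {name: (accept_by_sdp_address(p, sdp_addr), accept_by_auth_tag(p, key))
            for name, p in packets.items()}


# Constructed sample data (assumptions, not taken from the thread).
KEY = bytes(range(16))                        # session key agreed in signalling
SDP_ADDR = ("192.168.1.20", 40000)            # private address the peer put in SDP
RTP = bytes([0x80, 0x00, 0x00, 0x01]) + bytes(8) + bytes(20)  # 12-byte header + payload
SAMPLES = {
    "peer_direct": Packet(SDP_ADDR, protect(KEY, RTP)),
    "peer_behind_nat": Packet(("203.0.113.7", 51234), protect(KEY, RTP)),
    "unrelated_sender": Packet(("198.51.100.9", 40000), RTP + bytes(TAG_LEN)),
}
RESULTS = evaluate(SAMPLES, SDP_ADDR, KEY)

if __name__ == "__main__":
    for name, (by_addr, by_tag) in RESULTS.items():
        print(f"{name:17} address check: {by_addr!s:5}  tag check: {by_tag}")
```

The address check drops the legitimate peer once NAT rewrites its source, while the tag check accepts that peer from any address and rejects a sender that does not hold the key.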
