On Sun, May 9, 2010 at 5:35 AM, Robert Hoffmann <[email protected]> wrote:

>> It (ALG) gets in the way of sipx in trying to negotiate the sip
>> registration or media.
>
> I am a little confused now - when I started gathering info on SIP PBX
> deployment an ALG / B2B-UA made sense for me as a means of only opening as
> few inbound / outbound ports as possible (which is a good thing, right?).

You can adjust this setting in sipx dependent upon your needs, but the RTP
would not be established until the signalling in sipx actually happens (i.e.
a legitimate call had been established). RTP does not get used by itself; it
is wholly dependent upon signalling and call establishment first.

> My ALG would basically work as an SBC that acts like a virtual endpoint for
> incoming calls, effectively protecting sipX from getting swamped with
> illegitimate RTP streams (i.e. a DOS attack) because the ALG only opens the
> ports negotiated in the SDP. If I got you right - please correct me here -
> you suggest that the typical approach for deploying sipX is more or less
> exposing it with 1001 port forwardings (SIP 5060 + RTP 30000 - 31000) and no
> outbound port firewall rules (as any destination port number may be needed
> for SIP signaling or RTP streams). Would you really do that in a
> professional environment? This may sound like criticism but the truth is
> that I have absolutely no clue. :-) Please enlighten me!

Yes, this is correct that you would "really do that". You are incorrect in
thinking the RTP is "just open". It is open and points to sipx. sipx will not
respond to an RTP port probe or anything of the like. A signalling transaction
(INVITE) has to occur, and a call has to be authorized in order for the RTP
stream to be offered and used. Putting an ALG (proxy) in front of a proxy is
not a good idea. Simply put, use a REAL SBC (Ingate, OpenSBC, etc.). Your Zyxel
modem is light years away from being an SBC. It was not designed to be a B2BUA
or an SBC, just a way to rewrite ports of specific types.

You think that opening ports for RTP is a security risk and will prevent a DoS
attack. You miss the point: these are "uninvolved" in a DoS attack. Port 5060 is
typically the port of interest in a DoS attack, to which sipx has its own
permissions (authentication would be required to place outbound calls). There
is no way with SIP to really firewall or filter an illegitimate "INVITE" if your
system is designed to be able to receive calls from any SIP based system. If
the INVITE comes in, it would simply do a "404" if the called party in the
INVITE was not real. Your ALG cannot prevent against that either. RTP is never
established, so how would the RTP ports be of a concern?

>> Leaving it on will result in broken media for remote users as well as any
>> itsp calls. It is a big fat no-no.
>
> How would a SIP carrier use sipX if it were incompatible with SBCs due to the
> fact that you cannot "dumb it down"? Maybe I did not understand the scope /
> goal of sipX?

sipx is designed for enterprises, not carriers. Even so, some enterprises
deploy their own SBCs in front of sipx for other reasons. A consumer modem is
not an SBC. I have never seen an instance of an enterprise trying to use a
modem as an SBC in front of any SIP based system. Stop thinking your modem is
an SBC OR a B2BUA. It's a basic residential NAT device, that's all.

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.984.8431
Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Fax: 434.984.8427

Helpdesk Contract Customers: http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
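The behaviour Tony describes above (the whole RTP range forwarded to the PBX but answering nothing until an INVITE has been accepted, a "404" for a callee that does not exist, an authentication challenge on outbound calls, and the media port coming from the SDP rather than from a firewall rule) as a toy model in Python. This is an added example written for this page, not sipXecs code: the domain, extensions, IP addresses, the placeholder digest and the 30000-31000 range are constructed, and the real INVITE/100/180/200/ACK exchange is collapsed into a single answer.

```python
"""Toy model of the point made in the thread: RTP ports are forwarded to the
PBX but answer nothing until an INVITE has been accepted, and the port used
is the one negotiated in the SDP. Added example, not sipXecs code; all
names, addresses and extensions below are constructed."""
import re

LOCAL_DOMAIN = "pbx.example.net"        # assumed domain the PBX serves
KNOWN_USERS = {"200", "201"}            # constructed extensions
RTP_PORTS = range(30000, 31001)         # the forwarded range from the thread
MEDIA_RE = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)
CONN_RE = re.compile(r"^c=IN IP4 (\S+)", re.M)


def parse_sip(raw):
    """Split a SIP request into (method, request-URI, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def status(response):
    """Numeric code from a response line such as 'SIP/2.0 404 Not Found'."""
    return int(response.split(" ", 2)[1])


class ToyPbx:
    def __init__(self):
        self.calls = {}               # local RTP port -> (peer ip, peer port)
        self._free = list(RTP_PORTS)  # forwarded ports not yet tied to a call

    def _reply(self, code, reason, headers, body=""):
        # Echo the headers a UAS must copy from the request (RFC 3261 8.2.6).
        out = [f"SIP/2.0 {code} {reason}"]
        out += [f"{h.title()}: {headers[h]}" for h in ("via", "from", "to", "call-id", "cseq")]
        if body:
            out.append("Content-Type: application/sdp")
        out.append(f"Content-Length: {len(body)}")
        return "\r\n".join(out) + "\r\n\r\n" + body

    def handle_sip(self, raw):
        """Answer one request on 5060; only INVITE is modelled, and the real
        100/180/200/ACK exchange is collapsed into a single final answer."""
        method, uri, headers, body = parse_sip(raw)
        user, _, rest = uri[len("sip:"):].partition("@")
        domain = rest.split(";")[0].split(":")[0]
        if method != "INVITE":
            return self._reply(405, "Method Not Allowed", headers)
        if domain != LOCAL_DOMAIN:
            # Outbound call: challenged, not relayed, unless credentials are present
            # (the toy checks presence only; a real proxy verifies the digest).
            if "proxy-authorization" not in headers:
                return self._reply(407, "Proxy Authentication Required", headers)
            return self._reply(100, "Trying", headers)
        if user not in KNOWN_USERS:
            return self._reply(404, "Not Found", headers)   # the "404" in the thread
        m_port, c_addr = MEDIA_RE.search(body), CONN_RE.search(body)
        if not (m_port and c_addr):
            return self._reply(488, "Not Acceptable Here", headers)
        # Only now is media tied to a port: the caller's c=/m= pair from the offer
        # is the single peer allowed to send RTP to the port in our answer.
        local = self._free.pop(0)
        self.calls[local] = (c_addr.group(1), int(m_port.group(1)))
        sdp = ("v=0\r\no=pbx 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
               f"t=0 0\r\nm=audio {local} RTP/AVP 0\r\n")
        return self._reply(200, "OK", headers, sdp)

    def handle_rtp(self, src_ip, src_port, dst_port):
        """True if a datagram on a forwarded RTP port belongs to a live call;
        False means it is dropped with no reply, so a probe learns nothing."""
        return self.calls.get(dst_port) == (src_ip, src_port)


def invite(user, domain=LOCAL_DOMAIN, peer_ip="203.0.113.7", peer_port=49170, auth=False):
    """Constructed INVITE from an external endpoint (sample data, not captured traffic)."""
    hdrs = [f"INVITE sip:{user}@{domain} SIP/2.0",
            f"Via: SIP/2.0/UDP {peer_ip}:5060;branch=z9hG4bK776asdhds",
            f"From: <sip:caller@{peer_ip}>;tag=1928301774", f"To: <sip:{user}@{domain}>",
            "Call-ID: a84b4c76e66710", "CSeq: 314159 INVITE", "Content-Type: application/sdp"]
    if auth:  # placeholder digest; the response value is not a real hash
        hdrs.append('Proxy-Authorization: Digest username="200", realm="pbx.example.net", '
                    'nonce="c0ffee", response="00000000000000000000000000000000"')
    sdp = (f"v=0\r\no=caller 1 1 IN IP4 {peer_ip}\r\ns=-\r\nc=IN IP4 {peer_ip}\r\n"
           f"t=0 0\r\nm=audio {peer_port} RTP/AVP 0 8\r\n")
    hdrs.append(f"Content-Length: {len(sdp)}")
    return "\r\n".join(hdrs) + "\r\n\r\n" + sdp


def demo():
    """The scenarios from the thread, run against the toy; returns the outcomes."""
    pbx = ToyPbx()
    out = {"probe_before_call": pbx.handle_rtp("198.51.100.9", 40000, 30000),
           "unknown_user": status(pbx.handle_sip(invite("999"))),
           "outbound_no_auth": status(pbx.handle_sip(invite("5551234", domain="itsp.example.com"))),
           "outbound_with_auth": status(pbx.handle_sip(invite("5551234", domain="itsp.example.com", auth=True)))}
    ok = pbx.handle_sip(invite("200"))
    out["known_user"] = status(ok)
    out["negotiated_port"] = int(MEDIA_RE.search(ok).group(1))
    out["rtp_from_peer"] = pbx.handle_rtp("203.0.113.7", 49170, out["negotiated_port"])
    out["rtp_from_stranger"] = pbx.handle_rtp("198.51.100.9", 49170, out["negotiated_port"])
    return out
```

Calling `demo()` shows the sequence the reply argues: a datagram to 30000 before any call is simply dropped, an INVITE for extension 999 draws a 404, an INVITE towards another domain draws a 407 until credentials are offered, and only after the INVITE for extension 200 is answered does port 30000 accept RTP, and then only from the address and port the caller put in its own SDP. The toy binds media to the first free port and checks only that a Proxy-Authorization header is present; a real proxy verifies the digest and relays the call.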
