why new tcp connection?

i started to test the latest sr_3.0 that includes andrei's tcp/socket
related changes.

twinkle is registered over tcp to sr using source port 59056 destination
port 5060.  in contact uri twinkle has put port 5074 (i need to configure
some fixed port there).

when another ua calls twinkle and i see this in syslog:

Nov  6 07:16:21 localhost /usr/sbin/sip-proxy[30133]: INFO: Routing first INVITE to <sip:[hidden email]:5074;transport=tcp> and <<null>>
Nov  6 07:16:21 localhost /usr/sbin/sip-proxy[30133]: INFO: <core> [tcp_main.c:1928]: tcp_send: quick connect for 0xb54f3e60

when i look wireshark output, i see that sr has created a new tcp
connection to twinkle at port 5074 even when there is already is one, but
not to that port.

is this twinkle's fault, i.e., should it put in contact uri port 59056
instead?

or should sr figure out that twinkle in fact is behind the tcp
connection it created when it registered itself no matter what the port in
contact uri is?

-- juha

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

On Nov 06, 2009 at 08:12, Juha Heinanen <[hidden email]> wrote:
Yes, it should do either that, or add an alias parameter to its Via
(assuming that the port in Via _is_ 5074).
If it does add "alias" to the Via, make sure you have
tcp_accept_aliases=yes in the config.

>
> or should sr figure out that twinkle in fact is behind the tcp
> connection it created when it registered itself no matter what the port in
> contact uri is?

You can force that, using force_tcp_alias() (adds src_ip:port_in_via as
an alias for src_ip:src_port).
If the port in Via is not 5074 then you can work around that too, using
force_tcp_alias(5074) (based maybe on looking at the contact?), but in
this case it's better to reconfigure/fix twinkle.

In general, especially if you have NATed UACs, it's better to always have
force_tcp_alias() in the config. It will cause problems only if you have
 non-NATed broken UACs that don't expect/support symmetric signalling
 over TCP (e.g. open a new connection for each new request and expect
 only replies to that request on the connection).
OTOH if you  don't force_tcp_alias() and the UACs don't add alias to the
Via, it's a very slim chance that NATed UACs will work over tcp.


BTW: this is not a change introduced by my recent tcp
force_send_socket() change. This is the way tcp always worked.
The force_send_socket() change forces the ip of the forced socket. The
difference from k behaviour is that k did that only when opening a new
connection (if an existing connection did exist albeit with a different
src_ip, it would have been used) while sr will reuse a connection only
if the src_ip matches with that of the forced socket.


Andrei

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Andrei Pelinescu-Onciul writes:

 > Yes, it should do either that, or add an alias parameter to its Via
 > (assuming that the port in Via _is_ 5074).
 > If it does add "alias" to the Via, make sure you have
 > tcp_accept_aliases=yes in the config.

twinkle does not add alias param to via so looks like its tcp
implementation is broken.  this comes from source tcp port 34136 to port
5060 at sr:

+++ 6-11-2009 12:06:27.976341 INFO SIP ::send_sip_tcp
Send to: tcp:192.98.101.10:5060
REGISTER sip:test.fi SIP/2.0
Via: SIP/2.0/TCP 192.98.101.10:5074;rport;branch=z9hG4bKtabgdwsf
Max-Forwards: 70
To: "Juha Heinanen" <sip:[hidden email]>
From: "Juha Heinanen" <sip:[hidden email]>;tag=hqmmp
Call-ID: bmybrkvktynbuma@localhost
CSeq: 668 REGISTER
Contact: <sip:[hidden email]:5074;transport=tcp>;expires=3600

 > > or should sr figure out that twinkle in fact is behind the tcp
 > > connection it created when it registered itself no matter what the port in
 > > contact uri is?
 >
 > You can force that, using force_tcp_alias() (adds src_ip:port_in_via as
 > an alias for src_ip:src_port).

can force_tcp_alias() be called on any register over tcp or should it be
tested first that there is no alias in via and that port in register
contact uri does not match source port?

 > In general, especially if you have NATed UACs, it's better to always have
 > force_tcp_alias() in the config. It will cause problems only if you have
 >  non-NATed broken UACs that don't expect/support symmetric signalling
 >  over TCP (e.g. open a new connection for each new request and expect
 >  only replies to that request on the connection).

ok.

 > OTOH if you  don't force_tcp_alias() and the UACs don't add alias to the
 > Via, it's a very slim chance that NATed UACs will work over tcp.

i'll test next what happens when i put twinkle behind nat.

-- juha

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

On Nov 06, 2009 at 12:20, Juha Heinanen <[hidden email]> wrote:
You can call it always, for all the requests. It just adds a new alias
for the via port if the alias doesn't already exists
(accept_tcp_aliases=yes and alias in via does the same thing).
So the easiest way is just to add force_tcp_alias() at the  beginning of
the route block.

If you want to support non symmetric signalling tcp UACs that are not behind
NAT (they wouldn't work behind a NAT without static port forwarding
rules anyway), you can use force_tcp_alias() only if you detect the UAC
is behind the NAT.

I would look at the contact port only if you have really broken UACs
that use a different port in Via then the one in the contact.

Andrei

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Andrei Pelinescu-Onciul escribió:
Hi, I don't agree with it. When a UA uses TCP for registration the following
occurs (no NAT between UA and proxy):

- UA listens for *incoming* requests on a predefined port (i.e: 5060 UDP/TCP).
- UA sends a TCP REGISTER from a ramdom port (i.e: 12345 TCP).
- The "Via" port of the REGISTER MUST be "5060" (the port in which UA
listens).
- The "Contact" port of the REGISTER MUST be "5060" (the port in which UA
listens). Yes, this is what RFC 3261 states.
- The proxy must send the response of the REGISTER using the existing TCP
connection (as per RFC 3261 18.2.2).
- If the connection is no longer open, the proxy must open a new connection to
the IP address in the "received" parameter, if present, and port in "Via"
"sent-by", and send there the response of the REGISTER.

I think this is totally clear. The problem arises when the proxy must route an
incoming request to the location of this UA. In this case:

- A request arrives to the proxy.
- The proxy must route it to UA's location so it inspects the location
database and fetches the "Contact" value of the UA's REGISTER. The port
retrieved is 5060 rather than 12345.
- So the proxy routes the request there, to UA's port 5060.  Since there is no
TCP connection open it must open a new one. It would work as there is no NAT
and UA is listening in port 5060 TCP.

NOTE: Must of the UA's accept incoming requests arriving to the port from
which they sent the REGISTER, but this is not specified in RFC 3261 at all. Of
course, if NAT exists the only solution is using the connection established by
the registration process as the proxy couldn't open a new connection with
natted UA.


So answering to this question:

> is this twinkle's fault, i.e., should it put in contact uri port 59056
> instead?

Not at all per RFC 3261. Perhaps the hyper-complex draft-outbound states that
the TCP UA must bind on the source port from which the REGISTER is sent, no
idea. But for sure RFC 3261 doesn't say that.



> or add an alias parameter to its Via
> (assuming that the port in Via _is_ 5074).
> If it does add "alias" to the Via, make sure you have
> tcp_accept_aliases=yes in the config.

What is an "alias" parameter in the Via header?

 
> > or should sr figure out that twinkle in fact is behind the tcp
> > connection it created when it registered itself no matter what the port
> > in contact uri is?
>
> You can force that, using force_tcp_alias() (adds src_ip:port_in_via as
> an alias for src_ip:src_port).
> If the port in Via is not 5074 then you can work around that too, using
> force_tcp_alias(5074) (based maybe on looking at the contact?), but in
> this case it's better to reconfigure/fix twinkle.

Please, explain it again as I don't understand what you mean with "adds
src_ip:port_in_via as an alias for src_ip:src_port".
However I ensure that Twinkle behaviour is totally correct when using SIP TCP
and there is nothing to fix here. In short:

- Twinkle binds on port 5060 TCP (and UDP).
- It sends a REGISTER from random port (12345). "Via" and "Contact" contains
port 5060.
- Twinkle would accept incoming requests to both ports 5060 and 12345.
Allowing incoming request to port 12345 helps with NAT, of course, but it's
not specified in RFC 3261 at all, and Twinkle (or any UA) could refuse a
request incoming from a port different than 5060 (the port it has announced as
listening port).

An example of Twinkle TCP REGISTER:

T 2009/11/06 12:13:26.472917 192.168.1.10:38609 -> XX.XX.XX.XX:5062
REGISTER sip:mydomain.net SIP/2.0                                            
Via: SIP/2.0/TCP 192.168.1.10:6060;rport;branch=z9hG4bKsswrheos          
Contact: <sip:[hidden email]:6060;transport=tcp>;expires=600  


 
> In general, especially if you have NATed UACs, it's better to always have
> force_tcp_alias() in the config. It will cause problems only if you have
>  non-NATed broken UACs that don't expect/support symmetric signalling
>  over TCP (e.g. open a new connection for each new request and expect
>  only replies to that request on the connection).

Symmetric signalling is about using the same src_ip:src_port - dst_ip:dst_port
within a transaction, which involves requests and its replies. It's not about
different transactions in both ways. For that there is a draft/RFC about TCP
reuse and so, but it requires a "Via" parameter and some stuff...
RFC 3261 doesn't state that a UA should accept incoming requests to a port
different than the binding port.


> OTOH if you  don't force_tcp_alias() and the UACs don't add alias to the
> Via, it's a very slim chance that NATed UACs will work over tcp.

I again ask what "add alias to the Via" means :)

 
 
Regards.



--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Andrei Pelinescu-Onciul escribió:
> I would look at the contact port only if you have really broken UACs
> that use a different port in Via then the one in the contact.

This is the point. Both must match as both mean "the port in which the UA
binds". But this port shouln't match the random source port used to send the
initial REGISTER.

--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Juha Heinanen escribió:
> Andrei Pelinescu-Onciul writes:
>  > Yes, it should do either that, or add an alias parameter to its Via
>  > (assuming that the port in Via _is_ 5074).
>  > If it does add "alias" to the Via, make sure you have
>  > tcp_accept_aliases=yes in the config.
>
> twinkle does not add alias param to via so looks like its tcp
> implementation is broken.

It's 100% correct. Please se me previous mail.




--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

On Nov 06, 2009 at 12:16, I?aki Baz Castillo <[hidden email]> wrote:
> El Viernes, 6 de Noviembre de 2009, Andrei Pelinescu-Onciul escribi?:
> > On Nov 06, 2009 at 08:12, Juha Heinanen <[hidden email]> wrote:

[...]
>
> So answering to this question:
>
> > is this twinkle's fault, i.e., should it put in contact uri port 59056
> > instead?
>
> Not at all per RFC 3261. Perhaps the hyper-complex draft-outbound states that
> the TCP UA must bind on the source port from which the REGISTER is sent, no
> idea. But for sure RFC 3261 doesn't say that.

Yes, according to 3261 the behaviour is correct. However if it doesn't
support receiving requests on the same port it used to send the
REGISTER or other requests it's broken in practice, since it would never
work behind a NAT.
It's like an udp UAC that has a different port in Via and expects new
requests only on that port: it's perfectly valid according to 3261, but it
will never work in practice due to NATs.

>
>
>
> > or add an alias parameter to its Via
> > (assuming that the port in Via _is_ 5074).
> > If it does add "alias" to the Via, make sure you have
> > tcp_accept_aliases=yes in the config.
>
> What is an "alias" parameter in the Via header?

draft-ietf-sip-connect-reuse-00 - it's a parameter added to Via
whend sending a request that means the remote side can alias the
connection (add an internal ip:src_port as an alias for ip:via_port).
The current version of the draft seems to be dealing only with TLS
though (it looks like TCP alias is now in
draft-jain-sip-transport-layer-connection-reuse-00).

It means that requests to twinkle_ip:twinkle_via_port will be sent on
the tcp connection from twhinkle_ip:twinkle_src_port, if the connection
is still opened.

If it accepts request on 12345 then it's ok.
It should consider "advertising" it by adding alias to Via though (it's
just ;alias somewhere in the via params).

Andrei

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Andrei Pelinescu-Onciul escribió:
> > Not at all per RFC 3261. Perhaps the hyper-complex draft-outbound states
> > that the TCP UA must bind on the source port from which the REGISTER is
> > sent, no idea. But for sure RFC 3261 doesn't say that.
>
> Yes, according to 3261 the behaviour is correct. However if it doesn't
> support receiving requests on the same port it used to send the
> REGISTER or other requests it's broken in practice, since it would never
> work behind a NAT.

100% agree.


> It's like an udp UAC that has a different port in Via and expects new
> requests only on that port: it's perfectly valid according to 3261, but it
> will never work in practice due to NATs.

Yes, UDP asymmetric SIP clients. Fortunatelly they are dissapearing :)


 
Ok. so using "force_tcp_alias" then SR behaves as if the request contained
"alias" in Via header and tcp_accept_aliases=yes in the config. So requests to
that user are sent using an existing TCP connection. Now it's clear, thanks ;)




--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Hi Juha!

Personally I do not like the alias approach. IIRC correctly there were
some security issues with aliases (at least some time ago) and ser does
hand aliases a little bit different then described by IETF to avoid this
issues.

To solve the situation there are 2 other solutions:
  1. in client
  2. in server

1. client:
The client learns the public socket during REGISTER (Via received+rport
in response) and changes its contact in REGISTER and INVITE messages to
the new one learned. This is for example what xlite and pjsip does. This
approach does not work if the client does not register - if it only
sends INVITE then there is no learned socket available in the initial
INVITE.

2. server
I use the pragmatic, and well working UDP approach. Just call
fix_nated_contact/register also for TCP clients. I never had any issues
with that.

regards
klaus

Juha Heinanen schrieb:
_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribió:
> Hi Juha!
>
> Personally I do not like the alias approach. IIRC correctly there were
> some security issues with aliases (at least some time ago) and ser does
> hand aliases a little bit different then described by IETF to avoid this
> issues.

Could I know about those security issues? (just a brief description).


> To solve the situation there are 2 other solutions:
>   1. in client
>   2. in server
>
> 1. client:
> The client learns the public socket during REGISTER (Via received+rport
> in response) and changes its contact in REGISTER

What about if the server doesn't challenge the client? XDD

> and INVITE messages to
> the new one learned. This is for example what xlite and pjsip does. This
> approach does not work if the client does not register - if it only
> sends INVITE then there is no learned socket available in the initial
> INVITE.

If the client doesn't register then it cannot receive responses anyway.

However, the fact is that during a TCP dialog there "should" exist *two* TCP
connections (assuming binding port = 5060):

a) UA:random_port - Proxy:5060
b) Proxy:random_port - UA:5060

If UA initiates the dialog the connection a) is created.
If Proxy sends an in-dialog request the connection b) is created.

Of course b) is not created when using "alias" or forcing the proxy to reuse
the connection established by UA (server solution).
 


> 2. server
> I use the pragmatic, and well working UDP approach. Just call
> fix_nated_contact/register also for TCP clients. I never had any issues
> with that.

Neither me, but it could fail if some UA doesn't allow that (never seen it
however).

Regards.


--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Iñaki Baz Castillo schrieb:
> El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribió:
>> Hi Juha!
>>
>> Personally I do not like the alias approach. IIRC correctly there were
>> some security issues with aliases (at least some time ago) and ser does
>> hand aliases a little bit different then described by IETF to avoid this
>> issues.
>
> Could I know about those security issues? (just a brief description).

I do not remember anymore in detail, but I think by spoofing aliases
(and the proxy accepts the spoofed alias) it could be possible to
intercept SIP messages which are targeted to another user/client behind
the same NAT.

No problem - at least for xlite. It does:
1. REGISTER with local socket
2. 407
3. REGISTER with local socket
4. 200 ok (learn public socket)
5. deREGISTER local socket
6. 200 ok
7. REGISTER with public socket
8. 200 ok

I do not know how pjsip handles this (if it is smarter :-)

>> and INVITE messages to
>> the new one learned. This is for example what xlite and pjsip does. This
>> approach does not work if the client does not register - if it only
>> sends INVITE then there is no learned socket available in the initial
>> INVITE.
>
> If the client doesn't register then it cannot receive responses anyway.

e.g. call-setup would work, but BYE from callee would fail.

> However, the fact is that during a TCP dialog there "should" exist *two* TCP
> connections (assuming binding port = 5060):
>
> a) UA:random_port - Proxy:5060
> b) Proxy:random_port - UA:5060

that's the broken idea of RFC 3261. In fact that will never work due to
NAT/FW. The un-standardized approaches are described above and work
well. The standardized approach would be sip-outbound, which gives the
same result than the un-standardized approach.

regards
klaus


_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Klaus Darilion writes:

 > 2. server
 > I use the pragmatic, and well working UDP approach. Just call
 > fix_nated_contact/register also for TCP clients. I never had any issues
 > with that.

even when client is not behind nat like in the example of the
discussion?

-- juha

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribió:
> I do not remember anymore in detail, but I think by spoofing aliases
> (and the proxy accepts the spoofed alias) it could be possible to
> intercept SIP messages which are targeted to another user/client behind
> the same NAT.

ok.

 

That's really ugly! XDD
 


> > However, the fact is that during a TCP dialog there "should" exist *two*
> > TCP connections (assuming binding port = 5060):
> >
> > a) UA:random_port - Proxy:5060
> > b) Proxy:random_port - UA:5060
>
> that's the broken idea of RFC 3261.

It's not a broken idea since in IETF world there is no NAT.
But yes, the fact is that it's ridiculous!!! How is possible that a TCP
communication between two nodes could require two TCP connections??? Terrible
design...


> In fact that will never work due to
> NAT/FW. The un-standardized approaches are described above and work
> well. The standardized approach would be sip-outbound, which gives the
> same result than the un-standardized approach.

The only difference is that the un-standardized approach forcing the same
standardized approach without requiring "alias" parameter in Via header :)


Thanks.


--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Juha Heinanen schrieb:
> Klaus Darilion writes:
>
>  > 2. server
>  > I use the pragmatic, and well working UDP approach. Just call
>  > fix_nated_contact/register also for TCP clients. I never had any issues
>  > with that.
>
> even when client is not behind nat like in the example of the
> discussion?

In this case it can work also with client receiving responses/in-dialog
requests at advertised port (as long as the client is really listening
on the advertised port).

But one of my favorites statement is: "Never trust the user". As the
contact and Via headers are user provided data I do not trust it. Thus I
always enforce symmetric signaling, regardless if client is behind NAT
or not and regardless of the used protocol.*

The only exception is if the client is known to be asymmetric (then I
have to screen the contact that at least the IP is the src_ip).

regards
Klaus

* I once used the somehow "academic" approach with hyper-intelligent NAT
detection methods, but I ended up with the "pragmatic" approach which is
easier, more secure and works IMO better.


_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Klaus Darilion writes:

 > But one of my favorites statement is: "Never trust the user". As the
 > contact and Via headers are user provided data I do not trust it. Thus I
 > always enforce symmetric signaling, regardless if client is behind NAT
 > or not and regardless of the used protocol.*

would it then make sense to use this approach also in the example
configs?  i haven't check, but i doubt they include it.

-- juha

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribió:
> (as long as the client is really listening on the advertised port).

It should!



> But one of my favorites statement is: "Never trust the user". As the
> contact and Via headers are user provided data I do not trust it. Thus I
> always enforce symmetric signaling, regardless if client is behind NAT
> or not and regardless of the used protocol.*

Some SIP ALG routers change the Via/Contact port and set 12345 while the
public source port is 12344. Really. So don't believe the user, neither the
routers! XD




--
Iñaki Baz Castillo <[hidden email]>

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Juha Heinanen schrieb:
> Klaus Darilion writes:
>
>  > But one of my favorites statement is: "Never trust the user". As the
>  > contact and Via headers are user provided data I do not trust it. Thus I
>  > always enforce symmetric signaling, regardless if client is behind NAT
>  > or not and regardless of the used protocol.*
>
> would it then make sense to use this approach also in the example
> configs?  i haven't check, but i doubt they include it.

I depends if I still want to make money by securing SIP proxy
installations ;-)

regards
klaus

PS: yes

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Klaus Darilion schrieb:
Of course this has some limitations too - e.g. if a local user uses a
proxy between client and my proxy - I will incorrectly rewrite the
contact to the socket of the other proxy. But in typical service
provider deployments there should not be proxies inbetween, or the proxy
should be able to recover from this.

regards
klaus

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

On Nov 06, 2009 at 14:39, I?aki Baz Castillo <[hidden email]> wrote:
> El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribi?:
> > Hi Juha!
> >
> > Personally I do not like the alias approach. IIRC correctly there were
> > some security issues with aliases (at least some time ago) and ser does
> > hand aliases a little bit different then described by IETF to avoid this
> > issues.
>
> Could I know about those security issues? (just a brief description).

IIRC the original alias draft required to alias also the IP, so for
example a message from ip: 1.2.3.4 with src_port 1234 and having in via
 5.6.7.8:5060 would set an alias on the proxy:
 5.6.7.8:5060->1.2.3.4:1234 which is evidently a security problem (I can
 use it to redirect someone else's  traffic to me).
In ser/sr/kamailio the alias will work only for the port, so in the
above example the alias will be:
1.2.3.4:5060->1.2.3.4:1234 and IIRC a message might be logged.

Even using only the port for the alias there can still be problems if
there are several UACs behind the same NAT that listen on the same port
(e.g. 5060). All of them would add 5060 in the via and on the proxy
there would be attempts to set multiple aliases for nat_ip:5060.
In this case one UAC will also get the requests intended for the others.
This can also be used on purpose, to intercept the messages of the
other users behind the same NAT or on the same machine.
>
>
> > To solve the situation there are 2 other solutions:
> >   1. in client
> >   2. in server
> >
> > 1. client:
> > The client learns the public socket during REGISTER (Via received+rport
> > in response) and changes its contact in REGISTER

Even better would for the client to use STUN over tcp first to find the
port and NAT address and then send the REGISTER with the proper ports
(on the same connections). Then it could use STUN for keepalives
(draft-ietf-behave-rfc3489bis).
(in this case sr must be configured with STUN support, e.g.
 make config STUN=1)

[...]


Andrei

_______________________________________________
sr-dev mailing list
[hidden email]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev