Comments (7)
Hi, yes, this has been discussed with the bug originators. Unfortunately, due to the RTP limitations there is little that can be done to support BOTH NAT traversal and be secure.
from rtpproxy.
That being said, we are working on a few new mitigation features which could render this attack vector much more impractical.
from rtpproxy.
Hi @sobomax, would be happy to discuss potential solutions. My email: [email protected]
from rtpproxy.
@sobomax @sandrogauci the problem is that a client's port (and IP address) will likely change during a session, at least in some 4G networks. So it's a legitimate behaviour, and if rtpproxy detects an IP:port change it really should start sending data to the new address. Apparently the old IP:port pair must stop sending data in this case, but we can't use it as a solid "proof" to (dis)allow a new address because it could happen during some network glitch, "mute", or any other legitimate situation where the client won't be able to send data.
Regarding SSRC - also can change during session.
So although I want to be positive, I don't see how it can be fixed easily. That's a problem with standards and protocols developed before network security was in mind.
from rtpproxy.
@lemenkov yes switching to a new IP is definitely one of the problems faced when trying to mitigate this by whitelisting an IP:port pair. My impression is that when this happens, the system could detect that the old IP:port pair did stop sending data and then allow the change to the new pair. Would you agree or disagree with this?
If there is a network glitch, the SSRC might not change. So I think adding some logic around different scenarios, e.g. when the SSRC does not change, allow the new IP:port pair; while when it does change, make sure that the session with the old SSRC is not still transmitting before allowing the switch to the new IP:port pair (which would require timing to be tuned).
Having said all that, of course this is an issue that is a limitation to plain RTP not providing any sort of authentication and not encrypting the traffic. So any changes to address this will just be mitigation rather than actual solutions to the underlying problem.
from rtpproxy.
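The re-latching rule proposed in the comment above, as an added C sketch (not part of the thread and not rtpproxy's code): a new IP:port pair is accepted when the SSRC is unchanged, and a pair with a different SSRC is accepted only after the old pair has been silent. All names and the `QUIET_MS` value are assumptions, and as the comment says this is a mitigation, not authentication.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; not rtpproxy's data structures. */
enum verdict { ACCEPT, RELATCH, DROP };

struct latch {
    int      set;        /* a remote peer has been learned */
    uint32_t ip;         /* learned source IPv4 address (host order) */
    uint16_t port;       /* learned source UDP port */
    uint32_t ssrc;       /* SSRC last seen from the learned peer */
    uint64_t last_rx_ms; /* monotonic arrival time of last accepted packet */
};

/* Assumed tunable: how long the old pair must be silent before a packet
 * with a different SSRC may take the stream over. */
#define QUIET_MS 2000

enum verdict latch_check(struct latch *l, uint32_t ip, uint16_t port,
                         uint32_t ssrc, uint64_t now_ms)
{
    enum verdict v = ACCEPT;
    if (l->set && (ip != l->ip || port != l->port)) {
        /* New source pair. Same SSRC: treat as the client roaming.
         * Different SSRC: only allowed once the old pair has gone quiet. */
        if (ssrc != l->ssrc && now_ms - l->last_rx_ms < QUIET_MS)
            return DROP; /* old stream still active: latch is unchanged */
        v = RELATCH;
    }
    l->set = 1; l->ip = ip; l->port = port;
    l->ssrc = ssrc; l->last_rx_ms = now_ms;
    return v;
}

int main(void)
{
    /* Constructed sample traffic: {ip, port, ssrc, arrival ms}. */
    struct { uint32_t ip; uint16_t port; uint32_t ssrc; uint64_t t; } p[] = {
        {0x0a000001, 4000, 0x1111, 0},    /* first packet: latch */
        {0x0a000002, 5000, 0x2222, 20},   /* new pair, new SSRC, old pair live */
        {0x0a000003, 4100, 0x1111, 40},   /* new pair, same SSRC */
        {0x0a000004, 6000, 0x3333, 5000}, /* new pair, new SSRC, after silence */
    };
    static const char *name[] = { "ACCEPT", "RELATCH", "DROP" };
    struct latch l = {0};
    for (int i = 0; i < 4; i++)
        printf("%d: %s\n", i, name[latch_check(&l, p[i].ip, p[i].port, p[i].ssrc, p[i].t)]);
    return 0;
}
```

A dropped packet does not refresh `last_rx_ms`, so traffic from a rejected pair cannot keep the old latch alive or shorten the quiet period.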
Do we have any update on this issue?
from rtpproxy.