On Mon, Aug 11, 2008 at 05:09:33PM +0200, Klaus Darilion wrote:
> > Could you please explain what kind of security assigning a random
> > (dynamic) port to a SIP UAS gives?
>
> Have you ever used sipvicious? It scans random IPs for port 5060 - you
> quickly get lots of SIP clients which you can target to attack. Of
> course you could also scan other ports than 5060, but this takes 2^15
> times more. Can also be done with nmap of course :-)
>
> >> Actually, if all SIP user agents were standard-conformant, then even the
> >> proxies would not need to use port 5060 (SRV lookups).
> >
> > Well, in my opinion we should try to make Qutecom as close to the
> > standards defined in RFC 3261 (and others) as possible. And the IANA
> > assigned port for SIP is 5060 (5061 TLS).
>
> Using a random port for SIP is 100% standard-conformant. The assigned port
> is the one which is used if the port is not specified in the URI.

I think so far we've identified two things:

1) The port that is used by qutecom (and other SIP devices) when registering with a registrar should be random. AFAIK Qutecom currently uses 5060 even in this case.

2) When listening for incoming connections it might make sense to use a well-known port (security issues aside). This should be configurable. But probably you don't want a random port here. And I agree with Klaus that you probably don't want to use 5060 if connecting directly to the internet.

Both cases should be clearly distinguished. As far as I know, Qutecom uses 5060 also for case 1 above and does some special handling to achieve port reuse when checking whether the port is already in use.

Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  Fax:   +43/2243/26465-23
Reichergasse 131                        www:   http://www.runtux.com
A-3411 Weidling                         email: [EMAIL PROTECTED]
osAlliance member                       email: [EMAIL PROTECTED]

_______________________________________________
QuteCom-dev mailing list
[email protected]
http://lists.qutecom.org/mailman/listinfo/qutecom-dev
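The two cases Ralf separates (a random outbound port for registering, and the port a client resolves when none is given in the URI) as an added example; this is not code from the thread or from QuteCom, and the SRV table and `.invalid` domains are constructed stand-ins for real DNS.

```python
import re
import socket

# Constructed SRV table standing in for DNS (RFC 3263 resolution); hypothetical domains.
FAKE_SRV = {
    ("_sip._udp", "example.invalid"): [(10, 5, "sip1.example.invalid", 5070)],
    ("_sips._tcp", "example.invalid"): [(10, 5, "sip1.example.invalid", 5061)],
}

# scheme, optional user part, host (name, IPv4 or bracketed IPv6), optional explicit port
URI_RE = re.compile(
    r"^(?P<scheme>sips?):(?:[^@]+@)?(?P<host>\[[^\]]+\]|[^:;?]+)(?::(?P<port>\d+))?"
)


def resolve_port(uri: str, transport: str = "udp") -> tuple:
    """Return (host, port) for a SIP URI: explicit port wins, then SRV, then the IANA default."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri}")
    scheme, host, port = m.group("scheme"), m.group("host"), m.group("port")
    if scheme == "sips":
        transport = "tcp"  # sips means TLS, which needs a reliable transport
    if port:
        return host, int(port)
    # Numeric IP literals get no SRV lookup; only names are looked up.
    is_literal = host.startswith("[") or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)
    if not is_literal:
        records = FAKE_SRV.get((f"_{scheme}._{transport}", host))
        if records:
            _prio, _weight, target, srv_port = min(records)  # lowest priority wins
            return target, srv_port
    # No port in the URI and no SRV record: fall back to the assigned port.
    return host, 5061 if scheme == "sips" else 5060


def ephemeral_client_socket() -> socket.socket:
    """Case 1: bind the outbound socket to port 0 so the OS picks a random ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s
```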
