Re: [GnomeMeeting-list] Major ILS change



On Mon, 15 Mar 2004 11:42:37 +0100
Damien Sandras <damien sandras it-optics com> wrote:

..deleted

> I still can try, but please tell me what is that difference. Imagine I
> can really portscan the port specified in the ILS request, what is the
> difference for the user between :
> - the portscan only happens if the specified address is different from
> the signalling address and is private
> and
> - the portscan always occurs
> 
> What I mean is that from the user point of view, I don't see people who
> would be rejected in one case and not in the other...

You get three pieces of information from the user:

  a) the IP address in the ILS request
  b) the port in the ILS request
  c) the IP address that the ILS request comes from (from getpeername)

By definition, c) is always going to be a legal public address. If it is
a private address, then the ILS is being spoofed - throw the request away.

If c) is the same as a), or they are both public addresses, then there
is very good chance that the user has a public address, or has good NAT
software. Either way, don't bother doing a portscan - just accept the
info (you can do the portscan if you like - but I bet it will work 99%
of the time)

If c) is different from a), and a) is private, then the user is behind a
NAT firewall and does not know it. Then, you need to detect if they can
actually receive a call. There is no way we can be sure, but if we check
port b) on address c) and there is a socket listening, we can give them
the benefit of the doubt and assume they are able to receive calls.

This will allow anyone to use any port to listen for calls, and will
throw away most people that are unable to receive calls, such as people
behind non-H.323-aware NAT firewalls.

Note that just because you have an H.323-aware firewall, that does not
mean that incoming calls should be directed to port 1720. My ADSL box
was H.323-aware (until I turned off that feature) and it did NOT work
that way.

This differs from your approach in that:

a) Endpoints not listening on port 1720 will be allowed to receive calls
through the ILS, whereas your system does not allow that

b) Multiple endpoints behind an H.323-aware NAT firewall will be
correctly validated (as much as possible) rather than being assumed as
being correct just because port 1720 on that address scans correctly.

Just my thoughts.

   Craig


-----------------------------------------------------------------------
 Craig Southeren, craigs postincrement com http://www.postincrement.com
 Post Increment - Software, Consulting and Services
 Co-founder of the only open source H.323 project
 Phone: +61 2 43654666   Fax: +61 2 43673140   Mobile: +61 417 231046
 ICQ: #86852844          MSN: craig_southeren hotmail com   
 GnuPG Public Key:  http://www.postincrement.com/pgp.txt
 Blog:              http://www.southeren.com/blog/
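The three-way check laid out in the message above, written out as an added example in Python; it is not code from the thread, from GnomeMeeting or from the OpenH323 project. The function names, the `Verdict` labels and the sample addresses are constructed for the illustration, and the "portscan" of port b) on address c) is reduced to a single TCP connect attempt, injectable as a callback so the logic can be exercised offline:

```python
import ipaddress
import socket
from enum import Enum
from typing import Callable

# Added example (not GnomeMeeting/OpenH323 code): validate an ILS registration
# from a) the advertised address, b) the advertised port and c) the address the
# request actually came from (getpeername).


class Verdict(Enum):
    REJECT_INVALID = "reject: malformed address or port"
    REJECT_SPOOFED = "reject: request did not come from a public address"
    ACCEPT = "accept without probing"
    ACCEPT_PROBED = "accept: listener found on port b) of address c)"
    REJECT_UNREACHABLE = "reject: nothing listening on port b) of address c)"


def tcp_listener_present(address: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to address:port succeeds, i.e. something listens there."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_ils_registration(
    claimed_ip: str,  # a) the IP address in the ILS request
    claimed_port: int,  # b) the port in the ILS request
    peer_ip: str,  # c) the address the request came from
    probe: Callable[[str, int], bool] = tcp_listener_present,
) -> Verdict:
    try:
        a = ipaddress.ip_address(claimed_ip)
        c = ipaddress.ip_address(peer_ip)
    except ValueError:
        return Verdict.REJECT_INVALID
    if a.version != c.version or not 0 < claimed_port < 65536:
        return Verdict.REJECT_INVALID
    # Addresses that can never be a unicast endpoint are rejected outright
    # (older ipaddress versions report multicast as "global").
    for addr in (a, c):
        if addr.is_multicast or addr.is_unspecified or addr.is_reserved:
            return Verdict.REJECT_INVALID
    # c) must be a legal public address; a private source means the ILS
    # request is being spoofed, so throw it away.
    if not c.is_global:
        return Verdict.REJECT_SPOOFED
    # c) equals a), or both are public: the user has a public address or
    # working NAT software, so accept the advertised endpoint without probing.
    if a == c or a.is_global:
        return Verdict.ACCEPT
    # a) is private and differs from c): the user is behind NAT without
    # knowing it. If port b) on address c) has a listener, give them the
    # benefit of the doubt; otherwise assume they cannot receive calls.
    if probe(str(c), claimed_port):
        return Verdict.ACCEPT_PROBED
    return Verdict.REJECT_UNREACHABLE


if __name__ == "__main__":
    # Constructed sample registrations (not real endpoints); a stub probe
    # replaces the network connect so the demo runs offline.
    samples = [
        ("66.10.20.30", 1720, "66.10.20.30"),
        ("192.168.1.5", 5000, "66.10.20.30"),
        ("192.168.1.5", 1720, "10.0.0.7"),
    ]
    for claimed, port, peer in samples:
        verdict = validate_ils_registration(claimed, port, peer, probe=lambda ip, p: False)
        print(f"a={claimed} b={port} c={peer} -> {verdict.value}")
```

Note that the probe only establishes that some TCP listener answers on that port of the NAT's public address; it cannot tell whether that listener is the registering endpoint, which is exactly the "benefit of the doubt" the message describes. The registering endpoint must also be listening at the moment the ILS checks, so a connect timeout on a silently dropping firewall is the case that takes longest to reject.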



