Re: [GnomeMeeting-list] Major ILS change
- From: Craig Southeren <craigs postincrement com>
- To: Damien Sandras <damien sandras it-optics com>, gnomemeeting-list gnome org
- Subject: Re: [GnomeMeeting-list] Major ILS change
- Date: Mon, 15 Mar 2004 22:04:11 +1100
On Mon, 15 Mar 2004 11:42:37 +0100
Damien Sandras <damien sandras it-optics com> wrote:
..deleted
> I still can try, but please tell me what is that difference. Imagine I
> can really portscan the port specified in the ILS request, what is the
> difference for the user between :
> - the portscan only happens if the specified address is different from
> the signalling address and is private
> and
> - the portscan always occurs
>
> What I mean is that from the user point of view, I don't see people who
> would be rejected in one case and not in the other...
You get three pieces of information from the user:
a) the IP address in the ILS request
b) the port in the ILS request
c) the IP address that the ILS request comes from (from getpeername)
By definition, c) is always going to be a legal public address. If it is
a private address, then the ILS is being spoofed - throw the request away.
If c) is the same as a), or they are both public addresses, then there
is very good chance that the user has a public address, or has good NAT
software. Either way, don't bother doing a portscan - just accept the
info (you can do the portscan if you like - but I bet it will work 99%
of the time)
If c) is different from a), and a) is private, then the user is behind a
NAT firewall and does not know it. Then, you need to detect if they can
actually receive a call. There is no way we can be sure, but if we check
port b) on address c) and there is a socket listening, we can give them
the benefit of the doubt and assume they are able to receive calls.
This will allow anyone to use any port to listen for calls, and will
throw away most people that are unable to receive calls, such as people
behind non-H.323 aware NAT firewalls.
Note that just because you have a H.323-aware firewall, that does not
mean that incoming calls should be directed to port 1720. My ADSL box
was H.323-aware (until I turned off that feature) and it did NOT work
that way.
This differs from your approach in that:
a) Endpoints not listening on port 1720 will be allowed to receive calls
through the ILS, whereas your system does not allow that
b) Multiple endpoints behind a H.323-aware NAT firewall will be
correctly validated (as much as possible) rather than being assumed as
being correct just because port 1720 on that address scans correctly.
Just my thoughts.
Craig
-----------------------------------------------------------------------
Craig Southeren, craigs postincrement com http://www.postincrement.com
Post Increment - Software, Consulting and Services
Co-founder of the only open source H.323 project
Phone: +61 2 43654666 Fax: +61 2 43673140 Mobile: +61 417 231046
ICQ: #86852844 MSN: craig_southeren hotmail com
GnuPG Public Key: http://www.postincrement.com/pgp.txt
Blog: http://www.southeren.com/blog/
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]