undefined | Better HN

0 pointsviraptor14y ago0 comments

I can't find the bits about updating firewall rules, but anyways... They keep concentrating on the media path, while getting the signalling to the right place is just as hard. They need some public relay and that's one part I still haven't seen seriously mentioned yet. I disagree with "Actual NAT traversal in SIP/RTP is very straightforward." - since there are many issues:

- They can't use end-to-end encryption since public relay has to add information about the public address the message came from (unless it wants to transfer the media itself).

- They can't allow random changes to addresses by intermediate nodes, since that would allow trivial attack on the mesh infrastructure.

How will they stop a situation where someone creates lots of nodes, proxies SIP, but randomises the media addresses? Media address can't be encoded at the source, since it has to come from the relay. It wouldn't be hard for a competing company to spawn thousands of nodes on EC2 and overload the network with broken "relay" nodes.

0 comments

MichaelGG14y ago

Sorry I should have made it clear. SIP/RTP don't work with NATs at all (public IP and a NAT'd client) if you follow the spec. By NAT traversal with SIP, I'm referring to this case, not NAT'd client to NAT'd client.

You're right that using relays requires some thought in order to keep it secure.

j / k navigate · click thread line to collapse

0 pointsviraptor14y ago0 comments

- They can't use end-to-end encryption since public relay has to add information about the public address the message came from (unless it wants to transfer the media itself).

- They can't allow random changes to addresses by intermediate nodes, since that would allow trivial attack on the mesh infrastructure.

0 comments

MichaelGG14y ago

You're right that using relays requires some thought in order to keep it secure.

j / k navigate · click thread line to collapse