asterisk users - Feb 2012 - Should you "ever" use nat=no?

I've been lurking on the dev discussion on creating nat=auto. It all 
leads me to think there's no reason to use nat=no.

We have about 60 internal sip extensions connected to an multihomed 
asterisk box where the external ip is not nat'ed. Each of the internal 
sip contexts has nat=no. On startup I get a slew of warnings about 
intruders being able to distinguish real extensions. But that isn't 
right, is it? Or if it is, wouldn't the intruder have to be on the 
"inside" 10.0.0.0 net?

But so what? Does nat=no buy you anything? faster? slicker? richer?

sean

If your server is open to the internet and in SIP general section you have
nat=no and in peers you have nat=yes or vice versa then it's possible to
enumerate your extension. Because Asterisk responds with different messages
if the extension exists or not based on that difference in the nat setting
then it's possible to tell if an extension 100 exists or not. Over the past
few years, Digium has come to realization to respond to all unauthenticated
calls the same way in order to thwart any attack attempts or guesses on the
extension but it's still not perfect yet as these improvements are done at
a really slow pace. Regardless, they are being made and there truely is a
security risk.

I always use nat=yes. I don't even know why nat=no exists as there is
nothing that can't be done with nat=yes. Plus nat=yes will take care of
some of the surprise one-way audio scenarios as well so why use nat=no at
all?! I vote to totally get rid of the nat setting all together and hard
code it and set it to yes but again there are others who may not agree.

-Bruce



On Sat, Feb 11, 2012 at 6:54 PM, sean darcy <seandarcy2 at gmail.com>
wrote:
> I've been lurking on the dev discussion on creating nat=auto. It all
leads
> me to think there's no reason to use nat=no.
>
> We have about 60 internal sip extensions connected to an multihomed
> asterisk box where the external ip is not nat'ed. Each of the internal
sip
> contexts has nat=no. On startup I get a slew of warnings about intruders
> being able to distinguish real extensions. But that isn't right, is it?
Or
> if it is, wouldn't the intruder have to be on the "inside"
10.0.0.0 net?
>
> But so what? Does nat=no buy you anything? faster? slicker? richer?
>
> sean
>
>
>
> --
> ______________________________**______________________________**_________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>              http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> 
http://lists.digium.com/**mailman/listinfo/asterisk-**users<http://lists.digium.com/mailman/listinfo/asterisk-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20120211/c0584c1e/attachment.htm>