[MMUSIC] comedia-fix and the whole source address/port boondoggle
comedia-fix again raises the argument against embedding the source
address/port information in the SDP. That is something that I still feel
strongly about, and work has progressed that makes use of it, although not
as a fail-safe session correlation mechanism. We've found that it's useful
as a DoS counter-measure, using the following design:
- An intermediate proxy on our network acts as a STUN-like
inverse-NAT translator to at least recover the likely address
from where the media will originate, and rewrites the SDP
if necessary.
- Our gateways, when under load, sort the incoming connection
pending queue based on source addresses that they expect
to arrive.
The idea is that when under DoS attack, connections sourced from uninvited
addresses are not dealt with until the queue of invited addresses has been
serviced. This is especially critical when the media is carried over TLS,
and in our case we do not commence with the TLS handshake until either the
connection has been correlated or until servicing the connection does not
overload the gateway. The side-effect of a failed/incorrect inverse-NAT
rewrite only occurs under heavy load, and is not fatal. But without the
source address information, there is no way to implement such a scheme.
I believe that comedia adequately spells out the limitations imposed by
various topologies (i.e., NAT), and the source address/port is still worth
keeping.
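As an added illustration of the scheme the post describes (example code written for this page, not the author's gateway or proxy code), the following Python sketch pulls the expected source address/port out of an SDP body and uses it to order a pending-connection queue: invited sources are always serviced first, and an uninvited connection only gets its TLS handshake started when the gateway has spare handshake capacity. The sample SDP, the `PendingQueue`/`PendingConn` names, the handshake-capacity threshold and the address-only fallback (accepted because a NAT may have rewritten only the port) are all assumptions of the example, not details from the post.

```python
import heapq
import itertools
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample SDP (not from the post). After the inverse-NAT proxy
# rewrite, the c= line names the address media is expected to come from
# and the m= line names the port.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 TCP/TLS/RTP/SAVP 0
a=setup:active
"""


def expected_endpoints(sdp: str) -> Set[Tuple[str, int]]:
    """Return the (address, port) pairs an SDP says media will originate from.

    A session-level c= applies to every m= line; a media-level c= (one that
    follows an m= line) overrides it for that media only. Minimal parser
    for illustration, not a full SDP implementation.
    """
    session_addr: Optional[str] = None
    media: List[List] = []  # [addr, port] per m= line, in order
    for line in sdp.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0] == "c=IN" and len(parts) == 3 and parts[1] in ("IP4", "IP6"):
            if media:
                media[-1][0] = parts[2]   # media-level override
            else:
                session_addr = parts[2]   # session-level default
        elif parts[0].startswith("m=") and len(parts) >= 2:
            media.append([session_addr, int(parts[1])])
    return {(addr, port) for addr, port in media if addr is not None}


@dataclass
class PendingConn:
    src_addr: str
    src_port: int
    tls_started: bool = False


@dataclass(order=True)
class _Entry:
    priority: int            # 0 = invited source, 1 = uninvited
    seq: int                 # arrival order, keeps FIFO within a class
    conn: PendingConn = field(compare=False)


class PendingQueue:
    """Pending-connection queue that serves invited sources first and defers
    TLS handshakes for uninvited sources while the gateway is loaded."""

    def __init__(self, max_handshakes: int):
        self.max_handshakes = max_handshakes   # assumed load threshold
        self.active_handshakes = 0
        self.expected: Set[Tuple[str, int]] = set()
        self.expected_addrs: Set[str] = set()
        self._heap: List[_Entry] = []
        self._seq = itertools.count()

    def invite(self, endpoints: Set[Tuple[str, int]]) -> None:
        for addr, port in endpoints:
            self.expected.add((addr, port))
            self.expected_addrs.add(addr)

    def correlated(self, conn: PendingConn) -> bool:
        # Exact addr:port match is strongest; address-only is accepted as a
        # fallback because a NAT may have rewritten the port (assumption).
        return ((conn.src_addr, conn.src_port) in self.expected
                or conn.src_addr in self.expected_addrs)

    def accept(self, conn: PendingConn) -> None:
        prio = 0 if self.correlated(conn) else 1
        heapq.heappush(self._heap, _Entry(prio, next(self._seq), conn))

    def service_next(self) -> Optional[PendingConn]:
        """Start the TLS handshake for the next eligible connection, or
        return None if only uninvited connections remain and we are loaded."""
        if not self._heap:
            return None
        entry = heapq.heappop(self._heap)
        loaded = self.active_handshakes >= self.max_handshakes
        if self.correlated(entry.conn) or not loaded:
            entry.conn.tls_started = True
            self.active_handshakes += 1
            return entry.conn
        heapq.heappush(self._heap, entry)   # uninvited and loaded: wait
        return None

    def finish_handshake(self) -> None:
        self.active_handshakes = max(0, self.active_handshakes - 1)

    def pending(self) -> int:
        return len(self._heap)


def demo() -> List[str]:
    """Constructed scenario: two uninvited connections arrive before the
    invited ones. Returns the order in which handshakes were started."""
    q = PendingQueue(max_handshakes=1)
    q.invite(expected_endpoints(SAMPLE_SDP))
    for c in [PendingConn("198.51.100.7", 5000),    # uninvited, first
              PendingConn("198.51.100.8", 5001),    # uninvited
              PendingConn("203.0.113.10", 49170),   # invited, exact match
              PendingConn("203.0.113.10", 60000)]:  # invited addr, new port
        q.accept(c)
    served: List[str] = []
    for _ in range(10):                 # bounded so the demo terminates
        c = q.service_next()
        if c is not None:
            served.append(f"{c.src_addr}:{c.src_port}")
        elif served:
            q.finish_handshake()        # simulate a handshake completing
        if q.pending() == 0:
            break
    return served
```

Running `demo()` shows the effect the post relies on: both connections from the SDP-advertised address are handshaked first, and the two uninvited ones are only touched once handshake capacity frees up, so a misrewritten address costs an uninvited-looking caller some waiting time under load rather than a dropped call.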
_______________________________________________
mmusic mailing list
mmusic@ietf.org
https://www1.ietf.org/mailman/listinfo/mmusic