[Wifidog] Teliphone
Alexandre Carmel-Veilleux
saruman at northernhacking.org
Wed Jan 19 20:16:31 EST 2005
I believe the Teliphone tunnels backwards to it's server, but I
haven't fired up tcpdump to find out for sure. Daniel D knows, but I
believe he signed an NDA with them.
Alex
On Wed, Jan 19, 2005 at 02:25:35PM -0500, Pascal Leclerc wrote:
> Date: Wed, 19 Jan 2005 14:25:35 -0500
> From: Pascal Leclerc <leclerc.pascal at ireq.ca>
> To: The WiFi Guard Dog project <Wifidog at isf.waglo.com>
> Subject: Re: [Wifidog] Teliphone
>
> Note: I know that some people do not understand french, you can use
> babelfish.altavista.com to translate and get the main idea of the
> discussion. Don't be shy and ask volunteers for a better translation.
> Sorry for my bad english, but I think it's easier to understand then
> french ;-) The main subject is the support of wireless (802.11B)
> phone by the wifidog gateway (wifidog will not ask the users for a
> validation and allow users to receive incoming calls) .
> --------------------------
>
> Wifidog supporte très bien Teliphone : Guillaume à reçu un appel sur son
> téléphone sans fil à l'Utopik mercredi soir au meeting.
>
> Pour le coté technique et le fontionnement, Alexandre C-V est
> probalement le plus apte à répondre à tes questions puisque c'est lui
> qui a ajouté le support Teliphone. En fait il a ajouté la possibilité
> d'ajouter des règles (FirewallRuleSet) dans la config.
>
> Regarde le fichier de config de wifidog
> http://cvs.sourceforge.net/viewcvs.py/wifidog/wifidog/wifidog.conf?rev=1.22&view=auto
> et tu devrais comprendre le fonctionnement.
>
> Je n'ai pas compris tous les détails pour le moment, mais je vais m'y
> attarder prochainement en ajoutant ce support à l'interface web de
> Wifidog dans OpenWRT.
>
> Pascal
>
> Yanik Crépeau wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Toujours dans la même veine:
> >
> > Source: http://www.intertex.se/upfiles/IntertexSIPWhitePaper.pdf
> >
> > Initiating communication from the public Internet to a device on a
> > private LAN
> > is by definition a complex task for a firewall to handle. Supporting
> > media
> > streams (voice and video) transported over separate ports negotiated
> > in the
> > session setup, further adds to the complexity. Furthermore, the
> > location of
> > individual users on a private protected LAN also has to be handled.
> > Transparent
> > SIP traversal through firewalls and NATs requires specific handling of
> > these issues.
> >
> > SIP initiates multimedia sessions carried over other protocols, for
> > example RTP.
> > This means that when a SIP session has been started, various other
> > protocols are
> > used as well, usually transmitted over TCP or UDP and using an arbitrary,
> > dynamically assigned, port number. This is a problem for a firewall that
> > generally opens up certain protocols and ports
> > in advance. But since the ports are dynamically assigned, which ports
> > are to be
> > opened? Current firewalls do not support tunneling of dynamically
> > allocated
> > media streams. Handling the SIP media streams through a firewall by
> > opening a
> > wide range of ports is, of course, unacceptable from a security point
> > of view.
> > Instead, a firewall that understands SIP can open up the ports for the
> > right
> > protocols just when the SIP traffic needs it.
> >
> > A SIP message is destined for a specific user and therefore includes IP
> > addresses of the session participants in header fields. This is a
> > problem if a
> > SIP session should be established through a firewall using NAT. The IP
> > address
> > on the hidden side (which appears in the SIP headers) will not be the
> > same as
> > the one that the clients on the outside should use. This problem can
> > be resolved
> > in several ways. One is to make the SIP endpoints aware of NAT and let
> > them
> > discover what IP addresses and port numbers they can use. This has a
> > several drawbacks. First, every SIP endpoint application needs to be
> > modified ?
> > new software has to be written for them. Second, the NAT discovery is
> > problematic since different NATs work in different ways. Thirdly, this
> > solution
> > works only for NAT since the firewall blocks IP packets not allowed to
> > pass.
> > There is a suggested extension of the SIP protocol to handle this
> > situation (NAT
> > Friendly SIP).
> >
> > A more general way is to integrate a SIP proxy server that rewrites
> > the SIP
> > messages using proper global and local addresses on the respective
> > public and
> > private sides. The proxy server can also control the NATing firewall
> > and open up
> > for SIP initiated media streams.
> >
> > A third problem is to find the specific user on a private LAN using
> > private IP
> > addresses. Onsuch LANs, all SIP-signaling is normally addressed to
> > port 5060 on
> > the single global IP address of the Firewall. Thus, to handle incoming
> > calls,
> > the firewall must cooperate with a location function having a register
> > of all
> > SIP users inside the firewall. The location function can either be
> > separate or,
> > as in the Intertex and Ingate products, be integrated in the firewall in
> > form of a SIP registrar.
> >
> > Handling these three issues in a firewall is necessary to allow users
> > to use SIP
> > standard applications as they are designed today, no matter with whom
> > they
> > communicate.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.5 (MingW32)
> > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> >
> > iD8DBQFB7p800OgIseWq58IRAjdmAJ9E6DYzDXo1cNJcVn/zhoQeeIPKoACcDLcQ
> > 2Hq6GlQdprQ4cYCj7qhBS1Q=
> > =n+aC
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Wifidog mailing list
> > Wifidog at isf.waglo.com
> > http://isf.waglo.com/mailman/listinfo/wifidog_isf.waglo.co
> > m
>
>
>
> _______________________________________________
> Wifidog mailing list
> Wifidog at isf.waglo.com
> http://isf.waglo.com/mailman/listinfo/wifidog_isf.waglo.com
_______________________________________________
Wifidog mailing list
Wifidog at isf.waglo.com
http://isf.waglo.com/mailman/listinfo/wifidog_isf.waglo.com
More information about the Wifidog
mailing list