Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

For the latter, the ALG needs to check that the connection starts with a SIP packet and disable any further processing if does not.


Agreed. I'm labouring the point because a lot of comments here are waving this away as a one-line stateless change ("just check the fragmentation offset is zero"), when in fact it might mean switching from a completely stateless ALG to a stateful ALG. That is a bigger deal from the code complexity point of view, because it means the ALG has to start tracking TCP connections.


I don't see any way the ALG could work reliably without being stateful - after all, the string it's looking for might end up split across multiple packets for any number of reasons out of control of the network hardware.

Perhaps this is the reason why all of these kinds of protocols always seem unreliable...


It might, but in a very high proportion of cases the networking stack takes the happy path and a single logical protocol unit translates directly to a single packet on the wire. That being the practical reality, it's quite possible to write a stateless protocol parser and have it apparently work. Except, as you point out, when it doesn't.


If the device is doing NAT, it already keeps track of whether a TCP connection is new or not. It feels like it should be easy enough to check that state when applying the ALG rule.

Or can a SIP REGISTER happen in a packet after the first?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: