RTCP may expose internal IP addresses and private user names across NAT devices
Overview

In the context of NAT devices, RTCP SDES packets may contain private information (user names and internal IP addresses) that is not translated or hidden before the packets travel through the NAT device into an untrusted zone.

Impact

Untrusted parties may obtain internal IP addresses and user names, which can undermine the purpose of the NAT device and the privacy of users.

Description

RTCP is the RTP Control Protocol, used primarily to provide feedback on the quality of the data distribution. RTCP can also convey participant identification and other information, such as user name, phone number and location, in source description (SDES) packets. Unlike the other SDES items, CNAME (canonical endpoint identifier) is mandatory; it binds the random SSRC identifier to an identifier that stays constant for the source. When RTCP packets cross a Network Address Translation (NAT) device, the layer 3 source IP address is translated from the private address to the public address. However, the host portion of the CNAME may also contain the internal private IP address, which is exposed to untrusted parties if the NAT device is not RTCP-aware. The CNAME may also contain a user name, which is likewise exposed if it is not translated or removed before the RTCP packets traverse the NAT device.

Solution

RTCP packets must be inspected for this possible exposure before they leave the private network. Any occurrence of IP addresses and user names must be translated or removed as needed. With its VoIP Firewall functionality, the Sipera IPCS can protect the privacy of internal users and IP addresses by enforcing firewall/NAT traversal policies when deployed in the enterprise DMZ. For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com
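The egress inspection described above, as an added example that is not part of the original advisory or of any Sipera product: it builds a constructed RTCP SDES packet (RFC 3550 section 6.5), parses the CNAME items back out, and reports which chunks would reveal a user name or an RFC 1918 internal address to the untrusted side of the NAT. The SSRC and CNAME values are made up for the demonstration.

```python
import ipaddress
import struct

SDES_PT, CNAME_ITEM, END_ITEM = 202, 1, 0
# RFC 1918 ranges: a CNAME host in these is an internal address the NAT only rewrites at layer 3.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_sdes(ssrc, cname):
    """Constructed sample: one-chunk RTCP SDES packet carrying a single CNAME item."""
    text = cname.encode()
    chunk = struct.pack("!I", ssrc) + bytes([CNAME_ITEM, len(text)]) + text + bytes([END_ITEM])
    chunk += b"\x00" * (-len(chunk) % 4)  # pad the chunk to a 32-bit boundary
    header = struct.pack("!BBH", 0x80 | 1, SDES_PT, (4 + len(chunk)) // 4 - 1)  # V=2, SC=1
    return header + chunk

def parse_sdes_cnames(packet):
    """Return [(ssrc, cname), ...] for each chunk of an RTCP SDES packet."""
    first, pt, length = struct.unpack("!BBH", packet[:4])
    if first >> 6 != 2 or pt != SDES_PT or len(packet) < (length + 1) * 4:
        raise ValueError("not a complete RTCP SDES packet")
    pos, chunks = 4, []
    for _ in range(first & 0x1F):  # SC field: number of chunks
        ssrc = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos, cname = pos + 4, None
        while packet[pos] != END_ITEM:  # items are type, length, text; IndexError if unterminated
            itype, ilen = packet[pos], packet[pos + 1]
            if itype == CNAME_ITEM:
                cname = packet[pos + 2:pos + 2 + ilen].decode("utf-8", "replace")
            pos += 2 + ilen
        pos = (pos + 4) & ~3  # skip the END octet and pad to the next 32-bit boundary
        chunks.append((ssrc, cname))
    return chunks

def cname_exposure(cname):
    """What an untrusted party learns from a CNAME of the form user@host."""
    user, _, host = cname.rpartition("@")
    found = {"user_name": user or None, "private_address": None}
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return found  # host is a name, not a literal address
    if any(addr in net for net in RFC1918):
        found["private_address"] = str(addr)
    return found

def inspect_sdes(packet):
    """Egress check: chunks whose CNAME leaks a user name or an internal address."""
    checked = [(ssrc, c, cname_exposure(c or "")) for ssrc, c in parse_sdes_cnames(packet)]
    return [item for item in checked if any(item[2].values())]
```

A NAT or VoIP firewall acting on these findings would rewrite or strip the offending CNAME before forwarding; the check reports but does not modify the packet.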
UC Security Defined

Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments. Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements. Backed by the industry-leading research of the VIPER lab, Sipera's solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.