[jitsi-dev] preventing JVB from broadcasting a private IP address


#1

Hello everybody,

Our Jitsi-Meet platform is used by internal and external users, so we
have JVB listening on two different network interfaces (eth1: Internal
use & eth2: External use).
Internal users have direct access to JVB's IP address and external
users access the server through its NATted IP as described on the
diagram below.

On the client side, users receive 3 different ICE candidates including
the private IP 2.2.2.2 that I don't want to broadcast for security
reasons.

Is there any way to prevent JVB from broadcasting a private IP address
as an ICE candidate?

Best regards
Hamza


#2

Hello Hamza,

I think this is what you need:

org.ice4j.ice.harvest.BLOCKED_INTERFACES (https://github.com/jitsi/ice4j/blob/f2cd3891e1b3f30af620bcfdb29255a003c498c1/src/main/java/org/ice4j/StackProperties.java#L207)

org.ice4j.ice.harvest.BLOCKED_ADDRESSES (https://github.com/jitsi/ice4j/blob/f2cd3891e1b3f30af620bcfdb29255a003c498c1/src/main/java/org/ice4j/StackProperties.java#L234)

Best,
George



#3

Hi,

> Hello everybody,
>
> Our Jitsi-Meet platform is used by internal and external users, so we have JVB listening on two different network interfaces (eth1: Internal use & eth2: External use).
> Internal users have direct access to JVB's IP address and external users access the server through its NATted IP as described on the diagram below.
>
> On the client side, users receive 3 different ICE candidates including the private IP 2.2.2.2 that I don't want to broadcast for security reasons.
>
> Is there any way to prevent JVB from broadcasting a private IP address as an ICE candidate?

I don't think there is a way to do this currently. You could add 2.2.2.2 to the list of blocked addresses, but this will probably result in 3.3.3.3 being removed as well (we haven't used it in this way, and I have not tested the exact behavior).

org.ice4j.ice.harvest.BLOCKED_ADDRESSES=2.2.2.2

Regards,
Boris
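
The behaviour left untested in the reply above can be checked from the client side after changing `BLOCKED_ADDRESSES`. The following is an added example, not code from this thread or from the Jitsi project: it parses ICE candidate lines and reports both whether 2.2.2.2 is still advertised (including in the `raddr` field of a reflexive candidate) and whether 3.3.3.3 disappeared along with it. The function names, the 192.0.2.10 address and the sample lines are constructed for illustration.

```javascript
// Constructed sample of candidate lines as a client might see them (not captured from a real JVB).
const SAMPLE = [
  'a=candidate:1 1 udp 2130706431 192.0.2.10 10000 typ host generation 0',
  'a=candidate:2 1 udp 2130706431 2.2.2.2 10000 typ host generation 0',
  'a=candidate:3 1 udp 1694498815 3.3.3.3 10000 typ srflx raddr 2.2.2.2 rport 10000 generation 0',
];

// Parse one candidate attribute (RFC 5245 grammar): foundation, component,
// transport, priority, address, port, "typ" <type>, then optional extensions.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/i
    .exec(line.trim());
  if (!m) return null;
  const ext = m[8].trim().split(/\s+/);
  const raddrAt = ext.indexOf('raddr');
  return {
    address: m[5],
    port: Number(m[6]),
    type: m[7],
    // Reflexive and relayed candidates carry the base address here,
    // so an internal IP can leak even when its own host candidate is gone.
    raddr: raddrAt >= 0 ? (ext[raddrAt + 1] ?? null) : null,
  };
}

// mustNotAppear: addresses that should never reach clients (exact string match).
// mustAppear: addresses that clients still need in order to connect.
function auditCandidates(lines, { mustNotAppear, mustAppear }) {
  const parsed = lines.map(parseCandidate).filter(Boolean);
  const leaks = [];
  for (const c of parsed) {
    if (mustNotAppear.includes(c.address)) {
      leaks.push({ field: 'address', value: c.address, type: c.type });
    }
    if (c.raddr && mustNotAppear.includes(c.raddr)) {
      leaks.push({ field: 'raddr', value: c.raddr, type: c.type });
    }
  }
  const missing = mustAppear.filter(a => !parsed.some(c => c.address === a));
  return { leaks, missing, ok: leaks.length === 0 && missing.length === 0 };
}

const policy = { mustNotAppear: ['2.2.2.2'], mustAppear: ['3.3.3.3'] };
console.log(JSON.stringify(auditCandidates(SAMPLE, policy), null, 2));
```

A non-empty `missing` list after the configuration change corresponds to the side effect mentioned above, where 3.3.3.3 is removed together with 2.2.2.2.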
