Re: [MMUSIC] RTSP and NATs
philippe.gentric@philips.com Mon, 10 February 2003 16:17 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14085 for <mmusic-archive@odin.ietf.org>; Mon, 10 Feb 2003 11:17:55 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h1AGQNO25482 for mmusic-archive@odin.ietf.org; Mon, 10 Feb 2003 11:26:23 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1AGQNp25479 for <mmusic-web-archive@optimus.ietf.org>; Mon, 10 Feb 2003 11:26:23 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14070 for <mmusic-web-archive@ietf.org>; Mon, 10 Feb 2003 11:17:23 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1AGQ8p25469; Mon, 10 Feb 2003 11:26:08 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1AGPRp25427 for <mmusic@optimus.ietf.org>; Mon, 10 Feb 2003 11:25:27 -0500
Received: from gw-nl4.philips.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14050 for <mmusic@ietf.org>; Mon, 10 Feb 2003 11:16:27 -0500 (EST)
From: philippe.gentric@philips.com
Received: from smtpscan-nl2.philips.com (smtpscan-nl2.philips.com [130.139.36.22]) by gw-nl4.philips.com (Postfix) with ESMTP id 595EDA3D02; Mon, 10 Feb 2003 17:20:07 +0100 (MET)
Received: from smtprelay-nl1.philips.com (localhost [127.0.0.1]) by smtpscan-nl2.philips.com (8.9.3/8.8.5-1.2.2m-19990317) with ESMTP id RAA27362; Mon, 10 Feb 2003 17:20:05 +0100 (MET)
Received: from hbg001soh.diamond.philips.com (e1soh01.diamond.philips.com [130.143.165.45]) by smtprelay-nl1.philips.com (8.9.3/8.8.5-1.2.2m-19990317) with ESMTP id RAA27109; Mon, 10 Feb 2003 17:20:01 +0100 (MET)
Subject: Re: [MMUSIC] RTSP and NATs
To: Magnus Westerlund <magnus.westerlund@era.ericsson.se>, jdrosen@dynamicsoft.com
Cc: IETF MMUSIC WG <mmusic@ietf.org>
X-Mailer: Lotus Notes Release 5.0.9a January 7, 2002
Message-ID: <OFE2572A2C.42479ADB-ONC1256CC9.0037EA6E-C1256CC9.0059C316@diamond.philips.com>
Date: Mon, 10 Feb 2003 17:13:39 +0100
X-MIMETrack: Serialize by Router on hbg001soh/H/SERVER/PHILIPS(Release 5.0.9a |January 7, 2002) at 10/02/2003 17:21:03
MIME-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Sender: mmusic-admin@ietf.org
Errors-To: mmusic-admin@ietf.org
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Jonathan you wrote:
>I agree that symmetric RTP is clearly the best solution for RTSP as it
>is used today. I do not believe that relying on source IP being the same
> between the RTSP and RTP sessions is a good idea. This won't work in
>enterprises which may be natting into a multiplicity of IP addresses.
YES!
I fully agree, (see item 3 below)
Magnus,
(Sorry for the delay in responding to previous RTSP&NAT)
Having a RTSP server and a STUN server co-located at the same port
is no concern for us neither in terms of security nor in terms of implementation,
or to be more specific it is largely worth the trouble !
i.e. the trade of is rather simple: either you do that or
NATs will prevent you from using RTSP....
And yes, magnus, you are right, the first key issue is to inform the client about the ports
the server will be listening for incomming STUN packets,
which need to be the RTP and RTCP ports....
*******************************************
let me summarize the 4 open issues I see for RTSP/STUN/NAT:
(1) server signals its RTP and RTCP ports:
it can be done either:
(a) in the SDP (since its per-media ?) as in draft-ietf-mmusic-sdp4nat-03.txt
or
(b) in the headers of the response to DESCRIBE or SETUP
Note that if SETUP is used it is a failed-in-advance attempt
("hey, try again, because this wont work") causing 1 round trip,
so I dont like this solution much, and also there are cases when
you dont use DESCRIBE ...
so I would prefer solution (a)SDP.
2) there is the possiblity that inside DESCRIBE and/or SETUP the client
gives its IP address, then the server could compare this transported client IP
with the apparent IP address of the client,
Then the server could make a specific reply:
-we would need to define a new status-
for example:
"463: See you from behind a NAT, use STUN on designated ports"
But this solution would only be a safe-guard,
I mean it is smart to assume that:
"When the server indicates explicit RTP and RTCP ports,
the client SHOULD send STUN queries toward the server
at these port numbers and wait for STUN responses
indicating the possible presence of NAT."
so that if you prefer to wait for a possible 463...
you loose... a round trip !-) too bad!
3) One key missing item (as noted by Jonathan)
is also the capability at SETUP to indicate not only a specific
port number but also a specific IP address since through
some NATs RTP and RTCP packets will come out not only with
an (apparently) random port number but also
from a different apparent IP address !
So we _must_ add this capability....(but it is no big deal right?)
4) you also need to send packets periodically to keep
the NAT mappings "open". But the issue here is simply
to document that, right ?
regards,
Philippe Gentric
Software Architect
Philips MP4Net
"philippe dot gentric at philips dot com"
http://www.platform4.philips.com
To: Philippe Gentric/MP4-SUR/CE/PHILIPS@EMEA1
cc: IETF MMUSIC WG <mmusic@ietf.org>
Subject: Re: [MMUSIC] RTSP and NATs
Magnus Westerlund Classification:
<magnus.westerlund@era.ericsson
.se>
05/02/2003 19:45
Hi Philippe,
philippe.gentric@philips.com wrote:
>Magnus,
>
>I strongly support the recommendation to not use ALGs,
>therefore STUN should be used instead but then you wrote:
>
>
> > To be able to use STUN to traverse symmetric NATs the STUN server
> > needs to be co-located with the streaming server media distribution
> > ports. As this will create implementations difficulties and possi-
> > bly security problems this SHOULD NOT be done.
>
>I am surprised, I would have proposed _on the contrary_ a "SHOULD" here
>(since traversing symetric NATs is a key feature) !
>
>
>also what do you mean by "implementation difficulties" ? (I really cannot see any ?)
>and could you explicit what type of _additional_ security issues this would cause
>(i.e. issues that are not inherent to running either a RTSP or a STUN server in the first place ?)
>
>
The problem of running STUN for a symmetric NAT is that the STUN server
must be located at the servers sending port. So using the same RTSP
mechanism that are used for traversing a cone-nat the client would:
1. first contact a well known port with the server for each his media
stream to get the mapping of the stream. The client can't use any other
then the well known port because it doesn't know what port to send to.
2. In the SETUP ask the server to send from its STUN servers well known
port. It also needs to receive RTCP on that port.
3. For keep alive on the RTP port the client needs to send periodically
STUN messages to the STUN server.
This is a mess for a implementor. It need to have a STUN server
receiving the STUN messages while the RTP/RTCP stack should receive all
other messages. Also all the clients need to reside on the same port
number which creates a multiplexing nightmare.
If you change the setup phase so that the streams are first SETUP to
dummy ports then reconfigured with a later message, the STUN could be
located at each media streams source address. However in this setup it
is actually better to use symmetric RTP in all regards except perhaps
hi-jacking of media streams. However with certain restrictions you can
actually end up with at least the same level of security that RTSP
provides today.
How are you using STUN to traverse a symmetric NAT?
Best Regards
Magnus
--
Magnus Westerlund
Multimedia Technologies, Ericsson Research ERA/TVA/A
----------------------------------------------------------------------
Ericsson AB | Phone +46 8 4048287
Torshamsgatan 23 | Fax +46 8 7575550
S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@era.ericsson.se
_______________________________________________
mmusic mailing list
mmusic@ietf.org
https://www1.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Colin Perkins
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund