Re: [MMUSIC] RTSP and NATs
philippe.gentric@philips.com Mon, 10 February 2003 16:17 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14085 for <mmusic-archive@odin.ietf.org>; Mon, 10 Feb 2003 11:17:55 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h1AGQNO25482 for mmusic-archive@odin.ietf.org; Mon, 10 Feb 2003 11:26:23 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1AGQNp25479 for <mmusic-web-archive@optimus.ietf.org>; Mon, 10 Feb 2003 11:26:23 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14070 for <mmusic-web-archive@ietf.org>; Mon, 10 Feb 2003 11:17:23 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1AGQ8p25469; Mon, 10 Feb 2003 11:26:08 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1AGPRp25427 for <mmusic@optimus.ietf.org>; Mon, 10 Feb 2003 11:25:27 -0500
Received: from gw-nl4.philips.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14050 for <mmusic@ietf.org>; Mon, 10 Feb 2003 11:16:27 -0500 (EST)
From: philippe.gentric@philips.com
Received: from smtpscan-nl2.philips.com (smtpscan-nl2.philips.com [130.139.36.22]) by gw-nl4.philips.com (Postfix) with ESMTP id 595EDA3D02; Mon, 10 Feb 2003 17:20:07 +0100 (MET)
Received: from smtprelay-nl1.philips.com (localhost [127.0.0.1]) by smtpscan-nl2.philips.com (8.9.3/8.8.5-1.2.2m-19990317) with ESMTP id RAA27362; Mon, 10 Feb 2003 17:20:05 +0100 (MET)
Received: from hbg001soh.diamond.philips.com (e1soh01.diamond.philips.com [130.143.165.45]) by smtprelay-nl1.philips.com (8.9.3/8.8.5-1.2.2m-19990317) with ESMTP id RAA27109; Mon, 10 Feb 2003 17:20:01 +0100 (MET)
Subject: Re: [MMUSIC] RTSP and NATs
To: Magnus Westerlund <magnus.westerlund@era.ericsson.se>, jdrosen@dynamicsoft.com
Cc: IETF MMUSIC WG <mmusic@ietf.org>
X-Mailer: Lotus Notes Release 5.0.9a January 7, 2002
Message-ID: <OFE2572A2C.42479ADB-ONC1256CC9.0037EA6E-C1256CC9.0059C316@diamond.philips.com>
Date: Mon, 10 Feb 2003 17:13:39 +0100
X-MIMETrack: Serialize by Router on hbg001soh/H/SERVER/PHILIPS(Release 5.0.9a |January 7, 2002) at 10/02/2003 17:21:03
MIME-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Sender: mmusic-admin@ietf.org
Errors-To: mmusic-admin@ietf.org
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Jonathan you wrote: >I agree that symmetric RTP is clearly the best solution for RTSP as it >is used today. I do not believe that relying on source IP being the same > between the RTSP and RTP sessions is a good idea. This won't work in >enterprises which may be natting into a multiplicity of IP addresses. YES! I fully agree, (see item 3 below) Magnus, (Sorry for the delay in responding to previous RTSP&NAT) Having a RTSP server and a STUN server co-located at the same port is no concern for us neither in terms of security nor in terms of implementation, or to be more specific it is largely worth the trouble ! i.e. the trade of is rather simple: either you do that or NATs will prevent you from using RTSP.... And yes, magnus, you are right, the first key issue is to inform the client about the ports the server will be listening for incomming STUN packets, which need to be the RTP and RTCP ports.... ******************************************* let me summarize the 4 open issues I see for RTSP/STUN/NAT: (1) server signals its RTP and RTCP ports: it can be done either: (a) in the SDP (since its per-media ?) as in draft-ietf-mmusic-sdp4nat-03.txt or (b) in the headers of the response to DESCRIBE or SETUP Note that if SETUP is used it is a failed-in-advance attempt ("hey, try again, because this wont work") causing 1 round trip, so I dont like this solution much, and also there are cases when you dont use DESCRIBE ... so I would prefer solution (a)SDP. 2) there is the possiblity that inside DESCRIBE and/or SETUP the client gives its IP address, then the server could compare this transported client IP with the apparent IP address of the client, Then the server could make a specific reply: -we would need to define a new status- for example: "463: See you from behind a NAT, use STUN on designated ports" But this solution would only be a safe-guard, I mean it is smart to assume that: "When the server indicates explicit RTP and RTCP ports, the client SHOULD send STUN queries toward the server at these port numbers and wait for STUN responses indicating the possible presence of NAT." so that if you prefer to wait for a possible 463... you loose... a round trip !-) too bad! 3) One key missing item (as noted by Jonathan) is also the capability at SETUP to indicate not only a specific port number but also a specific IP address since through some NATs RTP and RTCP packets will come out not only with an (apparently) random port number but also from a different apparent IP address ! So we _must_ add this capability....(but it is no big deal right?) 4) you also need to send packets periodically to keep the NAT mappings "open". But the issue here is simply to document that, right ? regards, Philippe Gentric Software Architect Philips MP4Net "philippe dot gentric at philips dot com" http://www.platform4.philips.com To: Philippe Gentric/MP4-SUR/CE/PHILIPS@EMEA1 cc: IETF MMUSIC WG <mmusic@ietf.org> Subject: Re: [MMUSIC] RTSP and NATs Magnus Westerlund Classification: <magnus.westerlund@era.ericsson .se> 05/02/2003 19:45 Hi Philippe, philippe.gentric@philips.com wrote: >Magnus, > >I strongly support the recommendation to not use ALGs, >therefore STUN should be used instead but then you wrote: > > > > To be able to use STUN to traverse symmetric NATs the STUN server > > needs to be co-located with the streaming server media distribution > > ports. As this will create implementations difficulties and possi- > > bly security problems this SHOULD NOT be done. > >I am surprised, I would have proposed _on the contrary_ a "SHOULD" here >(since traversing symetric NATs is a key feature) ! > > >also what do you mean by "implementation difficulties" ? (I really cannot see any ?) >and could you explicit what type of _additional_ security issues this would cause >(i.e. issues that are not inherent to running either a RTSP or a STUN server in the first place ?) > > The problem of running STUN for a symmetric NAT is that the STUN server must be located at the servers sending port. So using the same RTSP mechanism that are used for traversing a cone-nat the client would: 1. first contact a well known port with the server for each his media stream to get the mapping of the stream. The client can't use any other then the well known port because it doesn't know what port to send to. 2. In the SETUP ask the server to send from its STUN servers well known port. It also needs to receive RTCP on that port. 3. For keep alive on the RTP port the client needs to send periodically STUN messages to the STUN server. This is a mess for a implementor. It need to have a STUN server receiving the STUN messages while the RTP/RTCP stack should receive all other messages. Also all the clients need to reside on the same port number which creates a multiplexing nightmare. If you change the setup phase so that the streams are first SETUP to dummy ports then reconfigured with a later message, the STUN could be located at each media streams source address. However in this setup it is actually better to use symmetric RTP in all regards except perhaps hi-jacking of media streams. However with certain restrictions you can actually end up with at least the same level of security that RTSP provides today. How are you using STUN to traverse a symmetric NAT? Best Regards Magnus -- Magnus Westerlund Multimedia Technologies, Ericsson Research ERA/TVA/A ---------------------------------------------------------------------- Ericsson AB | Phone +46 8 4048287 Torshamsgatan 23 | Fax +46 8 7575550 S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@era.ericsson.se _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Colin Perkins
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund