
Re: [AVT] Media over DTLS



A comment below on the NAT traversal pieces here.

David McGrew wrote:

> 3.  RTP-over-DTLS appears not to work with Symmetric RTP [6].  That
>     RTP method is commonly used in order to allow RTP sessions to
>     traverse NAT and firewall devices.  This facility relies on the
>     fact that the media source behind the NAT sends data that triggers
>     a NAT translation that allows inbound media.  If the initiator of
>     the DTLS handshake is outside of the NAT or firewall, then
>     RTP-over-DTLS will fail.

That's true, but this is why we have ICE. The problem is not specific to DTLS; generally speaking, for RTP or any type of end-to-end communications, NAT will generally require the participant behind the NAT to initiate a request outwards towards its correspondent. It's made more complicated by the fact that either the offerer or answerer or both could be behind such a NAT.


ICE solves this problem by providing each agent with the IP address of the other, so that each reaches out to the other with a STUN connectivity check. This will create the necessary NAT permissions to let subsequent communications occur.

As such, I believe that if you used ICE with DTLS, you would use ICE first to get the permissions in place, and then, once the connectivity checks succeed, run DTLS to secure the media stream. In this way, DTLS would "see" a clear IP channel and not need to worry about which end initiates or which end is behind NAT. It would just work.

It's also important to point out that NAT traversal really REQUIRES the offerer to receive the SDP answer, in order to learn the IP addresses and ports to which permissions need to be opened in the NAT. Thus, all of this discussion about completing various rounds of negotiation prior to receipt of the answer by the offerer is moot with NAT traversal; it is necessary. I'll note furthermore that this is not a consequence of the specifics of ICE; it is an unavoidable consequence of two things: (1) the separation of the media and the signaling on different ports, (2) the nature of NATs, requiring permissions to be installed before relaying packets from an outside entity. Any NAT traversal solution fitting within these constraints will have the same requirement, including SBCs.

Thanks,
Jonathan R.


--
Jonathan D. Rosenberg, Ph.D.        600 Lanidex Plaza
Cisco Fellow                        Parsippany, NJ 07054-2711
Cisco Systems
jdrosen at cisco.com                FAX:   (973) 952-5050
http://www.jdrosen.net              PHONE: (973) 952-5000
http://www.cisco.com

_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www1.ietf.org/mailman/listinfo/avt
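The sequence the reply above describes (ICE connectivity checks first, DTLS over the resulting path second, and the offerer unable to send anything useful until the answer has given it the far end's address), as an added toy simulation that is not part of the original thread or of any IETF implementation. Everything in it is an assumption made for illustration: a simplified NAT with endpoint-independent mapping and address-and-port-dependent filtering, one UDP port per host, documentation-prefix addresses, and STUN/ICE reduced to the one fact that matters for the argument, namely that an outbound datagram installs a NAT permission for the remote it was sent to.

```python
"""Toy model of why ICE connectivity checks, not the direction of the DTLS
handshake, decide whether media crosses a NAT. Constructed illustration for
the reply above, not code from the AVT thread or any IETF implementation.
Assumed: a simplified NAT (endpoint-independent mapping, address-and-port-
dependent filtering), one UDP port per host, documentation-prefix addresses,
and STUN/ICE reduced to one fact: an outbound datagram installs a NAT
permission for the remote (ip, port) it was sent to."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")   # src/dst are (ip, port)


class Nat:
    """One public IP. An inside socket gets one stable public port; inbound
    datagrams to that port pass only from a remote the socket already sent to."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mapping = {}       # inside (ip, port) -> public port
        self.permitted = {}     # public port -> set of remote (ip, port)
        self.next_port = 40000

    def outbound(self, pkt):
        if pkt.src not in self.mapping:
            self.mapping[pkt.src] = self.next_port
            self.next_port += 1
        port = self.mapping[pkt.src]
        self.permitted.setdefault(port, set()).add(pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        port = pkt.dst[1]
        if pkt.src not in self.permitted.get(port, set()):
            return None         # nothing went out to this remote yet: dropped
        inside = next(s for s, p in self.mapping.items() if p == port)
        return Packet(pkt.src, inside, pkt.payload)


class Network:
    """Hosts are (ip, port) tuples; private hosts are registered with their NAT."""

    def __init__(self):
        self.inbox = {}         # host ip -> list of delivered packets
        self.nats = {}          # NAT public ip -> Nat
        self.behind = {}        # private host ip -> its Nat

    def add_host(self, addr, nat=None):
        self.inbox[addr[0]] = []
        if nat is not None:
            self.nats[nat.public_ip] = nat
            self.behind[addr[0]] = nat

    def send(self, pkt):
        """Route one datagram: True if delivered, False if a NAT dropped it."""
        if pkt.src[0] in self.behind:
            pkt = self.behind[pkt.src[0]].outbound(pkt)
        if pkt.dst[0] in self.nats:
            pkt = self.nats[pkt.dst[0]].inbound(pkt)
            if pkt is None:
                return False
        self.inbox[pkt.dst[0]].append(pkt)
        return True


def stun_binding(net, host, stun):
    """Server-reflexive (ip, port) of host: its address as the STUN server saw it."""
    net.send(Packet(host, stun, "STUN Binding request"))
    seen = net.inbox[stun[0]][-1].src
    net.send(Packet(stun, seen, "STUN Binding response"))
    return seen


def setup():
    """Offerer Alice and answerer Bob, each behind its own NAT, plus a public
    STUN server. Returns the network, both hosts and both reflexive candidates."""
    net, stun = Network(), ("192.0.2.1", 3478)
    alice, bob = ("192.168.1.2", 5004), ("10.0.0.5", 5004)
    net.add_host(alice, Nat("203.0.113.10"))
    net.add_host(bob, Nat("198.51.100.7"))
    net.add_host(stun)
    return net, alice, bob, stun_binding(net, alice, stun), stun_binding(net, bob, stun)


def dtls_without_ice():
    """McGrew's case: the party outside the offerer's NAT initiates the DTLS
    handshake toward the offerer's candidate before anything has opened that NAT."""
    net, alice, bob, alice_pub, bob_pub = setup()
    return net.send(Packet(bob, alice_pub, "DTLS ClientHello"))


def dtls_with_ice():
    """ICE first, DTLS second; returns the delivery result of each step."""
    net, alice, bob, alice_pub, bob_pub = setup()
    r = {}
    # The offerer can send its check only after the answer has told it bob_pub.
    # The check dies at Bob's NAT but installs the permission on Alice's.
    r["alice_check_1"] = net.send(Packet(alice, bob_pub, "STUN Binding request"))
    # Bob's check installs the permission on his NAT, and Alice's NAT lets it in.
    r["bob_check"] = net.send(Packet(bob, alice_pub, "STUN Binding request"))
    # Alice's retransmitted check now succeeds: the path is open both ways.
    r["alice_check_2"] = net.send(Packet(alice, bob_pub, "STUN Binding request"))
    # DTLS no longer cares which side is client or which sits behind a NAT.
    r["dtls_from_answerer"] = net.send(Packet(bob, alice_pub, "DTLS ClientHello"))
    r["dtls_from_offerer"] = net.send(Packet(alice, bob_pub, "DTLS ClientHello"))
    return r
```

Running `dtls_without_ice()` returns False: the ClientHello from outside reaches Alice's NAT, which has a mapping for her (created by the STUN binding) but no permission for Bob's address, so it is dropped exactly as the quoted concern predicts. In `dtls_with_ice()` the first check from the offerer is also dropped, yet it is what opens her NAT for Bob; once both sides have sent one check, the handshake succeeds regardless of which side plays the DTLS client. Note that the offerer could not have sent that first check at all without knowing `bob_pub`, which is the point about needing the SDP answer before NAT traversal can start.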