Re: [MMUSIC] RTSP and NATs
Hi Philippe,
philippe.gentric@philips.com wrote:
> Magnus,
> I strongly support the recommendation to not use ALGs,
> therefore STUN should be used instead but then you wrote:
> > To be able to use STUN to traverse symmetric NATs the STUN server
> > needs to be co-located with the streaming server media distribution
> > ports. As this will create implementation difficulties and possibly
> > security problems this SHOULD NOT be done.
> I am surprised, I would have proposed _on the contrary_ a "SHOULD" here
> (since traversing symmetric NATs is a key feature)!
> Also, what do you mean by "implementation difficulties"? (I really cannot see any.)
> And could you make explicit what type of _additional_ security issues this would cause
> (i.e. issues that are not inherent to running either an RTSP or a STUN server in the first place)?
The problem with running STUN for a symmetric NAT is that the STUN server
must be located at the server's sending port. So using the same RTSP
mechanisms that are used for traversing a cone NAT, the client would:
1. First contact a well-known port on the server for each of its media
streams to get the mapping of the stream. The client can't use any other
than the well-known port because it doesn't know what port to send to.
2. In the SETUP, ask the server to send from its STUN server's well-known
port. It also needs to receive RTCP on that port.
3. For keep-alive on the RTP port, the client needs to periodically send
STUN messages to the STUN server.
This is a mess for an implementor. It needs to have a STUN server
receiving the STUN messages while the RTP/RTCP stack should receive all
other messages. Also all the clients need to reside on the same port
number, which creates a multiplexing nightmare.
If you change the setup phase so that the streams are first SETUP to
dummy ports then reconfigured with a later message, the STUN could be
located at each media streams source address. However in this setup it
is actually better to use symmetric RTP in all regards except perhaps
hijacking of media streams. However, with certain restrictions you can
actually end up with at least the same level of security that RTSP
provides today.
How are you using STUN to traverse a symmetric NAT?
Best Regards
Magnus
--
Magnus Westerlund
Multimedia Technologies, Ericsson Research ERA/TVA/A
----------------------------------------------------------------------
Ericsson AB | Phone +46 8 4048287
Torshamsgatan 23 | Fax +46 8 7575550
S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@era.ericsson.se
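
The demultiplexing burden described in the message above (one server port that has to feed a STUN server and the RTP/RTCP stack for every client at once), as an added example that is not part of the original message or of any implementation discussed on the list. It assumes the common first-byte heuristic for separating STUN from RTP/RTCP and the 192..223 second-byte range for RTCP; `SharedPortDemux`, the session ids and the sample datagrams are hypothetical and constructed.

```python
import struct

def classify(datagram: bytes) -> str:
    """Label one UDP payload as 'stun', 'rtp', 'rtcp' or 'unknown'."""
    if len(datagram) < 8:
        return "unknown"
    first, second = datagram[0], datagram[1]
    if first >> 6 == 0 and len(datagram) >= 20:
        # STUN: 20-byte header; the length field counts only the attributes.
        (attr_len,) = struct.unpack_from("!H", datagram, 2)
        return "stun" if attr_len == len(datagram) - 20 else "unknown"
    if first >> 6 == 2:
        # RTP/RTCP version 2; RTCP packet types put byte 1 in 192..223.
        return "rtcp" if 192 <= second <= 223 else "rtp"
    return "unknown"

class SharedPortDemux:
    """Hypothetical dispatcher for one server port shared by all clients."""
    def __init__(self):
        self.sessions = {}  # NAT-mapped (ip, port) -> RTSP session id

    def bind(self, src, session_id):
        # Called once the mapping for a session's media stream is known.
        self.sessions[src] = session_id

    def dispatch(self, src, datagram):
        kind = classify(datagram)
        if kind == "stun":
            return ("stun-server", None)  # answered before any session exists
        session = self.sessions.get(src)
        if kind == "unknown" or session is None:
            return ("drop", None)         # media from an unbound source address
        return (kind + "-stack", session)

# Constructed sample datagrams (not captured traffic).
STUN_REQ = struct.pack("!HH", 0x0001, 0) + bytes(16)
RTP_PKT = bytes([0x80, 96]) + struct.pack("!HII", 1, 160, 0x1234)
RTCP_RR = bytes([0x80, 201]) + struct.pack("!HI", 1, 0x1234)

def demo():
    demux = SharedPortDemux()
    client = ("198.51.100.7", 40001)      # documentation-range address
    demux.bind(client, "session-A")
    return [demux.dispatch(client, p) for p in (STUN_REQ, RTCP_RR, RTP_PKT)] + [
        demux.dispatch(("198.51.100.9", 40002), RTP_PKT)]

if __name__ == "__main__":
    print(demo())
```

Because every client sends to the same server port, the only key left for telling sessions apart is the NAT-mapped source address, which is why the dispatcher drops media from any address that has not been bound to a session.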