
Re: [MMUSIC] RTSP & NAT: Symmetric RTP



On Tue, Feb 11, 2003 at 12:21:38PM +0100, Magnus Westerlund wrote:
> Hi Tom,
> 
> I think this is a good idea, however we will still have the DOS attack 
> problems when specifying addresses other than the ones the RTSP 
> connection uses. I don't have a good way of solving this.

Unfortunately, I don't either.  Is it mandatory to solve it in the spec?  It
seems to me that the best solution is to have a challenge/response mechanism
for each transport.  But that is beyond the scope of RTSP.  Perhaps it would
be sufficient to say that the possibility for abuse exists and some form of
cryptographically secure challenge/response mechanism should be used if the
server allows sending to a different address than the client RTSP endpoint.

The most troublesome scenario is a NAT that maps the RTSP and transport
flows to different IP addresses.  How common is this?

> As you used a description format that is not the ABNF of RFC 2234 I 
> converted it below.

[...]

Thank you.

> Some small detail questions:
> - Should the port range be limited to 16 bit values?

For UDP with IPv4 and IPv6, yes.  For others (non-UDP or IPv7+), who knows?

> - What are the rules when it would be optional to specify port numbers?

Perhaps a transport can have an implied or well-known port number, or a port
number is not applicable to it, etc.

-- 
A lot of people are afraid of heights.  Not me.  I'm afraid of widths.
        -- Steven Wright
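
An added illustration, not part of the original message or of any RTSP specification: one way a server could run the per-transport challenge/response suggested above before sending media to an address other than the client's RTSP endpoint. The design assumed here is a return-routability check: the server sends one small token to the requested destination and streams only after the client echoes it back over the RTSP connection. All function names, the token format and the 30-second lifetime are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import os
import time

SERVER_KEY = os.urandom(32)  # per-server secret (assumption: rotated out of band)
TOKEN_LIFETIME = 30          # seconds a challenge stays valid (assumed value)


def needs_challenge(rtsp_peer_ip, dest_ip):
    """Media sent to the RTSP peer's own address needs no extra proof."""
    return ipaddress.ip_address(rtsp_peer_ip) != ipaddress.ip_address(dest_ip)


def _mac(key, session_id, dest_ip, dest_port, issued):
    # Bind the token to the session and to the exact destination requested.
    msg = f"{session_id}|{dest_ip}|{dest_port}|{issued}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_challenge(session_id, dest_ip, dest_port, now=None, key=SERVER_KEY):
    """Token the server sends in ONE packet to dest_ip:dest_port, never over RTSP."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(key, session_id, dest_ip, dest_port, issued)}"


def verify_response(token, session_id, dest_ip, dest_port, now=None, key=SERVER_KEY):
    """True only if the token echoed over RTSP matches this session and
    destination and has not expired; only then may media flow to dest_ip."""
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False  # malformed token
    current = time.time() if now is None else now
    if not 0 <= current - issued <= TOKEN_LIFETIME:
        return False  # expired, or timestamp from the future
    expected = _mac(key, session_id, dest_ip, dest_port, issued)
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample: RTSP peer 198.51.100.7 asks for media to 192.0.2.10:5004.
    if needs_challenge("198.51.100.7", "192.0.2.10"):
        tok = make_challenge("sess1", "192.0.2.10", 5004)
        print("echoed correctly:", verify_response(tok, "sess1", "192.0.2.10", 5004))
        print("other address:   ", verify_response(tok, "sess1", "192.0.2.99", 5004))
```

A host that cannot receive at the requested destination never sees the token, so the most it can make the server send there is one small challenge packet per request.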
