idnits 2.17.1 

draft-ietf-mmusic-rtsp-nat-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1526.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1497.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1504.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1510.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
     document.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 24, 2005) is 6757 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '3' is defined on line 1422, but no explicit reference
     was found in the text

  == Unused Reference: '11' is defined on line 1442, but no explicit
     reference was found in the text

  == Unused Reference: '14' is defined on line 1454, but no explicit
     reference was found in the text

  == Unused Reference: '15' is defined on line 1457, but no explicit
     reference was found in the text

  == Unused Reference: '20' is defined on line 1471, but no explicit
     reference was found in the text

  == Unused Reference: '22' is defined on line 1476, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2326 (ref. '1') (Obsoleted by RFC 7826)

  ** Obsolete normative reference: RFC 2327 (ref. '2') (Obsoleted by RFC 4566)

  ** Obsolete normative reference: RFC 4234 (ref. '3') (Obsoleted by RFC 5234)

  ** Obsolete normative reference: RFC 3489 (ref. '6') (Obsoleted by RFC 5389)

  == Outdated reference: A later version (-40) exists of
     draft-ietf-mmusic-rfc2326bis-11

  -- Possible downref: Normative reference to a draft: ref. '8' 

  == Outdated reference: A later version (-19) exists of
     draft-ietf-mmusic-ice-06

  ** Obsolete normative reference: RFC 3388 (ref. '10') (Obsoleted by RFC
     5888)

  ** Obsolete normative reference: RFC 4091 (ref. '11') (Obsoleted by RFC
     5245)

  -- Obsolete informational reference (is this intentional?): RFC 2766 (ref.
     '13') (Obsoleted by RFC 4966)

  -- Obsolete informational reference (is this intentional?): RFC 2460 (ref.
     '14') (Obsoleted by RFC 8200)

  -- Duplicate reference: RFC4091, mentioned in '16', was also mentioned in
     '11'.

  -- Obsolete informational reference (is this intentional?): RFC 4091 (ref.
     '16') (Obsoleted by RFC 5245)

  == Outdated reference: A later version (-03) exists of
     draft-wing-avt-rtp-noop-00

  == Outdated reference: A later version (-18) exists of
     draft-ietf-behave-rfc3489bis-02

  == Outdated reference: A later version (-08) exists of
     draft-ietf-behave-nat-udp-04


     Summary: 10 errors (**), 0 flaws (~~), 15 warnings (==), 12 comments
     (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                  Magnus Westerlund
3	INTERNET-DRAFT                                                  Ericsson
4	Expires: April 2006                                          Thomas Zeng
5	                                           PacketVideo Network Solutions
6	                                                        October 24, 2005

8	     How to Enable Real-Time Streaming Protocol (RTSP) Traverse Network
9	           Address Translators (NAT) and Interact with Firewalls.
10	                    <draft-ietf-mmusic-rtsp-nat-04.txt>

12	Status of this memo

14	   By submitting this Internet-Draft, each author represents that any
15	   applicable patent or other IPR claims of which he or she is aware
16	   have been or will be disclosed, and any of which he or she becomes
17	   aware will be disclosed, in accordance with Section 6 of BCP 79.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups. Note that
21	   other groups may also distribute working documents as Internet-
22	   Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six
25	   months and may be updated, replaced, or obsoleted by other documents
26	   at any time.  It is inappropriate to use Internet-Drafts as
27	   reference material or to cite them other than as "work in
28	   progress.".

30	   The list of current Internet-Drafts can be accessed at
31	   http://www.ietf.org/1id-abstracts.html

33	   The list of Internet-Draft Shadow Directories can be accessed at
34	   http://www.ietf.org/shadow.html

36	   This document is an individual submission to the IETF. Comments
37	   should be directed to the authors.

39	Abstract

41	   This document describes several types of NAT traversal techniques
42	   that can be used by RTSP. For each technique a description on how it
43	   shall be used, what security implications it has and other
44	   deployment considerations are given. Further a description on how
45	   RTSP relates to firewalls is given.

47	TABLE OF CONTENTS

49	1. Definitions.........................................................4
50	  1.1. Glossary........................................................4
51	  1.2. Terminology.....................................................4
52	2. Changes.............................................................4
53	3. Introduction........................................................5
54	  3.1. NATs............................................................5
55	  3.2. Firewalls.......................................................5
56	4. Requirements........................................................6
57	5. Detecting the loss of NAT mappings..................................7
58	6. NAT Traversal Techniques............................................8
59	  6.1. STUN............................................................8
60	   6.1.1. Introduction.................................................8
61	   6.1.2. Using STUN to traverse NAT without server modifications......9
62	   6.1.3. Embedding STUN in RTSP......................................11
63	   6.1.4. Discussion On Co-located STUN Server........................12
64	   6.1.5. ALG considerations..........................................12
65	   6.1.6. Deployment Considerations...................................12
66	   6.1.7. Security Considerations.....................................14
67	  6.2. ICE............................................................14
68	   6.2.1. Introduction................................................14
69	   6.2.2. Using ICE in RTSP...........................................15
70	   6.2.3. Implementation burden of ICE................................17
71	   6.2.4. Deployment Considerations...................................17
72	  6.3. Symmetric RTP..................................................18
73	   6.3.1. Introduction................................................18
74	   6.3.2. Necessary RTSP extensions...................................18
75	   6.3.3. Deployment Considerations...................................18
76	   6.3.4. Security Consideration......................................19
77	   6.3.5. A Variation to Symmetric RTP................................20
78	  6.4. Application Level Gateways.....................................21
79	   6.4.1. Introduction................................................21
80	   6.4.2. Guidelines On Writing ALGs for RTSP.........................22
81	   6.4.3. Deployment Considerations...................................23
82	   6.4.4. Security Considerations.....................................23
83	  6.5. TCP Tunneling..................................................23
84	   6.5.1. Introduction................................................23
85	   6.5.2. Usage of TCP tunneling in RTSP..............................24
86	   6.5.3. Deployment Considerations...................................24
87	   6.5.4. Security Considerations.....................................24
88	  6.6. TURN (Traversal Using Relay NAT)...............................25
89	   6.6.1. Introduction................................................25
90	   6.6.2. Usage of TURN with RTSP.....................................25
91	   6.6.3. Deployment Considerations...................................26
92	   6.6.4. Security Considerations.....................................27
93	7. Firewalls..........................................................28
94	8. Comparison of Different NAT Traversal Techniques...................28
95	9. Open Issues........................................................29
96	10. Security Consideration............................................29
97	11. IANA Consideration................................................30
98	12. Acknowledgments...................................................30
99	13. Author's Addresses................................................30
100	14. References........................................................31
101	15. IPR Notice........................................................33
102	16. Copyright Notice........................Error! Bookmark not defined.

104	1. Definitions

106	1.1. Glossary

108	   ALG    - Application Level Gateway, an entity that can be embedded
109	            in a NAT or other middlebox to perform the application layer
110	            functions required for a particular protocol to traverse the
111	            NAT/middlebox [6]
112	   ICE    - Interactive Connectivity Establishment, see [9].
113	   DNS    - Domain Name Service
114	   DDOS   - Distributed Denial Of Service attacks
115	   MID    - Media Identifier from Grouping of media lines in SDP, see
116	            [10].
117	   NAT    - Network Address Translator, see [12].
118	   NAT-PT - Network Address Translator Protocol Translator, see [13]
119	   RTP    - Real-time Transport Protocol, see [5].
120	   RTSP   - Real-Time Streaming Protocol, see [1] and [7].
121	   SDP    - Session Description Protocol, see [2].
122	   SSRC   - Synchronization source in RTP, see [5].
123	   TBD    - To Be Decided

125	1.2. Terminology

127	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
128	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
129	   document are to be interpreted as described in RFC 2119 [4].

131	2. Changes

133	   The following changes have been done since draft-ietf-mmusic-rtsp-
134	   nat-03.txt:

136	   - A outline of a procedure for ICE is presneted.
137	   - Updated references
138	   - Replaced NAT classification by BEHAVE WG definitions.

140	3. Introduction

142	   Today there is a proliferate deployment of different flavors of
143	   Network Address Translator (NAT) boxes that in practice follow
144	   standards rather loosely [12][24][18].  NATs cause discontinuity in
145	   address realms [18], therefore a protocol, such as RTSP, needs to
146	   try to make sure that it can deal with such discontinuities caused
147	   by NATs. The problem with RTSP is that, being a media control
148	   protocol that manages one or more media streams; RTSP carries
149	   information about network addresses and ports inside itself. Because
150	   of this, even if RTSP itself, when carried over TCP for example, is
151	   not blocked by NATs, its media streams may be blocked by NATs,
152	   unless special provisions are added to support NAT-traversal.

154	   Like NATs, firewalls (FWs) are also middle boxes that need to be
155	   considered. They are deployed to prevent unwanted traffic to be able
156	   to get in or out of the protected network. RTSP is designed such
157	   that a firewall can be configured to let RTSP controlled media
158	   streams to go through with minimal implementation problems. However
159	   there is a need for more detailed information on how FWs should be
160	   configured to work with RTSP.

162	   This document describes several NAT-traversal mechanisms for RTSP
163	   based streaming. These NAT solutions fall into the category of
164	   ""UNilateral Self-Address Fixing (UNSAF)" as defined in [18] and
165	   quoted below:
166	          "UNSAF is a process whereby some originating process attempts
167	          to determine or fix the address (and port) by which it is
168	          known - e.g. to be able to use address data in the protocol
169	          exchange, or to advertise a public address from which it will
170	          receive connections."

172	   Following the guidelines spelled out in [18], we describe the
173	   required RTSP protocol extensions for each method, transition
174	   strategies, and security concerns.

176	   This document intends to recommend FW/NAT traversal methods for RTSP
177	   streaming servers based on RFC 2326 [1] as well as the updated RTSP
178	   core spec [7]. This document is intended to be updated to stay
179	   consistent with the RTSP core protocol [7].

181	3.1. NATs

183	   Today there exist a number of different NAT types and usage areas.
184	   These are described in the section 3 and 4 of [26].
185	3.2. Firewalls

187	   A firewall (FW) is a security gateway that enforces certain access
188	   control policies between two network administrative domains: a
189	   private domain (intranet) and a public domain (public internet).

191	   Many organizations use firewalls to prevent privacy intrusions and
192	   malicious attacks to corporate computing resources in the private
193	   intranet [19].
194	   A comparison between NAT and FW are given below:

196	   1. FW must be a gateway between two network administrative domains,
197	      while NAT does not have to sit between two domains. In fact, in
198	      many corporations there are many NAT boxes within the intranet,
199	      in which case the NAT boxes sit between subnets.
200	   2. NAT does not in itself provide security, although some access
201	      control policies can be implemented using address translation
202	      schemes.
203	   3. NAT and FWs are similar in that they can both be configured to
204	      allow multiple network hosts to share a single public IP address.
205	      In other words, a host behind a NAT or FW can have a private IP
206	      address and a public one, so for NAT and FW there is the issue of
207	      address mapping which is important in order for RTSP protocol to
208	      work properly when there are NATs and FWs between the RTSP server
209	      and its clients.

211	   In the rest of this memo we use the phrase "NAT traversal"
212	   interchangeably with "FW traversal", "NAT/FW traversal" and
213	   "NAT/Firewall traversal".

215	4. Requirements

217	   This section considers the set of requirements when designing or
218	   evaluating RTSP NAT traversal solutions.

220	   RTSP is a client/server protocol, and as such the targeted
221	   applications in general deploy RTSP servers in the public address
222	   realm. However, there are use cases where the reverse is true: RTSP
223	   clients are connecting from public address realm to RTSP servers
224	   behind home NATs. This is the case for instance when home
225	   surveillance cameras running as RTSP servers intend to stream video
226	   to cell phone users in the public address realm through a home NAT.

228	   The first priority should be to solve the RTSP NAT traversal problem
229	   for RTSP servers deployed in the open.

231	   The list of feature requirements for RTSP NAT solutions are given
232	   below:
233	     1. MUST work for all flavors of NATs, including symmetric NATs.
234	     2. MUST work for firewalls (subject to pertinent firewall
235	        administrative policies), including those with ALGs.
236	     3. SHOULD have minimal impact on clients in the open and not dual-
237	        hosted:
238	          o For instance, no extra delay from RTSP connection till
239	             arrival of media.

241	     4. SHOULD be simple to use/implement/administer that people
242	        actually turn them on
243	          o Otherwise people will resort to TCP tunneling through NATs
244	          o Address discovery for NAT traversal should take place
245	             behind the scene, if possible

247	     5. SHOULD authenticate dual-hosted client transport handler to
248	        prevent DDOS attacks.

250	     The last requirement addresses the Distributed Denial-Of-Service
251	     (DDOS) threat, which relates to NAT traversal as explained below.

253	     During NAT traversal, when the RTSP server performs address
254	     translation on a client, the result may be that the public IP
255	     address of the RTP receiver host is different than the public IP
256	     address of the RTSP client host. This posts a DDOS threat that has
257	     significant amplification potentials because the RTP media streams
258	     in general consist of large number of IP packets. DDOS attacks
259	     occur if the attacker fakes the messages in the NAT traversal
260	     mechanism to trick the RTSP server into believing that the
261	     client's RTP receiver is located in a separate host. For example,
262	     user A may use his RTSP client to direct the RTSP server to send
263	     video RTP streams to www.foo.com in order to degrade the services
264	     provided by www.foo.com. Note a simple preventative measure is for
265	     the RTSP server to disallow the cases where the client's RTP
266	     receiver has a different public IP address than that of the RTSP
267	     client. However, in some applications (e.g., XCON), dual-hosted
268	     RTSP/RTP clients have valid use cases. The key is how to
269	     authenticate the messages exchanged during the NAT traversal
270	     process. Message authentication is a big challenge in the current
271	     wired and wireless networking environment. It may be necessary in
272	     the immediate future to deploy NAT traversal solutions that do not
273	     have full message authentication, but provide upgrade path to add
274	     authentication features in the future.

276	5. Detecting the loss of NAT mappings

278	   Several of the NAT traversal techniques in the next chapter make use
279	   of the fact that the NAT UDP mapping's external address and port can
280	   be discovered. This information is then utilized to traverse the NAT
281	   box. However any such information is only good while the mapping is
282	   still valid. As the IAB's UNSAF document [18] points out, the
283	   mapping can either timeout or change its properties. It is therefore
284	   important for the NAT traversal solutions to handle the loss or
285	   change of NAT mappings, according to [18].

287	   First, since NATs may also dynamically reclaim or readjust
288	   address/port translations, "keep-alive" and periodic re-polling may
289	   be required [18]. Secondly, it is possible to detect and recover
290	   from the situation where the mapping has been changed or removed.

292	   The possibility to detect a lost mapping is based on the fact that
293	   no traffic will arrive. Below we will give some recommendation on
294	   how to detect loss of NAT mappings when using RTP/RTCP under RTSP
295	   control.

297	   For RTP session there is normally a need to have both RTP and RTCP
298	   functioning. The loss of a RTP mapping can only be detected when
299	   expected traffic does not arrive. If no data arrives after having
300	   received the 200 response to a PLAY request, one can normally expect
301	   to receive RTP packets within a few seconds. However, for a receiver
302	   to be certain to detect the case where no RTP traffic was delivered
303	   due to NAT trouble, one should monitor the RTCP Sender reports. The
304	   sender report carries a field telling how many packets the server
305	   has sent. If that has increased and no RTP packets has arrived for a
306	   few seconds it is likely the RTP mapping has been removed.

308	   The loss of mapping for RTCP is simpler to detect. As RTCP is
309	   normally sent periodically in each direction, even during the RTSP
310	   ready state, if RTCP packets are missing for several RTCP intervals,
311	   the mapping is likely to be lost.  Note that if no RTCP packets are
312	   received by the RTSP server and nor RTSP messages for a while, the
313	   RTSP server has the option to delete the corresponding SSRC and RTSP
314	   session ID, because either the client can not get through a middle
315	   box NAT/FW, or that the client is mal-functioning.

317	6. NAT Traversal Techniques

319	   There exist a number of potential NAT traversal techniques that can
320	   be used to allow RTSP to traverse NATs. They have different features
321	   and are applicable to different topologies; their cost is also
322	   different. They also vary in security levels. In the following
323	   sections, each technique is outlined in details with discussions on
324	   the corresponding advantages and disadvantages.

326	   Not all of the techniques are yet described in the full details,
327	   because the intention is to refer to other documents, or some
328	   appendix to this document, for the full specification of a specific
329	   NAT traversal solution.  Note that some of the solutions make use of
330	   protocols (e.g., RTP-NOOP, TURN and ICE) in different stage of
331	   standardization and not yet completed.

333	6.1. STUN

335	6.1.1. Introduction

337	   STUN - "Simple Traversal of UDP Through Network Address Translators"
338	   [6][25] is a standardized protocol developed by the MIDCOM WG that
339	   allows a client to use secure means to discover the presence of a
340	   NAT between himself and the STUN server and the type of that NAT.

342	   The client then uses the STUN server to discover the address
343	   bindings assigned by the NAT.

345	   STUN is a client-server protocol. STUN client sends a request to a
346	   STUN server and the server returns a response. There are two types
347	   of STUN requests - Binding Requests, sent over UDP, and Shared
348	   Secret Requests, sent over TLS over TCP.

350	6.1.2. Using STUN to traverse NAT without server modifications

352	   This section describes how a client can use STUN to traverse NATs to
353	   RTSP servers without requiring server modifications. However this
354	   method has limited applicability and requires the server to be
355	   available in the external/public address realm in regards to the
356	   client located behind a NAT(s).

358	   Limitations:

360	   - The server must be located in either a public address realm or the
361	     next hop external address realm in regards to the client.
362	   - The client may only be located behind NATs that performing
363	     Endpoint Independent or Address Dependent Mappings. Clients behind
364	     NATs that do Address and Port Dependent Mappings cannot use this
365	     method.

367	   Method:

369	   A RTSP client using RTP transport over UDP can use STUN to traverse
370	   a NAT(s) in the following way:

372	   1. Use STUN to try to discover the type of NAT, and the timeout
373	      period for any UDP mapping on the NAT. This is RECOMMENDED to be
374	      performed in the background as soon as IP connectivity is
375	      established. If this is performed prior to establishing a
376	      streaming session the delays in the session establishment will be
377	      reduced. If no NAT is detected, normal SETUP SHOULD be used.

379	   2. The RTSP client determines the number of UDP ports needed by
380	      counting the number of needed media transport protocols sessions
381	      in the multi-media presentation. This information is available in
382	      the media description protocol, e.g. SDP. For example, each RTP
383	      session will in general require two UDP ports, one for RTP, and
384	      one for RTCP.

386	   3. For each UDP port required, establish a mapping and discover the
387	      public/external IP address and port number with the help of the
388	      STUN server. A successful mapping looks like below:
389	      client's local address/port <-> public address/port.

391	   4. Perform the RTSP SETUP for each media. In the transport header
392	      the following parameter SHOULD be included with the given values:
393	      "dest_addr" [7] with the public/external IP address and port pair
394	      for both RTP and RTCP. To allow this to work servers MUST allow a
395	      client to setup the RTP stream on any port, not only even ports.
396	      This requires the new feature provided in the update to RFC2326
397	      ([7]). The server SHOULD respond with a transport header
398	      containing an "src_addr" parameter with the RTP and RTCP source
399	      IP address and port of the media stream.

401	   5. To keep the mappings alive, the client SHOULD periodically send
402	      UDP traffic over all mappings needed for the session. STUN MAY be
403	      used to determine the timeout period of the NAT(s) UDP mappings.
404	      For the mapping carrying RTCP traffic the periodic RTCP traffic
405	      may be enough. For mappings carrying RTP traffic and for mappings
406	      carrying RTCP packets at too low a frequency, keep-alive messages
407	      SHOULD be sent. As keep alive messages, one could use the RTP
408	      NOOP packet ([23]) to the streaming server's discard port (port
409	      number 9). The drawback of using RTP NOOP is that the payload
410	      type number must be dynamically assigned through RTSP first.

412	   If a UDP mapping is lost then the above discovery process must be
413	   repeated. The media stream also needs to be SETUP again to change
414	   the transport parameters to the new ones. This will likely cause a
415	   glitch in media playback.

417	   To allow UDP packets to arrive from the server to a client behind a
418	   Address Dependent Filtering NAT, the client must send the very first
419	   UDP packet to pinch a hole in the NAT. The client, before sending a
420	   RTSP PLAY request, must send a so called FW packet (such as a RTP
421	   NOOP packet) on each mapping, to the IP address given as the servers
422	   source address. To create minimum problems for the server these UDP
423	   packets SHOULD be sent to the server's discard port (port number 9).
424	   Since UDP packets are inherently unreliable, to ensure that at least
425	   one UDP message passes the NAT, FW packets should be retransmitted
426	   in short intervals.

428	   For a Address and Port Dependent Filtering NAT the client must send
429	   messages to the exact ports used by the server to send UDP packets
430	   before sending a RTSP PLAY request. This makes it possible to use
431	   the above described process with the following additional
432	   restrictions: for each port mapping, FW packets need to be sent
433	   first to the server's source address/port. To minimize potential
434	   effects on the server from these messages the following type of FW
435	   packets MUST be sent. RTP: an empty or less than 12 bytes UDP
436	   packet.  RTCP: A correctly formatted RTCP RR or SR message.

438	   The above described adaptations for restricted NATs will not work
439	   unless the server includes the "src_addr" in the "Transport" header
440	   (which is the "source" transport parameter in RFC2326).

442	6.1.3. Embedding STUN in RTSP

444	   This section outlines the adaptation and embedding of STUN within
445	   RTSP. This enables STUN to be used to traverse any type of NAT,
446	   including symmetric NATs.  Protocol changes are beyond the scope of
447	   this memo and are instead defined in TBD internet draft.

449	   Limitations:

451	   This NAT traversal solution has limitations:

453	      1. It does not work if both RTSP client and RTSP server are
454	         behind separate NATs.
455	      2. The RTSP server may, for security reasons, refuse to send
456	         media streams to an IP different from the IP in the client RTSP
457	         requests. Therefore, if the client is behind a NAT that has
458	         multiple public addresses, and the client's RTSP port and UDP
459	         port are mapped to different IP addresses, RTSP SETUP may fail.

461	   Deviations from STUN as defined in RFC 3489

463	   Specifically, we differ from RFC3489 in two aspects:
464	      1. We allow RTSP applications to have the option to perform STUN
465	         "Shared Secret Request" through RTSP, via extension to RTSP;
466	      2. We require STUN server to be co-located on RTSP server's media
467	         output ports.

469	   In order to allow binding discovery without authentication, the STUN
470	   server embedded in RTSP application must ignore authentication tag,
471	   and the STUN client embedded in RTSP application must use dummy
472	   authentication tag.

474	   If STUN server is co-located with RTSP server's media output port,
475	   an RTSP client using RTP transport over UDP can use STUN to traverse
476	   ALL types of NATs. In the case of port and address dependent mapping
477	   NATs, the party inside the NAT must initiate UDP traffic. The STUN
478	   Bind Request, being a UDP packet itself, can serve as the traffic
479	   initiating packet. Subsequently, both the STUN Binding Response
480	   packets and the RTP/RTCP packets can traverse the NAT, regardless of
481	   whether the RTSP server or the RTSP client is behind NAT.

483	   Likewise, if a RTSP server is behind a NAT, then an embedded STUN
484	   server must co-locate on the RTSP client's RTCP port. In this case,
485	   we assume that the client has some means of establishing TCP
486	   connection to the RTSP server behind NAT so as to exchange RTSP
487	   messages with the RTSP server.

489	   To minimize delay, we require that the RTSP server supporting this
490	   option must inform its client the RTP and RTCP ports from where the
491	   server intend to send out RTP and RTCP packets, respectively. This
492	   can be done by using the "server_port" parameter in RFC2326, and the
493	   "src_addr" parameter in [7]. Both are in RTSP Transport header.

495	   To minimize the keep-alive traffic for address mapping, we also
496	   require that the RTSP end-point (server or client) sends and
497	   receives RTCP packets from the same port.

499	6.1.4. Discussion On Co-located STUN Server

501	   In order to use STUN to traverse port and address dependent mapping
502	   NATs the STUN server needs to be co-located with the streaming
503	   server media output ports. This creates a de-multiplexing problem:
504	   we must be able to differentiate a STUN packet from a media packet.
505	   This will be done based on heuristics. This works fine between STUN
506	   and RTP or RTCP where the first byte happens to be different, but
507	   may not work with other media transport protocols.

509	6.1.5. ALG considerations

511	   If a NAT supports RTSP ALG (Application Level Gateway) and is not
512	   aware of the STUN traversal option, service failure may happen,
513	   because a client discovers its public IP address and port numbers,
514	   and inserts them in its SETUP requests, when the RTSP ALG processes
515	   the SETUP request it may change the destination and port number,
516	   resulting in unpredictable behavior. In such cases a convenient way
517	   should be provided to turn off STUN-based NAT traversal.

519	6.1.6. Deployment Considerations

521	   For the non-embedded usage of STUN the following applies:

523	   Advantages:

525	   - Using STUN does not require RTSP server modifications; it only
526	     affects the client implementation.

528	   Disadvantages:

530	   - Requires a STUN server deployed in the public address space.
531	   - Only works with endpoint independent and address dependent
532	     mapping. Port and address dependent filtering NATs create some
533	     issues.
534	   - Does not work with port and address dependent mapping NATs without
535	     server modifications.
536	   - Will mostly not work if a NAT uses multiple IP addresses, since
537	     RTSP server generally requires all media streams to use the same
538	     IP as used in the RTSP connection.

540	   - Interaction problems exist when a RTSP-aware ALG interferes with
541	     the use of STUN for NAT traversal.
542	   - Using STUN requires that RTSP servers and clients support the
543	     updated RTSP specification, because it is no longer possible to
544	     guarantee that RTP and RTCP ports are adjacent to each other, as
545	     required by the "client_port" and "server_port" parameters in
546	     RFC2326.

548	   Transition:

550	   The usage of STUN can be phased out gradually as the first step of a
551	   STUN capable server or client should be to check the presence of
552	   NATs. The removal of STUN capability in the client implementations
553	   will have to wait until there is absolutely no need to use STUN.

555	   For the "Embedded STUN" method the following applies:

557	   Advantages:

559	   - STUN is a solution first used by SIP applications. As shown above,
560	     with little or no changes, RTSP application can re-use STUN as a
561	     NAT traversal solution, avoiding the pit-fall of solving a problem
562	     twice.
563	   - STUN has built-in message authentication features, which makes it
564	     more secure. See next section for an in-depth security discussion.
565	   - This solution works as long as there is only one RTSP end point in
566	     the private address realm, regardless of the NAT's type. There may
567	     even be multiple NATs (see figure 1 in [6]).
568	   - Compares to other UDP based NAT traversal methods in this
569	     document, STUN requires little new protocol development (since
570	     STUN is already a IETF standard), and most likely less
571	     implementation effort, since open source STUN server and client
572	     have become available [21]. There is the need to embed STUN in
573	     RTSP server and client, which require a de-multiplexer between
574	     STUN packets and RTP/RTCP packets. There is also a need to
575	     register the proper feature tags.

577	   Disadvantages:

579	   - Some extensions to the RTSP core protocol, signaled by RTSP
580	     feature tags, must be introduced.
581	   - Requires an embedded STUN server to co-locate on each of RTSP
582	     server's media protocol's ports (e.g. RTP and RTCP ports), which
583	     means more processing is required to de-multiplex STUN packets
584	     from media packets. For example, the de-multiplexer must be able
585	     to differentiate a RTCP RR packet from a STUN packet, and forward
586	     the former to the streaming server, the later to STUN server.
587	   - Even if the RTSP server is in the open, and the client is behind a
588	     multi-addressed NAT, it may still break if the RTSP server does
589	     not allow RTP packets to be sent to an IP differs from the IP of
590	     the client's RTSP request.
591	   - Interaction problems exist when a RTSP ALG is not aware of STUN.
592	   - Using STUN requires that RTSP servers and clients support the
593	     updated RTSP specification, and they both agree to support the
594	     proper feature tag.
595	   - Increases the setup delay with at least the amount of time it
596	     takes to perform STUN message exchanges.

598	   Transition:

600	   The usage of STUN can be phased out gradually as the first step of a
601	   STUN capable machine can be to check the presence of NATs for the
602	   presently used network connection. The removal of STUN capability in
603	   the client implementations will have to wait until there is
604	   absolutely no need to use STUN.

606	6.1.7. Security Considerations

608	   To prevent RTSP server being used as Denial of Service (DoS) attack
609	   tools the RTSP Transport header parameter "destination" and
610	   "dest_addr" are generally not allowed to point to any IP address
611	   other than the one that RTSP message originates from. The RTSP
612	   server is only prepared to make an exception of this rule when the
613	   client is trusted (e.g., through the use of a secure authentication
614	   process, or through some secure method of challenging the
615	   destination to verify its willingness to accept the RTP traffic).
616	   Such restriction means that STUN does not work for NATs that would
617	   assign different IP addresses to different UDP flows on its public
618	   side. Therefore the multi-addressed NATs will at times have trouble
619	   with STUN-based RTSP NAT traversals.

621	   In terms of security property, STUN combined with destination
622	   address restricted RTSP has the same security properties as the core
623	   RTSP. It is protected from being used as a DoS attack tool unless
624	   the attacker has ability the to spoof the TCP connection carrying
625	   RTSP messages.

627	   Using STUN's support for message authentication and secure transport
628	   of RTSP messages, attackers cannot modify STUN responses or RTSP
629	   messages to change media destination. This protects against
630	   hijacking, however as a client can be the initiator of an attack,
631	   these mechanisms cannot securely prevent RTSP servers being used as
632	   DoS attack tools.

634	6.2. ICE

636	6.2.1. Introduction
637	   ICE (Interactive Connectivity Establishment) [9] is a methodology
638	   for NAT traversal that is under development for SIP using SDP
639	   offer/answer. The basic idea is to try, in a parallel fashion, all
640	   possible connection addresses that an end point may have. This
641	   allows the end-point to use the best available UDP "connection"
642	   (meaning two UDP end-points capable of reaching each other). The
643	   methodology has very nice properties in that basically all NAT
644	   topologies are possible to traverse.

646	   Here is how ICE works. End point A collects all possible address
647	   that can be used, including local IP addresses, STUN derived
648	   addresses, TURN addresses, etc. On each local port that any of these
649	   address and port pairs leads to, a STUN server is installed. This
650	   STUN server only accepts STUN requests using the correct
651	   authentication through the use of username and password.

653	   End-point A then sends a request to establish connectivity with end-
654	   point B, which includes all possible ways to get the media through
655	   to A. Note that each of A's published address/port pairs has a STUN
656	   server co-located. B, before responding to A, uses a STUN client to
657	   try to reach all the address and port pairs specified by A. The
658	   destinations for which the STUN requests have successfully completed
659	   are then indicated. If bi-directional communication is intended the
660	   end-point B must then in its turn offer A all its reachable address
661	   and port pairs, which then are tested by A.

663	   If B fails to get any STUN response from A, all hope is not lost.
664	   Certain NAT topologies require multiple tries from both ends before
665	   successful connectivity is accomplished. The STUN requests may also
666	   result in that more connectivity alternatives are discovered and
667	   conveyed in the STUN responses.

669	   This chapter is not yet a full technical solution. It is mostly a
670	   feasibility study on how ICE could be applied to RTSP and what
671	   properties it would have. One nice thing about ICE for RTSP is that
672	   it does make it possible to deploy RTSP server behind NAT/FIRWALL, a
673	   desirable option to some RTSP applications.

675	6.2.2. Using ICE in RTSP

677	   The usage of ICE for RTSP requires that both client and server be
678	   updated to include the ICE functionality. If both parties implement
679	   the necessary functionality the following step-by-step algorithm
680	   could be used to accomplish connectivity for the UDP traffic.

682	   This assumes that it is possible to establish a TCP connection for
683	   the RTSP messages between the client and the server. This is not
684	   trivial in scenarios where the server is located behind a NAT, and
685	   may require some TCP ports been opened, or the deployment of
686	   proxies, etc.

688	   The negotiation of ICE in RTSP of necessity will work different than
689	   in SIP with SDP offer/answer. The protocol interactions are
690	   different and thus the possibilities for transfer of states are also
691	   somewhat different. The goal is also to avoid introducing extra
692	   delay in the setup process at least for when the server is using a
693	   public address and the client is either having a public address or
694	   is behind NAT(s). This process is only intended to support PLAY
695	   mode, i.e. media traffic flows from server to client.

697	   Step 1: The ICE usage begins in the SDP. The SDP for the service
698	   indicates that ICE is supported at the server. No candidates can be
699	   given here as that would not work with the on demand, DNS load
700	   balancing, etc., that make a SDP indicate a resource on a server
701	   park rather than a specific machine.

703	   Step 2: The client gathers addresses and puts together its candidate
704	   for each media stream indicated in the session description.

706	   Step 3: In each SETUP request the client includes its candidates,
707	   promoting one for primary usage. This indicates for the server the
708	   ICE support by the client. One candidate is the primary candidate
709	   and here the prioritization for this address should be somewhat
710	   different compared to SIP. High performance rather than always
711	   successful is to recommended as it is most likely to be a server in
712	   the public.

714	   Step 4: The server responds (200 OK) for each media stream with its
715	   candidates. A server with a public address usually only provides a
716	   single ICE candidate. Also here one candidate is the server primary
717	   address.

719	   Step 5: The connectivity checks are performed. For the server the
720	   connectivity checks from the server to the clients have an
721	   additional usage. They verify that there is someone willingly to
722	   receive the media, thus protecting itself from performing
723	   unknowingly an DoS attack.

725	   Step 6a: Connectivity checks from the client's primary to the
726	   server's primary was successful. Thus no further SETUP requests are
727	   necessary. Go to 7.

729	   Step 6b: Connectivity checks for primary fails. If further
730	   candidates have been derived then those can be promoted in new
731	   candidate lines in SETUP request updating the list (Goto 5). If
732	   another address than the primary has been verified by the client to
733	   work, that address may then be promoted for usage in a SETUP request
734	   (Goto 7).

736	   Step 7: Client issues PLAY request. If the server also has completed
737	   its connectivity checks for this primary addresses (based on
738	   username as it may be derived addresses if the client was behind
739	   NAT) then it can directly answer 200 ok (Goto 8). If the
740	   connectivity check has not yet completed it responds with a 1xx code
741	   to indicate that it is verifying the connectivity. If that fails
742	   within the set timeout an error is reported back. Client needs to go
743	   to 6b.

745	   Step 8: Process completed media can be delivered. ICE testing ports
746	   may be released.

748	   To keep media paths alive client must likely periodically send data
749	   to the server. This could be realized with either STUN or RTP No-op
750	   [23] packets. RTCP sent by client should be able to keep RTCP open.

752	6.2.3. Implementation burden of ICE

754	   The usage of ICE will require that a number of new protocols and new
755	   RTSP/SDP features be implemented. This makes ICE the solution that
756	   has the largest impact on client and server implementations amongst
757	   all the NAT/FW traversal methods in this document.

759	   Some RTSP server implementation requirements are:
760	    - STUN server features
761	    - limited STUN client features
762	    - SDP generation with more parameters.
763	    - RTSP error code for ICE extension

765	   Some client implantation requirements are:
766	    - Limited STUN server features
767	    - Limited STUN client features
768	    - RTSP error code and ICE extension

770	6.2.4. Deployment Considerations

772	   Advantages:
773	   - Solves NAT connectivity discovery for basically all cases as long
774	     as a TCP connection between them can be established. This includes
775	     servers behind NATs. (Note that a proxy between address domains
776	     may be required to get TCP through).
777	   - Improves defenses against DDOS attacks, as media receiving client
778	     requires authentications, via STUN on its media reception ports.

780	   Disadvantages:
781	   - Increases the setup delay with at least the amount of time it
782	     takes for the server to perform its STUN requests.
783	   - Assumes that it is possible to de-multiplex between media packets
784	     and STUN packets.

786	   - Has fairly high implementation burden put on both RTSP server and
787	     client. The precise implantation complexity needs to be assessed
788	     once ICE is fully defined as a standard. Currently ICE is still a
789	     protocol under development.

791	6.3. Symmetric RTP

793	6.3.1. Introduction

795	   Symmetric RTP is a NAT traversal solution that is based on requiring
796	   RTSP clients to send UDP packets to the server's media output ports.
797	   Conventionally, RTSP servers send RTP packets in one direction: from
798	   server to client. Symmetric RTP is similar to connection-oriented
799	   traffic, where one side (e.g., the RTSP client) first "connects" by
800	   sending a RTP packet to the other side's RTP port, the recipient
801	   then replies to the originating IP and port.

803	   Specifically, when the RTSP server receives the "connect" RTP packet
804	   (a.k.a. FW packet, since it is used to pinch a hole in the FW/NAT
805	   and to aid the server for port binding and address mapping) from its
806	   client, it copies the source IP and Port number and uses them as
807	   delivery address for media packets. By having the server send media
808	   traffic back the same way as the client's packet are sent to the
809	   server, address mappings will be honored. Therefore this technique
810	   works for all types of NATs. However, it does require server
811	   modifications. Unless there is built-in protection mechanism,
812	   symmetric RTP is very vulnerable to DDOS attacks, because attackers
813	   can simply forge the source IP & Port of the binding packet.

815	6.3.2. Necessary RTSP extensions

817	   To support symmetric RTP the RTSP signaling must be extended to
818	   allow the RTSP client to indicate that it will use symmetric RTP.
819	   The client also needs to be able to signal its RTP SSRC to the
820	   server in its SETUP request. The RTP SSRC is used to establish some
821	   basic level of security against hijacking attacks. Care must be
822	   taken in choosing client's RTP SSRC. First, it must be unique within
823	   all the RTP sessions belonging to the same RTSP session. Secondly,
824	   if the RTSP server is sending out media packets to multiple clients
825	   from the same send port, the RTP SSRC needs to be unique amongst
826	   those clients' RTP sessions. Recognizing that there is a potential
827	   that RTP SSRC collision may occur, the RTSP server must be able to
828	   signal to client that a collision has occurred and that it wants the
829	   client to use a different RTP SSRC carried in the SETUP response.

831	   Details of the RTSP extension are beyond the scope of this draft.

833	6.3.3. Deployment Considerations
834	   Advantages:

836	   - Works for all types of NATs, including those using multiple IP
837	     addresses. (Requirement 1 in section 4).
838	   - Have no interaction problems with any RTSP ALG changing the
839	     client's information in the transport header.

841	   Disadvantages:

843	   - Requires modifications to both RTSP server and client.
844	   - The format of the RTP packet for "connection setup" (a.k.a FW
845	     packet) is yet to be defined. One possibility is to use RTP NOOP
846	     packet format in [23].
847	   - Has worse security situation than STUN when using address
848	     restrictions.
849	   - Would still require STUN to discover the timeout of NAT bindings.

851	6.3.4. Security Consideration

853	   Symmetric RTP's major security issue is that RTP streams can be
854	   hijacked and directed towards any target that the attacker desires.

856	   The most serious security problem is the deliberate attack with the
857	   use of a RTSP client and symmetric RTP. The attacker uses RTSP to
858	   setup a media session. Then it uses symmetric RTP with a spoofed
859	   source address of the intended target of the attack. There is no
860	   defense against this attack other than restricting the possible bind
861	   address to be the same as the RTSP connection arrived on. This
862	   prevents symmetric RTP to be used with multi-address NATs.

864	   A hijack attack can also be performed in various ways. The basic
865	   attack is based on the ability to read the RTSP signaling packets in
866	   order to learn the address and port the server will send from and
867	   also the SSRC the client will use. Having this information the
868	   attacker can send its own NAT-traversal RTP packets containing the
869	   correct RTP SSRC to the correct address and port on the server. The
870	   destination of the packets is set as the source IP and port in these
871	   RTP packets.

873	   Another variation of this attack is to modify the RTP binding packet
874	   being sent to the server by simply changing the source IP to the
875	   target one desires to attack.

877	   One can fend off the first attack by applying encryption to the RTSP
878	   signaling transport. However, the second variation is impossible to
879	   defend against. As a NAT re-writes the source IP and port this
880	   cannot be authenticated, but authentication is required in order to
881	   protect against this type of DOS attack.

883	   The random SSRC tag in the binding packet determines how well
884	   symmetric RTP can fend off stream-hijacking performed by parties
885	   that are not "man-in-the-middle".
886	   This proposal uses the 32-bit RTP SSRC field to this effect.
887	   Therefore it is important that this field is derived with a non-
888	   predictable randomizer. It should not be possible by knowing the
889	   algorithm used and a couple of basic facts, to derive what random
890	   number a certain client will use.

892	   An attacker not knowing the SSRC but aware of which port numbers
893	   that a server sends from can deploy a brute force attack on the
894	   server by testing a lot of different SSRCs until it finds a matching
895	   one. Therefore a server SHOULD implement functionality that blocks
896	   ports that receive multiple FW packets (i.e. the packet that is sent
897	   to the server for FW traversal) with different invalid SSRCs,
898	   especially when they are coming from the same IP/Port.

900	   To improve the security against attackers the random tag's length
901	   could be increased. To achieve a longer random tag while still using
902	   RTP and RTCP, it will be necessary to develop RTP and RTCP payload
903	   formats for carrying the random tag.

905	6.3.5. A Variation to Symmetric RTP

907	   Symmetric RTP requires a valid RTP format in the FW packet, which is
908	   the first packet that the client sends to the server to set up
909	   virtual RTP connection. There is currently no appropriate RTP packet
910	   format for this purpose, although the NOOP format is a proposal to
911	   fix the problem [23].

913	   Meanwhile, there has been FW traversal techniques deployed in the
914	   wireless streaming market place that use non-RTP messages as FW
915	   packets. This section attempts to summarize a subset of those
916	   solutions that happens to use a variation to the standard symmetric
917	   RTP solution.

919	   In this variation of symmetric RTP, the FW packet is a small UDP
920	   packet that does not contain RTP header. Hence the solution can no
921	   longer be called symmetric RTP, yet it employs the same technique
922	   for FW traversal. In response to client's FW packet, RTSP server
923	   sends back a similar FW packet as a confirmation so that the client
924	   can stop the so called "connection phase" of this NAT traversal
925	   technique. Afterwards, the client only has to periodically send FW
926	   packets as keep-alive messages for the NAT mappings.

928	   The server listens on its RTP-media output port, and tries to decode
929	   any received UDP packet as FW packet. This is valid since an RTSP
930	   server is not expecting RTP traffic from the RTSP client. Then, it
931	   can correlate the FW packet with the RTSP client's session ID or the
932	   server's SSRC, and record the NAT bindings accordingly. The server
933	   then sends a FW packet as the response to the client.

935	   The FW packet normally contains the SSRC used to identify the RTP
936	   stream, and can be made no bigger than 12 bytes, making it
937	   distinctively different from RTP packets, whose header size is 12
938	   bytes.

940	   RTSP signaling can be added to do the following:
941	      1. Enables or disables such FW message exchanges. When the FW/NAT
942	        has an RTSP-aware ALG, it is better to disable FW message
943	        exchange and let ALG works out the address and port mappings.
944	      2. Configures the number of re-tries and the re-try interval of
945	        the FW message exchanges.

947	   Such FW packets may also contain digital signatures to support
948	   three-way handshake based receiver authentications, so as to prevent
949	   DDoS attacks described before.

951	   This approach has the following advantages when compared with the
952	   symmetric RTP approach:
953	      1. There is no need to define RTP payload format for FW traversal,
954	        therefore it is simple to use, implement and administer
955	        (Requirement 4 in section 4), although a binding protocol must
956	        be defined (which is out side of the scope of this memo).
957	      2. When properly defined, this kind of FW message exchange can
958	        also authenticate RTP receivers, so as to prevent DDoS attacks
959	        for dual-hosted RTSP client. By dual-hosted RTSP client we mean
960	        the kind that uses one "perceived" IP address for RTSP message
961	        exchange, and a different "perceived" IP address for RTP
962	        reception. (Requirement 5 in section 4).

964	   This approach has the following disadvantages when compared with the
965	   symmetric RTP approach:
966	      1. RTP traffic is normally accompanied by RTCP traffic. This
967	        approach still needs to rely on RTCP RRs and SRs to enable NAT
968	        traversal for RTCP endpoints, or use the same type of FW
969	        messages for RTCP endpoints.
970	      2. The server's sender SSRC for the RTP stream must be signaled in
971	        RTSP's SETUP response, in the Transport header of the RTSP
972	        SETUP response.

974	6.4. Application Level Gateways

976	6.4.1. Introduction

978	   An Application Level Gateway (ALG) reads the application level
979	   messages and performs necessary changes to allow the protocol to
980	   work through the middle box. However this behavior has some problems
981	   in regards to RTSP:

983	   1. It does not work when the RTSP protocol is used with end-to-end
984	   security. As the ALG can't inspect and change the application level
985	   messages the protocol will fail due to the middle box.

987	   2. ALGs need to be updated if extensions to the protocol are added.
988	   Due to deployment issues with changing ALGs this may also break the
989	   end-to-end functionality of RTSP.

991	   Due to the above reasons it is NOT RECOMMENDED to use an RTSP ALG in
992	   NATs. This is especially important for NATs targeted to home users
993	   and small office environments, since it is very hard to upgrade NATs
994	   deployed in home or SOHO (small office/home office) environment.

996	6.4.2. Guidelines On Writing ALGs for RTSP

998	   In this section, we provide a step-by-step guideline on how one
999	   should go about writing an ALG to enable RTSP to traverse a NAT.

1001	   1. Detect any SETUP request.

1003	   2. Try to detect the usage of any of the NAT traversal methods that
1004	      replace the address and port of the Transport header parameters
1005	      "destination" or "dest_addr". If any of these methods are used,
1006	      the ALG SHOULD NOT change the address. Ways to detect that these
1007	      methods are used are:
1008	      - For embedded STUN, it would be watch for a feature tag, like
1009	      "nat.stun". If any of those exists in the "supported", "proxy-
1010	      require", or "require" headers of the RTSP exchange.
1011	      - For non-embedded STUN and TURN based solutions: This can in
1012	      some case be detected by inspecting the "destination" or
1013	      "dest_addr" parameter. If it contains either one of the NAT's
1014	      external IP addresses or a public IP address. However if multiple
1015	      NATs are used this detection may fail. Remapping should only be
1016	      done for addresses belonging to the NATs own private address
1017	      space.

1019	      Otherwise continue to the next step.

1021	   3. Create UDP mappings (client given IP/port <-> external IP/port)
1022	      where needed for all possible transport specification in the
1023	      transport header of the request found in (1). Enter the public
1024	      address and port(s) of these mappings in transport header.
1025	      Mappings SHALL be created with consecutive public port number
1026	      starting on an even number for RTP for each media stream.
1027	      Mappings SHOULD also be given a long timeout period, at least 5
1028	      minutes.

1030	   4. When the SETUP response is received from the server the ALG MAY
1031	      remove the unused UDP mappings, i.e. the ones not present in the
1032	      transport header. The session ID SHOULD also be bound to the UDP
1033	      mappings part of that session.

1035	   5. If SETUP response settles on RTP over TCP or RTP over RTSP as
1036	      lower transport, do nothing: let TCP tunneling to take care of
1037	      NAT traversal. Otherwise go to next step.

1039	   6. The ALG SHOULD keep alive the UDP mappings belonging to the an
1040	      RTSP session as long as: RTSP messages with the session's ID has
1041	      been sent in the last timeout interval, or UDP messages are sent
1042	      on any of the UDP mappings during the last timeout interval.

1044	   7. The ALG MAY remove a mapping as soon a TEARDOWN response has been
1045	      received for that media stream.

1047	6.4.3. Deployment Considerations

1049	   Advantage:

1051	   - No impact on either client or server
1052	   - Can work for any type of NATs

1054	   Disadvantage:

1056	   - When deployed they are hard to update to reflect protocol
1057	     modifications and extensions. If not updated they will break the
1058	     functionality.
1059	   - When end-to-end security is used the ALG functionality will fail.
1060	   - Can interfere with other type of traversal mechanisms, such as
1061	     STUN.

1063	   Transition:

1065	   An RTSP ALG will not be phased out in any automatically way. It must
1066	   be removed, probably through the removal of the NAT it is associated
1067	   with.

1069	6.4.4. Security Considerations

1071	   An ALG will not work when deployment of end-to-end RTSP signaling
1072	   security. Therefore deployment of ALG will result in that clients
1073	   located behind NATs will not use end-to-end security.

1075	6.5. TCP Tunneling

1077	6.5.1. Introduction
1078	   Using a TCP connection that is established from the client to the
1079	   server ensures that the server can send data to the client. The
1080	   connection opened from the private domain ensures that the server
1081	   can send data back to the client. To send data originally intended
1082	   to be transported over UDP requires the TCP connection to support
1083	   some type of framing of the RTP packets.

1085	   Using TCP also results in that the client has to accept that real-
1086	   time performance may no longer be possible. TCP's problem of
1087	   ensuring timely deliver was the reasons why RTP was developed.
1088	   Problems that arise with TCP are: head-of-line blocking, delay
1089	   introduced by retransmissions, highly varying congestion control.

1091	6.5.2. Usage of TCP tunneling in RTSP

1093	   The RTSP core specification [7] supports interleaving of media data
1094	   on the TCP connection that carries RTSP signaling. See section 10.13
1095	   in [7] for how to perform this type of TCP tunneling.

1097	   There is currently new finished work on one more way of transporting
1098	   RTP over TCP in AVT and MMUSIC. For signaling and rules on how to
1099	   establish the TCP connection in lieu of UDP, see [16]. Another draft
1100	   describes how to frame RTP over the TCP connection is described in
1101	   [17].

1103	6.5.3. Deployment Considerations

1105	   Advantage:

1107	   - Works through all types of NATs where server is in the open.

1109	   Disadvantage:

1111	   - Functionality needs to be implemented on both server and client.
1112	   - Will not always meet multimedia stream's real-time requirements.

1114	   Transition:

1116	   The tunneling over RTSP's TCP connection is not planned to be phased
1117	   -out. It is intended to be a fallback mechanism and for usage when
1118	   total media reliability is desired, even at the price of loss of
1119	   real-time properties.

1121	6.5.4. Security Considerations

1123	   The TCP tunneling of RTP has no known security problem besides those
1124	   already present in RTSP. It is not possible to get any amplification
1125	   effect that is desired for denial of service attacks due to TCP's
1126	   flow control.

1128	   A possible security consideration, when session media data is
1129	   interleaved with RTSP, would be the performance bottleneck when RTSP
1130	   encryption is applied, since all session media data also needs to be
1131	   encrypted.

1133	6.6. TURN (Traversal Using Relay NAT)

1135	6.6.1. Introduction

1137	   Traversal Using Relay NAT (TURN) [8] is a protocol for setting up
1138	   traffic relays that allows clients behind NATs and firewalls to
1139	   receive incoming traffic for both UDP and TCP.  These relays are
1140	   controlled and have limited resources. They need to be allocated
1141	   before usage.

1143	   TURN allows a client to temporarily bind an address/port pair on the
1144	   relay (TURN server) to its local source address/port pair, which is
1145	   used to contact the TURN server. The TURN server will then forward
1146	   packets between the two sides of the relay. To prevent DOS attacks
1147	   on either recipient, the packets forwarded are restricted to the
1148	   specific source address. On the client side it is restricted to the
1149	   source setting up the mapping. On the external side this is limited
1150	   to the source address/port pair of the first packet arriving on the
1151	   binding. After the first packet has arrived the mapping is "locked
1152	   down" to that address. Packets from any other source on this address
1153	   will be discarded.

1155	   Using a TURN server makes it possible for a RTSP client to receive
1156	   media streams from even an unmodified RTSP server. However the
1157	   problem is those RTSP servers most likely restrict media
1158	   destinations to no other IP address than the one RTSP message
1159	   arrives. This means that TURN could only be used if the server knows
1160	   and accepts that the IP belongs to a TURN server and the TURN server
1161	   can't be targeted at an unknown address. Unfortunately TURN servers
1162	   can be targeted at any host that has a public IP address by spoofing
1163	   the source IP of TURN Allocation requests.

1165	6.6.2. Usage of TURN with RTSP

1167	   To use a TURN server for NAT traversal, the following steps should
1168	   be performed.

1170	   1. The RTSP client connects with RTSP server. The client retrieves
1171	      the session description to determine the number of media streams.
1172	      To avoid the issue with having RTSP connection and media traffic
1173	      from different addresses also the TCP connection must be done
1174	      thru the same TURN server as the one in the next step.

1176	   2. The client establishes the necessary bindings on the TURN server.
1177	      It must choose the local RTP and RTCP ports that it desires to
1178	      receive media packets. TURN supports requesting bindings of even
1179	      port numbers and continuous ranges.

1181	   3. The RTSP client uses the acquired address and port mappings in
1182	      the RTSP SETUP request using the destination header. Note that
1183	      the server is required to have a mechanism to verify that it is
1184	      allowed to send media traffic to the given address. The server
1185	      SHOULD include its RTP SSRC in the SETUP response.

1187	   4. Client requests that the Server starts playing. The server starts
1188	      sending media packet to the given destination address and ports.

1190	   5. The first media packet to arrive at the TURN server on the
1191	      external port causes "lock down"; then TURN server forwards the
1192	      media packets to the RTSP client.

1194	   6. When media arrives at the client, the client should try to verify
1195	      that the media packets are from the correct RTSP server, by
1196	      matching the RTP SSRC of the packet. Source IP address of this
1197	      packet will be that of the TURN server and can therefore not be
1198	      used to verify that the correct source has caused lock down.

1200	   7. If the client notices that some other source has caused lock down
1201	      on the TURN server, the client should create new bindings and
1202	      change the session transport parameters to reflect the new
1203	      bindings.

1205	   8. If the client pauses and media are not sent for about 75% of the
1206	      mapping timeout the client should use TURN to refresh the
1207	      bindings.

1209	6.6.3. Deployment Considerations

1211	   Advantages:

1213	   - Does not require any server modifications.
1214	   - Works for any types of NAT as long as the server has public
1215	     reachable IP address.

1217	   Disadvantage

1219	   - TURN is not yet a standard.
1220	   - Requires another network element, namely the TURN server.

1222	   - Such a TURN server for RTSP is not scalable since the number of
1223	     sessions it must forward is proportional to the number of client
1224	     media sessions.
1225	   - TURN server becomes a single point of failure.
1226	   - Since TURN forwards media packets, it necessarily introduces
1227	     delay.
1228	   - Requires that the server can verify that the given destination
1229	     address is valid to be used by the client.
1230	   - An RTSP ALG MAY change the necessary destinations parameter. This
1231	     will cause the media traffic to be sent to the wrong address.

1233	   Transition:

1235	   TURN is not intended to be phase-out completely, see chapter 11.2 of
1236	   [8]. However the usage of TURN could be reduced when the demand for
1237	   having NAT traversal is reduced.

1239	6.6.4. Security Considerations

1241	   An eavesdropper of RTSP messages between the RTSP client and RTSP
1242	   server will be able to do a simple denial of service attack on the
1243	   media streams by sending messages to the destination address and
1244	   port present in the RTSP SETUP messages. If the attacker's message
1245	   can reach the TURN server before the RTSP server's message, the lock
1246	   down can be accomplished towards some other address. This will
1247	   result in that the TURN server will drop all the media server's
1248	   packets when they arrive. This can be accomplished with little risk
1249	   for the attacker of being caught, as it can be performed with a
1250	   spoofed source IP. The client may detect this attack when it
1251	   receives the lock down packet sent by the attacker as being mal-
1252	   formatted and not corresponding to the expected context. It will
1253	   also notice the lack of incoming packets. See bullet 7 in section
1254	   6.6.2.

1256	   The TURN server can also become part of a denial of service attack
1257	   towards any victim. To perform this attack the attacker must be able
1258	   to eavesdrop on the packets from the TURN server towards a target
1259	   for the DOS attack. The attacker uses the TURN server to setup a
1260	   RTSP session with media flows going through the TURN server. The
1261	   attacker is in fact creating TURN mappings towards a target by
1262	   spoofing the source address of TURN requests. As the attacker will
1263	   need the address of these mappings he must be able to eavesdrop or
1264	   intercept the TURN responses going from the TURN server to the
1265	   target. Having these addresses, he can set up a RTSP session and
1266	   starts delivery of the media. The attacker must be able to create
1267	   these mappings.  The attacker in this case may be traced by the TURN
1268	   username in the mapping requests.

1270	   The first attack can be made very hard by applying transport
1271	   security for the RTSP messages, which will hide the TURN servers
1272	   address and port numbers from any eavesdropper.

1274	   The second attack requires that the attacker have access to a user
1275	   account on the TURN server to be able set up the TURN mappings. To
1276	   prevent this attack the server shall verify that the target
1277	   destination accept this media stream.

1279	7. Firewalls

1281	   Firewalls exist for the purpose of protecting a network from traffic
1282	   not desired by the firewall owner. Therefore it is a policy decision
1283	   if a firewall will let RTSP and its media streams through or not.
1284	   RTSP is designed to be firewall friendly in that it should be easy
1285	   to design firewall policies to permit passage of RTSP traffic and
1286	   its media streams.

1288	   The firewall will need to allow the media streams associated with a
1289	   RTSP session pass through it. Therefore the firewall will need an
1290	   ALG that reads RTSP SETUP and TEARDOWN messages. By reading the
1291	   SETUP message the firewall can determine what type of transport and
1292	   from where the media streams will use. Commonly there will be the
1293	   need to open UDP ports for RTP/RTCP. By looking at the source and
1294	   destination addresses and ports the opening in the firewall can be
1295	   minimized to the least necessary. The opening in the firewall can be
1296	   closed after a teardown message for that session or the session
1297	   itself times out.

1299	   Simpler firewalls do allow a client to receive media as long as it
1300	   has sent packets to the target. Depending on the security level this
1301	   can have the same behavior as a NAT. The only difference is that no
1302	   address translation is done. To be able to use such a firewall a
1303	   client would need to implement one of the above described NAT
1304	   traversal methods that include sending packets to the server to open
1305	   up the mappings.

1307	8. Comparison of Different NAT Traversal Techniques

1309	   This section evaluates the techniques described above against the
1310	   requirements listed in section 4.

1312	   In the following table, the columns correspond to the numbered
1313	   requirements. For instance, the column under R1 corresponds to the
1314	   first requirement in section 4: MUST work for all flavors of NATs.

1316	   The rows represent the different FW traversal techniques. SymRTP is
1317	   short for symmetric RTP, "V.SymRTP" is short for "variation of
1318	   symmetric RTP" as described in section 6.3.5.

1320	   -----------------------------------------------+
1321	               |  R1  |  R2  |  R3  |  R4  |  R5  |
1322	   ------------+------+------+------+------+------+
1323	     STUN      | Yes  | Yes  |  No  | Maybe|  No  |
1324	   ------------+------+------+------+------+------+
1325	     ICE       | Yes  | Yes  |  No  |  No  | Yes  |
1326	   ------------+------+------+------+------+------+
1327	     SymRTP    | Yes  | Yes  | Yes  |Maybe |  No  |
1328	   ------------+------+------+------+------+------+
1329	   V. SymRTP   | Yes  | Yes  | Yes  | Yes  |future|
1330	   ------------+------+------+------+------+------+
1331	     TURN      | Yes  | Yes  | No   | No   | Yes  |
1332	   -----------------------------------------------+

1334	9. Open Issues

1336	   Some open issues with this draft:

1338	   - At some point we need to recommend one RTSP NAT solution so as to
1339	     ensure implementations can inter-operate. This decision will
1340	     require that requirements, security and desired goals be evaluated
1341	     against implementation cost and the probability to get the final
1342	     solution deployed.
1343	   - The ALG recommendations need to be improved and clarified.
1344	   - The firewall RTSP ALG recommendations need to be written as they
1345	     are different from the NAT ALG in some perspectives.
1346	   - The ICE solution needs to be hammered out into all the details.

1348	10. Security Consideration

1350	   In preceding sessions we have discussed security merits of each and
1351	   every NAT/FW traversal methods for RTSP. In summary, the presence of
1352	   NAT(s) is a security risk, as a client cannot perform source
1353	   authentication of its IP address. This prevents the deployment of
1354	   any future RTSP extensions providing security against hijacking of
1355	   sessions by a man-in-the-middle.

1357	   Each of the proposed solutions has security implications.

1359	   Using STUN will provide the same level of security as RTSP with out
1360	   transport level security and source authentications; as long as the
1361	   server does not grant a client request to send media to different IP
1362	   addresses.

1364	   Using symmetric RTP will have a higher risk of session hijacking
1365	   than normal RTSP. The reason is that there exists a probability that
1366	   an attacker is able to guess the random tag that the client uses to
1367	   prove its identity when creating the address bindings. This can be
1368	   solved in the variation of symmetric RTP (section 6.3.5) with
1369	   authentication features.

1371	   The usage of an RTSP ALG does not increase in itself the risk for
1372	   session hijacking. However the deployment of ALGs as sole mechanism
1373	   for RTSP NAT traversal will prevent deployment of encrypted end-to-
1374	   end RTSP signaling.

1376	   The usage of TCP tunneling has no known security problems. However
1377	   it might provide a bottleneck when it comes to end-to-end RTSP
1378	   signaling security if TCP tunneling is used on an interleaved RTSP
1379	   signaling connection.

1381	   The usage of TURN has severe risk of denial of service attacks
1382	   against a client. The TURN server can also be used as a redirect
1383	   point in a DDOS attack unless the server has strict enough rules for
1384	   who may create bindings.

1386	11. IANA Consideration

1388	   This specification does not define any protocol extensions hence no
1389	   IANA action is requested.

1391	12. Acknowledgments

1393	   The author would also like to thank all persons on the MMUSIC
1394	   working group's mailing list that has commented on this
1395	   specification. Persons having contributed in such way in no special
1396	   order to this protocol are: Jonathan Rosenberg, Philippe Gentric,
1397	   Tom Marshall, David Yon, Amir Wolf, Anders Klemets, and Colin
1398	   Perkins. Thomas Zeng would also like to give special thanks to Greg
1399	   Sherwood of PacketVideo for his input into this memo.

1401	13. Author's Addresses

1403	   Magnus Westerlund        Tel: +46 8 4048287
1404	   Ericsson Research        Email: Magnus.Westerlund@ericsson.com
1405	   Ericsson AB
1406	   Torshamnsgatan 23
1407	   SE-164 80 Stockholm, SWEDEN

1409	   Thomas Zeng                     Tel: 1-858-320-3125
1410	   PacketVideo Network Solutions   Email: zeng@pvnetsolutions.com
1411	   9605 Scranton Rd., Suite 400
1412	   San Diego, CA92121

1414	14. References

1416	14.1. Normative references

1418	   [1]  H. Schulzrinne, et. al., "Real Time Streaming Protocol (RTSP)",
1419	        IETF RFC 2326, April 1998.
1420	   [2]  M. Handley, V. Jacobson, "Session Description Protocol (SDP)",
1421	        IETF RFC 2327, April 1998.
1422	   [3]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
1423	        Specifications: ABNF", RFC 4234, October 2005.
1424	   [4]  S. Bradner, "Key words for use in RFCs to Indicate Requirement
1425	        Levels", RFC 2119, March 1997.
1426	   [5]  H. Schulzrinne, et. al., "RTP: A Transport Protocol for Real-
1427	        Time Applications", STD 64, RFC 3550, IETF, July 2003.
1428	   [6]  J. Rosenberg, et. Al., " STUN - Simple Traversal of UDP Through
1429	        Network Address Translators", IETF RFC 3489, March 2003
1430	   [7]  H. Schulzrinne, et. al., "Real Time Streaming Protocol (RTSP)",
1431	        draft-ietf-mmusic-rfc2326bis-11.txt, IETF draft, October 2005,
1432	        work in progress.
1433	   [8]  J. Rosenberg, et. Al., "Traversal Using Relay NAT (TURN)",
1434	        draft-rosenberg-midcom-turn-08.txt, IETF draft, Sep 2005, work
1435	        in progress.
1436	   [9]  J. Rosenberg, "Interactive Connectivity Establishment (ICE): A
1437	        Methodology for Network Address Translator (NAT) Traversal for
1438	        the Session Initiation Protocol (SIP)," draft-ietf-mmusic-ice-
1439	        06, IETF draft, October 2005, work in progress.
1440	   [10] G. Camarillo, et. al., "Grouping of Media Lines in the Session
1441	        Description Protocol (SDP)," IETF RFC 3388, December 2002.
1442	   [11] Camarillo, G. and J. Rosenberg, "The Alternative Network
1443	        Address Types (ANAT) Semantics for the Session Description
1444	        Protocol (SDP) Grouping Framework", RFC 4091, June 2005.

1446	14.2. Informative References

1448	   [12] P. Srisuresh, K. Egevang, "Traditional IP Network Address
1449	        Translator (Traditional NAT)," RFC 3022, Internet Engineering
1450	        Task Force, January 2001.
1451	   [13] Tsirtsis, G. and Srisuresh, P., "Network Address Translation -
1452	        Protocol Translation (NAT-PT)", RFC 2766, Internet Engineering
1453	        Task Force, February 2000.
1454	   [14] S. Deering and R. Hinden, "Internet Protocol, Version 6 (IPv6)
1455	        Specification", RFC 2460, Internet Engineering Task Force,
1456	        December 1998.
1457	   [15] J. Postel, "internet protocol", RFC 791, Internet Engineering
1458	        Task Force, September 1981.

1460	   [16] Camarillo, G. and J. Rosenberg, "The Alternative Network
1461	        Address Types (ANAT) Semantics for the Session Description
1462	        Protocol (SDP) Grouping Framework", RFC 4091, June 2005.
1463	   [17] John Lazzaro, "Framing RTP and RTCP Packets over Connection-
1464	        Oriented Transport", IETF Draft, draft-ietf-avt-rtp-framing-
1465	        contrans-06.txt, September 2005.
1466	   [18] D. Daigle, "IAB Considerations for UNilateral Self-Address
1467	        Fixing (UNSAF) Across Network Address Translation", RFC 3424,
1468	        Internet Engineering Task Force, Nov. 2002
1469	   [19] R. Finlayason, "IP Multicast and Firewalls", RFC 2588, Internet
1470	        Engineering Task Force, May 1999
1471	   [20] Krawczyk, H., Bellare, M., and Canetti, R.: "HMAC: Keyed-
1472	        hashing for message authentication". IETF RFC 2104, February
1473	        1997
1474	   [21] Open Source STUN Server and Client,
1475	        http://www.vovida.org/applications/downloads/stun/index.html
1476	   [22]
1477	   [23] Dan Wing, et.al. "RTP No-Op Payload Format", draft-wing-avt-
1478	        rtp-noop-00.txt, March 2004
1479	   [24] P. Srisuresh and M.Holdrege, "IP Network Address Translator
1480	        (NAT) Terminology and Considerations", RFC2663, Internet
1481	        Engineering Task Force, Aug. 1999
1482	   [25] J. Rosenberg, C. Huitema and R. Mahy, "STUN - Simple Traversal
1483	        of UDP Through Network Address Translators", draft-ietf-behave-
1484	        rfc3489bis-02.txt, July 2005
1485	   [26] F. Audet, "NAT Behavioral Requirements for Unicast UDP," draft-
1486	        ietf-behave-nat-udp-04, September 6, 2005.

1488	15. IPR Notice

1490	   The IETF takes no position regarding the validity or scope of any
1491	   Intellectual Property Rights or other rights that might be claimed
1492	   to pertain to the implementation or use of the technology described
1493	   in this document or the extent to which any license under such
1494	   rights might or might not be available; nor does it represent that
1495	   it has made any independent effort to identify any such rights.
1496	   Information on the procedures with respect to rights in RFC
1497	   documents can be found in BCP 78 and BCP 79.

1499	   Copies of IPR disclosures made to the IETF Secretariat and any
1500	   assurances of licenses to be made available, or the result of an
1501	   attempt made to obtain a general license or permission for the use
1502	   of such proprietary rights by implementers or users of this
1503	   specification can be obtained from the IETF on-line IPR repository
1504	   at http://www.ietf.org/ipr.

1506	   The IETF invites any interested party to bring to its attention any
1507	   copyrights, patents or patent applications, or other proprietary
1508	   rights that may cover technology that may be required to implement
1509	   this standard.  Please address the information to the IETF at
1510	   ietf-ipr@ietf.org.

1512	16. Copyright Notice

1514	   Copyright (C) The Internet Society (2005).

1516	   This document is subject to the rights, licenses and restrictions
1517	   contained in BCP 78, and except as set forth therein, the authors
1518	   retain all their rights.

1520	   This document and the information contained herein are provided on
1521	   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
1522	   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
1523	   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
1524	   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1525	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1526	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1528	   This Internet-Draft expires in April 2006.