Configure Advanced Protocol Inspection
Real-Time Streaming Protocol (RTSP)

Real-Time Streaming Protocol (RTSP) is a real-time audio and video delivery protocol used by many popular multimedia applications. When establishing a control channel, RTSP uses one TCP channel and up to two additional UDP channels. The TCP port used to establish the control channel is the well-known port 554. This TCP control channel is then used to negotiate the other two UDP channels depending on the transport mode that is configured on the client.

While UDP is occasionally used to set up the control channel for RTSP applications, RFC 2326 specifies only TCP. Therefore, the PIX provides support only for TCP. The first UDP channel that is established is the data connection and may use one of the following transport modes:

  • Real-Time Transport Protocol (RTP)
  • Real Data Transport Protocol (RDT), which is not supported by the PIX Security Appliance

The second UDP channel that is established is another control channel. It may use one of the following modes:

  • Real-Time Control Protocol (RTCP)
  • UDP Resend

RTSP also supports a TCP-only mode. This mode contains only one TCP connection, which is used as the control and data channels. Because this mode contains only one constant standard TCP connection, no special handling by the PIX Security Appliance is required.

The PIX Security Appliance supports two types of RTSP:

  • Standard RTP Mode
  • RealNetworks RDT mode

Together these modes are used to support applications such as Cisco IP/TV, Apple QuickTime 4, and the RealNetworks suite of applications. The RealNetworks suite includes RealAudio, RealPlayer, and RealServer. Both standard RTP mode and RealNetworks RDT mode will now be examined.

Standard RTP Mode
In standard RTP mode, the following three channels are used by RTSP:

  • The TCP control channel is the standard TCP connection initiated from the client to the server.
  • The RTP data channel is the simplex (unidirectional) UDP session used for media delivery, using the RTP packet format, from the server to the client. The client's port is always an even-numbered port.
  • The RTCP report channel is the duplex (bidirectional) UDP session used to provide synchronization information to the client and packet loss information to the server. The RTCP port is always the next consecutive port after the RTP data port.

For standard RTP mode RTSP traffic, the PIX Security Appliance behaves in the following manner:

  • Outbound connections:
    • After the client and the server negotiate the transport mode and the ports to use for the sessions, the security appliance opens temporary inbound dynamic openings for the RTP data channel and RTCP report channel from the server.
  • Inbound connections:
    • If an ACL exists allowing inbound connections to an RTSP server, and if all outbound UDP traffic is implicitly allowed, no special handling is required since the server initiates the data and report channel from the inside.
    • If an ACL exists allowing inbound connections to an RTSP server, and if all outbound TCP traffic is not implicitly allowed, the security appliance opens temporary dynamic openings for the data and report channels from the server.

The figure illustrates how a client and server using an RTSP application communicate in standard RTP mode. Note that the second UDP channel is set up by the server and is bidirectional, so that it can provide synchronization information to the client and packet loss information to the server.

RealNetworks RDT Mode
In RealNetworks RDT mode, the following three channels are used by RTSP:

  • The TCP control channel is the standard TCP connection initiated from the client to the server.
  • The UDP data channel is the simplex (unidirectional) UDP session used for media delivery, using the standard UDP packet format, from the server to the client.
  • The UDP resend channel is the simplex (unidirectional) UDP session used by the client to request that the server resend lost data packets.

For RealNetworks RDT mode RTSP traffic, the PIX Security Appliance behaves in the following manner:

  • Outbound connections:
    • If outbound UDP traffic is implicitly allowed, and after the client and the server negotiate the transport mode and the ports to use for the session, the security appliance opens temporary inbound openings for the UDP data channel from the server.
    • If outbound UDP traffic is not implicitly allowed, and after the client and the server negotiate the transport mode and the ports to use for the session, the security appliance opens a temporary inbound opening for the UDP data channel from the server and a temporary outbound opening for the UDP resend channel from the client.
  • Inbound connections:
    • If an ACL exists allowing inbound connections to an RTSP server, and if all outbound UDP traffic is implicitly allowed, the security appliance opens a temporary inbound opening for the UDP resend from the client.
    • If an ACL exists allowing inbound connections to an RTSP server, and if all outbound TCP traffic is not implicitly allowed, the security appliance opens temporary openings for the UDP data and UDP resend channels from the server and client, respectively.

The figure illustrates how a client and server using an RTSP application communicate in RealNetworks RDT mode. Notice that, unlike standard RTP mode, the second RDT channel is not bidirectional. Instead, it is unidirectional and simply allows the client to request that the server resend lost packets.
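The following is an added example, not code from the original page and not Cisco's inspection engine. It models what an RTSP inspection engine has to track for both modes described above: it parses the Transport header of an RTSP SETUP request and its reply, identifies the negotiated transport mode, checks the port rules stated for standard RTP mode (client RTP port even, RTCP on the next port), and derives the temporary UDP openings the appliance would need for the session. The RTSP messages are constructed sample input; the "x-real-rdt/udp" transport token and the single-port layout used for the RDT exchange are assumptions for illustration, since the page does not define the RealNetworks header syntax.

```python
"""
Added example: derive the UDP pinholes an RTSP inspection engine would open
from a SETUP request/response pair. Not the PIX implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample exchange in the style of an RFC 2326 SETUP (ports are
# illustrative). In an RTP/AVP port range the first port carries data (RTP)
# and the second carries reports (RTCP).
SETUP_RTP_REQUEST = (
    "SETUP rtsp://media.example.test/stream/track1 RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n"
)
SETUP_RTP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n\r\n"
)

# Constructed RDT-mode exchange. The "x-real-rdt/udp" token and single
# client/server data ports are ASSUMED for this example.
SETUP_RDT_REQUEST = (
    "SETUP rtsp://media.example.test/stream/track1 RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    "Transport: x-real-rdt/udp;client_port=6970\r\n\r\n"
)
SETUP_RDT_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Session: 87654321\r\n"
    "Transport: x-real-rdt/udp;client_port=6970;server_port=7070\r\n\r\n"
)


@dataclass(frozen=True)
class Pinhole:
    """One temporary UDP opening the inspection engine would create."""
    initiator: str        # side that sends first: "server" or "client"
    client_port: int      # client-side UDP port of the opening
    server_port: int      # server-side UDP port of the opening
    bidirectional: bool   # True for duplex sessions such as RTCP
    purpose: str


def parse_transport(message: str) -> Dict[str, object]:
    """Split the Transport header into its profile and ';'-separated parameters."""
    m = re.search(r"^Transport:\s*(.+?)\r?$", message, re.IGNORECASE | re.MULTILINE)
    if m is None:
        raise ValueError("no Transport header in message")
    parts = [p.strip() for p in m.group(1).split(";")]
    spec: Dict[str, object] = {"profile": parts[0]}
    for p in parts[1:]:
        if "=" in p:
            key, val = p.split("=", 1)
            # Port parameters are a single port or a "low-high" range.
            spec[key] = tuple(int(x) for x in val.split("-"))
        else:
            spec[p] = True
    return spec


def _rtp_mode(client: Tuple[int, ...], server: Tuple[int, ...]) -> List[Pinhole]:
    if len(client) != 2 or len(server) != 2:
        raise ValueError("RTP mode requires a data-report port pair on both sides")
    c_rtp, c_rtcp = client
    s_rtp, s_rtcp = server
    # Rules from the text: client RTP port is even, RTCP is the next port.
    if c_rtp % 2 != 0 or c_rtcp != c_rtp + 1:
        raise ValueError("invalid client RTP/RTCP port pair %r" % (client,))
    if s_rtcp != s_rtp + 1:
        raise ValueError("invalid server RTP/RTCP port pair %r" % (server,))
    return [
        Pinhole("server", c_rtp, s_rtp, False, "RTP data, server -> client"),
        Pinhole("server", c_rtcp, s_rtcp, True, "RTCP reports, duplex"),
    ]


def _rdt_mode(client: Tuple[int, ...], server: Tuple[int, ...]) -> List[Pinhole]:
    # ASSUMPTION for this example: the resend channel runs from the client's
    # data port to the server's data port. Real RDT port layout may differ.
    c_data, s_data = client[0], server[0]
    return [
        Pinhole("server", c_data, s_data, False, "RDT data, server -> client"),
        Pinhole("client", c_data, s_data, False, "UDP resend, client -> server"),
    ]


def derive_pinholes(request: str, response: str) -> List[Pinhole]:
    """Return the UDP openings needed once SETUP has negotiated the ports."""
    req = parse_transport(request)
    resp = parse_transport(response)
    client = resp.get("client_port") or req.get("client_port")
    server = resp.get("server_port")
    if client is None or server is None:
        raise ValueError("negotiation incomplete: client_port and server_port required")
    profile = str(resp["profile"]).upper()
    if profile.startswith("RTP/AVP"):
        return _rtp_mode(client, server)  # type: ignore[arg-type]
    if profile.startswith("X-REAL-RDT"):
        return _rdt_mode(client, server)  # type: ignore[arg-type]
    raise ValueError("unsupported transport %r" % resp["profile"])


if __name__ == "__main__":
    for name, req, resp in (("RTP", SETUP_RTP_REQUEST, SETUP_RTP_RESPONSE),
                            ("RDT", SETUP_RDT_REQUEST, SETUP_RDT_RESPONSE)):
        print(name, "mode:")
        for hole in derive_pinholes(req, resp):
            print("  ", hole)
```

A malformed negotiation (an odd client RTP port, or an RTCP port that is not RTP+1) is rejected with ValueError rather than turned into an opening, which is the behaviour a defender wants from an inspection engine: it should open only the pinholes that a well-formed negotiation justifies.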
