Real-Time Streaming Protocol (RTSP) is a real-time audio and video delivery
protocol used by many popular multimedia applications. When establishing a
control channel, RTSP uses one TCP channel and up to two additional UDP
channels. The TCP port used to establish the control channel is the well-known
port 554. This TCP control channel is then used to negotiate the other two UDP
channels depending on the transport mode that is configured on the client.
While UDP is occasionally used to set up the control channel for RTSP
applications, RFC 2326 specifies only TCP. Therefore, the PIX provides
support only for TCP. The first UDP channel that is established is the data
support for TCP. The first UDP channel that is established is the data
connection and may use one of the following transport modes:
- Real-Time Transport Protocol (RTP)
- Real Data Transport Protocol (RDT), which is not supported by the PIX
Security Appliance
The second UDP channel that is established is another control channel.
It may use one of the following modes:
- Real-Time Control Protocol (RTCP)
- UDP Resend
RTSP also supports a TCP-only mode. This mode contains only one TCP
connection, which is used as the control and data channels. Because this mode
contains only one constant standard TCP connection, no special handling by the
PIX Security Appliance is required.
The PIX Security Appliance supports
two types of RTSP:
- Standard RTP Mode
- RealNetworks RDT mode
Together these modes are used to support applications such as Cisco
IP/TV, Apple QuickTime 4, and the RealNetworks suite of applications. The
RealNetworks suite includes RealAudio, RealPlayer, and RealServer. Both
standard RTP mode and RealNetworks RDT mode will now be examined.
Standard RTP Mode
In standard RTP mode, the following three
channels are used by RTSP:
- TCP control channel is the standard TCP connection initiated from the
client to the server.
- RTP data channel is the simplex (unidirectional) UDP session used for media
delivery using the RTP packet format from the server to the client. The
client's port is always an even-numbered port.
- RTCP reports is the duplex (bidirectional) UDP session used to provide
synchronization information to the client and packet loss information to the
server. The RTCP port is always the next consecutive port after the RTP data
port.
For standard RTP mode RTSP traffic, the PIX Security Appliance behaves
in the following manner:
- Outbound connections:
  - After the client and the server negotiate the transport mode and the ports
  to use for the sessions, the security appliance opens temporary inbound dynamic
  openings for the RTP data channel and RTCP report channel from the server.
- Inbound connections:
  - If an ACL exists allowing inbound connections to an RTSP server, and if all
  outbound UDP traffic is implicitly allowed, no special handling is required
  since the server initiates the data and report channel from the inside.
  - If an ACL exists allowing inbound connections to an RTSP server, and if all
  outbound TCP traffic is not implicitly allowed, the security appliance opens
  temporary dynamic openings for the data and report channels from the server.
Figure illustrates how a client and server using an RTSP application
communicate in standard RTP mode.
Note that the second UDP channel is set up by the server and is bidirectional,
in order for it to provide synchronization information to the client and packet
loss information to the server.
RealNetworks RDT Mode
In RealNetworks RDT mode, the following three channels are used by RTSP:
- TCP control channel is the standard TCP connection initiated from the
client to the server.
- UDP data channel is the simplex, or unidirectional, UDP session used for
media delivery using the standard UDP packet format from the server to the
client.
- UDP resend is the simplex, or unidirectional, UDP session used by the
client to request that the server resend lost data packets.
For RealNetworks RDT mode RTSP traffic, the PIX Security Appliance
behaves in the following manner:
- Outbound connections:
  - If outbound UDP traffic is implicitly allowed, and after the client and the
  server negotiate the transport mode and the ports to use for the session, the
  security appliance opens temporary inbound openings for the UDP data channel
  from the server.
  - If outbound UDP traffic is not implicitly allowed, and after the client and
  the server negotiate the transport mode and the ports to use for the session,
  the security appliance opens a temporary inbound opening for the UDP data
  channel from the server and a temporary outbound opening for the UDP resend
  channel from the client.
- Inbound connections:
  - If an ACL exists allowing inbound connections to an RTSP server, and if all
  outbound UDP traffic is implicitly allowed, the security appliance opens a
  temporary inbound opening for the UDP resend from the client.
  - If an ACL exists allowing inbound connections to an RTSP server, and if all
  outbound TCP traffic is not implicitly allowed, the security appliance opens
  temporary openings for the UDP data and UDP resend channels from the server and
  client, respectively.
Figure illustrates how a client and server using an RTSP application
communicate in RealNetworks RDT mode. Notice that, unlike standard RTP mode,
the second RDT channel is not bidirectional. Instead, it is unidirectional and
simply allows the client to request that the server resend lost packets.
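The following added example (not PIX code) models the pinhole logic described for both standard RTP mode and RealNetworks RDT mode above: it parses the Transport header of a constructed RTSP SETUP reply and derives the dynamic UDP openings an inspection engine would have to create, including the even-port and RTCP-is-next-port rules. The Transport syntax follows RFC 2326; the RDT transport token `x-real-rdt/udp` and the assumption that the resend channel reuses the data-channel port pair are mine, not the page's.

```python
"""Pinholes an RTSP-inspecting firewall would open after a SETUP exchange
(added example, not PIX code). Transport syntax follows RFC 2326; the RDT
token "x-real-rdt/udp" and the resend-port rule are assumptions."""
import re
from dataclasses import dataclass

# Constructed SETUP replies (not captured traces): standard RTP mode, then RDT.
RTP_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nTransport: RTP/AVP;unicast;"
             "client_port=4588-4589;server_port=6256-6257\r\n\r\n")
RDT_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nTransport: x-real-rdt/udp;"
             "client_port=6970;server_port=7000\r\n\r\n")

@dataclass(frozen=True)
class Pinhole:
    channel: str
    initiator: str        # which side sends the first UDP packet
    bidirectional: bool
    client_port: int
    server_port: int

def parse_transport(reply: str) -> dict:
    # Pull the Transport header out of the reply and split its parameters.
    m = re.search(r"^Transport:\s*(.+?)\r?$", reply, re.M | re.I)
    if not m:
        raise ValueError("no Transport header in SETUP reply")
    parts = [p.strip() for p in m.group(1).split(";")]
    out = {"spec": parts[0].lower()}
    for p in parts[1:]:
        pm = re.fullmatch(r"(client_port|server_port)=(\d+)(?:-\d+)?", p)
        if pm:
            out[pm.group(1)] = int(pm.group(2))   # first port of the pair
    return out

def pinholes_for(reply: str) -> list:
    # Return the dynamic UDP openings the inspection engine must create.
    t = parse_transport(reply)
    spec, cp, sp = t["spec"], t.get("client_port"), t.get("server_port")
    if spec.startswith("rtp/avp") and "/tcp" in spec:
        return []          # TCP-only mode: one connection, nothing to open
    if cp is None or sp is None:
        raise ValueError("SETUP reply must carry client_port and server_port")
    if spec.startswith("rtp/avp"):
        if cp % 2:
            raise ValueError("RTP client port must be even numbered")
        # RTCP is always the next consecutive port after the RTP data port.
        return [Pinhole("RTP data", "server", False, cp, sp),
                Pinhole("RTCP report", "server", True, cp + 1, sp + 1)]
    if spec.startswith("x-real-rdt/udp"):
        return [Pinhole("UDP data", "server", False, cp, sp),
                Pinhole("UDP resend", "client", False, cp, sp)]
    raise ValueError("unsupported transport: " + spec)
```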