Real-Time Streaming Protocol, NetShow, and VDO Live

In this section, we examine streaming applications and the problems they pose to firewalls. Streaming is a form of communication in which the client requests that the server send data at a certain speed. In some implementations, the client needs to acknowledge each portion of data received. In others, the server just sends data until the client tells it to stop. Major protocols widely used in this area are Real-Time Streaming Protocol, or RTSP (used by RealPlayer, Cisco IP/TV, and Apple QuickTime 4), NetShow (used by Microsoft Media Player), and VDO Live.

www.syngress.com

Figure 4.8 RPC Connection Flow (only the diagram's labels survive): the client, from client port 1050, asks the portmapper on server port 111 "Tell me the port to connect to NFS daemon"; the portmapper answers "NFS runs on port 34564"; the client, from client port 1052, then establishes a connection to port 34564 on the server.

154 Chapter 4 • Advanced PIX Configurations

RTSP, defined in RFC 2326, is used for session setup and teardown as well as for controlling data flow (stop, play, pause). The RFC allows RTSP to run over both TCP and UDP, but all commercial implementations use only TCP, so Cisco supports application inspection for TCP-based RTSP sessions only. RTSP is a text-based, HTTP-like protocol by which the client sends requests and obtains replies from the server. Requests may be used to negotiate the transport that will be used for streaming data transmission, the options that are supported, asking the server to start or stop streaming, and the like. Embedded in RTSP is Session Description Protocol (SDP, described in RFC 2327), which is used to provide the client with some additional information about the source of a datastream, including its physical location (in terms of IP addresses). The following is an example of an RTSP/SDP session (with nonrelevant parts skipped):

C> OPTIONS rtsp://www.play.com:554 RTSP/1.0
C> CSeq: 1
S> RTSP/1.0 200 OK
S> CSeq: 1
S> Server: RealMedia Server Version 6.0.3.354 (win32
S> Public: OPTIONS, DESCRIBE, ANNOUNCE, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN
S> RealChallenge1: 15d67d72b49fd4895774cfbb585af460
C> SETUP rtsp://www.play.com:554/g2audio.rm/streamid=0 RTSP/1.0
C> CSeq: 3
C> RealChallenge2: 319cd1020892093a7b7290ef22b6f41101d0a8e3, sd=3d00792f
C> Transport: x-real-rdt/mcast;client_port=6970;mode=play,x-realdt/udp;client_port=6970;mode=play,x-pn-tng/udp;client_port=6970;mode=play,rtp/avp;unicast;client_port=6970-6971;mode=play
S> RTSP/1.0 200 OK
S> CSeq: 3
S> Session: 22660-2
S> RealChallenge3: 9521b5d0fcff7ab0ea7f407f89c5f3584f213d09,sdr=9bf7e48f
S> Transport: x-real-rdt/udp;client_port=6970;server_port=28344
C> PLAY rtsp://www.play.com:554/g2audio.rm RTSP/1.0
C> CSeq: 5
C> Session: 22660-2
S> RTSP/1.0 200 OK
S> CSeq: 5
S> Session: 22660-2
C> TEARDOWN rtsp://www.play.com:554/g2audio.rm RTSP/1.0
C> CSeq: 6
C> Session: 22660-2
S> RTSP/1.0 200 OK
S> CSeq: 6
S> Session: 22660-2

The session starts by negotiating client and server capabilities. Then comes the SETUP command, in which the transport mode (RDT or RTP) and port are negotiated (the Transport lines in the preceding exchange). The client then commands the server to start transmission, and it finally tears the connection down after all data has been received.

Real Data Transport (RDT) is a RealNetworks proprietary protocol for data delivery. It uses two one-way UDP connections: one from the server to the client for data delivery and another from the client to the server for requests to retransmit lost packets. This is the default mode for the RealNetworks G2 server. In the exchange that appears in the preceding code, the client has chosen to receive data on port 6970 and the server has chosen to receive requests on port 28334.

Real-Time Transport Protocol (RTP), described in RFC 1889, uses a one-way UDP connection for sending data from the server to the client and another two-way UDP connection for transmission control with RTP Control Protocol (RTCP). RTP/RTCP connections operate on two consecutive ports: the RTP channel is an even-numbered port and RTCP is the next consecutive port. This is the default mode for Apple QuickTime and Cisco IP/TV.

To further complicate matters, there is one more mode of operation, interleaved mode, in which all RDT and RTP communications are embedded into the initial RTSP connection. This is the simplest mode from the firewall's point of view because it requires no additional processing.

RTSP connections operate on the default port of 554. Cisco IP/TV additionally uses port 8554, which is not enabled by default on the PIX. The command for enabling and disabling RTSP inspection is:

[no] fixup protocol rtsp [port]

For example, in order to enable correct processing of Cisco IP/TV streams, you need to add the following command to the default configuration:

PIX1(config)# fixup protocol rtsp 8554

When performing application inspection for the RTSP protocol, the PIX monitors all SETUP replies with a code of "200". If the message is inbound and the server is on a less secure interface, the firewall needs to open a temporary conduit for the incoming connection from the server to the client on a port described in the reply. If the message is outbound, no additional actions are needed. The inspection process has the following restrictions:

■ The PIX monitors only TCP-based RTSP exchange. RTSP over UDP is not inspected.

■ RealNetworks RDT multicast mode is not supported (x-real-rdt/mcast content type).

■ Proprietary RealNetworks PNA mode is not supported.

■ The PIX is unable to recognize RTSP embedded in HTTP.

■ RealPlayer needs to be set up to use only TCP to connect to the server (that is, to use RTSP over TCP only). This is done via Options | Preferences | Transport | RTSP Settings. The relevant setting here is Use TCP to Connect to Server. You can further configure it to work in interleaved mode (which needs no application inspection) by selecting Attempt to use TCP for all content. You can also configure it to use RDP by selecting Attempt to use UDP for all content.

■ Supported RDP transports are rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.
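As an added illustration of the inspection rule just described (this is example code written for this section, not code from the book, from Cisco, or from the PIX), the following Python script replays the chapter's RTSP exchange the way a stateful firewall would: it pairs each server reply with the client request carrying the same CSeq, acts only on 200 OK replies to SETUP, reads the server-chosen Transport line to work out which UDP conduit (server port to client port) would have to be opened, adds the RTCP port next to the RTP port for rtp/avp transports, refuses the unsupported multicast transport and the interleaved case (which needs no conduit), and closes a session's conduits on TEARDOWN. The Pinhole class, the function names, and the condensed transcript are constructed for this example; the port numbers in the transcript come from the chapter's session.

```python
import re
from dataclasses import dataclass, field

# Transports the chapter lists as supported by PIX RTSP inspection.
SUPPORTED_TRANSPORTS = {"rtp/avp", "rtp/avp/udp", "x-real-rdt",
                        "x-real-rdt/udp", "x-pn-tng/udp"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<url>\S+) RTSP/1\.0$")
STATUS_LINE = re.compile(r"^RTSP/1\.0 (?P<code>\d{3}) (?P<reason>.*)$")

# Constructed sample transcript, condensed from the chapter's RTSP session:
# "C>" lines are sent by the client, "S>" lines by the server.
SAMPLE_SESSION = """\
C> OPTIONS rtsp://www.play.com:554 RTSP/1.0
C> CSeq: 1
S> RTSP/1.0 200 OK
S> CSeq: 1
S> Public: OPTIONS, DESCRIBE, ANNOUNCE, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN
C> SETUP rtsp://www.play.com:554/g2audio.rm/streamid=0 RTSP/1.0
C> CSeq: 3
C> Transport: x-real-rdt/mcast;client_port=6970;mode=play,x-real-rdt/udp;client_port=6970;mode=play,rtp/avp;unicast;client_port=6970-6971;mode=play
S> RTSP/1.0 200 OK
S> CSeq: 3
S> Session: 22660-2
S> Transport: x-real-rdt/udp;client_port=6970;server_port=28344
C> PLAY rtsp://www.play.com:554/g2audio.rm RTSP/1.0
C> CSeq: 5
C> Session: 22660-2
S> RTSP/1.0 200 OK
S> CSeq: 5
S> Session: 22660-2
C> TEARDOWN rtsp://www.play.com:554/g2audio.rm RTSP/1.0
C> CSeq: 6
C> Session: 22660-2
S> RTSP/1.0 200 OK
S> CSeq: 6
S> Session: 22660-2
"""


@dataclass
class Message:
    side: str                   # "C" = client, "S" = server
    start: str                  # request line or status line
    headers: dict = field(default_factory=dict)   # lower-cased header names

    def header(self, name, default=None):
        return self.headers.get(name.lower(), default)


@dataclass(frozen=True)
class Pinhole:
    """A temporary conduit the firewall would open (hypothetical type)."""
    proto: str
    server_port: int
    client_port: int


def parse_session(text):
    """Split a 'C> / S>' annotated transcript into Message objects."""
    messages = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        side, _, line = raw.partition("> ")
        if REQUEST_LINE.match(line) or STATUS_LINE.match(line):
            messages.append(Message(side=side, start=line))
        elif messages:                       # header line of the current message
            name, _, value = line.partition(":")
            messages[-1].headers[name.strip().lower()] = value.strip()
    return messages


def parse_transport(spec):
    """'x-real-rdt/udp;client_port=6970;server_port=28344' -> (name, params)."""
    parts = spec.split(";")
    params = {}
    for param in parts[1:]:
        key, _, value = param.partition("=")
        params[key.strip()] = value.strip()
    return parts[0].strip(), params


def port_range(value):
    """'6970-6971' -> [6970, 6971]; '6970' -> [6970]."""
    lo, _, hi = value.partition("-")
    return list(range(int(lo), (int(hi) if hi else int(lo)) + 1))


def pinholes_for_setup_reply(transport_header):
    """UDP conduits needed for one 200 OK reply to SETUP, server -> client."""
    name, params = parse_transport(transport_header)
    if name not in SUPPORTED_TRANSPORTS:     # e.g. x-real-rdt/mcast: not inspected
        return []
    if "interleaved" in params:              # data rides the RTSP TCP connection
        return []
    if "client_port" not in params or "server_port" not in params:
        return []
    client_ports = port_range(params["client_port"])
    server_ports = port_range(params["server_port"])
    if len(server_ports) == 1 and len(client_ports) > 1:
        # Only the RTP port was named; RTCP follows on the next consecutive port.
        server_ports = [server_ports[0], server_ports[0] + 1]
    return [Pinhole("udp", s, c) for s, c in zip(server_ports, client_ports)]


def inspect_session(text):
    """Replay a transcript; return (all conduits opened, conduits still open)."""
    pending = {}      # CSeq -> method of the client request awaiting its reply
    sessions = {}     # Session id -> conduits opened for that session
    opened = []
    for msg in parse_session(text):
        cseq = msg.header("cseq")
        if msg.side == "C":
            pending[cseq] = REQUEST_LINE.match(msg.start).group("method")
            continue
        method = pending.pop(cseq, None)
        if STATUS_LINE.match(msg.start).group("code") != "200":
            continue                          # only "200" replies are acted on
        session = (msg.header("session") or "").split(";")[0]
        if method == "SETUP" and msg.header("transport"):
            holes = pinholes_for_setup_reply(msg.header("transport"))
            sessions.setdefault(session, []).extend(holes)
            opened.extend(holes)
        elif method == "TEARDOWN":
            sessions.pop(session, None)       # session gone: close its conduits
    still_open = [h for holes in sessions.values() for h in holes]
    return opened, still_open


if __name__ == "__main__":
    print(inspect_session(SAMPLE_SESSION))
```

Running the script on the constructed transcript yields a single conduit, UDP from server port 28344 to client port 6970, opened by the SETUP reply and released again by the TEARDOWN; the client's multicast offer is ignored because the firewall only trusts the transport the server actually picked. A real inspection engine also has to reassemble RTSP across TCP segments and apply NAT to the embedded addresses, which this example deliberately leaves out.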

Even if the PIX tries its best to fix addresses inside RTSP/SDP packets, many NAT/PAT restrictions apply:

■ PAT is not supported.

■ NAT of SDP messages inside RTSP is not supported because these long messages could be split into several packets and the firewall has no means of reconstructing the original message. On the other hand, NAT usually works with Cisco IP/TV RTSP messages.

■ NAT of datastream-related connections can be performed for RealNetworks server and Apple QuickTime. For Cisco IP/TV it can only be done when the viewer and the content manager are on the outside interface and the server is on the inside.

Microsoft's NetShow, used by Media Player, is a less complex streaming protocol. Like the other streaming protocols, it has a control channel, which is used to negotiate setup and teardown of a data delivery channel. The data channel can be either TCP- or UDP-based. When UDP streams are used, the following process occurs:

1. The client connects to the server on TCP port 1755.

2. After a connection is established, the client sends a message to the server, proposing a UDP port on which it is going to receive a datastream.

3. After the negotiation is complete, the server starts sending data to the client.

4. The session ends by tearing down the control connection.

As shown here, the firewall needs to open a temporary conduit only when the client is on a less secure interface than the server. The port and IP addresses are extracted from the negotiation process. When TCP datastreams are used, after the initial connection to port 1755 is established, the client simply informs the server that it wants to use the same TCP connection for streaming, and the server starts sending data over the already established connection. There is no need for any additional processing by the firewall in this case (provided that access lists are set up correctly). NetShow application inspection is not configurable.

The VDO Live streaming protocol always uses two connections. The first is a TCP control connection established from the client to port 7000 on the server. The second is a UDP datastream from the server to the client. It always has a source port of 7001, and the destination port (the client-side port) is negotiated over the control connection during initial setup. The PIX monitors the VDO Live control connection and opens a temporary conduit for incoming traffic from port 7001 on the server to the negotiated port on the client. When the control connection is closed, the PIX closes the data connection as well. (There is no separate teardown message in this protocol, so this is the only way for the firewall to notice that communication has finished.) When NAT is involved, the PIX modifies the IP address and port number in the course of the negotiation correspondingly. Application inspection for VDO Live is not configurable and cannot be disabled.