RTSP ALG

The Real-Time Streaming Protocol (RTSP) controls the delivery of data with real-time properties such as audio and video. Media can also be carried interleaved on the RTSP control connection itself. RTSP is an HTTP-like, text-based protocol, but unlike HTTP the client and server maintain session state. A session is established with the SETUP message and terminated with the TEARDOWN message. The transport (the media protocol, address, and port numbers) is negotiated in SETUP and its response.

Stateful firewall and NAT support for RTSP requires that you configure the RTSP ALG for TCP port 554. The ALG monitors the control connection, dynamically opens flows (pinholes) for the negotiated media (RTP/RTCP) streams, and rewrites the addresses and ports carried in the RTSP payload when NAT applies.

Understanding the RTSP ALG

Overview

RTSP (Real-Time Streaming Protocol) is an Application Layer protocol for controlling the delivery of data with real-time properties. It is similar in syntax and operation to HTTP/1.1. Unlike SIP and H.323, the purpose of RTSP is to access existing media files over the network and to control the replay of the media. The typical communication is between a client (running RealPlayer for example) and a streaming media server. Commands include the ability to pause and play media files from the remote server.

RTSP is the control channel protocol between the media client and media server. The media travels on separate data channels, usually the Real-Time Transport Protocol (RTP) for the media itself and the RTP Control Protocol (RTCP) for its feedback and synchronization information.

In RTSP standard mode, the client sets up three network channels with the RTSP server when media data is delivered using RTP over UDP.

RTSP runs over TCP. RTP and RTCP run over UDP. The ports for RTP and RTCP packets are dynamically negotiated by the client and server using RTSP. Because RTP and RTCP ports are dynamic, these ports cannot be allowed by a static policy. The main purpose of introducing an RTSP ALG to a firewall is to create dynamic policy (pinhole) according to the result of client/server negotiation so that RTP and RTCP traffic can pass through.

When the client and server reside in different address realms, a peer might not be able to route to the RTP or RTCP address offered by the other side. In that case the ALG must translate the offered RTP or RTCP address and port and rewrite them in the RTSP payload.

After the connection is established, the RTSP ALG monitors the messages exchanged between the client and server, tracks the status change of the dialog, and returns all the resources it acquired to support an RTSP dialog back to the system after the dialog has completed or failed.

RTSP Modes

Standard Mode

In RTSP standard mode, where media is delivered using RTP over UDP, the client sets up three network channels with the RTSP server:

  • A full-duplex TCP connection used for control and negotiation.

  • A full-duplex UDP channel used for media data delivery in the RTP packet format. In most cases, the RTP stream is initiated by the server.

  • A full-duplex UDP channel, RTCP, used to provide synchronization information to the client and packet loss information to the server.

Figure 1 shows the RTSP ALG standard mode.

Figure 1: RTSP ALG Standard Mode

Interleave Mode

In RTSP interleave mode, media data is packetized using RTP or RDT (RealNetworks Data Transport) and carried over TCP. In this scenario, a single full-duplex TCP connection is used both for control and for media data delivery from the RTSP server to the client: the data stream is interleaved with the RTSP control stream, so the media rides inside the already permitted control session.

Figure 2 shows the RTSP ALG interleave mode.

Figure 2: RTSP ALG Interleave Mode

Understanding RTSP ALG Messages

RTSP Message Format

RTSP is text based and uses the ISO 10646 character set in UTF-8 encoding. Lines are terminated by CRLF, and an empty line is the separator of the message and body.

The first line is called the start-line. In a request from client to server, the start-line carries the RTSP method and the Request-URI. In a response from server to client, the start-line carries the RTSP status code that answers the request. The status code element is a 3-digit integer result code.

RTSP Methods

The methods used within a transaction are:

  • OPTIONS—Requests information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

  • DESCRIBE—Retrieves the description of a presentation or media object identified by the Request-URI from a server. This method may use the Accept header to specify the description formats that the client understands.

  • ANNOUNCE—When sent from client to server, posts the description of a presentation or media object identified by the Request-URI to the server. When sent from server to client, updates the session description in real time.

  • SETUP—Requests a URI and specifies the transport mechanism to be used for the streamed media.

  • PLAY—Informs the server to start sending data using the mechanism specified in SETUP.

  • PAUSE—Requests the stream delivery to be interrupted temporarily.

  • TEARDOWN—Stops the stream delivery for the given URI, freeing the resource associated with it.

  • GET_PARAMETER—Retrieves the value of a parameter of a presentation or stream specified in the URI.

  • SET_PARAMETER—Sets the value of a parameter for a presentation or stream specified by the URI.

RTSP Status Code

The first digit of the status code defines the class of response.

  • 1**: Informational—Request received, continuing process.

  • 2**: Success

  • 3**: Redirection—Further action must be taken in order to complete the request.

  • 4**: Client Error—The request contains bad syntax or cannot be fulfilled.

  • 5**: Server Error—The server failed to fulfill an apparently valid request.

RTSP Header

The RTSP header fields most relevant to the ALG are:

  • CSeq—Specifies the sequence number for an RTSP request-response pair. Every RTSP request carries a sequence number, and the corresponding response carries the same number.

  • Content-Length—Gives the length in bytes of the message body, that is, of everything after the double CRLF that follows the last header. A receiver relies on it to find where the next message on the same connection begins.

  • Transport—Indicates which transport protocol is to be used for the media and configures its parameters (for example, unicast or multicast and the client and server RTP/RTCP ports).

  • Session—Identifies an RTSP session. The media server assigns the identifier in a SETUP response, and the session is concluded by TEARDOWN on the presentation URL.
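As an added example (not Juniper's code), the following Python framer shows what an ALG monitoring the control connection has to do with the message format described here and with interleave mode above: it splits a TCP byte stream into text messages, using the empty line and Content-Length to find each message boundary and the first digit of the 3-digit status code to classify responses, and into the binary interleaved frames that RFC 2326 (section 10.12) prefixes with a '$' byte, a channel identifier and a two-byte length. The sample SETUP, DESCRIBE response and RTP frame are constructed for illustration; the addresses and ports in them are assumptions.

```python
"""RTSP control-stream framing (added example, not Juniper code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

RTSP_METHODS = {"OPTIONS", "DESCRIBE", "ANNOUNCE", "SETUP", "PLAY", "PAUSE",
                "TEARDOWN", "GET_PARAMETER", "SET_PARAMETER", "REDIRECT", "RECORD"}
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


@dataclass
class RtspMessage:
    method: Optional[str] = None        # set for requests
    uri: Optional[str] = None
    status: Optional[int] = None        # set for responses
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: bytes = b""

    @property
    def cseq(self) -> int:
        return int(self.headers["cseq"])

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES[self.status // 100]


@dataclass
class InterleavedFrame:
    channel: int        # channel id from the Transport header's interleaved= parameter
    payload: bytes


def next_unit(stream: bytes):
    """Take the next message or interleaved frame off the front of stream.

    Returns (unit, remainder); unit is None when more bytes are needed."""
    if not stream:
        return None, stream
    if stream[0:1] == b"$":
        # RFC 2326 10.12 frame: '$' channel(1) length(2, big-endian) payload
        if len(stream) < 4:
            return None, stream
        length = int.from_bytes(stream[2:4], "big")
        if len(stream) < 4 + length:
            return None, stream
        return InterleavedFrame(stream[1], stream[4:4 + length]), stream[4 + length:]

    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None, stream                         # headers not yet complete
    lines = head.decode("utf-8").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if length < 0:
        raise ValueError("negative Content-Length")
    if len(rest) < length:
        return None, stream                         # body not yet complete
    msg = RtspMessage(headers=headers, body=rest[:length])
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed start-line: {lines[0]!r}")
    if parts[0].startswith("RTSP/"):                # response: RTSP/1.0 200 OK
        msg.status = int(parts[1])
        if not 100 <= msg.status <= 599:
            raise ValueError(f"bad status code {msg.status}")
    else:                                           # request: METHOD URI RTSP/1.0
        method, uri, version = parts
        if method not in RTSP_METHODS or not version.startswith("RTSP/"):
            raise ValueError(f"bad request line: {lines[0]!r}")
        msg.method, msg.uri = method, uri
    return msg, rest[length:]


def walk(stream: bytes) -> list:
    """Consume a buffer into units, stopping when the tail is incomplete."""
    units = []
    while stream:
        unit, stream = next_unit(stream)
        if unit is None:
            break
        units.append(unit)
    return units


# Constructed sample traffic: a DESCRIBE reply with SDP, then an interleaved
# RTP frame on channel 0, then a SETUP request, all on one TCP connection.
SDP = b"v=0\r\no=- 1 1 IN IP4 203.0.113.5\r\ns=movie\r\nm=video 0 RTP/AVP 96\r\n"
DESCRIBE_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
                     b"Content-Length: %d\r\n\r\n" % len(SDP) + SDP)
RTP_FRAME = b"$" + bytes([0]) + (12).to_bytes(2, "big") + bytes(12)
SETUP_REQUEST = (b"SETUP rtsp://203.0.113.5:554/movie/video RTSP/1.0\r\nCSeq: 3\r\n"
                 b"Transport: RTP/AVP;unicast;client_port=5678-5679\r\n\r\n")

if __name__ == "__main__":
    for unit in walk(DESCRIBE_RESPONSE + RTP_FRAME + SETUP_REQUEST):
        print(unit)
```

Returning None for an incomplete buffer, rather than guessing, is what keeps a monitor in step with the stream: a framer that mis-measures one Content-Length or one '$' frame misparses every later message on the connection and can miss the SETUP it needs to open pinholes for.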

Understanding RTSP ALG Conversation and NAT

This topic provides details on typical RTSP ALG conversation.

In general, RTP and RTCP packets are bidirectional, which means that either the client or server could initiate an RTP or an RTCP session.

Figure 3 describes an example of a sample packet capture in a standard RTSP conversation.

Figure 3: RTSP ALG Conversation

The RTSP ALG performs the following actions for the sample packet capture in a standard RTSP conversation:

  1. Monitors the SETUP and 200 OK messages.
  2. Reads the negotiated ports (6543 and 8765 in this example).
  3. Opens a pinhole for UDP media data from server to client.
  4. Reads the IP address carried in the payload and translates it if NAT is required.

    Table 1 describes the RTSP payload IP NAT.

    Table 1: RTSP Payload IP NAT

    NAT mode                | Forward (C->S)    | Reverse (S->C)   | Pinhole (S->C)    | Pinhole (C->S)    | Payload IP translate | Payload port translate
    ------------------------|-------------------|------------------|-------------------|-------------------|----------------------|-----------------------
    No NAT                  | A/4321->B/554     | A/4321<-B/554    | B/9876->A/5678    | A/5678->B/9876    | N/A                  | N/A
    Source NAT (IPvx)       | A/4321->B/554     | A’/P’<-B/554     | B/9876->A’/P’’    | A/5678->B/9876    | N/A (*)              | 5678<->P’’
    Destination NAT (IPvx)  | A/4321->B’/554    | A/4321<-B/554    | B/9876->A/5678    | A/5678->B’/9876   | B’->B (**)           | N/A
    NAT64                   | A/4321->B’’/554   | A’’/Q’<-B/554    | B/9876->A’’/Q’’   | A/5678->B’’/9876  | B’’(IPv6)->B(IPv4)   | 5678<->Q’’
    NAT46                   | A/4321->B’’’/554  | A’’’/R’<-B/554   | B/9876->A’’’/R’’  | A/5678->B’’’/9876 | B’’’(IPv4)->B(IPv6)  | 5678<->R’’

    In Table 1, the following letters and symbols are used:

    • A—RTSP client IP address

    • A’—Translated IPv4 or IPv6 address of the RTSP client

    • A’’—Translated IPv4 address of the RTSP client (NAT64)

    • A’’’—Translated IPv6 address of the RTSP client (NAT46)

    • B—RTSP server IP address

    • B’—RTSP server IP address as seen by the client before destination NAT

    • B’’—RTSP server IP address in the IPv6 realm

    • B’’’—RTSP server IP address in the IPv4 realm

    • P’—Translated port (from 4321) of the RTSP client

    • P’’—Translated port (from 5678 in the message payload) of the RTSP client

    • Q’—Translated (IPv6 to IPv4) port (from 4321) of the RTSP client

    • Q’’—Translated (IPv6 to IPv4) port (from 5678 in the message payload) of the RTSP client

    • R’—Translated (IPv4 to IPv6) port (from 4321) of the RTSP client

    • R’’—Translated (IPv4 to IPv6) port (from 5678 in the message payload) of the RTSP client

    • (*)—The RTSP server IP address B appears in the payload; it does not need translation

    • (**)—IP address B’ appears in the payload sent from client to server; it must be translated to B
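The following Python function, added here as an example and not taken from Juniper's implementation, works through the No NAT, Source NAT and Destination NAT rows of Table 1 for one SETUP / 200 OK exchange: it reads client_port and server_port from the Transport headers, derives RTP and RTCP pinholes in both directions, and rewrites the payload (client_port for source NAT, the B’ host in the request URI for destination NAT). The addresses 192.168.1.10 (A), 203.0.113.5 (B), 198.51.100.7 (A’) and 198.51.100.20 (B’) and the translated port 30000 (P’’) are constructed values.

```python
"""Pinhole and payload-NAT derivation for one RTSP SETUP exchange.

Added example (not Juniper code) implementing the No NAT, Source NAT and
Destination NAT rows of Table 1. All addresses and ports are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, UDP port)


@dataclass
class Pinhole:
    """Dynamically permitted UDP flow src -> dst; when NAT applies, the
    device rewrites dst to translated_dst before forwarding."""
    src: Endpoint
    dst: Endpoint
    translated_dst: Optional[Endpoint] = None


PORT_RE = re.compile(r"(client_port|server_port)=(\d+)(?:-(\d+))?")
TRANSPORT_RE = re.compile(r"^Transport:\s*(.+?)\r?$", re.MULTILINE)


def transport_ports(transport: str) -> dict:
    """Map 'client_port'/'server_port' to (rtp, rtcp) from a Transport value."""
    ports = {}
    for name, lo, hi in PORT_RE.findall(transport):
        rtp, rtcp = int(lo), (int(hi) if hi else int(lo) + 1)  # RTCP defaults to RTP+1
        for p in (rtp, rtcp):
            if not 1 <= p <= 65535:     # never open a pinhole on a bogus peer-supplied port
                raise ValueError(f"{name} out of range: {p}")
        ports[name] = (rtp, rtcp)
    return ports


def alg_setup(client_ip: str, server_ip: str, setup_request: str,
              setup_response: str, nat: Optional[tuple] = None) -> Tuple[List[Pinhole], str]:
    """Handle one SETUP / 200 OK pair the way the ALG does.

    nat is None (No NAT row), ("source", A_prime, P_dprime) or
    ("destination", B_prime). Returns the pinholes to open and the SETUP
    request as it should be forwarded to the server (payload rewritten)."""
    req_t = TRANSPORT_RE.search(setup_request)
    rsp_t = TRANSPORT_RE.search(setup_response)
    if not req_t or not rsp_t:
        raise ValueError("SETUP or 200 OK lacks a Transport header")
    c_rtp, c_rtcp = transport_ports(req_t.group(1))["client_port"]
    s_rtp, s_rtcp = transport_ports(rsp_t.group(1))["server_port"]
    pairs = ((c_rtp, s_rtp), (c_rtcp, s_rtcp))      # (client port, server port) for RTP, RTCP
    pinholes: List[Pinhole] = []
    forwarded = setup_request

    if nat is None:
        for cp, sp in pairs:
            pinholes.append(Pinhole((server_ip, sp), (client_ip, cp)))
            pinholes.append(Pinhole((client_ip, cp), (server_ip, sp)))
    elif nat[0] == "source":
        _, a_prime, p_dprime = nat
        # Payload port translate: the server must send to A'/P'', so the
        # client_port the server sees is rewritten; server address B is untouched (*).
        forwarded = re.sub(r"client_port=\d+(?:-\d+)?",
                           f"client_port={p_dprime}-{p_dprime + 1}", forwarded)
        for i, (cp, sp) in enumerate(pairs):
            pinholes.append(Pinhole((server_ip, sp), (a_prime, p_dprime + i),
                                    translated_dst=(client_ip, cp)))
            pinholes.append(Pinhole((client_ip, cp), (server_ip, sp)))
    elif nat[0] == "destination":
        _, b_prime = nat
        # Payload IP translate: the client addressed B' in its request URI;
        # the server must see its real address B (**).
        forwarded = forwarded.replace(b_prime, server_ip)
        for cp, sp in pairs:
            pinholes.append(Pinhole((server_ip, sp), (client_ip, cp)))
            pinholes.append(Pinhole((client_ip, cp), (b_prime, sp),
                                    translated_dst=(server_ip, sp)))
    else:
        raise ValueError(f"unknown NAT mode {nat[0]!r}")
    return pinholes, forwarded


# Constructed sample exchange (client port 5678/5679, server port 9876/9877 as in Table 1).
def setup_request(server_host: str) -> str:
    return (f"SETUP rtsp://{server_host}:554/movie/video RTSP/1.0\r\n"
            "CSeq: 3\r\n"
            "Transport: RTP/AVP;unicast;client_port=5678-5679\r\n\r\n")


SETUP_RESPONSE = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345678\r\n"
                  "Transport: RTP/AVP;unicast;client_port=5678-5679;"
                  "server_port=9876-9877\r\n\r\n")

if __name__ == "__main__":
    holes, fwd = alg_setup("192.168.1.10", "203.0.113.5", setup_request("203.0.113.5"),
                           SETUP_RESPONSE, nat=("source", "198.51.100.7", 30000))
    print(fwd)
    for hole in holes:
        print(hole)
```

transport_ports rejects ports outside 1-65535, the minimum check an ALG should make before turning a peer-supplied number into a pinhole; a production ALG would also tie each pinhole to the Session identifier and release it on TEARDOWN, as the overview describes.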

Example: Configuring the RTSP ALG

This example shows how to configure the RTSP ALG to pass through RTSP traffic with a source NAT pool on Juniper Networks devices.

Requirements

  • Configure proxy ARP for all IP addresses in the source NAT pool.

  • Enable the RTSP ALG.

  • Understand the basic concepts of the RTSP ALG. See Understanding the RTSP ALG.

Overview

In this example, the RTSP ALG is configured to monitor and allow RTSP traffic transferring media between client and server located on opposite sides of a Juniper Networks device.

Configuration

Enabling RTSP ALG

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

To configure proxy ARP for all IP addresses in the source NAT pool and to enable RTSP ALG:

Enter commit from configuration mode.

Configuring a NAT Source Pool and Rule Set and a Policy

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Enter commit from configuration mode.

Note

If you are not sure of the RTSP client and server IP address, you can replace “da1” and “sa1” with “any”.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a source NAT pool:

  1. Create a NAT source pool.
  2. Configure security zone address book entries.
  3. Create a NAT source rule set.
  4. Configure a policy.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring RTSP ALG trace options

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure RTSP ALG trace options:

  1. Enable RTSP ALG trace options.
  2. Configure a filename to receive output from the tracing operation.
  3. Specify the maximum trace file size.
  4. Specify the level of tracing output.

Results

From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying RTSP ALG

Purpose

Verify that the RTSP ALG is enabled.

Action

From operational mode, enter the show security alg status command.

user@host> show security alg status

Meaning

The output shows the RTSP ALG status as follows:

  • Enabled—Shows the RTSP ALG is enabled.

  • Disabled—Shows the RTSP ALG is disabled.

Verifying the RTSP ALG Control Session

Purpose

Verify that the control session is created and all the RTSP control and data sessions are created.

Action

From operational mode, enter the show security flow session command.

user@host> show security flow session

Meaning

  • Session ID—Number that identifies the session. Use this ID to get more information about the session such as policy name or number of packets in and out.

  • Policy name—Policy name that permitted the traffic.

  • In—Incoming flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and the source interface for this session is ge-0/0/1.0).

  • Out—Reverse flow (source and destination IP addresses with their respective source and destination port numbers, session is TCP, and destination interface for this session is fe-0/0/2.0).

Verifying the RTSP ALG Flow Gate Information

Purpose

Verify that a flow gate is opened for the negotiated RTP/RTCP media channels.

Action

From operational mode, enter the show security flow gate command.

user@host> show security flow gate

Meaning

The sample output shows that a flow gate is opened for the negotiated RTP/RTCP media channels.

Verifying the RTSP Resource Manager Group

Purpose

Verify the total number of resource manager groups and active groups that are used by the RTSP ALG.

Action

From operational mode, enter the show security resource-manager group active command.

user@host> show security resource-manager group active

Meaning

The sample output shows the total number of resource manager groups and active groups that are used by the RTSP ALG.

Verifying the RTSP Resource Information

Purpose

Verify the total number of resources and active resources that are used by the RTSP ALG.

Action

From operational mode, enter the show security resource-manager resource active command.

user@host> show security resource-manager resource active

Meaning

The sample output shows the total number of resources and active resources that are used by the RTSP ALG.

Related Documentation