Upload
rooney-carey
View
65
Download
4
Tags:
Embed Size (px)
DESCRIPTION
RTP Real-Time Transport Protocol. Patrick Burke Craig Webb. Outline. Introduction RTP Network Stack Design Goals 2 Protocols in 1 RTP Packet Format RTCP Packet Format Vulnerabilities. Intro / What is RTP?. RFC 3550/3551 (obsoletes RFC 1889/1890) End-to-end delivery for real-time data - PowerPoint PPT Presentation
Citation preview
Outline
• Introduction
• RTP Network Stack
• Design Goals
• 2 Protocols in 1
• RTP Packet Format
• RTCP Packet Format
• Vulnerabilities
Intro / What is RTP?
• RFC 3550/3551 (obsoletes RFC 1889/1890)
• End-to-end delivery for real-time data– Video/audio conferencing– Simulations– VOIP
• Provides functions to support loss, out-of-order, jitter, source/payload identification, rate control
Design Goals / What it does...
• Lightweight - specification and implementation
• Flexible - provide mechanism, don’t dictate algorithms
• Protocol-neutral - UDP/IP, ST-II, IPX...
• Scalable - unicast, multicast 2 to O(107)
• Separate data and control - RTP / RTCP
• Separate packets for different media types
• Support for encryption
Design Goals / What it doesn’t do...
• Ensure timely delivery
• Ensure quality-of-service
• Prevent out-of-order delivery
Provides mechanisms for detecting/measuring these but relies on Transport layer and/or Application. Example: Relies on UDP checksum service.
Separate data and control
(Two protocols - consecutive UDP ports)
• RTP – encapsulates data
– adds sequencing, timestamp, source identification
• RTCP (RTP Control Protocol) – provides control information
– QoS feedback
RTP packet header• Version - currently 2
• Padding - used in encryption
• Extension - used in some implementations
• CSRC count - number of contributing source indentifiers (maximum of 15)
• Marker - significant events, defined by implementation (i.e. frame boundaries)
• Payload type - audio/video encoding method
• SSRC - synchronization source, randomly generated at start of session (no 2 SSRC within the same RTP session can have the same identifier)
RTP Packet Header
• Sequence number – Initial value is random,
– Increment by 1 each RTP packet sent
– Loss detection
– Out-of-order detection
• Timestamp – Used for synchronization
– Allows for QoS feedback (jitter calculations)
– Rate adaptation
RTP mixers and translators
• Mixer– several media streams to one new stream
– becomes the new SSRC
• Translator – converts data encoding
RTCP packet types
• SR - sender report, transmission and reception statistics from active members
• RR - receiver report, reception statistics from non-active members
• SDES - source description items, CNAME (user@host) plus any other pertinent info
• BYE - end of participation
• APP - application-specific functions
RTCP packet
• Each RTCP packet begins with a fixed part followed by structured elements of variable length (must end on a 32 bit boundary).
• Stackable within 1 UDP packet.
RTCP packet
• Periodically sent from:– Transmitting terminal to receiving terminal
– Receiving terminal to transmitting terminal
• Main functions are:– Rate control
– Membership identification
– QoS tracking
Issues and Vulnerabilities
• Theoretical Vulnerabilities
• Security Philosophy
• Documented Vulnerabilities
Theoretical Vulnerabilities
• RTP is a relative new-comer– RFC 1889 approved in 1996– RFC 3550 approved in 2003
• Functionally identical with 1880
• Updates to rules and algorithms governing how the protocol is to be used
• Widely used, but few documented exploitations documented to date
Theoretical Vulnerabilities
• Theoretically vulnerable to common transportation-layer weaknesses:– Denial of Service
• SSRC assumption by unauthorized user• Packet injection• Fake content inserted before real
– QoS Bandwidth Attack– Embedded encryption breakable
• Sometimes KEY transmitted in the clear
Security Philosophy
• Network “attacks” hard to recognize without specific knowledge of application– Targeted communication is high-speed
• Audio/Visual Communicaiton
• Multicast Communication
• Authentication & Encryption, where required, are implemented at lower layers– RTCP statistics are available to help
– “Physician, heal thyself”
Documented Vulnerabilities
• Total of 24 patents found referencing RTP– Only 2 directly relate to RTP
• 6,856,613 – Throttling audio packets to processing capacity
• 6,728,265 – Controlling frame transmission rate
– Remainder merely mention RTP as a recommended or suggested transport method
Documented Vulnerabilities
• Only 3 documented CERT vulnerabilities– VU#460350 – Apple Quicktime Streaming
Server• There is an error in the way Quicktime parses
“DESCRIBE requests containing specially crafted User-Agent fields. An attacker could exploit this vulnerability by sending a DESCRIBE request with an overly large User-Agent field.”
– Legitimate users would be blocked from streamed content
• Apple released a patch for this condition
Documented Vulnerabilities
• CERT vulnerabilities (continued)– VU#148564 – Apple Quicktime Streaming
Server• Includes a utility called MP3Broadcaster which
contains an integer overflow which may be exploited to cause a DoS attack.
• No practical solution known by CERT
• Must be prevented by disabling unauthenticated remote broadcasts
Documented Vulnerabilities
• CERT vulnerabilities (continued)– VU#934932 – RealNetworks Helix Universal
Server 9• Contains buffer overflow protection in two plug-in
modules which has allowed remote attackers to execute arbitrary code causing the Server to crash
• No practical solution known by CERT
• Must be prevented by removing the associated plug-ins: vsrcplin and vsrc3260
References
• http://www/cs/columbia.edu/~hgs/rtp/faq.html• http://www.kb.cert.org/vuls• Kurose & Ross, Computer Networking, 2003
Questions
• What is the main purpose of RTP?– End-to-end delivery for real-time data
• Video/audio conferencing
• Simulations
• VOIP
• What is the purpose of RTCP?– Provide RTP control information and QoS
feedback