Discussion:
TLS over RTSP
Alejandro Ferrari
2014-10-08 12:54:36 UTC
Hi Guys,

I'm reading about ways to protect RTSP streaming. We have a security
cam that streams over RTSP, but we need to secure this traffic to avoid any
man-in-the-middle issue.

Is there currently some way to encrypt RTSP traffic? I read something related
to "rtsps" but I can't find anything useful about this... does it really exist?

Thanks!
Alejandro
Ross Finlayson
2014-10-08 15:33:42 UTC
1/ I think you mean "RTSP over TLS", not "TLS over RTSP".

2/ The "rtsps" URL scheme was defined only for the proposed RTSP 2.0 protocol, which nobody (including us) implements.

3/ If it's only 'man-in-the-middle' attacks that you care about, then regular RTSP (digest) authentication should protect against that. (However, that does not provide any confidentiality of the RTSP or media traffic.)

4/ Note that even if you were to use encryption to provide confidentiality of the RTSP (TCP) traffic, that would not provide any confidentiality of the media (RTP/RTCP, i.e., UDP) traffic, unless you are tunneling RTP/RTCP-over-TCP (which is something that we discourage, unless you have a firewall that blocks UDP packets).

Nonetheless, if you are using the "LIVE555 Streaming Media" software to implement both the RTSP server and (all of) your RTSP clients, then you can implement RTSP over a TLS connection by setting up - at each end - a TLS connection, and then:
- In each RTSP client, use the (otherwise optional) "socketNumToServer" parameter to "RTSPClient::createNew()" to specify the socket number of the TLS connection.
- In your RTSP server, subclass "RTSPServer", and, in your subclass's constructor, pass the socket number of the TLS connection as the "ourSocket" parameter in your call to the "RTSPServer" constructor.

Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
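
Point 3 above relies on RTSP digest authentication. As an added example (not part of the original post and not LIVE555 code), this Python code computes and verifies a digest response for an RTSP request, assuming the no-qop MD5 form of RFC 2617; the user, realm, password, nonce and URL are constructed values.

```python
import hashlib
import hmac
import re

# Constructed sample values, not taken from any real deployment.
USER, REALM, PASSWORD = "viewer", "Constructed Camera Realm", "correct-horse"
NONCE = "constructed-nonce-0001"
URI = "rtsp://camera.example/stream1"
PASSWORDS = {USER: PASSWORD}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def authorization_header(user, realm, password, method, uri, nonce):
    # Client side: the password itself never appears in the header.
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')

def verify(method, request_uri, header, passwords, issued_nonces):
    # Server side: recompute from the request line actually received.
    f = dict(re.findall(r'(\w+)="([^"]*)"', header))
    user, nonce = f.get("username"), f.get("nonce")
    if user not in passwords or nonce not in issued_nonces:
        return False              # unknown user, or a nonce we never issued
    if f.get("uri") != request_uri:
        return False              # header was minted for a different URL
    expected = digest_response(user, f.get("realm", ""), passwords[user],
                               method, request_uri, nonce)
    return hmac.compare_digest(expected, f.get("response", ""))

if __name__ == "__main__":
    hdr = authorization_header(USER, REALM, PASSWORD, "DESCRIBE", URI, NONCE)
    print(hdr)
    print(verify("DESCRIBE", URI, hdr, PASSWORDS, {NONCE}))
```

Only the method, URI and nonce enter the hash; the remaining headers, the SDP body and the RTP/RTCP packets are not covered by it and travel in cleartext.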
Jeff Shanab
2014-10-08 15:49:14 UTC
Set up a VPN tunnel. RTSP just happens to be the connection protocol on top
of it then.

Alejandro Ferrari
2014-10-08 17:42:36 UTC
Hi Ross,

Thanks for your detailed response, let me check some points.

* Why is it not recommended to use RTSP over TCP?
* Our camera works inside a home and pushes to cloud servers. I think in
this scenario UDP will not be an issue, right?
* Does live555 have a library to push from Android? I read many posts but
found nothing "official".
* Can you guide me to some documentation about how to extend business logic
with your server? We need to record all the incoming streams into mp4 to make
them available later to watch as VOD.

Thanks again!
Alejandro
Ross Finlayson
2014-10-08 19:17:15 UTC
Post by Alejandro Ferrari
* Why is it not recommended to use RTSP over TCP?
Just to be clear, the RTSP protocol (the 'control protocol') is always over TCP. By default, however, the *media* packets (i.e., RTP/RTCP) are sent over UDP. It is possible, however, to also stream the media packets (RTP/RTCP) interleaved over the RTSP (i.e., TCP) connection. The basic reason why this is not recommended - unless you're behind a firewall that blocks UDP packets - is that the media (RTP/RTCP) packets are intended to be 'real time' data, and by carrying them over TCP, you're introducing often excessive (and usually unnecessary) delay, and also making the streaming less data efficient.
Post by Alejandro Ferrari
* Our camera works inside a home and pushes to cloud servers. I think in this scenario UDP will not be an issue, right?
Do you mean "UDP packets will not be able to pass between your clients and servers"? Perhaps they will; why not try it and check?
Post by Alejandro Ferrari
* Does live555 have a library to push from Android?
Are you asking if the "LIVE555 Streaming Media" code can run on 'Android'? Yes it can; remember that 'Android' is basically just Linux. So use one of the "config.linux*" configuration files when you build the software.
Post by Alejandro Ferrari
* Can you guide me to some documentation about how to extend business logic with your server?
I'm not sure what you mean by "extend business logic" (that sounds like marketing talk :-), but remember that there's a limit as to how much advice/help I can dispense 'for free' on this mailing list.
Post by Alejandro Ferrari
We need to record all the incoming streams into mp4 to make them available later to watch as VOD.
I suggest that you start by looking at our "openRTSP" application - http://www.live555.com/openRTSP/ - and also reviewing the code for the "testRTSPClient" demo application.


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
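
The interleaved mode described in the reply above carries RTP/RTCP on the RTSP TCP connection using the `$`, channel, 16-bit length framing of RFC 2326 section 10.12. This added example (not from the original post or the LIVE555 code base; the sample bytes are constructed) separates control messages from media frames in such a byte stream, which is everything a TLS layer under that one connection would carry.

```python
import struct

def frame(channel, payload):
    # '$' + 1-byte channel id + 2-byte big-endian length + payload
    return b"$" + struct.pack("!BH", channel, len(payload)) + payload

def demux(buf):
    """Split bytes read from one RTSP TCP connection.

    Returns (units, rest): units are ("rtsp", first_line, body) or
    ("media", channel, payload); rest is an incomplete tail to keep
    until more bytes arrive.
    """
    units, pos = [], 0
    while pos < len(buf):
        if buf[pos] == 0x24:                      # '$' starts a media frame
            if len(buf) - pos < 4:
                break
            channel, length = struct.unpack_from("!BH", buf, pos + 1)
            end = pos + 4 + length
            if end > len(buf):
                break                             # frame not fully received
            units.append(("media", channel, buf[pos + 4:end]))
        else:                                     # RTSP request or response
            head_end = buf.find(b"\r\n\r\n", pos)
            if head_end < 0:
                break
            lines = buf[pos:head_end].decode("ascii", "replace").split("\r\n")
            body_len = 0
            for line in lines[1:]:
                name, _, value = line.partition(":")
                if name.strip().lower() == "content-length" and value.strip().isdigit():
                    body_len = int(value.strip())
            end = head_end + 4 + body_len
            if end > len(buf):
                break                             # body not fully received
            units.append(("rtsp", lines[0], buf[head_end + 4:end]))
        pos = end
    return units, buf[pos:]

# Constructed capture: a SETUP reply, one RTP frame on channel 0, one RTCP
# frame on channel 1, then a frame that was cut off mid-payload.
SAMPLE = (b"RTSP/1.0 200 OK\r\nCSeq: 4\r\n"
          b"Transport: RTP/AVP/TCP;interleaved=0-1\r\n\r\n"
          + frame(0, b"\x80\x60" + bytes(10) + b"video")
          + frame(1, b"\x81\xc9" + bytes(6))
          + b"$\x00\x00\x20partial")
```

With the default UDP transport none of the `media` units appear on this connection, so encrypting the TCP stream alone leaves them uncovered.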
Alejandro Ferrari
2014-10-08 19:40:49 UTC
Ross,

Yes sure! Thanks for the help. I'm really evaluating a replacement for our
current media server. I like it, but just need some security features that I
saw built into Live555 Streaming Media.

When I say business logic, I mean that we need to be able to authenticate the
user with our REST service, and handle MP4 file names based on the
camera id, things like this... We are using a Java media server with an API;
my question is related to this part, whether we can add custom handlers to
capture some events, like login and recordings.

Sorry for my English, and regards from Argentina.

Alejandro