Menu
▾
▴
#189 Clarify multicast SETUP request
closed-fixed
5
2009-12-10
2008-09-11
No
When sending SETUP request to a RTSP server it can either itself indicate the multicast address to use or it can take a destination from the client. The later has the normal DDOS security issues. However, there need to be clarification on how one seperates the two.
I have looked into this and think there could be some benefit in clarifying this in the transport header text. I have added the below text into the document.
For Multicast there is several methods for specifying addresses but
they are different in how they work compared with unicast:
dest_addr with client picked address The address and relevant
parameters like TTL (scope) for the actual multicast group to
deliver the media to. There are security implications
(Section 21) with this method that needs to be addressed if
using this method because a RTSP server can be used as a DoS
attacker on a existing multicast group.
dest_addr using Session Decription Information: The information
included in the transport header can all be comming from the
session description, e.g. the SDP c= and m= line. This
mitigates some of the security issues of the previous methods
as it is the session provider that picks the multicast group
and scope. The client SHALL include the information if it is
available in the session description.
No dest_addr: The lack of an explicit multicast group request the
server to decide the group address and its scope. For this to
work the server needs to have a context about what scope that
works. This method is currently under specified.