RTPReal-Time Transport Protocol

Patrick Burke

Craig Webb

Outline

• Introduction

• RTP Network Stack

• Design Goals

• 2 Protocols in 1

• RTP Packet Format

• RTCP Packet Format

• Vulnerabilities

Intro / What is RTP?

• RFC 3550/3551 (obsoletes RFC 1889/1890)

• End-to-end delivery for real-time data– Video/audio conferencing– Simulations– VOIP

• Provides functions to support loss, out-of-order, jitter, source/payload identification, rate control

RTP Network Stack

• Closely coupled with the transport layer (usually UDP)

Design Goals / What it does...

• Lightweight - specification and implementation

• Flexible - provide mechanism, don’t dictate algorithms

• Protocol-neutral - UDP/IP, ST-II, IPX...

• Scalable - unicast, multicast 2 to O(107)

• Separate data and control - RTP / RTCP

• Separate packets for different media types

• Support for encryption

Design Goals / What it doesn’t do...

• Ensure timely delivery

• Ensure quality-of-service

• Prevent out-of-order delivery

Provides mechanisms for detecting/measuring these but relies on Transport layer and/or Application. Example: Relies on UDP checksum service.

Separate data and control

(Two protocols - consecutive UDP ports)

• RTP – encapsulates data

– adds sequencing, timestamp, source identification

• RTCP (RTP Control Protocol) – provides control information

– QoS feedback

RTP packet header

RTP packet header• Version - currently 2

• Padding - used in encryption

• Extension - used in some implementations

• CSRC count - number of contributing source indentifiers (maximum of 15)

• Marker - significant events, defined by implementation (i.e. frame boundaries)

• Payload type - audio/video encoding method

• SSRC - synchronization source, randomly generated at start of session (no 2 SSRC within the same RTP session can have the same identifier)

RTP Packet Header

• Sequence number – Initial value is random,

– Increment by 1 each RTP packet sent

– Loss detection

– Out-of-order detection

• Timestamp – Used for synchronization

– Allows for QoS feedback (jitter calculations)

– Rate adaptation

RTP mixers and translators

• Mixer– several media streams to one new stream

– becomes the new SSRC

• Translator – converts data encoding

RTCP packet types

• SR - sender report, transmission and reception statistics from active members

• RR - receiver report, reception statistics from non-active members

• SDES - source description items, CNAME (user@host) plus any other pertinent info

• BYE - end of participation

• APP - application-specific functions

RTCP packet

• Each RTCP packet begins with a fixed part followed by structured elements of variable length (must end on a 32 bit boundary).

• Stackable within 1 UDP packet.

RTCP packet

• Periodically sent from:– Transmitting terminal to receiving terminal

– Receiving terminal to transmitting terminal

• Main functions are:– Rate control

– Membership identification

– QoS tracking

Issues and Vulnerabilities

• Theoretical Vulnerabilities

• Security Philosophy

• Documented Vulnerabilities

Theoretical Vulnerabilities

• RTP is a relative new-comer– RFC 1889 approved in 1996– RFC 3550 approved in 2003

• Functionally identical with 1880

• Updates to rules and algorithms governing how the protocol is to be used

• Widely used, but few documented exploitations documented to date

Theoretical Vulnerabilities

• Theoretically vulnerable to common transportation-layer weaknesses:– Denial of Service

• SSRC assumption by unauthorized user• Packet injection• Fake content inserted before real

– QoS Bandwidth Attack– Embedded encryption breakable

• Sometimes KEY transmitted in the clear

Security Philosophy

• Network “attacks” hard to recognize without specific knowledge of application– Targeted communication is high-speed

• Audio/Visual Communicaiton

• Multicast Communication

• Authentication & Encryption, where required, are implemented at lower layers– RTCP statistics are available to help

– “Physician, heal thyself”

Documented Vulnerabilities

• Total of 24 patents found referencing RTP– Only 2 directly relate to RTP

• 6,856,613 – Throttling audio packets to processing capacity

• 6,728,265 – Controlling frame transmission rate

– Remainder merely mention RTP as a recommended or suggested transport method

Documented Vulnerabilities

• Only 3 documented CERT vulnerabilities– VU#460350 – Apple Quicktime Streaming

Server• There is an error in the way Quicktime parses

“DESCRIBE requests containing specially crafted User-Agent fields. An attacker could exploit this vulnerability by sending a DESCRIBE request with an overly large User-Agent field.”

– Legitimate users would be blocked from streamed content

• Apple released a patch for this condition

Documented Vulnerabilities

• CERT vulnerabilities (continued)– VU#148564 – Apple Quicktime Streaming

Server• Includes a utility called MP3Broadcaster which

contains an integer overflow which may be exploited to cause a DoS attack.

• No practical solution known by CERT

• Must be prevented by disabling unauthenticated remote broadcasts

Documented Vulnerabilities

• CERT vulnerabilities (continued)– VU#934932 – RealNetworks Helix Universal

Server 9• Contains buffer overflow protection in two plug-in

modules which has allowed remote attackers to execute arbitrary code causing the Server to crash

• No practical solution known by CERT

• Must be prevented by removing the associated plug-ins: vsrcplin and vsrc3260

References

• http://www/cs/columbia.edu/~hgs/rtp/faq.html• http://www.kb.cert.org/vuls• Kurose & Ross, Computer Networking, 2003

Questions

• What is the main purpose of RTP?– End-to-end delivery for real-time data

• Video/audio conferencing

• Simulations

• VOIP

• What is the purpose of RTCP?– Provide RTP control information and QoS

feedback

Questions

• Why does RTP rely on the applications to provide security measures?– Targeted communication is high-speed

(Audio/Visual and Multicast) making recognition of an attack without specific application knowledge difficult.