[Live-devel] testRTSPClient loses sink context when receiving from multiple RTSP clients
Warren Young
wyml at etr-usa.com
Fri Oct 28 10:28:33 PDT 2016
On Oct 28, 2016, at 6:57 AM, Ross Finlayson <finlayson at live555.com> wrote:
>
>> Also, whilst I'm not arguing about the validity or otherwise of the camera's response (I'm no RTP expert), isn't it reasonable to interpret this as a security hole in the live555 library?
>
> No, because IP source addresses can always be forged - so they should never be used as a security mechanism.
If that’s what we’re trying to solve — as opposed to the non-ephemeral port number issue — then wouldn’t switching to RTP over TCP work?
You can’t usefully forge IPs with TCP because the SYN-ACK can’t go back to the forged IP, so the third handshake packet never happens. And you can’t inject a frame into the stream, because you probably can’t guess sequence numbers and such unless you’re in a MITM position.
As for MITM mitigation, that’s the same as always: TLS, VPN, or similar.
So, the security bug here is unencrypted UDP, not Live555.
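The handshake argument above can be made concrete with a small simulation. This is an added example, not code from this thread or from the live555 library: it models a network that routes on destination address only (so the source field is never checked), a listener that picks a random 32-bit initial sequence number and completes a connection only when the third packet acknowledges that number, and a host that answers an unsolicited SYN-ACK with RST the way a real stack does. The host addresses and sequence numbers are constructed for the simulation; the point it shows is that a sender writing someone else's address into the source field never sees the SYN-ACK, so it cannot supply the ISN that the server requires, whereas a plain UDP receiver keyed on source address has no such check.

```python
"""Why a forged source address cannot complete a TCP-style handshake.

Constructed simulation (not live555 code). The network delivers on
destination only, exactly like IP: nothing stops a sender from writing
any value into the source field. The listener mints a random 32-bit
ISN per SYN and moves to ESTABLISHED only when the ACK carries ISN+1.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


@dataclass
class Host:
    addr: str
    inbox: list = field(default_factory=list)
    conns: dict = field(default_factory=dict)   # peer -> handshake state
    isns: dict = field(default_factory=dict)    # peer -> ISN we chose


class Network:
    def __init__(self, hosts):
        self.hosts = {h.addr: h for h in hosts}

    def send(self, pkt):
        # Routing looks only at pkt.dst; pkt.src is taken on faith.
        self.hosts[pkt.dst].inbox.append(pkt)


def server_process(server, net):
    """Drain the listener's inbox with TCP-like handshake rules."""
    while server.inbox:
        pkt = server.inbox.pop(0)
        if pkt.flags == "SYN":
            isn = secrets.randbits(32)
            server.isns[pkt.src] = isn
            server.conns[pkt.src] = "SYN-RECEIVED"
            # The SYN-ACK is addressed to whatever src the SYN claimed.
            net.send(Packet(server.addr, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK" and server.conns.get(pkt.src) == "SYN-RECEIVED":
            if pkt.ack == server.isns[pkt.src] + 1:
                server.conns[pkt.src] = "ESTABLISHED"
            # A wrong acknowledgement number leaves the handshake incomplete.
        elif pkt.flags == "RST":
            # Peer says it never asked for this: drop the half-open state.
            server.conns.pop(pkt.src, None)
            server.isns.pop(pkt.src, None)


def bystander_process(host, net):
    """A host that receives a SYN-ACK it never solicited answers with RST."""
    while host.inbox:
        pkt = host.inbox.pop(0)
        if pkt.flags == "SYN-ACK":
            net.send(Packet(host.addr, pkt.src, "RST", seq=pkt.ack))


def honest_handshake(client, server, net):
    """Client uses its own address, so it sees the SYN-ACK and learns the ISN."""
    net.send(Packet(client.addr, server.addr, "SYN", seq=1000))
    server_process(server, net)
    synack = client.inbox.pop(0)
    net.send(Packet(client.addr, server.addr, "ACK", seq=1001, ack=synack.seq + 1))
    server_process(server, net)
    return server.conns.get(client.addr)


def spoofed_handshake(attacker, victim, server, net, victim_answers=True):
    """Attacker writes victim.addr as source; the SYN-ACK goes to the victim."""
    net.send(Packet(victim.addr, server.addr, "SYN", seq=1000))
    server_process(server, net)
    assert not attacker.inbox            # the attacker learned nothing
    if victim_answers:
        bystander_process(victim, net)   # RST tears the half-open state down
        server_process(server, net)
    # Without the ISN, the best the attacker can do is a blind 32-bit guess.
    net.send(Packet(victim.addr, server.addr, "ACK", seq=1001, ack=secrets.randbits(32)))
    server_process(server, net)
    return server.conns.get(victim.addr)


def make_world():
    hosts = [Host("10.0.0.1"), Host("10.0.0.2"), Host("10.0.0.3")]  # server, client/victim, attacker
    return hosts[0], hosts[1], hosts[2], Network(hosts)


if __name__ == "__main__":
    server, client, attacker, net = make_world()
    print("honest :", honest_handshake(client, server, net))
    server, victim, attacker, net = make_world()
    print("spoofed:", spoofed_handshake(attacker, victim, server, net))
```

The two runs show the asymmetry the post relies on: the honest client ends ESTABLISHED, while the spoofed attempt ends with no connection at all if the impersonated host answers the stray SYN-ACK with RST, and stuck in SYN-RECEIVED if that host is silent, since the attacker's one-in-2^32 guess at the ISN almost never lands. A UDP receiver that keys a session on source address and port has nothing equivalent to this check, which is why the post frames the exposure as unencrypted UDP rather than the library.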