Simplify Sending and Receiving Video with RIST Relay
By Adi Rozenberg, CTO and Co-founder, Alvalinks, and RIST Forum Director
Firewalls, while a necessity for maintaining security and control over network traffic, also act as a roadblock to simple sending and receiving of video over the Internet.
If firewalls didn’t monitor and filter incoming and outgoing network connections, then they wouldn’t be doing their job properly. But this is problematic for transporting video because a firewall will typically block or restrict incoming traffic on specific ports to protect the network from unauthorized access.
Most reliable-transport protocol solutions, such as SRT, RIST, Zixi and VideoFlow, operate with one side acting as a server, so in these cases a UDP port must be opened in the firewall and a forwarding rule added. This typically requires media operators to work closely with IT or network administrators to configure the firewall, which is frustrating and time-consuming. This way of working is particularly challenging when there is a last-minute change of plan and the stream needs to be sent to new receivers.
What about STUN, TURN or ICE?
Naturally, the first question a technical media operator will ask is: why not just use STUN, TURN and ICE? After all, they are the standard method for establishing a connection between two devices on separate networks. STUN allows a client to discover its public address, TURN is a relay server for the case where a direct path is not possible, and ICE is the means of negotiating between STUN and TURN candidates. There are RFCs that specify how ICE uses STUN and TURN to establish connectivity between two endpoints, but they do not provide the required functionality on their own, so they are not a complete solution. You would still need something like a SIP server so that the nodes can discover each other and create a connection.
To address this broadcasting challenge, the RIST Activity Group put their collective problem solving heads together and came up with a complete solution. It’s called RIST Relay.
Introducing RIST Relay
The RIST activity group has integrated the STUN, TURN and ICE functionality into one integrated solution, RIST Relay, powered by RIST Advanced Profile (TR-06-03).
RIST Relay enables senders to connect with receivers behind firewalls without the need to open ports in advance. Using a proxy device that is external to the organization and a SIP-like mechanism to connect peers and organizations, RIST Relay greatly simplifies connectivity between organizations, even when neither side knows the other's IP address. Because the proxy is external to the organizations, RIST Relay also minimizes their exposure: it pipes traffic between peers and groups through a relay-like mechanism, so content can be distributed to multiple locations simply and efficiently. It also incorporates functionality for selective backup, protocol conversion, and a single location for system-wide security and authentication.
How connectivity is established
The RIST Relay is placed where it can be reached on the Internet or in the cloud. Each client then connects to the RIST Relay to establish a secure and authenticated connection. Once the client or group is connected and authorized, communication is established and the parties can send IP packets and streams to each other. This reduces the workload for the IT team and simplifies connection for all parties.
Under this SIP-like mechanism for connecting peers and organizations, RIST Relay maintains an address book of connected clients. The address book contains information on each client's availability and is distributed to valid connecting clients. RIST Relay assigns a name to each client and adds or deletes clients from the address book as required. Each client can download the address book (the names of the clients it may interact with). A client can be a member of one or more call groups. Each client can send content to a group, and the RIST Relay will distribute the content to the other group members. A client may also ask to be connected to another client or group once that client is available and connected to the RIST Relay.
Let’s talk security
The RIST Relay incorporates state-of-the-art security and authentication. It is the only entity in the chain that is allowed to create and distribute authentication/certification files or create usernames and passwords. To use the RIST Relay solution, organizations must establish a RIST Advanced Profile connection with both encryption and authentication. To do this, users may implement DTLS with certificate-based authentication, DTLS with TLS-SRP (username and password authentication), PSK with EAP-SHA256-SRP-6 (username and password authentication), or a WireGuard VPN.
The authentication information identifies the endpoint to the RIST Relay, and endpoints are identified by a human-readable name, similar to Skype. The RIST Relay can say no and deny any request based on its security policies. In addition, the endpoint itself can reject any connection attempt.
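The following Python model, added here as an illustration and not code from libRIST or the RIST Forum, ties together the connectivity mechanism (address book, call groups, relay-side forwarding, direct peer requests) and the security rules (only the relay issues credentials, unauthenticated peers never enter the address book, the relay can deny a request by policy, and the endpoint can reject a peer). All class and method names are hypothetical, and the placeholder "secret" stands in for the DTLS certificate, SRP password or WireGuard key that the real relay provisions and verifies.

```python
"""Toy model of the RIST Relay behaviour described in this article.

Added illustration only: not libRIST or RIST Forum code, and every class,
method and endpoint name below is hypothetical.  The 'secret' is a
constructed placeholder for the DTLS certificate / SRP password / WireGuard
key that the real relay provisions and verifies.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str                                  # human-readable endpoint name
    org: str                                   # organization that owns the endpoint
    groups: set = field(default_factory=set)   # call groups the endpoint has joined
    reject: set = field(default_factory=set)   # peers this endpoint refuses (endpoint veto)


class RelayModel:
    """The relay is the single place where credentials are issued and policy is enforced."""

    def __init__(self, policy=None):
        self.credentials = {}   # name -> (secret, org); only the relay writes here
        self.connected = {}     # name -> Client; this dict is the address book
        # policy(client, group) -> bool decides group admission; default allows all
        self.policy = policy or (lambda client, group: True)

    def provision(self, name, org):
        """Issue a credential for an endpoint (constructed placeholder secret)."""
        secret = f"secret-for-{name}"
        self.credentials[name] = (secret, org)
        return secret

    def connect(self, name, secret):
        """Authenticated connect; a peer that fails never enters the address book."""
        entry = self.credentials.get(name)
        if entry is None or entry[0] != secret:
            return False
        self.connected[name] = Client(name=name, org=entry[1])
        return True

    def disconnect(self, name):
        """The relay removes departed clients from the address book."""
        self.connected.pop(name, None)

    def address_book(self, requester):
        """Only a connected (hence authenticated) client may download the book."""
        if requester not in self.connected:
            return None
        return sorted(n for n in self.connected if n != requester)

    def join_group(self, name, group):
        """The relay applies its policy before admitting an endpoint to a call group."""
        client = self.connected.get(name)
        if client is None or not self.policy(client, group):
            return False
        client.groups.add(group)
        return True

    def send_to_group(self, sender, group):
        """Peers the relay would forward a group stream to (sender excluded)."""
        src = self.connected.get(sender)
        if src is None or group not in src.groups:
            return []
        return sorted(
            p.name for p in self.connected.values()
            if p.name != sender and group in p.groups and sender not in p.reject
        )

    def request_peer(self, requester, peer):
        """Direct request: both sides must be connected and the target must not reject."""
        src, dst = self.connected.get(requester), self.connected.get(peer)
        return bool(src and dst and requester not in dst.reject)
```

The policy callable is where an operator would encode the relay's own rules (for example, restricting a private feed to one organization); the per-client reject set models the endpoint-side veto the article mentions, and the forwarding list shows that a rejecting endpoint simply drops out of the distribution without affecting the other group members.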