P2P has its advantages for the less network technical individuals; however, it does add administrative overhead not initially, but in the long run of support. It is also prone to security issues as the client, server, and security devices are making connections to a cloud server exchanging information on how to connect. Have you ever captured packets on a cloud P2P? Not interesting at all; as a matter of fact, a little bit scary considering security is the primary application.
Depending on the application and the customer, we will use VPN access back into the network or change the default port, update the password and PAT (Port forward) the necessary ports for inbound connections to the DVR/NVR/Camera.
UDP hole punching is the most common solution on P2P Cloud Access for CCTV; and it does have its advantages. However, with the service in the hands of a third party with no encryption, I find it unusable for a variety of other reasons too.
However, for a security company monitoring a lot of residential or small business, it's great to not have to deal with port forwarding and router configuration at each client.
Until that P2P cloud is unreachable; your customers are at the mercy of that 3rd party service.
However, for a security company monitoring a lot of residential or small business, it is great to not have to deal with port forwarding and router configuration at each client.
We have used P2P only once "TRY OUT"; and we have had to go back 4 times due to the application crashing or the P2P cloud not available. All of our solutions that have been implemented with NAT/PAT have been rock solid.
I wonder what is the percentage of scenarios where the NAT traversal will work properly (I guess > 85%).
I do not know, but it is becoming more common; if the vendors designed the P2P solution that allowed you to specify your own server, you could essentially develop your own infrastructure for that purpose; however, it might be cost prohibitive due to resources and technical skills.
We use only one vendor for our residential market and port forwards have worked out with no issues. You could argue that there is administrative overhead with static network maps with port forward solutions where customers are jacking with the settings; however, NAT/PAT solutions have worked well for us with no issues. Furthermore, we have a clause in the contract that if any changes are made that require us to come out and service the equipment and adjust any settings, it will be a billable call.
Based off Hikvision's security issues, EZVIZ makes me very nervous.
If you are just looking to deal with port forwarding, those appliances from Dahua and Hik have UPnP. Almost all routers also have UPnP. That makes the appliance like your Xbox or PlayStation; it does its own port forwarding automatically. That should get you around the port forwarding headache.
As for using the Dahua and Hik P2P .... well, servers used to be in China. I am told they are now in the US. But who knows where they really are or who has access to them or what else may be on them.
IPVMU Certified | 10/06/15 11:41pm
There are many different routers out there, each one has its own UI and can be time consuming for technicians to learn them all. P2P seems nice but has its own problems, the biggest is security, then relying on someone else for a connection. In my opinion, the best solution is to include a router in the proposal, send it with the technicians preconfigured. This ensures that your customers are going to get remote access that day and often improves their home or business network since they usually have some crappy Linksys circa 2002.
We've asked Hikvision about EZVIZ a couple of times. The official response has been that it's not available in North America. But I've been able to add cameras and view them just fine. From what I remember, cloud recording didn't work, but I didn't investigate why.
We'll take a look at Dahua's P2P.
As soon as we hear back from either, we'll post here.
This is just DNS server access with a friendly GUI. We all run security risks when giving ourselves remote access.
It seems that Axis has joined P2P too:
"2. Axis solution to remote access: Axis Secure Remote Access makes it possible for a smartphone or PC client to access Axis network cameras when the client and the cameras are located on different local networks. Using external mediator servers, the client and the camera can find each other and establish a secure peer-to-peer connection. As a fallback the communication is automatically relayed through the mediator servers, when direct communication cannot be established."
Related post here.
The Engrish is strong in this one. And that's something of a problem when it comes to trust. I think most people will trust the transactional purchase of a Chinese made/manufactured device, but not so much a Chinese service provider. The big Chinese manufacturers will need to spend considerable marketing dollars in the US to sell professional cloud services as adjunct to their hardware.
That being said it goes to show that more advanced remote access than manual port forwarding is/will be a common feature that's simply expected in all cameras/VMS. Axis provides it as a convenience and that's good.
As others have pointed out, true P2P uses STUN/TURN/ICE to broker a P2P connection between the camera/client. The advantages are lower cost to the service provider since the majority of the network traffic need not traverse their network, and low latency (in the case of STUN). P2P is pretty much the only way to go when the service needs to be free. Disadvantages are that it's not always guaranteed to work 100% of the time, which is a problem in any professional system.
We thought a lot and did a lot of experimentation with true P2P early on but eventually opted to go with a TLS connection to our media servers that reflect the (in our case HLS) stream between the customer site and our customer's client. We have much more deterministic results starting a stream session and better control over the customer's experience. If the site can communicate with us at all, we can stream.
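Added example, not part of any post in this thread: for anyone reviewing a packet capture of the STUN brokering step described above, this Python sketch recognises a standard RFC 5389 STUN message in a UDP payload and decodes the public address and port the server reports back to the device. It assumes standard STUN framing (a vendor's P2P cloud may use a proprietary format instead), and the sample message is constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
XOR_MAPPED_ADDRESS = 0x0020
MESSAGE_TYPES = {0x0001: "Binding Request",
                 0x0101: "Binding Success Response",
                 0x0111: "Binding Error Response"}

# Constructed sample: Binding Success Response reporting 203.0.113.7:40000
SAMPLE_RESPONSE = bytes.fromhex(
    "0101000c2112a442"              # type, length, magic cookie
    "000102030405060708090a0b"      # transaction ID
    "00200008" "0001bd52ea12d545")  # XOR-MAPPED-ADDRESS (IPv4)

def decode_xor_address(value: bytes, txid: bytes):
    """Undo the XOR masking of an XOR-MAPPED-ADDRESS value."""
    family = value[1]
    port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    key = struct.pack("!I", MAGIC_COOKIE) + txid
    size = {0x01: 4, 0x02: 16}.get(family)       # IPv4 or IPv6
    if size is None or len(value) < 4 + size:
        return None
    raw = bytes(a ^ b for a, b in zip(value[4:4 + size], key))
    return str(ipaddress.ip_address(raw)), port

def parse_stun(payload: bytes):
    """Return a summary dict for a STUN message, or None if it is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    end = 20 + length
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or length % 4 or end > len(payload):
        return None
    txid = payload[8:20]
    info = {"type": MESSAGE_TYPES.get(msg_type, hex(msg_type)),
            "txid": txid.hex(), "mapped": None}
    offset = 20
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", payload[offset:offset + 4])
        value = payload[offset + 4:offset + 4 + attr_len]
        if offset + 4 + attr_len > end:
            return None             # attribute runs past the declared length
        if attr_type == XOR_MAPPED_ADDRESS and attr_len >= 8:
            info["mapped"] = decode_xor_address(value, txid)
        offset += 4 + attr_len + (-attr_len % 4)   # values are padded to 4 bytes
    return info

print(parse_stun(SAMPLE_RESPONSE))  # summary of the constructed sample
```

Payloads that return `None` here are not standard STUN, which is itself useful to know when judging what a vendor's P2P client is sending.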
In reading these comments I wanted to clarify a question.....does Dahua or Hikvision offer a service similar to Axis' one-click..or any other camera manufacturer? Where you can implement it and use in our software? I'd love to part ways with Axis for some customers ($$) but need that ship to site and autoconnect to work (or ship to site and installer 'one-click' it to me). Do not want to have another device onsite.
Anyone generalizing that P2P is a security risk needs to know how it's implemented. It's a very secure protocol if implemented correctly. Peer to Peer (abbreviated to P2P) network protocol allows each computer accessing the application on the network to act as a client or server for the other trusted computers in the network. This allows shared access to various resources such as metadata, audio, video, access control data, event data, wireless mobile devices and sensors without the need for a proxy through a central server. The P2P protocol for sharing content such as audio, video, data, or anything in digital format allows numerous clients to view live video streams without limitations on the number of users. The P2P protocol must use distributed application architecture that partitions tasks or workloads among trusted peers using public key cryptography. Peers are equally trusted participants to video, audio and data which must also be encrypted with their data AES 128bit format or greater encryption.
When P2P is implemented correctly, there is an introduction server that makes a secure introduction between the client and server using public key cryptography. This implementation instructs the IP Camera or Server not to allow inbound network connectivity but to only listen for authorized connections from the introduction server. Thus, it protects systems from inbound security attacks. Since all Clients & Servers are utilizing public key cryptography; it protects the data transmissions and data authorization, data eavesdropping and can conceal identities/locations of the participants and authentication of the data/messages.
However, with that being said and without knowing how P2P implementation is done by these Chinese companies and their service providers, P2P could be implemented like many other protocols to exploit network security.
P2P may not fit your definition of a protocol. But, RTMFP is a P2P protocol.
RTMFP (RFC 7016) is a secure protocol identified by the Internet Engineering Task Force which has been designed to be used as a secure P2P implementation.
But, I agree with you that it won't be wise to trust any Chinese manufacturer to follow 'trusted peers' method since they would have to be one.
Pro Focus LLC | 04/06/17 08:19pm
Dahua P2P is down today. Someone at ISC West should stop by their booth and ask why?