Ability to Intercept and Nullify BLE based mDNS discovery of APPLE TV
Q:

Ability to Intercept and Nullify BLE based mDNS discovery of APPLE TV



A:

As part of the iOS 7.1 release, Apple also updated the software running on its Apple TVs.

This update lets an AirPlay device discover an Apple TV over Bluetooth in environments where multicast or Bonjour traffic is blocked on the network, or where the AirPlay device is on a different subnet.

iPads and iPhones running iOS 7.1, and later Apple TVs, use proximity-based discovery over BLE for Apple TVs. The Apple TV advertises itself using iBeacon.

iPads or iPhones within Bluetooth range of the Apple TV can discover the Apple TV using BLE.

Impact of BLE

  1. With this new Apple feature, AirGroup policies will not work.
  2. Personal devices can be discovered by users other than the device owner or the users on the shared user list. Bluetooth-based discovery allows any user in the vicinity to discover the Apple TV.
  3. Role-, group- and user-name-based sharing of devices will break.
  4. Time-based sharing will break.

Functionality of BLE

  • iPads and Apple TVs use BLE-based signaling for the discovery mechanism to work over Bluetooth.
  • BLE-based signaling cannot be controlled.
  • The RTSP unicast message flows through the Aruba topology over TCP port 5000.
  • The subsequent RTSP unicast message over TCP port 5000 could be controlled by AirGroup.
  • Completely block BLE-based discovery.
  • BLE-based discovery subject to AirGroup policies.

Implementation

  • Port 5000 is permitted by the user role ACL.
  • All packets sent to destination port 5000 are deep inspected.
  • The datapath performs a lookup for “GET /info?txtAirPlay&txtRAOP RTSP/1.0” in the payload.
  • If there is no match, the packet is sent back to the datapath (DP). The assumption is that this RTSP message was sent as a result of mDNS-based discovery.
  • If there is a match, the packet is dropped. The BLE discovery packets are dropped by the controller and not forwarded.
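
The match/no-match decision in the list above, as an added Python sketch; it is not Aruba's datapath code. The function names, the "forward"/"drop" labels and the sample packets are assumptions constructed for illustration; only the port number and the signature string come from the article.

```python
import struct

# Signature and port quoted in the Implementation list above.
BLE_DISCOVERY_SIG = b"GET /info?txtAirPlay&txtRAOP RTSP/1.0"
AIRPLAY_PORT = 5000

def tcp_payload(ip_packet: bytes):
    """Return (dst_port, payload) for an IPv4/TCP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ip_packet[9] != 6 or len(ip_packet) < ihl + 20:   # protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    dst_port = struct.unpack("!H", ip_packet[ihl + 2:ihl + 4])[0]
    data_off = (ip_packet[ihl + 12] >> 4) * 4        # TCP header length in bytes
    return dst_port, ip_packet[ihl + data_off:total_len]

def verdict(ip_packet: bytes) -> str:
    """'drop' for BLE-triggered discovery, 'forward' for everything else."""
    parsed = tcp_payload(ip_packet)
    if parsed is None:
        return "forward"
    dst_port, payload = parsed
    if dst_port != AIRPLAY_PORT:
        return "forward"      # only destination port 5000 is deep inspected
    if BLE_DISCOVERY_SIG in payload:
        return "drop"         # match: BLE discovery request, not forwarded
    return "forward"          # no match: assumed to follow mDNS-based discovery

def build_packet(dst_port: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4+TCP packet, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 10]), bytes([10, 0, 1, 20]))
    return ip + tcp + payload

# Constructed sample requests (not captured traffic).
BLE_REQ = build_packet(5000, BLE_DISCOVERY_SIG + b"\r\nCSeq: 0\r\n\r\n")
OTHER_REQ = build_packet(5000, b"OPTIONS * RTSP/1.0\r\nCSeq: 0\r\n\r\n")
OFF_PORT = build_packet(7000, BLE_DISCOVERY_SIG + b"\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("BLE", BLE_REQ), ("other", OTHER_REQ), ("off-port", OFF_PORT)):
        print(name, verdict(pkt))
```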

Caveats

iOS 8 uses peer-to-peer communication with Apple TV 7.x, and this will override the mDNS discovery and mirroring.

Verifications

  • Bluetooth is enabled on both AG users and servers.
  • Bluetooth-based discovery is blocked with the above-mentioned implementation, and our policies are applied.
  • All new versions of ATV and iPads running iOS 6, 7 and 8 are tested.
  • BLE traffic from the anchor controller is also blocked.
  • Check for the “D” flag in “show datapath session” for the sessions on port 5000.

Version History
Revision #: 2 of 2
Last update: 05-18-2016 01:38 PM