Ability to Intercept and Nullify BLE-based mDNS Discovery of Apple TV
As part of the iOS 7.1 release, Apple also updated the software running on its Apple TVs.
This update lets an AirPlay device discover an Apple TV over Bluetooth in environments where multicast or Bonjour traffic is blocked on the network, or where the AirPlay device is on a different subnet.
An iPad or iPhone running iOS 7.1 and the later Apple TVs use BLE-based proximity discovery: the Apple TV advertises itself using iBeacon.
iPads or iPhones within Bluetooth range of the Apple TV can discover it over BLE.
Impact of BLE
- With this new Apple feature, AirGroup policies no longer take effect.
- Personal devices can be discovered by users other than the device owner or the shared-user list: Bluetooth-based discovery lets any user in the vicinity discover the Apple TV.
- Role-, group- and user-name-based sharing of devices breaks.
- Time-based sharing breaks.
Functionality of BLE
- iPads and Apple TVs use BLE-based signalling for the discovery mechanism to work over Bluetooth.
- The BLE-based signalling itself cannot be controlled.
- The RTSP unicast messages flow through the Aruba topology over TCP port 5000.
- These subsequent RTSP unicast messages over TCP port 5000 can be controlled by AirGroup.
- Completely block BLE-based discovery.
- Make BLE-based discovery subject to AirGroup policies.
- Port 5000 is permitted by the user-role ACL.
- All packets sent to destination port 5000 are deep-inspected.
- The datapath searches the payload for “GET /info?txtAirPlay&txtRAOP RTSP/1.0”.
- If there is no match, the packet is sent back to the datapath for normal processing: the assumption is that this RTSP message was sent as a result of mDNS-based discovery.
- If there is a match, the packet is dropped: BLE discovery packets are dropped by the controller and not forwarded.
iOS 8 uses peer-to-peer communication with Apple TV 7.x, and this overrides the mDNS-based discovery and mirroring.
- Bluetooth enabled on both AirGroup users and servers.
- Bluetooth-based discovery is blocked with the implementation described above and our policies are applied.
- All new versions of Apple TV and iOS 6, 7 and 8 iPads are tested.
- BLE traffic from the anchor controller is also blocked.
- Check for the “D” flag in “show datapath session” for the sessions on port 5000.
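As an added example (not Aruba's code), the following Python models the port-5000 deep-inspection check and the per-session “D” flag described above; the function names, the sample packets and the meaning of the flag are assumptions.

```python
# Added example (not Aruba's code): a model of the port-5000 deep inspection
# described above. Names, sample packets and the 'D' flag meaning are assumptions.
from typing import Dict, List, Tuple

INSPECTED_PORT = 5000
# Request line the datapath looks for in the RTSP payload (from the page).
BLE_DISCOVERY_MARKER = b"GET /info?txtAirPlay&txtRAOP RTSP/1.0"

def classify_packet(dst_port: int, payload: bytes) -> str:
    """Return 'drop' or 'forward' for one TCP payload.

    Only traffic to TCP/5000 is inspected. A payload whose RTSP request line
    is the BLE-triggered AirPlay info request is dropped; anything else is
    assumed to stem from mDNS/Bonjour discovery and is forwarded to the
    normal datapath, where AirGroup policy applies.
    """
    if dst_port != INSPECTED_PORT:
        return "forward"
    request_line = payload.split(b"\r\n", 1)[0]
    return "drop" if request_line == BLE_DISCOVERY_MARKER else "forward"

Packet = Tuple[str, int, bytes]  # (client, dst_port, payload)

def run_datapath(packets: List[Packet]) -> Dict[Tuple[str, int], dict]:
    """Feed packets through the check and keep a per-session summary.

    A session with any dropped packet gets a 'D' flag, modelling the
    "show datapath session" check in the test notes (assumed meaning).
    """
    sessions: Dict[Tuple[str, int], dict] = {}
    for client, dst_port, payload in packets:
        entry = sessions.setdefault((client, dst_port),
                                    {"forwarded": 0, "dropped": 0, "flags": ""})
        if classify_packet(dst_port, payload) == "drop":
            entry["dropped"] += 1
            entry["flags"] = "D"
        else:
            entry["forwarded"] += 1
    return sessions

# Constructed sample traffic: one BLE-triggered discovery request, one RTSP
# message from an mDNS-discovered session, and one non-5000 packet.
SAMPLE_PACKETS: List[Packet] = [
    ("ipad-1", 5000, b"GET /info?txtAirPlay&txtRAOP RTSP/1.0\r\nCSeq: 0\r\n\r\n"),
    ("ipad-2", 5000, b"OPTIONS * RTSP/1.0\r\nCSeq: 0\r\n\r\n"),
    ("ipad-1", 80, b"GET /info?txtAirPlay&txtRAOP RTSP/1.0\r\n\r\n"),
]
```

Running `run_datapath(SAMPLE_PACKETS)` flags only the ipad-1 port-5000 session with “D”; the mDNS-style RTSP session and the non-5000 packet are forwarded untouched.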