tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 5766

 Errata 
Proposed STD
Pages: 67
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: BEHAVE

Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)

Part 1 of 4, p. 1 to 17
None       Next RFC Part

 


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                           R. Mahy
Request for Comments: 5766                                  Unaffiliated
Category: Standards Track                                    P. Matthews
ISSN: 2070-1721                                           Alcatel-Lucent
                                                            J. Rosenberg
                                                             jdrosen.net
                                                              April 2010


               Traversal Using Relays around NAT (TURN):
     Relay Extensions to Session Traversal Utilities for NAT (STUN)

Abstract

   If a host is located behind a NAT, then in certain situations it can
   be impossible for that host to communicate directly with other hosts
   (peers).  In these situations, it is necessary for the host to use
   the services of an intermediate node that acts as a communication
   relay.  This specification defines a protocol, called TURN (Traversal
   Using Relays around NAT), that allows the host to control the
   operation of the relay and to exchange packets with its peers using
   the relay.  TURN differs from some other relay control protocols in
   that it allows a client to communicate with multiple peers using a
   single relay address.

   The TURN protocol was designed to be used as part of the ICE
   (Interactive Connectivity Establishment) approach to NAT traversal,
   though it also can be used without ICE.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5766.

Page 2 
Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Overview of Operation  . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Transports . . . . . . . . . . . . . . . . . . . . . . . .  8
     2.2.  Allocations  . . . . . . . . . . . . . . . . . . . . . . .  9
     2.3.  Permissions  . . . . . . . . . . . . . . . . . . . . . . . 11
     2.4.  Send Mechanism . . . . . . . . . . . . . . . . . . . . . . 12
     2.5.  Channels . . . . . . . . . . . . . . . . . . . . . . . . . 13
     2.6.  Unprivileged TURN Servers  . . . . . . . . . . . . . . . . 15
     2.7.  Avoiding IP Fragmentation  . . . . . . . . . . . . . . . . 16
     2.8.  RTP Support  . . . . . . . . . . . . . . . . . . . . . . . 17
     2.9.  Anycast Discovery of Servers . . . . . . . . . . . . . . . 17
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . . 18
   4.  General Behavior . . . . . . . . . . . . . . . . . . . . . . . 19
   5.  Allocations  . . . . . . . . . . . . . . . . . . . . . . . . . 22
   6.  Creating an Allocation . . . . . . . . . . . . . . . . . . . . 23
     6.1.  Sending an Allocate Request  . . . . . . . . . . . . . . . 23
     6.2.  Receiving an Allocate Request  . . . . . . . . . . . . . . 24
     6.3.  Receiving an Allocate Success Response . . . . . . . . . . 28
     6.4.  Receiving an Allocate Error Response . . . . . . . . . . . 29
   7.  Refreshing an Allocation . . . . . . . . . . . . . . . . . . . 31
     7.1.  Sending a Refresh Request  . . . . . . . . . . . . . . . . 31
     7.2.  Receiving a Refresh Request  . . . . . . . . . . . . . . . 31
     7.3.  Receiving a Refresh Response . . . . . . . . . . . . . . . 32
   8.  Permissions  . . . . . . . . . . . . . . . . . . . . . . . . . 32
   9.  CreatePermission . . . . . . . . . . . . . . . . . . . . . . . 34
     9.1.  Forming a CreatePermission Request . . . . . . . . . . . . 34
     9.2.  Receiving a CreatePermission Request . . . . . . . . . . . 34
     9.3.  Receiving a CreatePermission Response  . . . . . . . . . . 35
   10. Send and Data Methods  . . . . . . . . . . . . . . . . . . . . 35
     10.1. Forming a Send Indication  . . . . . . . . . . . . . . . . 35
     10.2. Receiving a Send Indication  . . . . . . . . . . . . . . . 35

Top      ToC       Page 3 
     10.3. Receiving a UDP Datagram . . . . . . . . . . . . . . . . . 36
     10.4. Receiving a Data Indication  . . . . . . . . . . . . . . . 37
   11. Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
     11.1. Sending a ChannelBind Request  . . . . . . . . . . . . . . 39
     11.2. Receiving a ChannelBind Request  . . . . . . . . . . . . . 39
     11.3. Receiving a ChannelBind Response . . . . . . . . . . . . . 40
     11.4. The ChannelData Message  . . . . . . . . . . . . . . . . . 41
     11.5. Sending a ChannelData Message  . . . . . . . . . . . . . . 41
     11.6. Receiving a ChannelData Message  . . . . . . . . . . . . . 42
     11.7. Relaying Data from the Peer  . . . . . . . . . . . . . . . 43
   12. IP Header Fields . . . . . . . . . . . . . . . . . . . . . . . 43
   13. New STUN Methods . . . . . . . . . . . . . . . . . . . . . . . 45
   14. New STUN Attributes  . . . . . . . . . . . . . . . . . . . . . 45
     14.1. CHANNEL-NUMBER . . . . . . . . . . . . . . . . . . . . . . 45
     14.2. LIFETIME . . . . . . . . . . . . . . . . . . . . . . . . . 46
     14.3. XOR-PEER-ADDRESS . . . . . . . . . . . . . . . . . . . . . 46
     14.4. DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
     14.5. XOR-RELAYED-ADDRESS  . . . . . . . . . . . . . . . . . . . 46
     14.6. EVEN-PORT  . . . . . . . . . . . . . . . . . . . . . . . . 46
     14.7. REQUESTED-TRANSPORT  . . . . . . . . . . . . . . . . . . . 47
     14.8. DONT-FRAGMENT  . . . . . . . . . . . . . . . . . . . . . . 47
     14.9. RESERVATION-TOKEN  . . . . . . . . . . . . . . . . . . . . 48
   15. New STUN Error Response Codes  . . . . . . . . . . . . . . . . 48
   16. Detailed Example . . . . . . . . . . . . . . . . . . . . . . . 48
   17. Security Considerations  . . . . . . . . . . . . . . . . . . . 55
     17.1. Outsider Attacks . . . . . . . . . . . . . . . . . . . . . 55
       17.1.1.  Obtaining Unauthorized Allocations  . . . . . . . . . 55
       17.1.2.  Offline Dictionary Attacks  . . . . . . . . . . . . . 56
       17.1.3.  Faked Refreshes and Permissions . . . . . . . . . . . 56
       17.1.4.  Fake Data . . . . . . . . . . . . . . . . . . . . . . 56
       17.1.5.  Impersonating a Server  . . . . . . . . . . . . . . . 57
       17.1.6.  Eavesdropping Traffic . . . . . . . . . . . . . . . . 58
       17.1.7.  TURN Loop Attack  . . . . . . . . . . . . . . . . . . 58
     17.2. Firewall Considerations  . . . . . . . . . . . . . . . . . 59
       17.2.1.  Faked Permissions . . . . . . . . . . . . . . . . . . 59
       17.2.2.  Blacklisted IP Addresses  . . . . . . . . . . . . . . 60
       17.2.3.  Running Servers on Well-Known Ports . . . . . . . . . 60
     17.3. Insider Attacks  . . . . . . . . . . . . . . . . . . . . . 60
       17.3.1.  DoS against TURN Server . . . . . . . . . . . . . . . 60
       17.3.2.  Anonymous Relaying of Malicious Traffic . . . . . . . 61
       17.3.3.  Manipulating Other Allocations  . . . . . . . . . . . 61
     17.4. Other Considerations . . . . . . . . . . . . . . . . . . . 61
   18. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 61
   19. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 62
   20. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 63
   21. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
     21.1. Normative References . . . . . . . . . . . . . . . . . . . 64
     21.2. Informative References . . . . . . . . . . . . . . . . . . 64

Top      ToC       Page 4 
1.  Introduction

   A host behind a NAT may wish to exchange packets with other hosts,
   some of which may also be behind NATs.  To do this, the hosts
   involved can use "hole punching" techniques (see [RFC5128]) in an
   attempt discover a direct communication path; that is, a
   communication path that goes from one host to another through
   intervening NATs and routers, but does not traverse any relays.

   As described in [RFC5128] and [RFC4787], hole punching techniques
   will fail if both hosts are behind NATs that are not well behaved.
   For example, if both hosts are behind NATs that have a mapping
   behavior of "address-dependent mapping" or "address- and port-
   dependent mapping", then hole punching techniques generally fail.

   When a direct communication path cannot be found, it is necessary to
   use the services of an intermediate host that acts as a relay for the
   packets.  This relay typically sits in the public Internet and relays
   packets between two hosts that both sit behind NATs.

   This specification defines a protocol, called TURN, that allows a
   host behind a NAT (called the TURN client) to request that another
   host (called the TURN server) act as a relay.  The client can arrange
   for the server to relay packets to and from certain other hosts
   (called peers) and can control aspects of how the relaying is done.
   The client does this by obtaining an IP address and port on the
   server, called the relayed transport address.  When a peer sends a
   packet to the relayed transport address, the server relays the packet
   to the client.  When the client sends a data packet to the server,
   the server relays it to the appropriate peer using the relayed
   transport address as the source.

   A client using TURN must have some way to communicate the relayed
   transport address to its peers, and to learn each peer's IP address
   and port (more precisely, each peer's server-reflexive transport
   address, see Section 2).  How this is done is out of the scope of the
   TURN protocol.  One way this might be done is for the client and
   peers to exchange email messages.  Another way is for the client and
   its peers to use a special-purpose "introduction" or "rendezvous"
   protocol (see [RFC5128] for more details).

   If TURN is used with ICE [RFC5245], then the relayed transport
   address and the IP addresses and ports of the peers are included in
   the ICE candidate information that the rendezvous protocol must
   carry.  For example, if TURN and ICE are used as part of a multimedia
   solution using SIP [RFC3261], then SIP serves the role of the
   rendezvous protocol, carrying the ICE candidate information inside
   the body of SIP messages.  If TURN and ICE are used with some other

Top      ToC       Page 5 
   rendezvous protocol, then [MMUSIC-ICE-NONSIP] provides guidance on
   the services the rendezvous protocol must perform.

   Though the use of a TURN server to enable communication between two
   hosts behind NATs is very likely to work, it comes at a high cost to
   the provider of the TURN server, since the server typically needs a
   high-bandwidth connection to the Internet.  As a consequence, it is
   best to use a TURN server only when a direct communication path
   cannot be found.  When the client and a peer use ICE to determine the
   communication path, ICE will use hole punching techniques to search
   for a direct path first and only use a TURN server when a direct path
   cannot be found.

   TURN was originally invented to support multimedia sessions signaled
   using SIP.  Since SIP supports forking, TURN supports multiple peers
   per relayed transport address; a feature not supported by other
   approaches (e.g., SOCKS [RFC1928]).  However, care has been taken to
   make sure that TURN is suitable for other types of applications.

   TURN was designed as one piece in the larger ICE approach to NAT
   traversal.  Implementors of TURN are urged to investigate ICE and
   seriously consider using it for their application.  However, it is
   possible to use TURN without ICE.

   TURN is an extension to the STUN (Session Traversal Utilities for
   NAT) protocol [RFC5389].  Most, though not all, TURN messages are
   STUN-formatted messages.  A reader of this document should be
   familiar with STUN.

2.  Overview of Operation

   This section gives an overview of the operation of TURN.  It is non-
   normative.

   In a typical configuration, a TURN client is connected to a private
   network [RFC1918] and through one or more NATs to the public
   Internet.  On the public Internet is a TURN server.  Elsewhere in the
   Internet are one or more peers with which the TURN client wishes to
   communicate.  These peers may or may not be behind one or more NATs.
   The client uses the server as a relay to send packets to these peers
   and to receive packets from these peers.

Top      ToC       Page 6 
                                        Peer A
                                        Server-Reflexive    +---------+
                                        Transport Address   |         |
                                        192.0.2.150:32102   |         |
                                            |              /|         |
                          TURN              |            / ^|  Peer A |
    Client's              Server            |           /  ||         |
    Host Transport        Transport         |         //   ||         |
    Address               Address           |       //     |+---------+
   10.1.1.2:49721       192.0.2.15:3478     |+-+  //     Peer A
            |               |               ||N| /       Host Transport
            |   +-+         |               ||A|/        Address
            |   | |         |               v|T|     192.168.100.2:49582
            |   | |         |               /+-+
 +---------+|   | |         |+---------+   /              +---------+
 |         ||   |N|         ||         | //               |         |
 | TURN    |v   | |         v| TURN    |/                 |         |
 | Client  |----|A|----------| Server  |------------------|  Peer B |
 |         |    | |^         |         |^                ^|         |
 |         |    |T||         |         ||                ||         |
 +---------+    | ||         +---------+|                |+---------+
                | ||                    |                |
                | ||                    |                |
                +-+|                    |                |
                   |                    |                |
                   |                    |                |
             Client's                   |            Peer B
             Server-Reflexive    Relayed             Transport
             Transport Address   Transport Address   Address
             192.0.2.1:7000      192.0.2.15:50000     192.0.2.210:49191

                                 Figure 1

   Figure 1 shows a typical deployment.  In this figure, the TURN client
   and the TURN server are separated by a NAT, with the client on the
   private side and the server on the public side of the NAT.  This NAT
   is assumed to be a "bad" NAT; for example, it might have a mapping
   property of "address-and-port-dependent mapping" (see [RFC4787]).

   The client talks to the server from a (IP address, port) combination
   called the client's HOST TRANSPORT ADDRESS.  (The combination of an
   IP address and port is called a TRANSPORT ADDRESS.)

   The client sends TURN messages from its host transport address to a
   transport address on the TURN server that is known as the TURN SERVER
   TRANSPORT ADDRESS.  The client learns the TURN server transport
   address through some unspecified means (e.g., configuration), and
   this address is typically used by many clients simultaneously.

Top      ToC       Page 7 
   Since the client is behind a NAT, the server sees packets from the
   client as coming from a transport address on the NAT itself.  This
   address is known as the client's SERVER-REFLEXIVE transport address;
   packets sent by the server to the client's server-reflexive transport
   address will be forwarded by the NAT to the client's host transport
   address.

   The client uses TURN commands to create and manipulate an ALLOCATION
   on the server.  An allocation is a data structure on the server.
   This data structure contains, amongst other things, the RELAYED
   TRANSPORT ADDRESS for the allocation.  The relayed transport address
   is the transport address on the server that peers can use to have the
   server relay data to the client.  An allocation is uniquely
   identified by its relayed transport address.

   Once an allocation is created, the client can send application data
   to the server along with an indication of to which peer the data is
   to be sent, and the server will relay this data to the appropriate
   peer.  The client sends the application data to the server inside a
   TURN message; at the server, the data is extracted from the TURN
   message and sent to the peer in a UDP datagram.  In the reverse
   direction, a peer can send application data in a UDP datagram to the
   relayed transport address for the allocation; the server will then
   encapsulate this data inside a TURN message and send it to the client
   along with an indication of which peer sent the data.  Since the TURN
   message always contains an indication of which peer the client is
   communicating with, the client can use a single allocation to
   communicate with multiple peers.

   When the peer is behind a NAT, then the client must identify the peer
   using its server-reflexive transport address rather than its host
   transport address.  For example, to send application data to Peer A
   in the example above, the client must specify 192.0.2.150:32102 (Peer
   A's server-reflexive transport address) rather than 192.168.100.2:
   49582 (Peer A's host transport address).

   Each allocation on the server belongs to a single client and has
   exactly one relayed transport address that is used only by that
   allocation.  Thus, when a packet arrives at a relayed transport
   address on the server, the server knows for which client the data is
   intended.

   The client may have multiple allocations on a server at the same
   time.

Top      ToC       Page 8 
2.1.  Transports

   TURN, as defined in this specification, always uses UDP between the
   server and the peer.  However, this specification allows the use of
   any one of UDP, TCP, or Transport Layer Security (TLS) over TCP to
   carry the TURN messages between the client and the server.

           +----------------------------+---------------------+
           | TURN client to TURN server | TURN server to peer |
           +----------------------------+---------------------+
           |             UDP            |         UDP         |
           |             TCP            |         UDP         |
           |        TLS over TCP        |         UDP         |
           +----------------------------+---------------------+

   If TCP or TLS-over-TCP is used between the client and the server,
   then the server will convert between these transports and UDP
   transport when relaying data to/from the peer.

   Since this version of TURN only supports UDP between the server and
   the peer, it is expected that most clients will prefer to use UDP
   between the client and the server as well.  That being the case, some
   readers may wonder: Why also support TCP and TLS-over-TCP?

   TURN supports TCP transport between the client and the server because
   some firewalls are configured to block UDP entirely.  These firewalls
   block UDP but not TCP, in part because TCP has properties that make
   the intention of the nodes being protected by the firewall more
   obvious to the firewall.  For example, TCP has a three-way handshake
   that makes in clearer that the protected node really wishes to have
   that particular connection established, while for UDP the best the
   firewall can do is guess which flows are desired by using filtering
   rules.  Also, TCP has explicit connection teardown; while for UDP,
   the firewall has to use timers to guess when the flow is finished.

   TURN supports TLS-over-TCP transport between the client and the
   server because TLS provides additional security properties not
   provided by TURN's default digest authentication; properties that
   some clients may wish to take advantage of.  In particular, TLS
   provides a way for the client to ascertain that it is talking to the
   correct server, and provides for confidentiality of TURN control
   messages.  TURN does not require TLS because the overhead of using
   TLS is higher than that of digest authentication; for example, using
   TLS likely means that most application data will be doubly encrypted
   (once by TLS and once to ensure it is still encrypted in the UDP
   datagram).

Top      ToC       Page 9 
   There is a planned extension to TURN to add support for TCP between
   the server and the peers [TURN-TCP].  For this reason, allocations
   that use UDP between the server and the peers are known as UDP
   allocations, while allocations that use TCP between the server and
   the peers are known as TCP allocations.  This specification describes
   only UDP allocations.

   TURN, as defined in this specification, only supports IPv4.  All IP
   addresses in this specification must be IPv4 addresses.  There is a
   planned extension to TURN to add support for IPv6 and for relaying
   between IPv4 and IPv6 [TURN-IPv6].

   In some applications for TURN, the client may send and receive
   packets other than TURN packets on the host transport address it uses
   to communicate with the server.  This can happen, for example, when
   using TURN with ICE.  In these cases, the client can distinguish TURN
   packets from other packets by examining the source address of the
   arriving packet: those arriving from the TURN server will be TURN
   packets.

2.2.  Allocations

   To create an allocation on the server, the client uses an Allocate
   transaction.  The client sends an Allocate request to the server, and
   the server replies with an Allocate success response containing the
   allocated relayed transport address.  The client can include
   attributes in the Allocate request that describe the type of
   allocation it desires (e.g., the lifetime of the allocation).  Since
   relaying data has security implications, the server requires that the
   client authenticate itself, typically using STUN's long-term
   credential mechanism, to show that it is authorized to use the
   server.

   Once a relayed transport address is allocated, a client must keep the
   allocation alive.  To do this, the client periodically sends a
   Refresh request to the server.  TURN deliberately uses a different
   method (Refresh rather than Allocate) for refreshes to ensure that
   the client is informed if the allocation vanishes for some reason.

   The frequency of the Refresh transaction is determined by the
   lifetime of the allocation.  The default lifetime of an allocation is
   10 minutes -- this value was chosen to be long enough so that
   refreshing is not typically a burden on the client, while expiring
   allocations where the client has unexpectedly quit in a timely
   manner.  However, the client can request a longer lifetime in the
   Allocate request and may modify its request in a Refresh request, and
   the server always indicates the actual lifetime in the response.  The
   client must issue a new Refresh transaction within "lifetime" seconds

Top      ToC       Page 10 
   of the previous Allocate or Refresh transaction.  Once a client no
   longer wishes to use an allocation, it should delete the allocation
   using a Refresh request with a requested lifetime of 0.

   Both the server and client keep track of a value known as the
   5-TUPLE.  At the client, the 5-tuple consists of the client's host
   transport address, the server transport address, and the transport
   protocol used by the client to communicate with the server.  At the
   server, the 5-tuple value is the same except that the client's host
   transport address is replaced by the client's server-reflexive
   address, since that is the client's address as seen by the server.

   Both the client and the server remember the 5-tuple used in the
   Allocate request.  Subsequent messages between the client and the
   server use the same 5-tuple.  In this way, the client and server know
   which allocation is being referred to.  If the client wishes to
   allocate a second relayed transport address, it must create a second
   allocation using a different 5-tuple (e.g., by using a different
   client host address or port).

      NOTE: While the terminology used in this document refers to
      5-tuples, the TURN server can store whatever identifier it likes
      that yields identical results.  Specifically, an implementation
      may use a file-descriptor in place of a 5-tuple to represent a TCP
      connection.

  TURN                                 TURN           Peer          Peer
  client                               server          A             B
    |-- Allocate request --------------->|             |             |
    |                                    |             |             |
    |<--------------- Allocate failure --|             |             |
    |                 (401 Unauthorized) |             |             |
    |                                    |             |             |
    |-- Allocate request --------------->|             |             |
    |                                    |             |             |
    |<---------- Allocate success resp --|             |             |
    |            (192.0.2.15:50000)      |             |             |
    //                                   //            //            //
    |                                    |             |             |
    |-- Refresh request ---------------->|             |             |
    |                                    |             |             |
    |<----------- Refresh success resp --|             |             |
    |                                    |             |             |

                                 Figure 2

Top      ToC       Page 11 
   In Figure 2, the client sends an Allocate request to the server
   without credentials.  Since the server requires that all requests be
   authenticated using STUN's long-term credential mechanism, the server
   rejects the request with a 401 (Unauthorized) error code.  The client
   then tries again, this time including credentials (not shown).  This
   time, the server accepts the Allocate request and returns an Allocate
   success response containing (amongst other things) the relayed
   transport address assigned to the allocation.  Sometime later, the
   client decides to refresh the allocation and thus sends a Refresh
   request to the server.  The refresh is accepted and the server
   replies with a Refresh success response.

2.3.  Permissions

   To ease concerns amongst enterprise IT administrators that TURN could
   be used to bypass corporate firewall security, TURN includes the
   notion of permissions.  TURN permissions mimic the address-restricted
   filtering mechanism of NATs that comply with [RFC4787].

   An allocation can have zero or more permissions.  Each permission
   consists of an IP address and a lifetime.  When the server receives a
   UDP datagram on the allocation's relayed transport address, it first
   checks the list of permissions.  If the source IP address of the
   datagram matches a permission, the application data is relayed to the
   client, otherwise the UDP datagram is silently discarded.

   A permission expires after 5 minutes if it is not refreshed, and
   there is no way to explicitly delete a permission.  This behavior was
   selected to match the behavior of a NAT that complies with [RFC4787].

   The client can install or refresh a permission using either a
   CreatePermission request or a ChannelBind request.  Using the
   CreatePermission request, multiple permissions can be installed or
   refreshed with a single request -- this is important for applications
   that use ICE.  For security reasons, permissions can only be
   installed or refreshed by transactions that can be authenticated;
   thus, Send indications and ChannelData messages (which are used to
   send data to peers) do not install or refresh any permissions.

   Note that permissions are within the context of an allocation, so
   adding or expiring a permission in one allocation does not affect
   other allocations.

Top      ToC       Page 12 
2.4.  Send Mechanism

   There are two mechanisms for the client and peers to exchange
   application data using the TURN server.  The first mechanism uses the
   Send and Data methods, the second way uses channels.  Common to both
   ways is the ability of the client to communicate with multiple peers
   using a single allocated relayed transport address; thus, both ways
   include a means for the client to indicate to the server which peer
   should receive the data, and for the server to indicate to the client
   which peer sent the data.

   The Send mechanism uses Send and Data indications.  Send indications
   are used to send application data from the client to the server,
   while Data indications are used to send application data from the
   server to the client.

   When using the Send mechanism, the client sends a Send indication to
   the TURN server containing (a) an XOR-PEER-ADDRESS attribute
   specifying the (server-reflexive) transport address of the peer and
   (b) a DATA attribute holding the application data.  When the TURN
   server receives the Send indication, it extracts the application data
   from the DATA attribute and sends it in a UDP datagram to the peer,
   using the allocated relay address as the source address.  Note that
   there is no need to specify the relayed transport address, since it
   is implied by the 5-tuple used for the Send indication.

   In the reverse direction, UDP datagrams arriving at the relayed
   transport address on the TURN server are converted into Data
   indications and sent to the client, with the server-reflexive
   transport address of the peer included in an XOR-PEER-ADDRESS
   attribute and the data itself in a DATA attribute.  Since the relayed
   transport address uniquely identified the allocation, the server
   knows which client should receive the data.

   Send and Data indications cannot be authenticated, since the long-
   term credential mechanism of STUN does not support authenticating
   indications.  This is not as big an issue as it might first appear,
   since the client-to-server leg is only half of the total path to the
   peer.  Applications that want proper security should encrypt the data
   sent between the client and a peer.

   Because Send indications are not authenticated, it is possible for an
   attacker to send bogus Send indications to the server, which will
   then relay these to a peer.  To partly mitigate this attack, TURN
   requires that the client install a permission towards a peer before
   sending data to it using a Send indication.

Top      ToC       Page 13 
  TURN                                 TURN           Peer          Peer
  client                               server          A             B
    |                                    |             |             |
    |-- CreatePermission req (Peer A) -->|             |             |
    |<-- CreatePermission success resp --|             |             |
    |                                    |             |             |
    |--- Send ind (Peer A)-------------->|             |             |
    |                                    |=== data ===>|             |
    |                                    |             |             |
    |                                    |<== data ====|             |
    |<-------------- Data ind (Peer A) --|             |             |
    |                                    |             |             |
    |                                    |             |             |
    |--- Send ind (Peer B)-------------->|             |             |
    |                                    | dropped     |             |
    |                                    |             |             |
    |                                    |<== data ==================|
    |                            dropped |             |             |
    |                                    |             |             |

                                 Figure 3

   In Figure 3, the client has already created an allocation and now
   wishes to send data to its peers.  The client first creates a
   permission by sending the server a CreatePermission request
   specifying Peer A's (server-reflexive) IP address in the XOR-PEER-
   ADDRESS attribute; if this was not done, the server would not relay
   data between the client and the server.  The client then sends data
   to Peer A using a Send indication; at the server, the application
   data is extracted and forwarded in a UDP datagram to Peer A, using
   the relayed transport address as the source transport address.  When
   a UDP datagram from Peer A is received at the relayed transport
   address, the contents are placed into a Data indication and forwarded
   to the client.  Later, the client attempts to exchange data with Peer
   B; however, no permission has been installed for Peer B, so the Send
   indication from the client and the UDP datagram from the peer are
   both dropped by the server.

2.5.  Channels

   For some applications (e.g., Voice over IP), the 36 bytes of overhead
   that a Send indication or Data indication adds to the application
   data can substantially increase the bandwidth required between the
   client and the server.  To remedy this, TURN offers a second way for
   the client and server to associate data with a specific peer.

   This second way uses an alternate packet format known as the
   ChannelData message.  The ChannelData message does not use the STUN

Top      ToC       Page 14 
   header used by other TURN messages, but instead has a 4-byte header
   that includes a number known as a channel number.  Each channel
   number in use is bound to a specific peer and thus serves as a
   shorthand for the peer's host transport address.

   To bind a channel to a peer, the client sends a ChannelBind request
   to the server, and includes an unbound channel number and the
   transport address of the peer.  Once the channel is bound, the client
   can use a ChannelData message to send the server data destined for
   the peer.  Similarly, the server can relay data from that peer
   towards the client using a ChannelData message.

   Channel bindings last for 10 minutes unless refreshed -- this
   lifetime was chosen to be longer than the permission lifetime.
   Channel bindings are refreshed by sending another ChannelBind request
   rebinding the channel to the peer.  Like permissions (but unlike
   allocations), there is no way to explicitly delete a channel binding;
   the client must simply wait for it to time out.

  TURN                                 TURN           Peer          Peer
  client                               server          A             B
    |                                    |             |             |
    |-- ChannelBind req ---------------->|             |             |
    | (Peer A to 0x4001)                 |             |             |
    |                                    |             |             |
    |<---------- ChannelBind succ resp --|             |             |
    |                                    |             |             |
    |-- [0x4001] data ------------------>|             |             |
    |                                    |=== data ===>|             |
    |                                    |             |             |
    |                                    |<== data ====|             |
    |<------------------ [0x4001] data --|             |             |
    |                                    |             |             |
    |--- Send ind (Peer A)-------------->|             |             |
    |                                    |=== data ===>|             |
    |                                    |             |             |
    |                                    |<== data ====|             |
    |<------------------ [0x4001] data --|             |             |
    |                                    |             |             |

                                 Figure 4

   Figure 4 shows the channel mechanism in use.  The client has already
   created an allocation and now wishes to bind a channel to Peer A.  To
   do this, the client sends a ChannelBind request to the server,
   specifying the transport address of Peer A and a channel number
   (0x4001).  After that, the client can send application data
   encapsulated inside ChannelData messages to Peer A: this is shown as

Top      ToC       Page 15 
   "[0x4001] data" where 0x4001 is the channel number.  When the
   ChannelData message arrives at the server, the server transfers the
   data to a UDP datagram and sends it to Peer A (which is the peer
   bound to channel number 0x4001).

   In the reverse direction, when Peer A sends a UDP datagram to the
   relayed transport address, this UDP datagram arrives at the server on
   the relayed transport address assigned to the allocation.  Since the
   UDP datagram was received from Peer A, which has a channel number
   assigned to it, the server encapsulates the data into a ChannelData
   message when sending the data to the client.

   Once a channel has been bound, the client is free to intermix
   ChannelData messages and Send indications.  In the figure, the client
   later decides to use a Send indication rather than a ChannelData
   message to send additional data to Peer A.  The client might decide
   to do this, for example, so it can use the DONT-FRAGMENT attribute
   (see the next section).  However, once a channel is bound, the server
   will always use a ChannelData message, as shown in the call flow.

   Note that ChannelData messages can only be used for peers to which
   the client has bound a channel.  In the example above, Peer A has
   been bound to a channel, but Peer B has not, so application data to
   and from Peer B would use the Send mechanism.

2.6.  Unprivileged TURN Servers

   This version of TURN is designed so that the server can be
   implemented as an application that runs in user space under commonly
   available operating systems without requiring special privileges.
   This design decision was made to make it easy to deploy a TURN
   server: for example, to allow a TURN server to be integrated into a
   peer-to-peer application so that one peer can offer NAT traversal
   services to another peer.

   This design decision has the following implications for data relayed
   by a TURN server:

   o  The value of the Diffserv field may not be preserved across the
      server;

   o  The Time to Live (TTL) field may be reset, rather than
      decremented, across the server;

   o  The Explicit Congestion Notification (ECN) field may be reset by
      the server;

   o  ICMP messages are not relayed by the server;

Top      ToC       Page 16 
   o  There is no end-to-end fragmentation, since the packet is re-
      assembled at the server.

   Future work may specify alternate TURN semantics that address these
   limitations.

2.7.  Avoiding IP Fragmentation

   For reasons described in [Frag-Harmful], applications, especially
   those sending large volumes of data, should try hard to avoid having
   their packets fragmented.  Applications using TCP can more or less
   ignore this issue because fragmentation avoidance is now a standard
   part of TCP, but applications using UDP (and thus any application
   using this version of TURN) must handle fragmentation avoidance
   themselves.

   The application running on the client and the peer can take one of
   two approaches to avoid IP fragmentation.

   The first approach is to avoid sending large amounts of application
   data in the TURN messages/UDP datagrams exchanged between the client
   and the peer.  This is the approach taken by most VoIP
   (Voice-over-IP) applications.  In this approach, the application
   exploits the fact that the IP specification [RFC0791] specifies that
   IP packets up to 576 bytes should never need to be fragmented.

   The exact amount of application data that can be included while
   avoiding fragmentation depends on the details of the TURN session
   between the client and the server: whether UDP, TCP, or TLS transport
   is used, whether ChannelData messages or Send/Data indications are
   used, and whether any additional attributes (such as the DONT-
   FRAGMENT attribute) are included.  Another factor, which is hard to
   determine, is whether the MTU is reduced somewhere along the path for
   other reasons, such as the use of IP-in-IP tunneling.

   As a guideline, sending a maximum of 500 bytes of application data in
   a single TURN message (by the client on the client-to-server leg) or
   a UDP datagram (by the peer on the peer-to-server leg) will generally
   avoid IP fragmentation.  To further reduce the chance of
   fragmentation, it is recommended that the client use ChannelData
   messages when transferring significant volumes of data, since the
   overhead of the ChannelData message is less than Send and Data
   indications.

   The second approach the client and peer can take to avoid
   fragmentation is to use a path MTU discovery algorithm to determine
   the maximum amount of application data that can be sent without
   fragmentation.

Top      ToC       Page 17 
   Unfortunately, because servers implementing this version of TURN do
   not relay ICMP messages, the classic path MTU discovery algorithm
   defined in [RFC1191] is not able to discover the MTU of the
   transmission path between the client and the peer.  (Even if they did
   relay ICMP messages, the algorithm would not always work since ICMP
   messages are often filtered out by combined NAT/firewall devices).

   So the client and server need to use a path MTU discovery algorithm
   that does not require ICMP messages.  The Packetized Path MTU
   Discovery algorithm defined in [RFC4821] is one such algorithm.

   The details of how to use the algorithm of [RFC4821] with TURN are
   still under investigation.  However, as a step towards this goal,
   this version of TURN supports a DONT-FRAGMENT attribute.  When the
   client includes this attribute in a Send indication, this tells the
   server to set the DF bit in the resulting UDP datagram that it sends
   to the peer.  Since some servers may be unable to set the DF bit, the
   client should also include this attribute in the Allocate request --
   any server that does not support the DONT-FRAGMENT attribute will
   indicate this by rejecting the Allocate request.

2.8.  RTP Support

   One of the envisioned uses of TURN is as a relay for clients and
   peers wishing to exchange real-time data (e.g., voice or video) using
   RTP.  To facilitate the use of TURN for this purpose, TURN includes
   some special support for older versions of RTP.

   Old versions of RTP [RFC3550] required that the RTP stream be on an
   even port number and the associated RTP Control Protocol (RTCP)
   stream, if present, be on the next highest port.  To allow clients to
   work with peers that still require this, TURN allows the client to
   request that the server allocate a relayed transport address with an
   even port number, and to optionally request the server reserve the
   next-highest port number for a subsequent allocation.

2.9.  Anycast Discovery of Servers

   This version of TURN has been designed to permit the future
   specification of a method of doing anycast discovery of a TURN server
   over UDP.

   Specifically, a TURN server can reject an Allocate request with the
   suggestion that the client try an alternate server.  To avoid certain
   types of attacks, the client must use the same credentials with the
   alternate server as it would have with the initial server.


Next RFC Part