Tech-invite  3GPPspecsRELsGlossariesSIPRFCs
8887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100

in Index   Prev   Next

RFC 5766

Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)

Pages: 67
Obsoleted by:  8656
Updated by:  81558553
Part 1 of 4 – Pages 1 to 17
None   None   Next

Top   ToC   RFC5766 - Page 1
Internet Engineering Task Force (IETF)                           R. Mahy
Request for Comments: 5766                                  Unaffiliated
Category: Standards Track                                    P. Matthews
ISSN: 2070-1721                                           Alcatel-Lucent
                                                            J. Rosenberg
                                                             jdrosen.net
                                                              April 2010


               Traversal Using Relays around NAT (TURN):
     Relay Extensions to Session Traversal Utilities for NAT (STUN)

Abstract

If a host is located behind a NAT, then in certain situations it can be impossible for that host to communicate directly with other hosts (peers). In these situations, it is necessary for the host to use the services of an intermediate node that acts as a communication relay. This specification defines a protocol, called TURN (Traversal Using Relays around NAT), that allows the host to control the operation of the relay and to exchange packets with its peers using the relay. TURN differs from some other relay control protocols in that it allows a client to communicate with multiple peers using a single relay address. The TURN protocol was designed to be used as part of the ICE (Interactive Connectivity Establishment) approach to NAT traversal, though it also can be used without ICE. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5766.
Top   ToC   RFC5766 - Page 2
Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Overview of Operation . . . . . . . . . . . . . . . . . . . . 5 2.1. Transports . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2. Allocations . . . . . . . . . . . . . . . . . . . . . . . 9 2.3. Permissions . . . . . . . . . . . . . . . . . . . . . . . 11 2.4. Send Mechanism . . . . . . . . . . . . . . . . . . . . . . 12 2.5. Channels . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.6. Unprivileged TURN Servers . . . . . . . . . . . . . . . . 15 2.7. Avoiding IP Fragmentation . . . . . . . . . . . . . . . . 16 2.8. RTP Support . . . . . . . . . . . . . . . . . . . . . . . 17 2.9. Anycast Discovery of Servers . . . . . . . . . . . . . . . 17 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 18 4. General Behavior . . . . . . . . . . . . . . . . . . . . . . . 19 5. Allocations . . . . . . . . . . . . . . . . . . . . . . . . . 22 6. Creating an Allocation . . . . . . . . . . . . . . . . . . . . 23 6.1. Sending an Allocate Request . . . . . . . . . . . . . . . 23 6.2. Receiving an Allocate Request . . . . . . . . . . . . . . 24 6.3. Receiving an Allocate Success Response . . . . . . . . . . 28 6.4. Receiving an Allocate Error Response . . . . . . . . . . . 29 7. Refreshing an Allocation . . . . . . . . . . . . . . . . . . . 31 7.1. Sending a Refresh Request . . . . . . . . . . . . . . . . 31 7.2. Receiving a Refresh Request . . . . . . . . . . . . . . . 31 7.3. Receiving a Refresh Response . . . . . . . . . . . . . . . 32 8. Permissions . . . . . . . . . . . . . . . . . . . . . . . . . 32 9. CreatePermission . . . . . . . . . . . . . . . . . . . . . . . 34 9.1. Forming a CreatePermission Request . . . . . . . . . . . . 34 9.2. Receiving a CreatePermission Request . . . . . . . . . . . 34 9.3. Receiving a CreatePermission Response . . . . . . . . . . 35 10. Send and Data Methods . . . . . . . . . . . . . . . . . . . . 35 10.1. Forming a Send Indication . . . . . . . . . . . . . . . . 35 10.2. Receiving a Send Indication . . . . . . . . . . . . . . . 35
Top   ToC   RFC5766 - Page 3
     10.3. Receiving a UDP Datagram . . . . . . . . . . . . . . . . . 36
     10.4. Receiving a Data Indication  . . . . . . . . . . . . . . . 37
   11. Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
     11.1. Sending a ChannelBind Request  . . . . . . . . . . . . . . 39
     11.2. Receiving a ChannelBind Request  . . . . . . . . . . . . . 39
     11.3. Receiving a ChannelBind Response . . . . . . . . . . . . . 40
     11.4. The ChannelData Message  . . . . . . . . . . . . . . . . . 41
     11.5. Sending a ChannelData Message  . . . . . . . . . . . . . . 41
     11.6. Receiving a ChannelData Message  . . . . . . . . . . . . . 42
     11.7. Relaying Data from the Peer  . . . . . . . . . . . . . . . 43
   12. IP Header Fields . . . . . . . . . . . . . . . . . . . . . . . 43
   13. New STUN Methods . . . . . . . . . . . . . . . . . . . . . . . 45
   14. New STUN Attributes  . . . . . . . . . . . . . . . . . . . . . 45
     14.1. CHANNEL-NUMBER . . . . . . . . . . . . . . . . . . . . . . 45
     14.2. LIFETIME . . . . . . . . . . . . . . . . . . . . . . . . . 46
     14.3. XOR-PEER-ADDRESS . . . . . . . . . . . . . . . . . . . . . 46
     14.4. DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
     14.5. XOR-RELAYED-ADDRESS  . . . . . . . . . . . . . . . . . . . 46
     14.6. EVEN-PORT  . . . . . . . . . . . . . . . . . . . . . . . . 46
     14.7. REQUESTED-TRANSPORT  . . . . . . . . . . . . . . . . . . . 47
     14.8. DONT-FRAGMENT  . . . . . . . . . . . . . . . . . . . . . . 47
     14.9. RESERVATION-TOKEN  . . . . . . . . . . . . . . . . . . . . 48
   15. New STUN Error Response Codes  . . . . . . . . . . . . . . . . 48
   16. Detailed Example . . . . . . . . . . . . . . . . . . . . . . . 48
   17. Security Considerations  . . . . . . . . . . . . . . . . . . . 55
     17.1. Outsider Attacks . . . . . . . . . . . . . . . . . . . . . 55
       17.1.1.  Obtaining Unauthorized Allocations  . . . . . . . . . 55
       17.1.2.  Offline Dictionary Attacks  . . . . . . . . . . . . . 56
       17.1.3.  Faked Refreshes and Permissions . . . . . . . . . . . 56
       17.1.4.  Fake Data . . . . . . . . . . . . . . . . . . . . . . 56
       17.1.5.  Impersonating a Server  . . . . . . . . . . . . . . . 57
       17.1.6.  Eavesdropping Traffic . . . . . . . . . . . . . . . . 58
       17.1.7.  TURN Loop Attack  . . . . . . . . . . . . . . . . . . 58
     17.2. Firewall Considerations  . . . . . . . . . . . . . . . . . 59
       17.2.1.  Faked Permissions . . . . . . . . . . . . . . . . . . 59
       17.2.2.  Blacklisted IP Addresses  . . . . . . . . . . . . . . 60
       17.2.3.  Running Servers on Well-Known Ports . . . . . . . . . 60
     17.3. Insider Attacks  . . . . . . . . . . . . . . . . . . . . . 60
       17.3.1.  DoS against TURN Server . . . . . . . . . . . . . . . 60
       17.3.2.  Anonymous Relaying of Malicious Traffic . . . . . . . 61
       17.3.3.  Manipulating Other Allocations  . . . . . . . . . . . 61
     17.4. Other Considerations . . . . . . . . . . . . . . . . . . . 61
   18. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 61
   19. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 62
   20. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 63
   21. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
     21.1. Normative References . . . . . . . . . . . . . . . . . . . 64
     21.2. Informative References . . . . . . . . . . . . . . . . . . 64
Top   ToC   RFC5766 - Page 4

1. Introduction

A host behind a NAT may wish to exchange packets with other hosts, some of which may also be behind NATs. To do this, the hosts involved can use "hole punching" techniques (see [RFC5128]) in an attempt discover a direct communication path; that is, a communication path that goes from one host to another through intervening NATs and routers, but does not traverse any relays. As described in [RFC5128] and [RFC4787], hole punching techniques will fail if both hosts are behind NATs that are not well behaved. For example, if both hosts are behind NATs that have a mapping behavior of "address-dependent mapping" or "address- and port- dependent mapping", then hole punching techniques generally fail. When a direct communication path cannot be found, it is necessary to use the services of an intermediate host that acts as a relay for the packets. This relay typically sits in the public Internet and relays packets between two hosts that both sit behind NATs. This specification defines a protocol, called TURN, that allows a host behind a NAT (called the TURN client) to request that another host (called the TURN server) act as a relay. The client can arrange for the server to relay packets to and from certain other hosts (called peers) and can control aspects of how the relaying is done. The client does this by obtaining an IP address and port on the server, called the relayed transport address. When a peer sends a packet to the relayed transport address, the server relays the packet to the client. When the client sends a data packet to the server, the server relays it to the appropriate peer using the relayed transport address as the source. A client using TURN must have some way to communicate the relayed transport address to its peers, and to learn each peer's IP address and port (more precisely, each peer's server-reflexive transport address, see Section 2). How this is done is out of the scope of the TURN protocol. One way this might be done is for the client and peers to exchange email messages. Another way is for the client and its peers to use a special-purpose "introduction" or "rendezvous" protocol (see [RFC5128] for more details). If TURN is used with ICE [RFC5245], then the relayed transport address and the IP addresses and ports of the peers are included in the ICE candidate information that the rendezvous protocol must carry. For example, if TURN and ICE are used as part of a multimedia solution using SIP [RFC3261], then SIP serves the role of the rendezvous protocol, carrying the ICE candidate information inside the body of SIP messages. If TURN and ICE are used with some other
Top   ToC   RFC5766 - Page 5
   rendezvous protocol, then [MMUSIC-ICE-NONSIP] provides guidance on
   the services the rendezvous protocol must perform.

   Though the use of a TURN server to enable communication between two
   hosts behind NATs is very likely to work, it comes at a high cost to
   the provider of the TURN server, since the server typically needs a
   high-bandwidth connection to the Internet.  As a consequence, it is
   best to use a TURN server only when a direct communication path
   cannot be found.  When the client and a peer use ICE to determine the
   communication path, ICE will use hole punching techniques to search
   for a direct path first and only use a TURN server when a direct path
   cannot be found.

   TURN was originally invented to support multimedia sessions signaled
   using SIP.  Since SIP supports forking, TURN supports multiple peers
   per relayed transport address; a feature not supported by other
   approaches (e.g., SOCKS [RFC1928]).  However, care has been taken to
   make sure that TURN is suitable for other types of applications.

   TURN was designed as one piece in the larger ICE approach to NAT
   traversal.  Implementors of TURN are urged to investigate ICE and
   seriously consider using it for their application.  However, it is
   possible to use TURN without ICE.

   TURN is an extension to the STUN (Session Traversal Utilities for
   NAT) protocol [RFC5389].  Most, though not all, TURN messages are
   STUN-formatted messages.  A reader of this document should be
   familiar with STUN.

2. Overview of Operation

This section gives an overview of the operation of TURN. It is non- normative. In a typical configuration, a TURN client is connected to a private network [RFC1918] and through one or more NATs to the public Internet. On the public Internet is a TURN server. Elsewhere in the Internet are one or more peers with which the TURN client wishes to communicate. These peers may or may not be behind one or more NATs. The client uses the server as a relay to send packets to these peers and to receive packets from these peers.
Top   ToC   RFC5766 - Page 6
                                        Peer A
                                        Server-Reflexive    +---------+
                                        Transport Address   |         |
                                        192.0.2.150:32102   |         |
                                            |              /|         |
                          TURN              |            / ^|  Peer A |
    Client's              Server            |           /  ||         |
    Host Transport        Transport         |         //   ||         |
    Address               Address           |       //     |+---------+
   10.1.1.2:49721       192.0.2.15:3478     |+-+  //     Peer A
            |               |               ||N| /       Host Transport
            |   +-+         |               ||A|/        Address
            |   | |         |               v|T|     192.168.100.2:49582
            |   | |         |               /+-+
 +---------+|   | |         |+---------+   /              +---------+
 |         ||   |N|         ||         | //               |         |
 | TURN    |v   | |         v| TURN    |/                 |         |
 | Client  |----|A|----------| Server  |------------------|  Peer B |
 |         |    | |^         |         |^                ^|         |
 |         |    |T||         |         ||                ||         |
 +---------+    | ||         +---------+|                |+---------+
                | ||                    |                |
                | ||                    |                |
                +-+|                    |                |
                   |                    |                |
                   |                    |                |
             Client's                   |            Peer B
             Server-Reflexive    Relayed             Transport
             Transport Address   Transport Address   Address
             192.0.2.1:7000      192.0.2.15:50000     192.0.2.210:49191

                                 Figure 1

   Figure 1 shows a typical deployment.  In this figure, the TURN client
   and the TURN server are separated by a NAT, with the client on the
   private side and the server on the public side of the NAT.  This NAT
   is assumed to be a "bad" NAT; for example, it might have a mapping
   property of "address-and-port-dependent mapping" (see [RFC4787]).

   The client talks to the server from a (IP address, port) combination
   called the client's HOST TRANSPORT ADDRESS.  (The combination of an
   IP address and port is called a TRANSPORT ADDRESS.)

   The client sends TURN messages from its host transport address to a
   transport address on the TURN server that is known as the TURN SERVER
   TRANSPORT ADDRESS.  The client learns the TURN server transport
   address through some unspecified means (e.g., configuration), and
   this address is typically used by many clients simultaneously.
Top   ToC   RFC5766 - Page 7
   Since the client is behind a NAT, the server sees packets from the
   client as coming from a transport address on the NAT itself.  This
   address is known as the client's SERVER-REFLEXIVE transport address;
   packets sent by the server to the client's server-reflexive transport
   address will be forwarded by the NAT to the client's host transport
   address.

   The client uses TURN commands to create and manipulate an ALLOCATION
   on the server.  An allocation is a data structure on the server.
   This data structure contains, amongst other things, the RELAYED
   TRANSPORT ADDRESS for the allocation.  The relayed transport address
   is the transport address on the server that peers can use to have the
   server relay data to the client.  An allocation is uniquely
   identified by its relayed transport address.

   Once an allocation is created, the client can send application data
   to the server along with an indication of to which peer the data is
   to be sent, and the server will relay this data to the appropriate
   peer.  The client sends the application data to the server inside a
   TURN message; at the server, the data is extracted from the TURN
   message and sent to the peer in a UDP datagram.  In the reverse
   direction, a peer can send application data in a UDP datagram to the
   relayed transport address for the allocation; the server will then
   encapsulate this data inside a TURN message and send it to the client
   along with an indication of which peer sent the data.  Since the TURN
   message always contains an indication of which peer the client is
   communicating with, the client can use a single allocation to
   communicate with multiple peers.

   When the peer is behind a NAT, then the client must identify the peer
   using its server-reflexive transport address rather than its host
   transport address.  For example, to send application data to Peer A
   in the example above, the client must specify 192.0.2.150:32102 (Peer
   A's server-reflexive transport address) rather than 192.168.100.2:
   49582 (Peer A's host transport address).

   Each allocation on the server belongs to a single client and has
   exactly one relayed transport address that is used only by that
   allocation.  Thus, when a packet arrives at a relayed transport
   address on the server, the server knows for which client the data is
   intended.

   The client may have multiple allocations on a server at the same
   time.
Top   ToC   RFC5766 - Page 8

2.1. Transports

TURN, as defined in this specification, always uses UDP between the server and the peer. However, this specification allows the use of any one of UDP, TCP, or Transport Layer Security (TLS) over TCP to carry the TURN messages between the client and the server. +----------------------------+---------------------+ | TURN client to TURN server | TURN server to peer | +----------------------------+---------------------+ | UDP | UDP | | TCP | UDP | | TLS over TCP | UDP | +----------------------------+---------------------+ If TCP or TLS-over-TCP is used between the client and the server, then the server will convert between these transports and UDP transport when relaying data to/from the peer. Since this version of TURN only supports UDP between the server and the peer, it is expected that most clients will prefer to use UDP between the client and the server as well. That being the case, some readers may wonder: Why also support TCP and TLS-over-TCP? TURN supports TCP transport between the client and the server because some firewalls are configured to block UDP entirely. These firewalls block UDP but not TCP, in part because TCP has properties that make the intention of the nodes being protected by the firewall more obvious to the firewall. For example, TCP has a three-way handshake that makes in clearer that the protected node really wishes to have that particular connection established, while for UDP the best the firewall can do is guess which flows are desired by using filtering rules. Also, TCP has explicit connection teardown; while for UDP, the firewall has to use timers to guess when the flow is finished. TURN supports TLS-over-TCP transport between the client and the server because TLS provides additional security properties not provided by TURN's default digest authentication; properties that some clients may wish to take advantage of. In particular, TLS provides a way for the client to ascertain that it is talking to the correct server, and provides for confidentiality of TURN control messages. TURN does not require TLS because the overhead of using TLS is higher than that of digest authentication; for example, using TLS likely means that most application data will be doubly encrypted (once by TLS and once to ensure it is still encrypted in the UDP datagram).
Top   ToC   RFC5766 - Page 9
   There is a planned extension to TURN to add support for TCP between
   the server and the peers [TURN-TCP].  For this reason, allocations
   that use UDP between the server and the peers are known as UDP
   allocations, while allocations that use TCP between the server and
   the peers are known as TCP allocations.  This specification describes
   only UDP allocations.

   TURN, as defined in this specification, only supports IPv4.  All IP
   addresses in this specification must be IPv4 addresses.  There is a
   planned extension to TURN to add support for IPv6 and for relaying
   between IPv4 and IPv6 [TURN-IPv6].

   In some applications for TURN, the client may send and receive
   packets other than TURN packets on the host transport address it uses
   to communicate with the server.  This can happen, for example, when
   using TURN with ICE.  In these cases, the client can distinguish TURN
   packets from other packets by examining the source address of the
   arriving packet: those arriving from the TURN server will be TURN
   packets.

2.2. Allocations

To create an allocation on the server, the client uses an Allocate transaction. The client sends an Allocate request to the server, and the server replies with an Allocate success response containing the allocated relayed transport address. The client can include attributes in the Allocate request that describe the type of allocation it desires (e.g., the lifetime of the allocation). Since relaying data has security implications, the server requires that the client authenticate itself, typically using STUN's long-term credential mechanism, to show that it is authorized to use the server. Once a relayed transport address is allocated, a client must keep the allocation alive. To do this, the client periodically sends a Refresh request to the server. TURN deliberately uses a different method (Refresh rather than Allocate) for refreshes to ensure that the client is informed if the allocation vanishes for some reason. The frequency of the Refresh transaction is determined by the lifetime of the allocation. The default lifetime of an allocation is 10 minutes -- this value was chosen to be long enough so that refreshing is not typically a burden on the client, while expiring allocations where the client has unexpectedly quit in a timely manner. However, the client can request a longer lifetime in the Allocate request and may modify its request in a Refresh request, and the server always indicates the actual lifetime in the response. The client must issue a new Refresh transaction within "lifetime" seconds
Top   ToC   RFC5766 - Page 10
   of the previous Allocate or Refresh transaction.  Once a client no
   longer wishes to use an allocation, it should delete the allocation
   using a Refresh request with a requested lifetime of 0.

   Both the server and client keep track of a value known as the
   5-TUPLE.  At the client, the 5-tuple consists of the client's host
   transport address, the server transport address, and the transport
   protocol used by the client to communicate with the server.  At the
   server, the 5-tuple value is the same except that the client's host
   transport address is replaced by the client's server-reflexive
   address, since that is the client's address as seen by the server.

   Both the client and the server remember the 5-tuple used in the
   Allocate request.  Subsequent messages between the client and the
   server use the same 5-tuple.  In this way, the client and server know
   which allocation is being referred to.  If the client wishes to
   allocate a second relayed transport address, it must create a second
   allocation using a different 5-tuple (e.g., by using a different
   client host address or port).

      NOTE: While the terminology used in this document refers to
      5-tuples, the TURN server can store whatever identifier it likes
      that yields identical results.  Specifically, an implementation
      may use a file-descriptor in place of a 5-tuple to represent a TCP
      connection.

  TURN                                 TURN           Peer          Peer
  client                               server          A             B
    |-- Allocate request --------------->|             |             |
    |                                    |             |             |
    |<--------------- Allocate failure --|             |             |
    |                 (401 Unauthorized) |             |             |
    |                                    |             |             |
    |-- Allocate request --------------->|             |             |
    |                                    |             |             |
    |<---------- Allocate success resp --|             |             |
    |            (192.0.2.15:50000)      |             |             |
    //                                   //            //            //
    |                                    |             |             |
    |-- Refresh request ---------------->|             |             |
    |                                    |             |             |
    |<----------- Refresh success resp --|             |             |
    |                                    |             |             |

                                 Figure 2
Top   ToC   RFC5766 - Page 11
   In Figure 2, the client sends an Allocate request to the server
   without credentials.  Since the server requires that all requests be
   authenticated using STUN's long-term credential mechanism, the server
   rejects the request with a 401 (Unauthorized) error code.  The client
   then tries again, this time including credentials (not shown).  This
   time, the server accepts the Allocate request and returns an Allocate
   success response containing (amongst other things) the relayed
   transport address assigned to the allocation.  Sometime later, the
   client decides to refresh the allocation and thus sends a Refresh
   request to the server.  The refresh is accepted and the server
   replies with a Refresh success response.

2.3. Permissions

To ease concerns amongst enterprise IT administrators that TURN could be used to bypass corporate firewall security, TURN includes the notion of permissions. TURN permissions mimic the address-restricted filtering mechanism of NATs that comply with [RFC4787]. An allocation can have zero or more permissions. Each permission consists of an IP address and a lifetime. When the server receives a UDP datagram on the allocation's relayed transport address, it first checks the list of permissions. If the source IP address of the datagram matches a permission, the application data is relayed to the client, otherwise the UDP datagram is silently discarded. A permission expires after 5 minutes if it is not refreshed, and there is no way to explicitly delete a permission. This behavior was selected to match the behavior of a NAT that complies with [RFC4787]. The client can install or refresh a permission using either a CreatePermission request or a ChannelBind request. Using the CreatePermission request, multiple permissions can be installed or refreshed with a single request -- this is important for applications that use ICE. For security reasons, permissions can only be installed or refreshed by transactions that can be authenticated; thus, Send indications and ChannelData messages (which are used to send data to peers) do not install or refresh any permissions. Note that permissions are within the context of an allocation, so adding or expiring a permission in one allocation does not affect other allocations.
Top   ToC   RFC5766 - Page 12

2.4. Send Mechanism

There are two mechanisms for the client and peers to exchange application data using the TURN server. The first mechanism uses the Send and Data methods, the second way uses channels. Common to both ways is the ability of the client to communicate with multiple peers using a single allocated relayed transport address; thus, both ways include a means for the client to indicate to the server which peer should receive the data, and for the server to indicate to the client which peer sent the data. The Send mechanism uses Send and Data indications. Send indications are used to send application data from the client to the server, while Data indications are used to send application data from the server to the client. When using the Send mechanism, the client sends a Send indication to the TURN server containing (a) an XOR-PEER-ADDRESS attribute specifying the (server-reflexive) transport address of the peer and (b) a DATA attribute holding the application data. When the TURN server receives the Send indication, it extracts the application data from the DATA attribute and sends it in a UDP datagram to the peer, using the allocated relay address as the source address. Note that there is no need to specify the relayed transport address, since it is implied by the 5-tuple used for the Send indication. In the reverse direction, UDP datagrams arriving at the relayed transport address on the TURN server are converted into Data indications and sent to the client, with the server-reflexive transport address of the peer included in an XOR-PEER-ADDRESS attribute and the data itself in a DATA attribute. Since the relayed transport address uniquely identified the allocation, the server knows which client should receive the data. Send and Data indications cannot be authenticated, since the long- term credential mechanism of STUN does not support authenticating indications. This is not as big an issue as it might first appear, since the client-to-server leg is only half of the total path to the peer. Applications that want proper security should encrypt the data sent between the client and a peer. Because Send indications are not authenticated, it is possible for an attacker to send bogus Send indications to the server, which will then relay these to a peer. To partly mitigate this attack, TURN requires that the client install a permission towards a peer before sending data to it using a Send indication.
Top   ToC   RFC5766 - Page 13
  TURN                                 TURN           Peer          Peer
  client                               server          A             B
    |                                    |             |             |
    |-- CreatePermission req (Peer A) -->|             |             |
    |<-- CreatePermission success resp --|             |             |
    |                                    |             |             |
    |--- Send ind (Peer A)-------------->|             |             |
    |                                    |=== data ===>|             |
    |                                    |             |             |
    |                                    |<== data ====|             |
    |<-------------- Data ind (Peer A) --|             |             |
    |                                    |             |             |
    |                                    |             |             |
    |--- Send ind (Peer B)-------------->|             |             |
    |                                    | dropped     |             |
    |                                    |             |             |
    |                                    |<== data ==================|
    |                            dropped |             |             |
    |                                    |             |             |

                                 Figure 3

   In Figure 3, the client has already created an allocation and now
   wishes to send data to its peers.  The client first creates a
   permission by sending the server a CreatePermission request
   specifying Peer A's (server-reflexive) IP address in the XOR-PEER-
   ADDRESS attribute; if this was not done, the server would not relay
   data between the client and the server.  The client then sends data
   to Peer A using a Send indication; at the server, the application
   data is extracted and forwarded in a UDP datagram to Peer A, using
   the relayed transport address as the source transport address.  When
   a UDP datagram from Peer A is received at the relayed transport
   address, the contents are placed into a Data indication and forwarded
   to the client.  Later, the client attempts to exchange data with Peer
   B; however, no permission has been installed for Peer B, so the Send
   indication from the client and the UDP datagram from the peer are
   both dropped by the server.

2.5. Channels

For some applications (e.g., Voice over IP), the 36 bytes of overhead that a Send indication or Data indication adds to the application data can substantially increase the bandwidth required between the client and the server. To remedy this, TURN offers a second way for the client and server to associate data with a specific peer. This second way uses an alternate packet format known as the ChannelData message. The ChannelData message does not use the STUN
Top   ToC   RFC5766 - Page 14
   header used by other TURN messages, but instead has a 4-byte header
   that includes a number known as a channel number.  Each channel
   number in use is bound to a specific peer and thus serves as a
   shorthand for the peer's host transport address.

   To bind a channel to a peer, the client sends a ChannelBind request
   to the server, and includes an unbound channel number and the
   transport address of the peer.  Once the channel is bound, the client
   can use a ChannelData message to send the server data destined for
   the peer.  Similarly, the server can relay data from that peer
   towards the client using a ChannelData message.

   Channel bindings last for 10 minutes unless refreshed -- this
   lifetime was chosen to be longer than the permission lifetime.
   Channel bindings are refreshed by sending another ChannelBind request
   rebinding the channel to the peer.  Like permissions (but unlike
   allocations), there is no way to explicitly delete a channel binding;
   the client must simply wait for it to time out.

  TURN                                 TURN           Peer          Peer
  client                               server          A             B
    |                                    |             |             |
    |-- ChannelBind req ---------------->|             |             |
    | (Peer A to 0x4001)                 |             |             |
    |                                    |             |             |
    |<---------- ChannelBind succ resp --|             |             |
    |                                    |             |             |
    |-- [0x4001] data ------------------>|             |             |
    |                                    |=== data ===>|             |
    |                                    |             |             |
    |                                    |<== data ====|             |
    |<------------------ [0x4001] data --|             |             |
    |                                    |             |             |
    |--- Send ind (Peer A)-------------->|             |             |
    |                                    |=== data ===>|             |
    |                                    |             |             |
    |                                    |<== data ====|             |
    |<------------------ [0x4001] data --|             |             |
    |                                    |             |             |

                                 Figure 4

   Figure 4 shows the channel mechanism in use.  The client has already
   created an allocation and now wishes to bind a channel to Peer A.  To
   do this, the client sends a ChannelBind request to the server,
   specifying the transport address of Peer A and a channel number
   (0x4001).  After that, the client can send application data
   encapsulated inside ChannelData messages to Peer A: this is shown as
Top   ToC   RFC5766 - Page 15
   "[0x4001] data" where 0x4001 is the channel number.  When the
   ChannelData message arrives at the server, the server transfers the
   data to a UDP datagram and sends it to Peer A (which is the peer
   bound to channel number 0x4001).

   In the reverse direction, when Peer A sends a UDP datagram to the
   relayed transport address, this UDP datagram arrives at the server on
   the relayed transport address assigned to the allocation.  Since the
   UDP datagram was received from Peer A, which has a channel number
   assigned to it, the server encapsulates the data into a ChannelData
   message when sending the data to the client.

   Once a channel has been bound, the client is free to intermix
   ChannelData messages and Send indications.  In the figure, the client
   later decides to use a Send indication rather than a ChannelData
   message to send additional data to Peer A.  The client might decide
   to do this, for example, so it can use the DONT-FRAGMENT attribute
   (see the next section).  However, once a channel is bound, the server
   will always use a ChannelData message, as shown in the call flow.

   Note that ChannelData messages can only be used for peers to which
   the client has bound a channel.  In the example above, Peer A has
   been bound to a channel, but Peer B has not, so application data to
   and from Peer B would use the Send mechanism.

2.6. Unprivileged TURN Servers

This version of TURN is designed so that the server can be implemented as an application that runs in user space under commonly available operating systems without requiring special privileges. This design decision was made to make it easy to deploy a TURN server: for example, to allow a TURN server to be integrated into a peer-to-peer application so that one peer can offer NAT traversal services to another peer. This design decision has the following implications for data relayed by a TURN server: o The value of the Diffserv field may not be preserved across the server; o The Time to Live (TTL) field may be reset, rather than decremented, across the server; o The Explicit Congestion Notification (ECN) field may be reset by the server; o ICMP messages are not relayed by the server;
Top   ToC   RFC5766 - Page 16
   o  There is no end-to-end fragmentation, since the packet is re-
      assembled at the server.

   Future work may specify alternate TURN semantics that address these
   limitations.

2.7. Avoiding IP Fragmentation

For reasons described in [Frag-Harmful], applications, especially those sending large volumes of data, should try hard to avoid having their packets fragmented. Applications using TCP can more or less ignore this issue because fragmentation avoidance is now a standard part of TCP, but applications using UDP (and thus any application using this version of TURN) must handle fragmentation avoidance themselves. The application running on the client and the peer can take one of two approaches to avoid IP fragmentation. The first approach is to avoid sending large amounts of application data in the TURN messages/UDP datagrams exchanged between the client and the peer. This is the approach taken by most VoIP (Voice-over-IP) applications. In this approach, the application exploits the fact that the IP specification [RFC0791] specifies that IP packets up to 576 bytes should never need to be fragmented. The exact amount of application data that can be included while avoiding fragmentation depends on the details of the TURN session between the client and the server: whether UDP, TCP, or TLS transport is used, whether ChannelData messages or Send/Data indications are used, and whether any additional attributes (such as the DONT- FRAGMENT attribute) are included. Another factor, which is hard to determine, is whether the MTU is reduced somewhere along the path for other reasons, such as the use of IP-in-IP tunneling. As a guideline, sending a maximum of 500 bytes of application data in a single TURN message (by the client on the client-to-server leg) or a UDP datagram (by the peer on the peer-to-server leg) will generally avoid IP fragmentation. To further reduce the chance of fragmentation, it is recommended that the client use ChannelData messages when transferring significant volumes of data, since the overhead of the ChannelData message is less than Send and Data indications. The second approach the client and peer can take to avoid fragmentation is to use a path MTU discovery algorithm to determine the maximum amount of application data that can be sent without fragmentation.
Top   ToC   RFC5766 - Page 17
   Unfortunately, because servers implementing this version of TURN do
   not relay ICMP messages, the classic path MTU discovery algorithm
   defined in [RFC1191] is not able to discover the MTU of the
   transmission path between the client and the peer.  (Even if they did
   relay ICMP messages, the algorithm would not always work since ICMP
   messages are often filtered out by combined NAT/firewall devices).

   So the client and server need to use a path MTU discovery algorithm
   that does not require ICMP messages.  The Packetized Path MTU
   Discovery algorithm defined in [RFC4821] is one such algorithm.

   The details of how to use the algorithm of [RFC4821] with TURN are
   still under investigation.  However, as a step towards this goal,
   this version of TURN supports a DONT-FRAGMENT attribute.  When the
   client includes this attribute in a Send indication, this tells the
   server to set the DF bit in the resulting UDP datagram that it sends
   to the peer.  Since some servers may be unable to set the DF bit, the
   client should also include this attribute in the Allocate request --
   any server that does not support the DONT-FRAGMENT attribute will
   indicate this by rejecting the Allocate request.

2.8. RTP Support

One of the envisioned uses of TURN is as a relay for clients and peers wishing to exchange real-time data (e.g., voice or video) using RTP. To facilitate the use of TURN for this purpose, TURN includes some special support for older versions of RTP. Old versions of RTP [RFC3550] required that the RTP stream be on an even port number and the associated RTP Control Protocol (RTCP) stream, if present, be on the next highest port. To allow clients to work with peers that still require this, TURN allows the client to request that the server allocate a relayed transport address with an even port number, and to optionally request the server reserve the next-highest port number for a subsequent allocation.

2.9. Anycast Discovery of Servers

This version of TURN has been designed to permit the future specification of a method of doing anycast discovery of a TURN server over UDP. Specifically, a TURN server can reject an Allocate request with the suggestion that the client try an alternate server. To avoid certain types of attacks, the client must use the same credentials with the alternate server as it would have with the initial server.


(next page on part 2)

Next Section