draft-ietf-tram-stun-dtls-05.txt   rfc7350.txt 
TRAM M. Petit-Huguenin Internet Engineering Task Force (IETF) M. Petit-Huguenin
Internet-Draft Jive Communications Request for Comments: 7350 Jive Communications
Updates: 5389, 5928 (if approved) G. Salgueiro Updates: 5389, 5928 G. Salgueiro
Intended status: Standards Track Cisco Systems Category: Standards Track Cisco Systems
Expires: December 29, 2014 June 27, 2014 ISSN: 2070-1721 August 2014
Datagram Transport Layer Security (DTLS) as Transport for Session Datagram Transport Layer Security (DTLS) as Transport
Traversal Utilities for NAT (STUN) for Session Traversal Utilities for NAT (STUN)
draft-ietf-tram-stun-dtls-05
Abstract Abstract
This document specifies the usage of Datagram Transport Layer This document specifies the usage of Datagram Transport Layer
Security (DTLS) as a transport protocol for Session Traversal Security (DTLS) as a transport protocol for Session Traversal
Utilities for NAT (STUN). It provides guidances on when and how to Utilities for NAT (STUN). It provides guidance on when and how to
use DTLS with the currently standardized STUN Usages. It also use DTLS with the currently standardized STUN usages. It also
specifies modifications to the STUN URIs and TURN URIs and to the specifies modifications to the STUN and Traversal Using Relay NAT
TURN resolution mechanism to facilitate the resolution of STUN URIs (TURN) URIs and to the TURN resolution mechanism to facilitate the
and TURN URIs into the IP address and port of STUN and TURN servers resolution of STUN and TURN URIs into the IP address and port of STUN
supporting DTLS as a transport protocol. This document updates RFC and TURN servers supporting DTLS as a transport protocol. This
5389 and RFC 5928. document updates RFCs 5389 and 5928.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on December 29, 2014. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7350.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 24 skipping to change at page 2, line 33
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. DTLS as Transport for STUN . . . . . . . . . . . . . . . . . 3 3. DTLS as Transport for STUN . . . . . . . . . . . . . . . . . 3
4. STUN Usages . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. STUN Usages . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. NAT Discovery Usage . . . . . . . . . . . . . . . . . . . 4 4.1. NAT Discovery Usage . . . . . . . . . . . . . . . . . . . 4
4.1.1. DTLS Support in STUN URIs . . . . . . . . . . . . . . 5 4.1.1. DTLS Support in STUN URIs . . . . . . . . . . . . . . 5
4.2. Connectivity Check Usage . . . . . . . . . . . . . . . . 5 4.2. Connectivity Check Usage . . . . . . . . . . . . . . . . 5
4.3. Media Keep-Alive Usage . . . . . . . . . . . . . . . . . 5 4.3. Media Keep-Alive Usage . . . . . . . . . . . . . . . . . 5
4.4. SIP Keep-Alive Usage . . . . . . . . . . . . . . . . . . 6 4.4. SIP Keep-Alive Usage . . . . . . . . . . . . . . . . . . 6
4.5. NAT Behavior Discovery Usage . . . . . . . . . . . . . . 6 4.5. NAT Behavior Discovery Usage . . . . . . . . . . . . . . 6
4.6. TURN Usage . . . . . . . . . . . . . . . . . . . . . . . 6 4.6. TURN Usage . . . . . . . . . . . . . . . . . . . . . . . 6
4.6.1. DTLS Support in TURN URIs . . . . . . . . . . . . . . 6 4.6.1. DTLS Support in TURN URIs . . . . . . . . . . . . . . 7
4.6.2. Resolution Mechanism for TURN over DTLS . . . . . . . 7 4.6.2. Resolution Mechanism for TURN over DTLS . . . . . . . 7
5. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5.1. turnuri . . . . . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
5.2. rfc5766-turn-server . . . . . . . . . . . . . . . . . . . 9 6.1. S-NAPTR Application Protocol Tag . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6.2. Service Name and Transport Protocol Port Number . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6.2.1. The "stuns" Service Name . . . . . . . . . . . . . . 10
7.1. S-NAPTR application protocol tag . . . . . . . . . . . . 10 6.2.2. The "turns" Service Name . . . . . . . . . . . . . . 11
7.2. Service Name and Transport Protocol Port Number . . . . . 10 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
7.2.1. The stuns Service Name . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.2.2. The turns Service Name . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 8.2. Informative References . . . . . . . . . . . . . . . . . 13
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 14 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 14
Appendix B. Release notes . . . . . . . . . . . . . . . . . . . 15
B.1. Modifications between ietf-tram-stun-dtls-04 and ietf-
tram-stun-dtls-05 . . . . . . . . . . . . . . . . . . . . 15
B.2. Modifications between ietf-tram-stun-dtls-03 and ietf-
tram-stun-dtls-04 . . . . . . . . . . . . . . . . . . . . 16
B.3. Modifications between ietf-tram-stun-dtls-02 and ietf-
tram-stun-dtls-03 . . . . . . . . . . . . . . . . . . . . 16
B.4. Modifications between ietf-tram-stun-dtls-01 and ietf-
tram-stun-dtls-02 . . . . . . . . . . . . . . . . . . . . 17
B.5. Modifications between ietf-tram-stun-dtls-00 and ietf-
tram-stun-dtls-01 . . . . . . . . . . . . . . . . . . . . 17
B.6. Modifications between petithuguenin-tram-stun-dtls-00 and
ietf-tram-stun-dtls-00 . . . . . . . . . . . . . . . . . 17
B.7. Modifications between petithuguenin-tram-turn-dtls-00 and
petithuguenin-tram-stun-dtls-00 . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
STUN [RFC5389] defines Transport Layer Security (TLS) over TCP STUN [RFC5389] defines Transport Layer Security (TLS) over TCP
(simply referred to as TLS [RFC5246]) as the transport for STUN due (simply referred to as TLS [RFC5246]) as the transport for STUN due
to additional security advantages it offers over plain UDP or TCP to additional security advantages it offers over plain UDP or TCP
transport. But TCP (and thus TLS-over-TCP) is not an optimal transport. But, TCP (and thus TLS-over-TCP) is not an optimal
transport when STUN is used for its originally intended purpose, transport when STUN is used for its originally intended purpose,
which is to support multimedia sessions. This is a well documented which is to support multimedia sessions. This is a well documented
and understood transport limitation for real-time communications. and understood transport limitation for real-time communications.
DTLS-over-UDP (referred to in this document as simply DTLS [RFC6347]) DTLS-over-UDP (referred to in this document as simply DTLS [RFC6347])
offers the same security advantages as TLS-over-TCP, but without the offers the same security advantages as TLS-over-TCP, but without the
undesirable concerns. undesirable concerns.
2. Terminology 2. Terminology
skipping to change at page 3, line 43 skipping to change at page 3, line 39
STUN [RFC5389] defines three transports: UDP, TCP, and TLS. This STUN [RFC5389] defines three transports: UDP, TCP, and TLS. This
document adds DTLS as a valid transport for STUN. document adds DTLS as a valid transport for STUN.
STUN over DTLS MUST use the same retransmission rules as STUN over STUN over DTLS MUST use the same retransmission rules as STUN over
UDP (as described in Section 7.2.1 of [RFC5389]). It MUST also use UDP (as described in Section 7.2.1 of [RFC5389]). It MUST also use
the same rules that are described in Section 7.2.2 of [RFC5389] to the same rules that are described in Section 7.2.2 of [RFC5389] to
verify the server identity. Instead of TLS_RSA_WITH_AES_128_CBC_SHA, verify the server identity. Instead of TLS_RSA_WITH_AES_128_CBC_SHA,
which is the default cipher suite for STUN over TLS, implementations which is the default cipher suite for STUN over TLS, implementations
of STUN over DTLS, and deployed clients and servers, MUST support of STUN over DTLS, and deployed clients and servers, MUST support
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and MAY support other TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and MAY support other cipher
ciphersuites. Perfect Forward Secrecy (PFS) cipher suites MUST be suites. Perfect Forward Secrecy (PFS) cipher suites MUST be
preferred over non-PFS cipher suites. Cipher suites with known preferred over non-PFS cipher suites. Cipher suites with known
weaknesses, such as those based on (single) DES and RC4, MUST NOT be weaknesses, such as those based on (single) DES and RC4, MUST NOT be
used. Implementations MUST disable TLS-level compression. The same used. Implementations MUST disable TLS-level compression. The same
rules established in Section 7.2.2 of [RFC5389] for keeping open and rules established in Section 7.2.2 of [RFC5389] for keeping open and
closing TCP/TLS connections MUST be used as well for DTLS closing TCP/TLS connections MUST be used as well for DTLS
associations. associations.
In addition to the path MTU rules described in Section 7.1 of In addition to the path MTU rules described in Section 7.1 of
[RFC5389], if the path MTU is unknown, the actual STUN message needs [RFC5389], if the path MTU is unknown, the actual STUN message needs
to be adjusted to take into account the size of the (13-byte) DTLS to be adjusted to take into account the size of the (13-byte) DTLS
Record header, the MAC size, and the padding size. Record header, the MAC size, and the padding size.
By default, STUN over DTLS MUST use port 5349, the same port number By default, STUN over DTLS MUST use port 5349, the same port number
as STUN over TLS. However, the SRV procedures can be implemented to as STUN over TLS. However, the Service Record (SRV) procedures can
use a different port (as described in Section 9 of [RFC5389]). When be implemented to use a different port (as described in Section 9 of
using SRV records, the service name MUST be set to "stuns" and the [RFC5389]). When using SRV records, the service name MUST be set to
protocol name to "udp". "stuns" and the protocol name to "udp".
Classic STUN [RFC3489] defines only UDP as a transport and DTLS MUST Classic STUN [RFC3489] (which was obsoleted by [RFC5389]) defines
NOT be used. Any STUN request or indication without the magic cookie only UDP as a transport, and DTLS MUST NOT be used. Any STUN request
(see Section 6 of [RFC5389]) over DTLS MUST always result in an or indication without the magic cookie (see Section 6 of [RFC5389])
error. over DTLS MUST always result in an error.
4. STUN Usages 4. STUN Usages
[RFC5389] Section 7.2 states that STUN usages must specify which Section 7.2 of [RFC5389] states that STUN usages must specify which
transport protocol is used. The following sections discuss if and transport protocol is used. The following sections discuss if and
how the existing STUN usages are used with DTLS as the transport. how the existing STUN usages are used with DTLS as the transport.
Future STUN usages MUST take into account DTLS as a transport and Future STUN usages MUST take into account DTLS as a transport and
discuss its applicability. In all cases, new STUN usages MUST discuss its applicability. In all cases, new STUN usages MUST
explicitly state if implementing the denial-of-service counter- explicitly state if implementing the denial-of-service countermeasure
measure described in Section 4.2.1 of [RFC6347] is mandatory. described in Section 4.2.1 of [RFC6347] is mandatory.
4.1. NAT Discovery Usage 4.1. NAT Discovery Usage
As stated by Section 13 of [RFC5389], "...TLS provides minimal As stated by Section 13 of [RFC5389], "...TLS provides minimal
security benefits..." for this particular STUN usage. DTLS will also security benefits..." for this particular STUN usage. DTLS will also
similarly offer only limited benefit. This is because the only similarly offer only limited benefit. This is because the only
mandatory attribute that is TLS/DTLS protected is the XOR-MAPPED- mandatory attribute that is TLS/DTLS protected is the
ADDRESS, which is already known by an on-path attacker, since it is XOR-MAPPED-ADDRESS, which is already known by an on-path attacker,
the same as the source address and port of the STUN request. On the since it is the same as the source address and port of the STUN
other hand, using TLS/DTLS will prevent an active attacker to inject request. On the other hand, using TLS/DTLS will prevent an active
XOR-MAPPED-ADDRESS in responses. The TLS/DTLS transport will also attacker to inject XOR-MAPPED-ADDRESS in responses. The TLS/DTLS
protect the SOFTWARE attribute, which can be used to find transport will also protect the SOFTWARE attribute, which can be used
vulnerabilities in STUN implementations. to find vulnerabilities in STUN implementations.
Regardless, this usage is rarely used by itself, since using TURN Regardless, this usage is rarely used by itself, since using TURN
[RFC5766] with ICE [RFC5245] is generally indispensable, and TURN [RFC5766] with Interactive Connectivity Establishment (ICE) [RFC5245]
provides the same NAT Discovery feature as part of an Allocation is generally indispensable, and TURN provides the same NAT Discovery
creation. In fact, with ICE, the NAT Discovery usage is only used feature as part of an allocation creation. In fact, with ICE, the
when there is no longer any resource available for new Allocations in NAT Discovery usage is only used when there is no longer any resource
the TURN server. available for new allocations in the TURN server.
A STUN server implementing the NAT Discovery Usage and using DTLS A STUN server implementing the NAT Discovery usage and using DTLS
MUST implement the denial-of-service counter-measure described in MUST implement the denial-of-service countermeasure described in
Section 4.2.1 of [RFC6347]. Section 4.2.1 of [RFC6347].
4.1.1. DTLS Support in STUN URIs 4.1.1. DTLS Support in STUN URIs
This document does not make any changes to the syntax of a STUN URI This document does not make any changes to the syntax of a STUN URI
[RFC7064]. As indicated in Section 3.2 of [RFC7064], secure [RFC7064]. As indicated in Section 3.2 of [RFC7064], secure
transports like STUN over TLS, and now STUN over DTLS, MUST use the transports like STUN over TLS, and now STUN over DTLS, MUST use the
"stuns" URI scheme. "stuns" URI scheme.
The <host> value MUST be used when using the rules in Section 7.2.2 The <host> value MUST be used when using the rules in Section 7.2.2
of [RFC5389] to verify the server identity. A STUN URI containing an of [RFC5389] to verify the server identity. A STUN URI containing an
IP address MUST be rejected, unless the domain name is provided by IP address MUST be rejected, unless the domain name is provided by
the same mechanism that provided the STUN URI, and that this domain the same mechanism that provided the STUN URI, and that domain name
name can be passed to the verification code. can be passed to the verification code.
4.2. Connectivity Check Usage 4.2. Connectivity Check Usage
Using DTLS would hide the USERNAME, PRIORITY, USE-CANDIDATE, ICE- Using DTLS would hide the USERNAME, PRIORITY, USE-CANDIDATE,
CONTROLLED and ICE-CONTROLLING attributes. But because MESSAGE- ICE-CONTROLLED, and ICE-CONTROLLING attributes. But, because
INTEGRITY protects the entire STUN response using a password that is MESSAGE-INTEGRITY protects the entire STUN response using a password
known only by looking at the SDP exchanged, it is not possible for an that is known only by looking at the Session Description Protocol
attacker that does not have access to this SDP to inject an incorrect (SDP) exchanged, it is not possible for an attacker that does not
XOR-MAPPED-ADDRESS, XOR-MAPPED-ADDRESS which would subsequently be have access to this SDP to inject an incorrect XOR-MAPPED-ADDRESS,
used as a peer reflexive candidate. which would subsequently be used as a peer reflexive candidate.
Adding DTLS on top of the connectivity check would delay, and Adding DTLS on top of the connectivity check would delay, and
consequently impair, the ICE process. Adding additional round-trips consequently impair, the ICE process. Adding additional round trips
to ICE is undesirable, so much that there is a proposal to ICE is undesirable, so much that there is a proposal ([ICE-DTLS])
([I-D.thomson-rtcweb-ice-dtls]) to use the DTLS handshake used by the to use the DTLS handshake used by the WebRTC Secure Real-time
WebRTC SRTP streams as a replacement for the connectivity checks. Transport Protocol (SRTP) streams as a replacement for the
connectivity checks.
STUN URIs are not used with this usage. STUN URIs are not used with this usage.
4.3. Media Keep-Alive Usage 4.3. Media Keep-Alive Usage
When STUN Binding Indications are being used for media keep-alive When STUN Binding Indications are being used for media keep-alive
(described in Section 10 of [RFC5245]), it runs alongside an RTP or (described in Section 10 of [RFC5245]), it runs alongside an RTP or
RTCP session. It is possible to send these media keep-alive packets RTP Control Protocol (RTCP) session. It is possible to send these
inside a separately negotiated non-SRTP DTLS session if DTLS-SRTP media keep-alive packets inside a separately negotiated non-SRTP DTLS
[RFC5764] is used, but that would add overhead, with minimal security session if DTLS-SRTP [RFC5764] is used, but that would add overhead,
benefit. with minimal security benefit.
STUN URIs are not used with this usage. STUN URIs are not used with this usage.
4.4. SIP Keep-Alive Usage 4.4. SIP Keep-Alive Usage
The SIP keep-alive (described in [RFC5626]) runs inside a SIP flow. The SIP keep-alive (described in [RFC5626]) runs inside a SIP flow.
This flow would be protected if a SIP over DTLS transport mechanism This flow would be protected if a SIP over DTLS transport mechanism
is implemented (such as described in [I-D.jennings-sip-dtls]). is implemented (such as described in [SIP-DTLS]).
STUN URIs are not used with this usage. STUN URIs are not used with this usage.
4.5. NAT Behavior Discovery Usage 4.5. NAT Behavior Discovery Usage
The NAT Behavior Discovery usage is Experimental and to date has The NAT Behavior Discovery usage is Experimental and to date has
never being effectively deployed. Despite this, using DTLS would add never been effectively deployed. Despite this, using DTLS would add
the same security properties as for the NAT Discovery Usage the same security properties as for the NAT Discovery usage
(Section 4.1). (Section 4.1).
The STUN URI can be used to access the NAT Discovery feature of a NAT The STUN URI can be used to access the NAT Discovery feature of a NAT
Behavior Discovery server, but accessing the full features would Behavior Discovery server, but accessing the full features would
require definition of a "stun-behaviors:" URI, which is out of scope require definition of a "stun-behaviors:" URI, which is out of scope
for this document. for this document.
A STUN server implementing the NAT Behavior Discovery Usage and using A STUN server implementing the NAT Behavior Discovery usage and using
DTLS MUST implement the denial-of-service counter-measure described DTLS MUST implement the denial-of-service countermeasure described in
in Section 4.2.1 of [RFC6347]. Section 4.2.1 of [RFC6347].
4.6. TURN Usage 4.6. TURN Usage
TURN [RFC5766] defines three combinations of transports/allocations: TURN [RFC5766] defines three combinations of transports/allocations:
UDP/UDP, TCP/UDP and TLS/UDP. This document adds DTLS/UDP as a valid UDP/UDP, TCP/UDP, and TLS/UDP. This document adds DTLS/UDP as a
combination. A TURN server using DTLS MUST implement the denial-of- valid combination. A TURN server using DTLS MUST implement the
service counter-measure described in Section 4.2.1 of [RFC6347]. denial-of-service countermeasure described in Section 4.2.1 of
[RFC6347].
[RFC6062] states that TCP allocations cannot be obtained using a UDP [RFC6062] states that TCP allocations cannot be obtained using a UDP
association between client and server. The fact that DTLS uses UDP association between client and server. The fact that DTLS uses UDP
implies that TCP allocations MUST NOT be obtained using a DTLS implies that TCP allocations MUST NOT be obtained using a DTLS
association between client and server. association between client and server.
By default, TURN over DTLS uses port 5349, the same port number as By default, TURN over DTLS uses port 5349, the same port number as
TURN over TLS. However, the SRV procedures can be implemented to use TURN over TLS. However, the SRV procedures can be implemented to use
a different port (as described in Section 6 of [RFC5766]. When using a different port (as described in Section 6 of [RFC5766]). When
SRV records, the service name MUST be set to "turns" and the protocol using SRV records, the service name MUST be set to "turns" and the
name to "udp". protocol name to "udp".
4.6.1. DTLS Support in TURN URIs 4.6.1. DTLS Support in TURN URIs
This document does not make any changes to the syntax of a TURN URI This document does not make any changes to the syntax of a TURN URI
[RFC7065]. As indicated in Section 3 of [RFC7065], secure transports [RFC7065]. As indicated in Section 3 of [RFC7065], secure transports
like TURN over TLS, and now TURN over DTLS, MUST use the "turns" URI like TURN over TLS, and now TURN over DTLS, MUST use the "turns" URI
scheme. When using the "turns" URI scheme to designate TURN over scheme. When using the "turns" URI scheme to designate TURN over
DTLS, the transport value of the TURN URI, if set, MUST be "udp". DTLS, the transport value of the TURN URI, if set, MUST be "udp".
The <host> value MUST be used when using the rules in Section 7.2.2 The <host> value MUST be used when using the rules in Section 7.2.2
of [RFC5389] to verify the server identity. A TURN URI containing an of [RFC5389] to verify the server identity. A TURN URI containing an
IP address MUST be rejected, unless the domain is provided by the IP address MUST be rejected, unless the domain is provided by the
same mechanism that provided the TURN URI, and that this domain name same mechanism that provided the TURN URI, and that domain name can
can be passed to the verification code. be passed to the verification code.
4.6.2. Resolution Mechanism for TURN over DTLS 4.6.2. Resolution Mechanism for TURN over DTLS
This document defines a new Straightforward Naming Authority Pointer This document defines a new Straightforward-Naming Authority Pointer
(S-NAPTR) application protocol tag: "turn.dtls". (S-NAPTR) application protocol tag: "turn.dtls".
The <transport> component, as provisioned or resulting from the The <transport> component, as provisioned or resulting from the
parsing of a TURN URI, is passed without modification to the TURN parsing of a TURN URI, is passed without modification to the TURN
resolution mechanism defined in Section 3 of [RFC5928], but with the resolution mechanism defined in Section 3 of [RFC5928], but with the
following alterations to that algorithm: following alterations to that algorithm:
o The acceptable values for transport name are extended with the o The acceptable values for the transport name are extended with the
addition of "dtls". addition of "dtls".
o The acceptable values in the ordered list of supported TURN o The acceptable values in the ordered list of supported TURN
transports is extended with the addition of "Datagram Transport transports is extended with the addition of "Datagram Transport
Layer Security (DTLS)". Layer Security (DTLS)".
o The resolution algorithm check rules list is extended with the o The resolution algorithm check rules list is extended with the
addition of the following step: addition of the following step:
If <secure> is true and <transport> is defined as "udp" but the If <secure> is true and <transport> is defined as "udp" but the
skipping to change at page 8, line 5 skipping to change at page 8, line 13
error. error.
o Table 1 is modified to add the following line: o Table 1 is modified to add the following line:
+----------+-------------+----------------+ +----------+-------------+----------------+
| <secure> | <transport> | TURN Transport | | <secure> | <transport> | TURN Transport |
+----------+-------------+----------------+ +----------+-------------+----------------+
| true | "udp" | DTLS | | true | "udp" | DTLS |
+----------+-------------+----------------+ +----------+-------------+----------------+
o In step 1 of the resolution algorithm the default port for DTLS is o In step 1 of the resolution algorithm, the default port for DTLS
5349. is 5349.
o In step 4 of the resolution algorithm the following is added to o In step 4 of the resolution algorithm, the following is added to
the list of conversions between the filtered list of TURN the list of conversions between the filtered list of TURN
transports supported by the application and application protocol transports supported by the application and application protocol
tags: tags:
"turn.dtls" is used if the TURN transport is DTLS. "turn.dtls" is used if the TURN transport is DTLS.
Note that using the [RFC5928] resolution mechanism does not imply Note that using the resolution mechanism in [RFC5928] does not imply
that additional round trips to the DNS server will be needed (e.g., that additional round trips to the DNS server will be needed (e.g.,
the TURN client will start immediately if the TURN URI contains an IP the TURN client will start immediately if the TURN URI contains an IP
address). address).
5. Implementation Status 5. Security Considerations
[[Note to RFC Editor: Please remove this section and the reference to
[RFC6982] before publication.]]
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC6982].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to [RFC6982], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
5.1. turnuri
Organization: Impedance Mismatch
Name: turnuri 0.5.0 http://debian.implementers.org/stable/source/
turnuri.tar.gz
Description: A reference implementation of the URI and resolution
mechanism defined in this document, RFC 7065 [RFC7065] and RFC
5928 [RFC5928].
Level of maturity: Beta.
Coverage: Fully implements the URIs and resolution mechanism
defined in this specification, in RFC 7065 and in RFC 5928.
Licensing: AGPL3
Implementation experience: TBD
Contact: Marc Petit-Huguenin <marc@petit-huguenin.org>.
5.2. rfc5766-turn-server
Organization: This is a public project, the full list of authors
and contributors here: http://turnserver.open-sys.org/downloads/
AUTHORS.
Name: http://code.google.com/p/rfc5766-turn-server/
Description: A mature open-source TURN server specs implementation
(RFC 5766, RFC 6062, RFC 6156, etc) designed for high-performance
applications, especially geared for WebRTC.
Level of maturity: Production level.
Coverage: Fully implements DTLS with TURN protocol.
Licensing: BSD: http://turnserver.open-sys.org/downloads/LICENSE
Implementation experience: DTLS is recommended for secure media
applications. It has benefits of both UDP and TLS.
Contact: Oleg Moskalenko <mom040267@gmail.com>
6. Security Considerations
STUN over DTLS as a STUN transport does not introduce any specific STUN over DTLS as a STUN transport does not introduce any specific
security considerations beyond those for STUN over TLS detailed in security considerations beyond those for STUN over TLS detailed in
[RFC5389]. [RFC5389].
The usage of "udp" as a transport parameter with the "stuns" URI The usage of "udp" as a transport parameter with the "stuns" URI
scheme does not introduce any specific security issues beyond those scheme does not introduce any specific security issues beyond those
discussed in [RFC7064]. discussed in [RFC7064].
TURN over DTLS as a TURN transport does not introduce any specific TURN over DTLS as a TURN transport does not introduce any specific
skipping to change at page 10, line 18 skipping to change at page 9, line 5
The usage of "udp" as a transport parameter with the "turns" URI The usage of "udp" as a transport parameter with the "turns" URI
scheme does not introduce any specific security issues beyond those scheme does not introduce any specific security issues beyond those
discussed in [RFC7065]. discussed in [RFC7065].
The new S-NAPTR application protocol tag defined in this document as The new S-NAPTR application protocol tag defined in this document as
well as the modifications this document makes to the TURN resolution well as the modifications this document makes to the TURN resolution
mechanism described in [RFC5928] do not introduce any additional mechanism described in [RFC5928] do not introduce any additional
security considerations beyond those outlined in [RFC5928]. security considerations beyond those outlined in [RFC5928].
7. IANA Considerations 6. IANA Considerations
7.1. S-NAPTR application protocol tag 6.1. S-NAPTR Application Protocol Tag
This specification contains the registration information for one This specification contains the registration information for one
S-NAPTR application protocol tag in the "Straightforward-NAPTR S-NAPTR application protocol tag in the "Straightforward-NAPTR
(S-NAPTR) Parameters/S-NAPTR Application Protocol Tags" registry (in (S-NAPTR) Parameters" registry under "S-NAPTR Application Protocol
accordance with [RFC3958]). Tags" (in accordance with [RFC3958]).
Application Protocol Tag: turn.dtls
Intended Usage: See Section 4.6.2
Interoperability considerations: N/A
Security considerations: See Section 6
Relevant publications: This document
Contact information: Marc Petit-Huguenin <petithug@acm.org>
Author/Change controller: The IESG Application Protocol Tag: turn.dtls
Intended Usage: See Section 4.6.2
Interoperability considerations: N/A
Security considerations: See Section 5
Relevant publications: This document
Contact information: Marc Petit-Huguenin <petithug@acm.org>
Author/Change controller: The IESG
7.2. Service Name and Transport Protocol Port Number 6.2. Service Name and Transport Protocol Port Number
This specification contains the registration information for two This specification contains the registration information for two
Service Name and Transport Protocol Port Numbers in the "Service Service Name and Transport Protocol Port Numbers in the "Service
Names and Transport Protocol Port Numbers/Service Name and Transport Names and Transport Protocol Port Numbers/Service Name and Transport
Protocol Port Number" registry (in accordance with [RFC6335]). Protocol Port Number" registry (in accordance with [RFC6335]).
7.2.1. The stuns Service Name 6.2.1. The "stuns" Service Name
IANA is requested to modify the following entry in the registry
"Service Names and Transport Protocol Port Numbers/Service Name and
Transport Protocol Port Number":
Service Name: stuns
Transport Protocol(s): UDP
Assignee:
Contact:
Description: Reserved for a future enhancement of STUN
Reference: RFC5389
Port Number: 5349
Such as it contains the following:
Service Name: stuns
Transport Protocol(s): UDP
Assignee: IESG
Contact: IETF Chair <chair@ietf.org>
Description: STUN over DTLS
Reference: RFC-to-be
Port Number: 5349
Assignment Notes: This service name was initially created by RFC
5389
7.2.2. The turns Service Name
IANA is requested to modify the following entry in the registry
"Service Names and Transport Protocol Port Numbers/Service Name and
Transport Protocol Port Number":
Service Name: turns
Transport Protocol(s): UDP
Assignee:
Contact:
Description: Reserved for a future enhancement of TURN
Reference: RFC5766
Port Number: 5349
Such as it contains the following: IANA has modified the following entry in the registry "Service Names
and Transport Protocol Port Numbers/Service Name and Transport
Protocol Port Number":
Service Name: turns Service Name: stuns
PortNumber: 5349
Transport Protocol: udp
Description: Reserved for a future enhancement of STUN
Assignee:
Contact:
Reference: RFC 5389
Transport Protocol(s): UDP So that it contains the following:
Assignee: IESG Service Name: stuns
Port Number: 5349
Transport Protocol: udp
Description: STUN over DTLS
Assignee: IESG
Contact: IETF Chair <chair@ietf.org>
Reference: RFC 7350
Assignment Notes: This service name was initially created by
RFC 5389.
Contact: IETF Chair <chair@ietf.org> 6.2.2. The "turns" Service Name
Description: TURN over DTLS IANA has modified the following entry in the registry "Service Names
and Transport Protocol Port Numbers/Service Name and Transport
Protocol Port Number":
Reference: RFC-to-be Service Name: turns
Port Number: 5349
Transport Protocol: udp
Description: Reserved for a future enhancement of TURN
Assignee:
Contact:
Reference: RFC 5766
Port Number: 5349 So that it contains the following:
Assignment Notes: This service name was initially created by RFC Service Name: turns
5766 Port Number: 5349
Transport Protocol: udp
Description: TURN over DTLS
Assignee: IESG
Contact: IETF Chair <chair@ietf.org>
Reference: RFC 7350
Assignment Notes: This service name was initially created by
RFC 5766.
8. Acknowledgements 7. Acknowledgements
Thanks to Alan Johnston, Oleg Moskalenko, Simon Perreault, Thomas Thanks to Alan Johnston, Oleg Moskalenko, Simon Perreault, Thomas
Stach, Simon Josefsson, Roni Even, Kathleen Moriarty, Benoit Claise, Stach, Simon Josefsson, Roni Even, Kathleen Moriarty, Benoit Claise,
Martin Stiemerling, Jari Arkko, and Stephen Farrell for the comments, Martin Stiemerling, Jari Arkko, and Stephen Farrell for the comments,
suggestions, and questions that helped improve this document. suggestions, and questions that helped improve this document.
9. References 8. References
9.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
"STUN - Simple Traversal of User Datagram Protocol (UDP) "STUN - Simple Traversal of User Datagram Protocol (UDP)
Through Network Address Translators (NATs)", RFC 3489, Through Network Address Translators (NATs)", RFC 3489,
March 2003. March 2003.
[RFC3958] Daigle, L. and A. Newton, "Domain-Based Application [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application
skipping to change at page 14, line 5 skipping to change at page 13, line 22
Security Version 1.2", RFC 6347, January 2012. Security Version 1.2", RFC 6347, January 2012.
[RFC7064] Nandakumar, S., Salgueiro, G., Jones, P., and M. Petit- [RFC7064] Nandakumar, S., Salgueiro, G., Jones, P., and M. Petit-
Huguenin, "URI Scheme for the Session Traversal Utilities Huguenin, "URI Scheme for the Session Traversal Utilities
for NAT (STUN) Protocol", RFC 7064, November 2013. for NAT (STUN) Protocol", RFC 7064, November 2013.
[RFC7065] Petit-Huguenin, M., Nandakumar, S., Salgueiro, G., and P. [RFC7065] Petit-Huguenin, M., Nandakumar, S., Salgueiro, G., and P.
Jones, "Traversal Using Relays around NAT (TURN) Uniform Jones, "Traversal Using Relays around NAT (TURN) Uniform
Resource Identifiers", RFC 7065, November 2013. Resource Identifiers", RFC 7065, November 2013.
9.2. Informative References 8.2. Informative References
[RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", RFC 6982, July
2013.
[I-D.thomson-rtcweb-ice-dtls] [ICE-DTLS] Thomson, M., "Using Datagram Transport Layer Security
Thomson, M., "Using Datagram Transport Layer Security
(DTLS) For Interactivity Connectivity Establishment (ICE) (DTLS) For Interactivity Connectivity Establishment (ICE)
Connectivity Checking: ICE-DTLS", draft-thomson-rtcweb- Connectivity Checking: ICE-DTLS", Work in Progress, March
ice-dtls-00 (work in progress), March 2012. 2012.
[I-D.jennings-sip-dtls] [SIP-DTLS] Jennings, C. and N. Modadugu, "Session Initiation Protocol
Jennings, C. and N. Modadugu, "Using Interactive (SIP) over Datagram Transport Layer Security (DTLS)", Work
Connectivity Establishment (ICE) in Web Real-Time in Progress, October 2007.
Communications (WebRTC)", draft-jennings-sip-dtls-05 (work
in progress), October 2007.
Appendix A. Examples Appendix A. Examples
Table 1 shows how the <secure>, <port> and <transport> components are Table 1 shows how the <secure>, <port>, and <transport> components
populated for a TURN URI that uses DTLS as its transport. For all are populated for a TURN URI that uses DTLS as its transport. For
these examples, the <host> component is populated with "example.net". all these examples, the <host> component is populated with
"example.net".
+---------------------------------+----------+--------+-------------+ +---------------------------------+----------+--------+-------------+
| URI | <secure> | <port> | <transport> | | URI | <secure> | <port> | <transport> |
+---------------------------------+----------+--------+-------------+ +---------------------------------+----------+--------+-------------+
| turns:example.net?transport=udp | true | | DTLS | | turns:example.net?transport=udp | true | | DTLS |
+---------------------------------+----------+--------+-------------+ +---------------------------------+----------+--------+-------------+
Table 1 Table 1
With the DNS RRs in Figure 1 and an ordered TURN transport list of With the DNS Resource Records (RRs) in Figure 1 and an ordered TURN
{DTLS, TLS, TCP, UDP}, the resolution algorithm will convert the TURN transport list of {DTLS, TLS, TCP, UDP}, the resolution algorithm
URI "turns:example.net" to the ordered list of IP address, port, and will convert the TURN URI "turns:example.net" to the ordered list of
protocol tuples in Table 2. IP address, port, and protocol tuples in Table 2.
example.net. example.net.
IN NAPTR 100 10 "" RELAY:turn.udp:turn.dtls "" datagram.example.net. IN NAPTR 100 10 "" RELAY:turn.udp:turn.dtls "" datagram.example.net.
IN NAPTR 200 10 "" RELAY:turn.tcp:turn.tls "" stream.example.net. IN NAPTR 200 10 "" RELAY:turn.tcp:turn.tls "" stream.example.net.
datagram.example.net. datagram.example.net.
IN NAPTR 100 10 S RELAY:turn.udp "" _turn._udp.example.net. IN NAPTR 100 10 S RELAY:turn.udp "" _turn._udp.example.net.
IN NAPTR 200 10 S RELAY:turn.dtls "" _turns._udp.example.net. IN NAPTR 200 10 S RELAY:turn.dtls "" _turns._udp.example.net.
stream.example.net. stream.example.net.
skipping to change at page 15, line 40 skipping to change at page 16, line 5
+-------+----------+------------+------+ +-------+----------+------------+------+
| Order | Protocol | IP address | Port | | Order | Protocol | IP address | Port |
+-------+----------+------------+------+ +-------+----------+------------+------+
| 1 | DTLS | 192.0.2.1 | 5349 | | 1 | DTLS | 192.0.2.1 | 5349 |
| 2 | TLS | 192.0.2.1 | 5349 | | 2 | TLS | 192.0.2.1 | 5349 |
+-------+----------+------------+------+ +-------+----------+------------+------+
Table 2 Table 2
Appendix B. Release notes
This section must be removed before publication as an RFC.
B.1. Modifications between ietf-tram-stun-dtls-04 and ietf-tram-stun-
dtls-05
o Resolve nits: Updates RFC in abstract.
o Update short title to reflect long title
o Simplify the introduction to simply states that TCP is not optimal
for realtime communications.
o Add refereence to RFC 5389 section 6 for the magic cookie.
o s/domain/domain name/
o Make clear that knowledge of the SDP is needed to be able to
inject a false XOR-MAPPED-ADDRESS.
o Invert the sentence about ICE round-trips to make clear that the
cited draft is just an evidence, not an advice.
o Rewrite of the IANA templates for Port numbers.
o Remove compression from the list of element to take in accoutn to
adjust the PMTU size, as it is now forbidden.
B.2. Modifications between ietf-tram-stun-dtls-03 and ietf-tram-stun-
dtls-04
o Add text to disable TLS compression.
o Add text to require usage of the DTLS cookie for NAT discovery and
NAT behavior discovery.
o Add text to so new usages talk about cookie usage.
o Change TLS-over-UDP to DTLS-over-UDP and use DTLS as alias for
DTLS over UDP..
o Use new text proposed by Simon Josefsson for the cipher suites.
o s/the same port/the same port number/
o s/application name/protocol name/
o Make clear that section 4.3 is only about the STUN Indication
method of media keep-alive.
o Changed contact information to IETF Chair in Port number template.
o Added email addresses in IANA templates.
B.3. Modifications between ietf-tram-stun-dtls-02 and ietf-tram-stun-
dtls-03
o Make it clear that both cipher suites are mandatory.
o Clarify that the ciphers suites listed are replacing the TLS
cipher suites.
o Change text so "mandatory" is not understood as compliance.
o Clarify that STUN URI are not to be used with some usages.
o Fix incorrect interpretation of ICE media keep-alive (and fixed
section #).
o Explain that sending media keep-alive inside DTLS is possible if
RFC 5764 is used.
o Added title/subtitle of IANA registries.
o Change to normatively update RFC 5389 and RFC 5928.
B.4. Modifications between ietf-tram-stun-dtls-01 and ietf-tram-stun-
dtls-02
o Add text saying that PFS is preferred over non-PFS, to be in sync
with the decision in the rtcweb session in London.
o Add text about IP address in STUN/TURN URIs.
o Nits
B.5. Modifications between ietf-tram-stun-dtls-00 and ietf-tram-stun-
dtls-01
o Update the mandatory cipher suites.
o Add a new open item to determine if we want to specify favoring
cipher suites which support PFS over non-PFS cipher suites.
o Close remaining opening items from previous draft.
B.6. Modifications between petithuguenin-tram-stun-dtls-00 and ietf-
tram-stun-dtls-00
o Draft renamed after WG adoption.
B.7. Modifications between petithuguenin-tram-turn-dtls-00 and
petithuguenin-tram-stun-dtls-00
o Add RFC 6982 information for rfc5766-turn-server project.
o Rename the draft as TURN is now just one of the usages.
o Remove the references in the abstract to make idnits happy.
o No longer updates other standard drafts.
o Rewrite from a STUN over DTLS point of view. The previous text
becomes section 4.6.
o Add IANA request for stuns port.
o Add acknowledgement section.
Authors' Addresses Authors' Addresses
Marc Petit-Huguenin Marc Petit-Huguenin
Jive Communications Jive Communications
1275 West 1600 North, Suite 100 1275 West 1600 North, Suite 100
Orem, UT 84057 Orem, UT 84057
USA USA
Email: marcph@getjive.com EMail: marcph@getjive.com
Gonzalo Salgueiro Gonzalo Salgueiro
Cisco Systems Cisco Systems
7200-12 Kit Creek Road 7200-12 Kit Creek Road
Research Triangle Park, NC 27709 Research Triangle Park, NC 27709
US USA
Email: gsalguei@cisco.com EMail: gsalguei@cisco.com
 End of changes. 62 change blocks. 
425 lines changed or deleted 176 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/