draft-ietf-tram-turnbis-18.txt   draft-ietf-tram-turnbis-19.txt 
TRAM WG T. Reddy, Ed. TRAM WG T. Reddy, Ed.
Internet-Draft McAfee Internet-Draft McAfee
Obsoletes: 5766,6156 (if approved) A. Johnston, Ed. Obsoletes: 5766,6156 (if approved) A. Johnston, Ed.
Intended status: Standards Track Rowan University Intended status: Standards Track Rowan University
Expires: November 30, 2018 P. Matthews Expires: December 5, 2018 P. Matthews
Alcatel-Lucent Alcatel-Lucent
J. Rosenberg J. Rosenberg
jdrosen.net jdrosen.net
May 29, 2018 June 03, 2018
Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Using Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN) Traversal Utilities for NAT (STUN)
draft-ietf-tram-turnbis-18 draft-ietf-tram-turnbis-19
Abstract Abstract
If a host is located behind a NAT, then in certain situations it can If a host is located behind a NAT, then in certain situations it can
be impossible for that host to communicate directly with other hosts be impossible for that host to communicate directly with other hosts
(peers). In these situations, it is necessary for the host to use (peers). In these situations, it is necessary for the host to use
the services of an intermediate node that acts as a communication the services of an intermediate node that acts as a communication
relay. This specification defines a protocol, called TURN (Traversal relay. This specification defines a protocol, called TURN (Traversal
Using Relays around NAT), that allows the host to control the Using Relays around NAT), that allows the host to control the
operation of the relay and to exchange packets with its peers using operation of the relay and to exchange packets with its peers using
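Review bot: The header line "Obsoletes: 5766,6156 (if approved)" is missing the space after the comma that RFC style uses for multi-value Obsoletes lists; since the line is carried over unchanged into -19, suggest "Obsoletes: 5766, 6156 (if approved)" in the next revision. The version bump to draft-ietf-tram-turnbis-19, the new document date June 03, 2018 and the new expiry December 5, 2018 are consistent with one another (expiry falls 185 days after the document date, as it did for the May 29 / November 30 pair).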
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 30, 2018. This Internet-Draft will expire on December 5, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 12, line 5 skipping to change at page 12, line 5
An allocation can have zero or more permissions. Each permission An allocation can have zero or more permissions. Each permission
consists of an IP address and a lifetime. When the server receives a consists of an IP address and a lifetime. When the server receives a
UDP datagram on the allocation's relayed transport address, it first UDP datagram on the allocation's relayed transport address, it first
checks the list of permissions. If the source IP address of the checks the list of permissions. If the source IP address of the
datagram matches a permission, the application data is relayed to the datagram matches a permission, the application data is relayed to the
client, otherwise the UDP datagram is silently discarded. A TURN client, otherwise the UDP datagram is silently discarded. A TURN
server can be configured to permit inbound STUN packets on the server can be configured to permit inbound STUN packets on the
allocation's relayed address even if the source IP addresses of the allocation's relayed address even if the source IP addresses of the
STUN packets do not match the permissions installed. The filtering STUN packets do not match the permissions installed. The filtering
rule to block all traffic except STUN packets speeds up STUN rule to block all traffic except STUN packets speeds up STUN
connectivity checks, allowing the remote peer to initiate connectivity checks, addressing the race condition that exists when
connectivity checks to the client while the client is creating the remote peer sends connectivity checks before the client has had a
permissions in the TURN server for the remote peer IP addresses. chance to create permissions in the TURN server for the remote peer
IP addresses.
A permission expires after 5 minutes if it is not refreshed, and A permission expires after 5 minutes if it is not refreshed, and
there is no way to explicitly delete a permission. This behavior was there is no way to explicitly delete a permission. This behavior was
selected to match the behavior of a NAT that complies with [RFC4787]. selected to match the behavior of a NAT that complies with [RFC4787].
The client can install or refresh a permission using either a The client can install or refresh a permission using either a
CreatePermission request or a ChannelBind request. Using the CreatePermission request or a ChannelBind request. Using the
CreatePermission request, multiple permissions can be installed or CreatePermission request, multiple permissions can be installed or
refreshed with a single request -- this is important for applications refreshed with a single request -- this is important for applications
that use ICE. For security reasons, permissions can only be that use ICE. For security reasons, permissions can only be
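Review bot: In the reworded sentence "The filtering rule to block all traffic except STUN packets speeds up STUN connectivity checks, addressing the race condition ...", the new clause describes correctness (a connectivity check that arrives before the client has created the permission is no longer dropped), not speed, so "speeds up" now reads as a leftover of the -18 wording; suggest "allows STUN connectivity checks to succeed immediately, addressing the race condition that exists when ...". Also, this overview paragraph introduces forwarding of inbound STUN packets whose source address matches no permission without mentioning the flooding risk that creates; a one-sentence forward reference to the requirement later in the document that the server MUST apply a security policy (well-formedness, packet-size and rate limits) to such packets would keep the overview from reading as an unconditional relaxation of the permission model.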
skipping to change at page 72, line 35 skipping to change at page 72, line 35
communications to the client will be less restrictive than what the communications to the client will be less restrictive than what the
firewall would normally allow. firewall would normally allow.
When a TURN server is configured to permit inbound STUN packets on When a TURN server is configured to permit inbound STUN packets on
the allocation's relayed address even if the source IP addresses of the allocation's relayed address even if the source IP addresses of
the STUN packets do not match the permissions installed, the TURN the STUN packets do not match the permissions installed, the TURN
server MUST have a security policy for inbound STUN packets from IP server MUST have a security policy for inbound STUN packets from IP
addresses not matching the permissions installed in order to prevent addresses not matching the permissions installed in order to prevent
an attacker from flooding the TURN client with STUN-like packets. an attacker from flooding the TURN client with STUN-like packets.
The TURN server can limit forwarding to well-formed STUN connectivity The TURN server can limit forwarding to well-formed STUN connectivity
check packets by looking for the STUN atrributes USERNAME and check packets by looking for the STUN attributes USERNAME and
MESSAGE-INTEGRITY and verifying that the message does not exceed a MESSAGE-INTEGRITY and verifying that the message does not exceed a
specific configurable packet size. Additionally, the TURN server specific configurable packet size. Additionally, the TURN server
policy can be configured with maximum rate-limits for the number of policy can be configured with maximum rate-limits for the number of
STUN packets allowed in a TURN session, STUN packets allowed per STUN packets allowed in a TURN session, STUN packets allowed per
second, and IP addresses allowed to send STUN packets. second, and IP addresses allowed to send STUN packets.
19.2.1. Faked Permissions 19.2.1. Faked Permissions
In firewalls and NAT devices, permissions are granted implicitly In firewalls and NAT devices, permissions are granted implicitly
through the traversal of a packet from the inside of the network through the traversal of a packet from the inside of the network
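Review bot: Beyond the "atrributes" to "attributes" typo fix, the sentence "limit forwarding to well-formed STUN connectivity check packets by looking for the STUN attributes USERNAME and MESSAGE-INTEGRITY" should say explicitly that the server only checks for the presence of these attributes: the TURN server does not hold the peers' ICE credentials, so it cannot validate MESSAGE-INTEGRITY, and presence of the two attributes is not evidence that a packet is a legitimate check. That makes the configurable packet-size limit and the per-session, per-second and per-source-address limits the actual mitigation, and the text would be clearer if it said so, e.g. "by checking that the STUN attributes USERNAME and MESSAGE-INTEGRITY are present (the server cannot verify MESSAGE-INTEGRITY, since it does not know the ICE credentials) and that the message does not exceed a specific configurable packet size". Minor: "maximum rate-limits for the number of ... IP addresses allowed to send STUN packets" mixes a rate limit with a count; "number of distinct source IP addresses allowed to send STUN packets" would be more precise.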
skipping to change at page 78, line 49 skipping to change at page 78, line 49
Most of the text in this note comes from the original TURN Most of the text in this note comes from the original TURN
specification, [RFC5766]. The authors would like to thank Rohan Mahy specification, [RFC5766]. The authors would like to thank Rohan Mahy
co-author of original TURN specification and everyone who had co-author of original TURN specification and everyone who had
contributed to that document. The authors would also like to contributed to that document. The authors would also like to
acknowledge that this document inherits material from [RFC6156]. acknowledge that this document inherits material from [RFC6156].
Thanks to Justin Uberti, Pal Martinsen, Oleg Moskalenko, Aijun Wang Thanks to Justin Uberti, Pal Martinsen, Oleg Moskalenko, Aijun Wang
and Simon Perreault for their help on SSODA mechanism. Authors would and Simon Perreault for their help on SSODA mechanism. Authors would
like to thank Gonzalo Salgueiro, Simon Perreault, Jonathan Lennox, like to thank Gonzalo Salgueiro, Simon Perreault, Jonathan Lennox,
Brandon Williams, Karl Stahl, Noriyuki Torii and Oleg Moskalenko for Brandon Williams, Karl Stahl, Noriyuki Torii, Nils Ohlmeier, Justin
comments and review. The authors would like to thank Marc for his Uberti and Oleg Moskalenko for comments and review. The authors
contributions to the text. Thanks to Eric Rescorla for proposing the would like to thank Marc for his contributions to the text. Thanks
update to allow the TURN server to forward inbound STUN connectivity to Eric Rescorla for proposing the update to allow the TURN server to
checks without permission. forward inbound STUN connectivity checks without permission.
24. References 24. References
24.1. Normative References 24.1. Normative References
[I-D.ietf-tram-stunbis] [I-D.ietf-tram-stunbis]
Petit-Huguenin, M., Salgueiro, G., Rosenberg, J., Wing, Petit-Huguenin, M., Salgueiro, G., Rosenberg, J., Wing,
D., Mahy, R., and P. Matthews, "Session Traversal D., Mahy, R., and P. Matthews, "Session Traversal
Utilities for NAT (STUN)", draft-ietf-tram-stunbis-18 Utilities for NAT (STUN)", draft-ietf-tram-stunbis-18
(work in progress), May 2018. (work in progress), May 2018.
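Review bot: The added names Nils Ohlmeier and Justin Uberti go into the review-credit sentence while Justin Uberti and Oleg Moskalenko are also thanked in the preceding SSODA sentence; that is fine, but since the paragraph is being touched, its grammar deserves the same pass: "Rohan Mahy co-author of original TURN specification" needs commas and an article ("Rohan Mahy, co-author of the original TURN specification,"), "help on SSODA mechanism" should read "help on the SSODA mechanism", "Authors would like to thank" should read "The authors would like to thank", and "thank Marc for his contributions" identifies a contributor by first name only where every other name is given in full.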
 End of changes. 7 change blocks. 
13 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/