Transcript PPT Version
Modification Proposals to Current TURN
Spec
Mikael Latvala
Company Confidential
1
© 2005 Nokia
V1-Filename.ppt / yyyy-mm-dd / Initials
One Motivating Use Case
[Diagram: a Home Network behind a Home Gateway, reached across the Internet from a Remote Network]
Problem Statement #1
• Restriction on how TURN can be used (draft-ietf-behave-turn-05.txt)
“A successful Allocate transaction just reserves a transport address on the TURN
server. Data does not flow through an allocated transport address until the TURN
client asks the TURN server to open a permission, which is done with a Send
Indication. While the client can request more than one permission per allocation, it
needs to request each permission explicitly and one at a time. This insures that a
client can't use a TURN server to run a traditional server, and partially protects the
client from DoS attacks. “
• Particular problems for the home network
• The home owner cannot know beforehand from which (external) IP address s/he is going to access the home network
• Even if the home owner did magically know all the external IP addresses, most home automation and many AV-based devices would not be able to request such permissions, because there is no mechanism by which the home owner could tell the devices what these external IP addresses are
Problem Statement #2
• Restriction on how ports are allocated (draft-ietf-behave-turn-05.txt)
“The server SHOULD only allocate ports in the range 1024-65535. “
• The document should not take a stand on how TURN is used.
• This is a deployment issue and must be left up to the individual entity to decide whether such restrictions should be enforced
Change proposals
1. Allow the TURN client to disable/enable permission functionality in the TURN server
  • Add a new attribute PERMISSION which can have the following values
    • Address dependent
    • Address/port dependent (does someone really need this?)
    • Disabled
2. Change/remove the appropriate sections in the spec to reflect the proposed change in 1.
  • E.g. in 7.2.2 (there are other sections too)
    • “If a server receives a UDP packet on an allocated UDP transport address, it checks the permissions associated with that allocation. If the source IP address of the UDP packet matches one of the permissions (the source port is not used), the UDP packet is accepted. Otherwise, it is discarded. If the packet is accepted, it is forwarded to the client as described below.”
3. Remove the following paragraph in 6.2.1.4
  • “The server SHOULD only allocate ports in the range 1024-65535. This is one of several ways to prohibit relayed transport addresses from being used to attempt to run standard services.”
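To make the effect of proposal 1 concrete, the following is an added example (not code from the draft or from the presenter) that models the 7.2.2 permission check on the relay side under each proposed PERMISSION value; the enum names, the Allocation class and the sample peer addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class PermissionMode(Enum):
    """Values of the proposed PERMISSION attribute (names are assumptions)."""
    ADDRESS = "address-dependent"            # draft-05 rule: compare source IP only
    ADDRESS_PORT = "address-port-dependent"  # compare source IP and source port
    DISABLED = "disabled"                    # relay forwards packets from any peer


@dataclass
class Allocation:
    """One relayed transport address and the permissions opened for it."""
    mode: PermissionMode
    # permissions opened by Send Indications, as (peer_ip, peer_port)
    permissions: Set[Tuple[str, int]] = field(default_factory=set)

    def open_permission(self, peer_ip: str, peer_port: int) -> None:
        self.permissions.add((peer_ip, peer_port))

    def accepts(self, src_ip: str, src_port: int) -> bool:
        """Decide whether a UDP packet arriving at the relay is forwarded."""
        if self.mode is PermissionMode.DISABLED:
            # proposal 1: client asked the server not to enforce permissions,
            # so unknown peers (e.g. the home owner's unpredictable external
            # address) reach the client, at the cost of the DoS protection
            return True
        if self.mode is PermissionMode.ADDRESS:
            # section 7.2.2 as written: source port is not used
            return any(ip == src_ip for ip, _ in self.permissions)
        return (src_ip, src_port) in self.permissions


def relay_decisions(mode: PermissionMode,
                    permissions: List[Tuple[str, int]],
                    packets: List[Tuple[str, int]]) -> List[bool]:
    """Return the accept/discard decision for each incoming packet."""
    alloc = Allocation(mode)
    for ip, port in permissions:
        alloc.open_permission(ip, port)
    return [alloc.accepts(ip, port) for ip, port in packets]


# constructed sample: one permitted peer, then packets from that peer on a
# different port and from an address the client never named
PERMITTED = [("198.51.100.7", 5000)]
PACKETS = [("198.51.100.7", 5000), ("198.51.100.7", 6000), ("203.0.113.9", 5000)]
```

Running `relay_decisions` over `PACKETS` in each mode shows that only the Disabled value lets the unnamed peer through, which is exactly the trade-off the draft's DoS remark is about.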