Behave J. Rosenberg Internet-Draft Cisco Systems Intended status: Standards Track R. Mahy Expires: May 7, 2009 Unaffiliated November 3, 2008 Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations draft-ietf-behave-turn-tcp-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on May 7, 2009. Copyright Notice Copyright (C) The IETF Trust (2008). Abstract This specification defines an extension of Traversal Using Relays around NAT (TURN), a relay protocol for NAT traversal, to allows a TURN client to request TCP allocations, and defines new requests and indications for the TURN server to open and accept TCP connections with the client's peers. TURN and this extension both purposefully restrict the ways in which the relayed address can be used. In particular, it prevents users from running general purpose servers Rosenberg & Mahy Expires May 7, 2009 [Page 1]
Internet-Draft TURN TCP November 2008 from ports obtained from the STUN server. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview of Operation . . . . . . . . . . . . . . . . . . . . 3 3. Client Processing . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Creating an Allocation . . . . . . . . . . . . . . . . . . 6 3.2. Refreshing an Allocation . . . . . . . . . . . . . . . . . 6 3.3. Initiating a Connection . . . . . . . . . . . . . . . . . 6 3.4. Receiving a Connection . . . . . . . . . . . . . . . . . . 7 3.5. Sending and Receiving Data . . . . . . . . . . . . . . . . 7 3.6. Data Connection Maintenance . . . . . . . . . . . . . . . 7 4. TURN Server Behavior . . . . . . . . . . . . . . . . . . . . . 7 4.1. Receiving a TCP Allocate Request . . . . . . . . . . . . . 7 4.2. Receiving a Connect Request . . . . . . . . . . . . . . . 7 4.3. Receiving a TCP Connection on an Allocated Port . . . . . 7 4.4. Receiving a ConnectionBind Request . . . . . . . . . . . . 7 4.5. Connection Maintenance . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5.1. New STUN Methods . . . . . . . . . . . . . . . . . . . . . 8 5.2. New STUN Attributes . . . . . . . . . . . . . . . . . . . 8 5.3. New STUN response codes . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 8. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 8 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . . . . 10 Rosenberg & Mahy Expires May 7, 2009 [Page 2]
Internet-Draft TURN TCP November 2008 1. Introduction Traversal Using Relays around NAT (TURN) [2] is an extension to the Session Traversal Utilities for NAT [1] protocol. TURN allows for clients to communicate with a TURN server, and ask it to allocate ports on one of its host interfaces, and then relay traffic between that port and the client itself. TURN, when used in concert with STUN and Interactive Connectivity Establishment (ICE) [4] form a solution for NAT traversal for UDP-based media sessions. However, TURN itself does not provide a way for a client to allocate a TCP-based port on a TURN server. Such an allocation is needed for cases where a TCP-based session is desired with a peer, and NATs prevent a direct TCP connection. Examples include application sharing between desktop softphones, or transmission of pictures during a voice communications session. This document defines an extension to TURN which allows a client to obtain a TCP allocation. It also allows the client to initiate connections from that allocation to peers, and accept connection requests from peers made towards that allocation. 2. Overview of Operation Rosenberg & Mahy Expires May 7, 2009 [Page 3]
Internet-Draft TURN TCP November 2008 +--------+ | | | Peer1 | / | | / | | / +--------+ / / / Peer Data 1 / +--------+ Control +--------+ / | | -------------- | | / | Client | Client Data 1 | TURN | | | -------------- | Server | \ | | -------------- | | \ +--------+ Client Data 2 +--------+ \ \ \ \ +--------+ \ | | Peer Data 2 \ | Peer2 | \ | | | | +--------+ Figure 1: TURN TCP Model The overall model for TURN-TCP is shown in Figure 1. The client will have two different types of connections to its TURN server. For each allocated port, it will have a single control connection. Control connections are used to obtain allocations and open up new connections. Furthermore, for each connection to a peer, the client will have a single connection to its TURN server. These connections are called data connections. Consequently, there is a data connection from the client to its TURN server (the client data connection) and one from the TURN server to a peer (the peer data connection). Actual application data is sent on these connections. Indeed, after an initial TURN message which binds the client data connection to a peer data connection, only application data can be sent - no TURN messaging. This is in contrast to the control connection, which only allows TURN messages and not application data. To obtain a TCP-based allocation, a client must have a TCP or TLS connection to its TURN server. Using that connection, it sends an Allocate request. That request contains a REQUESTED-TRANSPORT attribute, which indicates a TCP-based allocation is desired. A server which supports this extension will allocate a TCP port and Rosenberg & Mahy Expires May 7, 2009 [Page 4]
Internet-Draft TURN TCP November 2008 begin listening for connection requests on that port. It then returns the allocated port to the client in the resposne to the Allocate request. The connection on which the Allocate request was sent is the control connection. If a client wishes to establish a TCP connection to a peer from that allocated address, it issues a Connect request to the TURN server over the control connection. That request contains a XOR-PEER- ADDRESS attribute identifying the peer IP address and port to which a connection is to be made. The TURN server attempts to open the TCP connection, and assuming it succeeds, then responds to the Connect request with a success response. The server also creates a connection identifier associated with this connection, and passes that connection identifier back to the client in the success response. In order to actually send data on the new connection or otherwise utilize it in any way, the client establishes a new TCP connection to its TURN server. Once established, it issues a ConnectionBind request to the server. That request echoes back the connection identifier to the TURN server. The TURN server uses it to correlate the two connections. As a consequence, the TCP connection to the peer is associated with a TCP connection to the client 1-to-1. The two connections are now data connections. At this point, if the server receives data from the peer, it forwards that data towards the client, without any kind of encapsulation. Any data received by the TURN server from the client over the client data connection are forwarded to the peer, again without encapsulation or framing of any kind. Once a connection has been bound using the ConnectionBind request, TURN processing is no longer permitted on the connection. In a similar way, when a peer attempts to open a TCP towards the allocated port, if there is no permission in place for that peer, the connection attempt is discarded. Permissions are created with the CreatePermission request sent over the control connection, just as for UDP TURN. If there is a permission in place, the TURN server sends, to the client, a ConnectionAttempt Indication over the control connection. That indication contains a connection identifier. Once again, the client initiates a separate TCP connection to its TURN server, and over that connection, issues a ConnectionBind request. Once received, the TURN server will accept the connection from the peer and begin relaying data back and forth. If the client closes a client data connection, the corresponding peer data connection is closed. If the peer closes a peer data connection, the corresponding client data connection is closed. In this way, the status of the connection is directly known to the client. Rosenberg & Mahy Expires May 7, 2009 [Page 5]
Internet-Draft TURN TCP November 2008 The TURN server will relay the data between the client and peer data connections, utilizing an internal buffer. However, back pressure is used in order to achieve end-to-end flow control. If the buffer from client to peer fills up, the TURN server ceases to read off the client data connection, which causes TCP backpressure through the OS towards the client. 3. Client Processing 3.1. Creating an Allocation To create a TCP allocation, a client MUST initiate a new TCP or TLS connection to its TURN server, identical to the TCP or TLS procedures defined in [2]. TCP allocations cannot be obtained using a UDP association between client and server. Once set up, a client MUST send a TURN Allocate request. That request MUST contain a REQUESTED-TRANSPORT attribute whose value is 6, corresponding to TCP. The request MUST NOT include a DONT-FRAGMENT, RESERVATION-TOKEN or EVEN-PORT attribute. The corresponding features are specific to UDP based capabilities and are not utilized by TURN-TCP. However, a LIFETIME attribute MAY be included, with semantics identical to the TCP case. The procedures for authentication of the Allocate request and processing of success and failure responses are identical to those for TCP. Once a success response is received, the TCP connection to the TURN server is called the control connection for that allocation. 3.2. Refreshing an Allocation The procedures for refreshing an allocation are identical to those for UDP. Note that the Refresh MUST be sent on the control connection. 3.3. Initiating a Connection To initiate a TCP connection to a peer, a client MUST send a Connect request over the control channel for the desired allocation. This request MUST NOT be sent until an Allocate request has been completed successfully over that connection. The Connect request MUST include a XOR-PEER-ADDRESS attribute containing the IP address and port of the peer to which a connection is desired. Rosenberg & Mahy Expires May 7, 2009 [Page 6]
Internet-Draft TURN TCP November 2008 If the connection is successfully established, the client will receive a success response. That response will contain a CONNECTION-ID attribute. The client MUST initiate a new TCP connection to the server, utilizing the same destination IP address and port on which the control connection was established to. This connection MUST be made using a different local IP address and port. Once established, the client MUST send a ConnectionBind request. That request MUST include the CONNECTION-ID attribute, mirrored from the Connect Success response. When a response to the ConnectionBind request is recevied, if it is a success, the TCP connection on which it was sent is called the client data connection corresponding to the peer. If the result of the Connect request was a Error Response, and the response code was XXX, it means that the TURN server was unable to connect to the peer. The client MAY retry, but MUST wait at least 10 seconds. 3.4. Receiving a Connection 3.5. Sending and Receiving Data 3.6. Data Connection Maintenance 4. TURN Server Behavior 4.1. Receiving a TCP Allocate Request 4.2. Receiving a Connect Request 4.3. Receiving a TCP Connection on an Allocated Port 4.4. Receiving a ConnectionBind Request 4.5. Connection Maintenance 5. IANA Considerations This specification defines several new STUN methods, STUN attributes, and STUN response codes. This section directs IANA to add these new protocol elements to the IANA registry of STUN protocol elements. Rosenberg & Mahy Expires May 7, 2009 [Page 7]
Internet-Draft TURN TCP November 2008 5.1. New STUN Methods 0x007 : Connect 0x008 : ConnectionBind 0x009 : ConnectionAttempt 5.2. New STUN Attributes 0xTBD : ConnectionID 5.3. New STUN response codes 446 Connection Already Exists XXX Connection Timeout or Failure 6. Security Considerations TBD 7. IANA Considerations TBD 8. IAB Considerations TBD. 9. Acknowledgements The authors would like to thank Marc Petit-Huguenin for his comments and suggestions. 10. References 10.1. Normative References [1] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, "Session Traversal Utilities for NAT (STUN)", RFC 5389, October 2008. [2] Rosenberg, J., Mahy, R., and P. Matthews, "Traversal Using Rosenberg & Mahy Expires May 7, 2009 [Page 8]
Internet-Draft TURN TCP November 2008 Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)", draft-ietf-behave-turn-11 (work in progress), October 2008. [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 10.2. Informative References [4] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", draft-ietf-mmusic-ice-19 (work in progress), October 2007. Authors' Addresses Jonathan Rosenberg Cisco Systems 600 Lanidex Plaza Parsippany, NJ 07054 US Phone: +1 973 952-5000 Email: jdrosen@cisco.com URI: http://www.jdrosen.net Rohan Mahy Unaffiliated Email: rohan@ekabal.com Rosenberg & Mahy Expires May 7, 2009 [Page 9]
Internet-Draft TURN TCP November 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Rosenberg & Mahy Expires May 7, 2009 [Page 10]