TRAM M. Thomson Internet-Draft Mozilla Intended status: Standards Track B. Aboba Expires: January 5, 2015 Microsoft A. Johnston Avaya O. Moskalenko public project rfc5766-turn-server July 4, 2014 A Bandwidth Attribute for TURN draft-thomson-tram-turn-bandwidth-01 Abstract An attribute is defined for Session Traversal Utilities for NAT (STUN) that allows for declarations of bandwidth limits on the negotiated flow. The application of this attribute is the negotiation of bandwidth between a Traversal Using Relays around NAT (TURN) client and a TURN server. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 5, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Thomson, et al. Expires January 5, 2015 [Page 1] Internet-Draft TURN Bandwidth July 2014 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. The BANDWIDTH Attribute . . . . . . . . . . . . . . . . . . . . 4 4. Applications . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. STUN Usage . . . . . . . . . . . . . . . . . . . . . . . . 4 4.2. TURN Usage . . . . . . . . . . . . . . . . . . . . . . . . 5 4.3. ICE Usage . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. Bandwidth Measurement Considerations . . . . . . . . . . . . . 5 5.1. Rate Enforcement . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 8. Implementation Status . . . . . . . . . . . . . . . . . . . . . 6 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . . 7 9.2. Informative References . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Thomson, et al. Expires January 5, 2015 [Page 2] Internet-Draft TURN Bandwidth July 2014 1. Introduction This document defines a BANDWIDTH attribute that can be used to request and allocate bandwidth at a Traversal Using Relays around NAT (TURN) relay [RFC5766]. The operator of a TURN server will likely wish to provide fairness between relayed sessions. A TURN server might also wish to limit the use of service to audio-only sessions, or low bandwidth video and audio sessions. In addition, the server may apply rate-limiting policy depending on the credential used for authentication, or the origin of the client. Without the BANDWIDTH attribute, there is no way for a client to indicate the expected bandwidth utilization, or for the server to indicate the maximum bandwidth utilization allowed before rate limiting could be applied. This attribute is used for indicating a bandwidth limit that is set in policy. The sender is not advised or required to utilize bandwidth up to this limit; limits are usually set well in excess of application needs. Senders also limit their use of bandwidth in reaction to path congestion and "circuit breakers". Note that the BANDWIDTH attribute was originally in the TURN draft up to version draft-ietf-behave-turn-07 where it was removed as "the requirements for this feature were not clear and it was felt the feature could be easily added later." This draft proposes adding this attribute back into TURN. A related error code 507 "Insufficient Bandwidth Capacity" was also defined in the TURN Internet-Draft, but is not proposed in this draft. This attribute has also been proposed to be used by ICE to provide communication consent [I-D.thomson-mmusic-rtcweb-bw-consent]. No use cases have been identified where bandwidth information is useful for a STUN server which is responding to STUN binding requests. There have been discussions about what other media-related information could be usefully exchanged between a TURN client and a TURN server. One proposal was for the actual media type (voice, video, data) to be exchanged. Other proposals include more granularity over the bandwidth, including max, min, average, etc. While these could be added, the authors do not feel the use cases for these data have been sufficiently developed yet. Also, this information is known in signaling through the SDP attributes and parameters. In a particular implementation, it could be possible for a signaling-aware entity to share this information with a TURN server in order to apply policy for the media relay. Thomson, et al. Expires January 5, 2015 [Page 3] Internet-Draft TURN Bandwidth July 2014 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [RFC2119] and indicate requirement levels for compliant implementations. The terms client, server, and peer are those used for TURN, as defined in [RFC5766]. 3. The BANDWIDTH Attribute The BANDWIDTH attribute (identifier TBD) identifies the rate of packet transmission in kilobits per second that is permitted for a given transport flow. The BANDWIDTH attribute is a comprehension- optional attribute (see Section 15 from [RFC5389]). Figure 1 shows the format of this attribute. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attribute Type (TBD) | Length (4) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Bandwidth | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Bandwidth Attribute Format The value of this attribute is an unsigned integer that represents the maximum bandwidth for the flow in kilobits per second (1 kilobit = 1024 bits). This is the original format of the Bandwidth attribute. This format could include a maximum and average bandwidth, as the BANDWIDTH-USAGE attribute proposed in [I-D.martinsen-tram-discuss]. 4. Applications This section discusses the application of the BANDWIDTH attribute for STUN, TURN, and ICE. 4.1. STUN Usage Since the bandwidth of a communications session has no bearing on a STUN server that simply responds to binding requests, this attribute MUST NOT be used for client-server STUN requests or responses. Thomson, et al. Expires January 5, 2015 [Page 4] Internet-Draft TURN Bandwidth July 2014 4.2. TURN Usage This attribute can be useful for communication between a TURN client and a TURN server. The BANDWIDTH attribute indicates a limit to available bandwidth for TURN [RFC5766] allocation. The bandwidth limit is symmetric; the value covers the bandwidth of data sent from a peer toward the TURN server and the bandwidth of data sent from client to the TURN server. A BANDWIDTH attribute MAY be present in an Allocate request. This attribute indicates that the given bandwidth is requested. A BANDWIDTH attribute MAY be present in an Allocate response. This attribute in a response indicates the limit that will be applied by the TURN server. The value a TURN server provides could be influenced by the value that a TURN client requests at the discretion of server policy. A client could use this bandwidth limitation of the TURN server in choosing media types or in choosing codecs for a media session. 4.3. ICE Usage While [I-D.thomson-mmusic-rtcweb-bw-consent] proposed the use of the BANDWIDTH attribute to provide bandwidth consent for ICE, this draft does not do so. This attribute MUST NOT be used with ICE. 5. Bandwidth Measurement Considerations Allocation messages (Binding and Allocate) sent to and from the TURN server are exempt from any bandwidth measurement accounting. In calculating bandwidth, the entire IP packet - including the header - is measured. This is identical to the measurement performed by the Real-time Transport Protocol (RTP) [RFC3550]. At a TURN server, bandwidth measurement is performed on the packets arriving at or leaving from the TURN server, prior to the encapsulation that occurs between TURN server and TURN client. Determining the rate requires that the bits be allocated to specific intervals of time. How bits are allocated MAY vary between implementations. Measurement of bandwidth is imperfect and inconsistent. Packet jitter can result in fluctuations in received packet rate so that a receiver might see an instantaneous bandwidth that is different to what the sender might have transmitted. Jitter can cause the observed bandwidth of incoming packets to temporarily increase above Thomson, et al. Expires January 5, 2015 [Page 5] Internet-Draft TURN Bandwidth July 2014 the permitted rate. At a minimum, implementations SHOULD allow for short periods of excessive bandwidth to allow for these temporary increases. 5.1. Rate Enforcement Enforcement of limits by the TURN server SHOULD provide an allowance for application usages that temporarily exceed the limit. For example, assessing observed bandwidth usage as an average over 10 seconds ensures that real-time video does not clip unnecessarily; shorter durations could result in the enforcement affecting valuable intra-frames. 6. Security Considerations For STUN requests or responses that are not sent using TLS or DTLS transport, the bandwidth information contained in the BANDWIDTH attribute will be available to an eavesdropper who could use it to learn about the nature of a session to be established. For example, they might be able to deduce from the bandwidth requested that the session is likely to be audio only, or audio and video. However, an on-path attacker can likely learn this same information from either the signaling channel or by inspecting the RTP packet headers, which are in the clear for SRTP, or simply by measuring the media bandwidth used. If a STUN request or response is transported using TCP or UDP, the BANDWIDTH attribute will have integrity protection from the MESSAGE- INTEGRITY attribute if the request is authenticated using the STUN short-term or long-term authentication method. Unauthenticated TCP or UDP requests will not have integrity protection and could be modified by a MitM attacker. The use of DTLS transport [I-D.ietf-tram-stun-dtls] provides integrity protection for the BANDWIDTH attribute regardless of the STUN authentication method used. 7. IANA Considerations The STUN BANDWIDTH attribute uses the TBD value in the comprehension- optional range. This attribute is registered in the "STUN Attribute" Registry following the procedures of Section 18.2 of [RFC5389]. 8. Implementation Status Note to RFC Editor: Please remove this entire section prior to Thomson, et al. Expires January 5, 2015 [Page 6] Internet-Draft TURN Bandwidth July 2014 publication, including the reference to RFC 6982. This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC6982]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to [RFC6982], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". A multiple realms capable advanced open source TURN server (named 'Coturn') has been created by Oleg Moskalenko and is freely licensed under the New BSD license. This reference implementation and proof- of-concept provides a clone (a spin-off) of the rfc5766-turn-server project adding STUN BANDWIDTH attribute support, among other TRAM Working Group STUN and TURN extensions. 'Coturn' is backward-compatible with rfc5766-turn-server project but the code is more complex and it uses a different (also more complex) database structure. It is the intent to add all IETF TRAM TURN server related capabilities to this project as they mature. 'Coturn' is publicly available and can be found at: https://code.google.com/p/coturn/ 9. References 9.1. Normative References [I-D.ietf-tram-stun-dtls] Petit-Huguenin, M. and G. Salgueiro, "Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN)", draft-ietf-tram-stun-dtls-05 (work in progress), June 2014. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Thomson, et al. Expires January 5, 2015 [Page 7] Internet-Draft TURN Bandwidth July 2014 Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", RFC 5245, April 2010. [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, "Session Traversal Utilities for NAT (STUN)", RFC 5389, October 2008. [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)", RFC 5766, April 2010. 9.2. Informative References [I-D.martinsen-tram-discuss] Martinsen, P. and H. Wildfeuer, "Differentiated prIorities and Status Code-points Using Stun Signalling (DISCUSS)", draft-martinsen-tram-discuss-00 (work in progress), February 2014. [I-D.thomson-mmusic-rtcweb-bw-consent] Thomson, M. and B. Aboba, "Bandwidth Constraints for Session Traversal Utilities for NAT (STUN)", draft-thomson-mmusic-rtcweb-bw-consent-00 (work in progress), October 2012. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003. [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", RFC 6982, July 2013. Thomson, et al. Expires January 5, 2015 [Page 8] Internet-Draft TURN Bandwidth July 2014 Authors' Addresses Martin Thomson Mozilla 331 E Evelyn Street Mountain View, CA 94041 USA Phone: +1 650-353-1925 Email: martin.thomson@gmail.com Bernard Aboba Microsoft One Microsoft Way Redmond, WA 98052 USA Email: bernard_aboba@outlook.com Alan Johnston Avaya St. Louis, MO USA Email: alan.b.johnston@gmail.com Oleg Moskalenko public project rfc5766-turn-server Walnut Creek, CA USA Email: mom040267@gmail.com URI: https://code.google.com/p/rfc5766-turn-server/ Thomson, et al. Expires January 5, 2015 [Page 9]