idnits 2.17.1 draft-ietf-behave-turn-tcp-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 4, 2009) is 5531 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5389 (Obsoleted by RFC 8489) == Outdated reference: A later version (-16) exists of draft-ietf-behave-turn-12 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Behave S. Perreault, Ed. 3 Internet-Draft Viagenie 4 Intended status: Standards Track J. Rosenberg 5 Expires: September 5, 2009 Cisco Systems 6 March 4, 2009 8 Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations 9 draft-ietf-behave-turn-tcp-02.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on September 5, 2009. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This specification defines an extension of Traversal Using Relays 48 around NAT (TURN), a relay protocol for NAT traversal, to allows a 49 TURN client to request TCP allocations, and defines new requests and 50 indications for the TURN server to open and accept TCP connections 51 with the client's peers. TURN and this extension both purposefully 52 restrict the ways in which the relayed address can be used. In 53 particular, it prevents users from running general purpose servers 54 from ports obtained from the STUN server. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Overview of Operation . . . . . . . . . . . . . . . . . . . . 4 61 4. Client Processing . . . . . . . . . . . . . . . . . . . . . . 6 62 4.1. Creating an Allocation . . . . . . . . . . . . . . . . . . 6 63 4.2. Refreshing an Allocation . . . . . . . . . . . . . . . . . 6 64 4.3. Initiating a Connection . . . . . . . . . . . . . . . . . 7 65 4.4. Receiving a Connection . . . . . . . . . . . . . . . . . . 7 66 4.5. Sending and Receiving Data . . . . . . . . . . . . . . . . 8 67 4.6. Data Connection Maintenance . . . . . . . . . . . . . . . 8 68 5. TURN Server Behavior . . . . . . . . . . . . . . . . . . . . . 8 69 5.1. Receiving a TCP Allocate Request . . . . . . . . . . . . . 8 70 5.2. Receiving a Connect Request . . . . . . . . . . . . . . . 9 71 5.3. Receiving a Listen Request . . . . . . . . . . . . . . . . 10 72 5.4. Receiving a TCP Connection on an Allocated Port . . . . . 10 73 5.5. Receiving a ConnectionBind Request . . . . . . . . . . . . 11 74 5.6. Data Connection Maintenance . . . . . . . . . . . . . . . 11 75 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 76 6.1. New STUN Methods . . . . . . . . . . . . . . . . . . . . . 12 77 6.2. New STUN Attributes . . . . . . . . . . . . . . . . . . . 12 78 6.2.1. CONNECTION-ID . . . . . . . . . . . . . . . . . . . . 12 79 6.2.2. New STUN response codes . . . . . . . . . . . . . . . 12 80 6.3. Security Considerations . . . . . . . . . . . . . . . . . 12 81 6.4. IANA Considerations . . . . . . . . . . . . . . . . . . . 12 82 6.5. IAB Considerations . . . . . . . . . . . . . . . . . . . . 12 83 6.6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 12 84 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 85 7.1. Normative References . . . . . . . . . . . . . . . . . . . 13 86 7.2. Informative References . . . . . . . . . . . . . . . . . . 13 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 89 1. Introduction 91 Traversal Using Relays around NAT (TURN) [I-D.ietf-behave-turn] is an 92 extension to the Session Traversal Utilities for NAT [RFC5389] 93 protocol. TURN allows for clients to communicate with a TURN server, 94 and ask it to allocate ports on one of its host interfaces, and then 95 relay traffic between that port and the client itself. TURN, when 96 used in concert with STUN and Interactive Connectivity Establishment 97 (ICE) [I-D.ietf-mmusic-ice] form a solution for NAT traversal for 98 UDP-based media sessions. 100 However, TURN itself does not provide a way for a client to allocate 101 a TCP-based port on a TURN server. Such an allocation is needed for 102 cases where a TCP-based session is desired with a peer, and NATs 103 prevent a direct TCP connection. Examples include application 104 sharing between desktop softphones, or transmission of pictures 105 during a voice communications session. 107 This document defines an extension to TURN which allows a client to 108 obtain a TCP allocation. It also allows the client to initiate 109 connections from that allocation to peers, and accept connection 110 requests from peers made towards that allocation. 112 2. Conventions 114 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 115 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 116 document are to be interpreted as described in [RFC2119]. 118 3. Overview of Operation 120 +--------+ 121 | | 122 | Peer1 | 123 / | | 124 / | | 125 / +--------+ 126 / 127 / 128 / Peer Data 1 129 / 130 +--------+ Control +--------+ / 131 | | -------------- | | / 132 | Client | Client Data 1 | TURN | 133 | | -------------- | Server | \ 134 | | -------------- | | \ 135 +--------+ Client Data 2 +--------+ \ 136 \ 137 \ 138 \ +--------+ 139 \ | | 140 Peer Data 2 \ | Peer2 | 141 \ | | 142 | | 143 +--------+ 145 Figure 1: TURN TCP Model 147 The overall model for TURN-TCP is shown in Figure 1. The client will 148 have two different types of connections to its TURN server. For each 149 allocated port, it will have a single control connection. Control 150 connections are used to obtain allocations and open up new 151 connections. Furthermore, for each connection to a peer, the client 152 will have a single connection to its TURN server. These connections 153 are called data connections. Consequently, there is a data 154 connection from the client to its TURN server (the client data 155 connection) and one from the TURN server to a peer (the peer data 156 connection). Actual application data is sent on these connections. 157 Indeed, after an initial TURN message which binds the client data 158 connection to a peer data connection, only application data can be 159 sent - no TURN messaging. This is in contrast to the control 160 connection, which only allows TURN messages and not application data. 162 To obtain a TCP-based allocation, a client must have a TCP or TLS 163 connection to its TURN server. Using that connection, it sends an 164 Allocate request. That request contains a REQUESTED-TRANSPORT 165 attribute, which indicates a TCP-based allocation is desired. A 166 server which supports this extension will allocate a TCP port and 167 begin listening for connection requests on that port. It then 168 returns the allocated port to the client in the resposne to the 169 Allocate request. The connection on which the Allocate request was 170 sent is the control connection. 172 If a client wishes to establish a TCP connection to a peer from that 173 allocated address, it issues a Connect request to the TURN server 174 over the control connection. That request contains a XOR-PEER- 175 ADDRESS attribute identifying the peer IP address and port to which a 176 connection is to be made. The TURN server attempts to open the TCP 177 connection, and assuming it succeeds, then responds to the Connect 178 request with a success response. The server also creates a 179 connection identifier associated with this connection, and passes 180 that connection identifier back to the client in the success 181 response. 183 In order to actually send data on the new connection or otherwise 184 utilize it in any way, the client establishes a new TCP connection to 185 its TURN server. Once established, it issues a ConnectionBind 186 request to the server. That request echoes back the connection 187 identifier to the TURN server. The TURN server uses it to correlate 188 the two connections. As a consequence, the TCP connection to the 189 peer is associated with a TCP connection to the client 1-to-1. The 190 two connections are now data connections. At this point, if the 191 server receives data from the peer, it forwards that data towards the 192 client, without any kind of encapsulation. Any data received by the 193 TURN server from the client over the client data connection are 194 forwarded to the peer, again without encapsulation or framing of any 195 kind. Once a connection has been bound using the ConnectionBind 196 request, TURN processing is no longer permitted on the connection. 198 In a similar way, if a client wishes to receive TCP connections to 199 the allocated address, it issues a Listen request to the TURN server 200 over the control connection. The server then starts listening and 201 accepting incoming connections. 203 Once a new connection is accepted, the server checks if there is a 204 permission in place for that peer. If there is none, the connection 205 is closed. Permissions are created with the CreatePermission request 206 sent over the control connection, just as for UDP TURN. If there is 207 a permission in place, the TURN server sends, to the client, a 208 ConnectionAttempt Indication over the control connection. That 209 indication contains a connection identifier. Once again, the client 210 initiates a separate TCP connection to its TURN server, and over that 211 connection, issues a ConnectionBind request. Once received, the TURN 212 server will begin relaying data back and forth. The server closes 213 the peer data connection if no ConnectionBind request is received 214 after a timeout. 216 If the client closes a client data connection, the corresponding peer 217 data connection is closed. If the peer closes a peer data 218 connection, the corresponding client data connection is closed. In 219 this way, the status of the connection is directly known to the 220 client. 222 The TURN server will relay the data between the client and peer data 223 connections, utilizing an internal buffer. However, back pressure is 224 used in order to achieve end-to-end flow control. If the buffer from 225 client to peer fills up, the TURN server ceases to read off the 226 client data connection, which causes TCP backpressure through the OS 227 towards the client. 229 4. Client Processing 231 4.1. Creating an Allocation 233 To create a TCP allocation, a client MUST initiate a new TCP or TLS 234 connection to its TURN server, identical to the TCP or TLS procedures 235 defined in [I-D.ietf-behave-turn]. TCP allocations cannot be 236 obtained using a UDP association between client and server. 238 Once set up, a client MUST send a TURN Allocate request. That 239 request MUST contain a REQUESTED-TRANSPORT attribute whose value is 240 6, corresponding to TCP. 242 The request MUST NOT include a DONT-FRAGMENT, RESERVATION-TOKEN or 243 EVEN-PORT attribute. The corresponding features are specific to UDP 244 based capabilities and are not utilized by TURN-TCP. However, a 245 LIFETIME attribute MAY be included, with semantics identical to the 246 UDP case. 248 The procedures for authentication of the Allocate request and 249 processing of success and failure responses are identical to those 250 for TCP. 252 Once a success response is received, the TCP connection to the TURN 253 server is called the control connection for that allocation. 255 4.2. Refreshing an Allocation 257 The procedures for refreshing an allocation are identical to those 258 for UDP. Note that the Refresh MUST be sent on the control 259 connection. 261 4.3. Initiating a Connection 263 To initiate a TCP connection to a peer, a client MUST send a Connect 264 request over the control channel for the desired allocation. This 265 request MUST NOT be sent until an Allocate request has been completed 266 successfully over that connection. The Connect request MUST include 267 a XOR-PEER-ADDRESS attribute containing the IP address and port of 268 the peer to which a connection is desired. 270 If the connection is successfully established, the client will 271 receive a success response. That response will contain a 272 CONNECTION-ID attribute. The client MUST initiate a new TCP 273 connection to the server, utilizing the same destination IP address 274 and port on which the control connection was established to. This 275 connection MUST be made using a different local IP address and port. 276 Once established, the client MUST send a ConnectionBind request. 277 That request MUST include the CONNECTION-ID attribute, mirrored from 278 the Connect Success response. When a response to the ConnectionBind 279 request is recevied, if it is a success, the TCP connection on which 280 it was sent is called the client data connection corresponding to the 281 peer. 283 If the result of the Connect request was a Error Response, and the 284 response code was XXX, it means that the TURN server was unable to 285 connect to the peer. The client MAY retry, but MUST wait at least 10 286 seconds. 288 Once a Connect success response has been received, further Connect or 289 Listen requests for the same allocation MUST NOT be sent. 291 4.4. Receiving a Connection 293 To indicate its willingness to receive incoming TCP connections from 294 peers, a client MUST send a Listen request over the control channel 295 for the desired allocation. This request MUST NOT be sent until an 296 Allocate request has been completed successfully over that 297 connection. 299 If a success response is received, the client will start receiving a 300 ConnectionAttempt indication each time a peer attemps a new 301 connection to the allocated address. This indication will contain a 302 CONNECTION-ID and a XOR-PEER-ADDRESS attributes. If the client 303 wishes to accept this connection, it MUST initiate a new TCP 304 connection to the server, utilizing the same destination IP address 305 and port on which the control connection was established to. This 306 connection MUST be made using a different local IP address and port. 307 Once established, the client MUST send a ConnectionBind request. 308 That request MUST include the CONNECTION-ID attribute, mirrorred from 309 the ConnectionAttempt indication. When a response to the 310 ConnectionBind request is received, if it is a success, the TCP 311 connection on which it was sent is called the client data connection 312 corresponding to the peer. 314 Once a Listen success response has been received, further Connect or 315 Listen requests for the same allocation MUST NOT be sent. 317 4.5. Sending and Receiving Data 319 Once a client data connection is established, data sent on it by the 320 client will be relayed as-is to the peer by the server. Similarly, 321 data sent by the peer to the server will be relayed as-is to the 322 client over the data connection. Data on a data connection MUST NOT 323 be interpreted as STUN messages. 325 4.6. Data Connection Maintenance 327 The client MUST refresh the allocation corresponding to a data 328 connection, using the Refresh request as defined in 329 [I-D.ietf-behave-turn], for as long as it wants to keep the data 330 connection alive. 332 When the client wishes to terminate its relayed connection to the 333 peer, it MUST close the data connection to the server. If the data 334 connection was created as a result of a Connect request, the 335 allocation cannot be used for any other purposes and the client 336 SHOULD explicitly delete it by sending a Refresh request with a 337 LIFETIME attribute of value 0, as indicated in 338 [I-D.ietf-behave-turn]. If the data connection was created as a 339 result of a Listen request, the allocation is still valid and further 340 ConnectionAttempt indications may be received. 342 5. TURN Server Behavior 344 5.1. Receiving a TCP Allocate Request 346 The process is similar to that defined in [I-D.ietf-behave-turn], 347 Section 6.2, with the following exceptions: 349 1. If the REQUESTED-TRANSPORT attribute is included and specifies a 350 protocol other than UDP or TCP, the server MUST reject the 351 request with a 442 (Unsupported Transport Protocol) error. (If 352 the value is UDP, the server MUST continue with the procedures of 353 [I-D.ietf-behave-turn] instead of this document.) 355 2. If the client connection transport is not TCP or TLS, the server 356 MUST reject the request with a 400 (Bad Request) error. 358 3. If the request contains the DONT-FRAGMENT, EVEN-PORT, or 359 RESERVATION-TOKEN attribute, the server MUST reject the request 360 with a 400 (Bad Request) error. 362 4. A TCP relayed transport address MUST be allocated instead of a 363 UDP one. 365 5. The RESERVATION-TOKEN attribute MUST NOT be present in the 366 success response. 368 Until a Listen request for this allocation is successfully processed, 369 the server MUST deny any connection attempts received on the relayed 370 transport address. 372 5.2. Receiving a Connect Request 374 When the server receives a Connect request, it processes as follows. 376 If the request is received on a control connection for which no 377 allocation exists, the server MUST return a 437 (Allocation Mismatch) 378 error. 380 If the server has already successfully processed a Connect or Listen 381 request for this allocation, it MUST return a 446 (Connection Already 382 Exists) error. 384 If the request does not contain a XOR-PEER-ADDRESS attribute, or if 385 such attribute is invalid, the server MUST return a 400 (Bad Request) 386 error. 388 Otherwise, the server MUST initiate an outgoing TCP connection. The 389 local endpoint is the relayed transport address associated with the 390 allocation. The remote endpoint is the one indicated by the XOR- 391 PEER-ADDRESS attribute. If the connection attempt fails or times 392 out, the server MUST return a XXX (Connection Timeout or Failure) 393 error. 395 If the connection is successful, it is now called a peer data 396 connection. The server MUST buffer any data received from the peer. 397 Data MUST NOT be lost. It is up to the server to adjust its 398 advertised TCP receive window should the buffer size become a 399 limiting factor. 401 The server MUST include the CONNECTION-ID attribute in the Connect 402 success response. The attribute's value MUST uniquely identify the 403 peer data connection. 405 5.3. Receiving a Listen Request 407 When a server receives a Listen request, it processes as follows. 409 If the request is received on a control connection for which no 410 allocation exists, the server MUST return a 437 (Allocation Mismatch) 411 error. 413 If the server has already successfully processed a Connect or Listen 414 request for this allocation, it MUST return a 446 (Connection Already 415 Exists) error. 417 Otherwise, the server MUST start accepting incoming TCP connections 418 on the relayed transport address. Refer to Section 5.4 for details. 420 The server replies with a Listen success or failure response 421 depending on the success of this. 423 5.4. Receiving a TCP Connection on an Allocated Port 425 When a server receives an incoming TCP connection on a relayed 426 transport, it processes as follows. 428 If no Listen request has been successfully processed for this 429 allocation, the server MUST reject the connection. The means 430 (silently ignoring it, replying with a TCP reset, etc.) are not 431 specified. 433 Otherwise, the server MUST accept the connection. If it is not 434 successful, nothing is sent to the client over the control 435 connection. 437 If the connection is successfully accepted, it is now called a peer 438 data connection. The server MUST buffer any data received from the 439 peer. Data MUST NOT be lost. It is up to the server to adjust its 440 advertised TCP receive window should the buffer size become a 441 limiting factor. 443 The server then sends a ConnectionAttempt indication to the client 444 over the control connection. The indication MUST include a XOR-PEER- 445 ADDRESS attribute containing the peer's address, as well as a 446 CONNECTION-ID attribute uniquely identifying the peer data 447 connection. 449 If no ConnectionBind request associated with this peer data 450 connection is received after 30 seconds, the peer data connection 451 MUST be closed. 453 5.5. Receiving a ConnectionBind Request 455 When a server receives a ConnectionBind request, it processes as 456 follows. 458 If the client connection transport is not TCP or TLS, the server MUST 459 return a 400 (Bad Request) error. 461 If the request does not contain the CONNECTION-ID attribute, the 462 server MUST return a 400 (Bad Request) error. 464 Otherwise, the client connection is now called a client data 465 connection. Data received on it MUST be sent as-is to the associated 466 peer data connection. 468 Data received on the associated peer data connection MUST be sent 469 as-is on this client data connection. This includes data that was 470 received after the associated Connect or Listen request was 471 successfully processed and before this ConnectionBind request was 472 received. 474 Data received on a client or peer data connection MUST NOT be 475 interpreted as a STUN message. 477 5.6. Data Connection Maintenance 479 If the allocation associated with a data connection expires, the data 480 connection MUST be closed. 482 When a client (resp. peer) data connection is closed or times out, 483 the server MUST close the corresponding peer (resp. client) data 484 connection. 486 6. IANA Considerations 488 This specification defines several new STUN methods, STUN attributes, 489 and STUN response codes. This section directs IANA to add these new 490 protocol elements to the IANA registry of STUN protocol elements. 492 6.1. New STUN Methods 494 This section lists the codepoints for the new STUN methods defined in 495 this specification. See elsewhere in this document for the semantics 496 of these new methods. 498 0x007 : Connect (only request/response semantics defined) 499 0x008 : Listen (only request/response semantics defined) 500 0x009 : ConnectionBind (only request/response semantics defined) 501 0x010 : ConnectionAttempt (only indication semantics defined) 503 6.2. New STUN Attributes 505 This STUN extension defines the following new attributes: 507 0xTBD : CONNECTION-ID 509 6.2.1. CONNECTION-ID 511 The CONNECTION-ID attributes uniquely identifies a peer data 512 connection. It is a 32-bit unsigned integral value. 514 6.2.2. New STUN response codes 516 446 Connection Already Exists 517 XXX Connection Timeout or Failure 519 6.3. Security Considerations 521 TBD 523 6.4. IANA Considerations 525 TBD 527 6.5. IAB Considerations 529 TBD. 531 6.6. Acknowledgements 533 Thanks to Rohan Mahy and Philip Matthews for their initial work on 534 getting this document started. 536 The authors would also like to thank Marc Petit-Huguenin for his 537 comments and suggestions. 539 7. References 541 7.1. Normative References 543 [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, 544 "Session Traversal Utilities for NAT (STUN)", RFC 5389, 545 October 2008. 547 [I-D.ietf-behave-turn] 548 Rosenberg, J., Mahy, R., and P. Matthews, "Traversal Using 549 Relays around NAT (TURN): Relay Extensions to Session 550 Traversal Utilities for NAT (STUN)", 551 draft-ietf-behave-turn-12 (work in progress), 552 November 2008. 554 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 555 Requirement Levels", BCP 14, RFC 2119, March 1997. 557 7.2. Informative References 559 [I-D.ietf-mmusic-ice] 560 Rosenberg, J., "Interactive Connectivity Establishment 561 (ICE): A Protocol for Network Address Translator (NAT) 562 Traversal for Offer/Answer Protocols", 563 draft-ietf-mmusic-ice-19 (work in progress), October 2007. 565 Authors' Addresses 567 Simon Perreault (editor) 568 Viagenie 569 2600 boul. Laurier, suite 625 570 Quebec, QC G1V 4W1 571 Canada 573 Phone: +1 418 656 9254 574 Email: simon.perreault@viagenie.ca 575 URI: http://www.viagenie.ca 576 Jonathan Rosenberg 577 Cisco Systems 578 600 Lanidex Plaza 579 Parsippany, NJ 07054 580 US 582 Phone: +1 973 952-5000 583 Email: jdrosen@cisco.com 584 URI: http://www.jdrosen.net