idnits 2.17.1 draft-ietf-behave-turn-tcp-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 4, 2009) is 5472 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5389 (Obsoleted by RFC 8489) == Outdated reference: A later version (-16) exists of draft-ietf-behave-turn-14 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Behave S. Perreault, Ed. 3 Internet-Draft Viagenie 4 Intended status: Standards Track J. Rosenberg 5 Expires: November 5, 2009 Cisco Systems 6 May 4, 2009 8 Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations 9 draft-ietf-behave-turn-tcp-03.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on November 5, 2009. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This specification defines an extension of Traversal Using Relays 48 around NAT (TURN), a relay protocol for NAT traversal, to allows a 49 TURN client to request TCP allocations, and defines new requests and 50 indications for the TURN server to open and accept TCP connections 51 with the client's peers. TURN and this extension both purposefully 52 restrict the ways in which the relayed address can be used. In 53 particular, it prevents users from running general purpose servers 54 from ports obtained from the STUN server. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Overview of Operation . . . . . . . . . . . . . . . . . . . . 4 61 4. Client Processing . . . . . . . . . . . . . . . . . . . . . . 6 62 4.1. Creating an Allocation . . . . . . . . . . . . . . . . . . 6 63 4.2. Refreshing an Allocation . . . . . . . . . . . . . . . . . 6 64 4.3. Initiating a Connection . . . . . . . . . . . . . . . . . 7 65 4.4. Receiving a Connection . . . . . . . . . . . . . . . . . . 7 66 4.5. Sending and Receiving Data . . . . . . . . . . . . . . . . 7 67 4.6. Data Connection Maintenance . . . . . . . . . . . . . . . 8 68 5. TURN Server Behavior . . . . . . . . . . . . . . . . . . . . . 8 69 5.1. Receiving a TCP Allocate Request . . . . . . . . . . . . . 8 70 5.2. Receiving a Connect Request . . . . . . . . . . . . . . . 9 71 5.3. Receiving a TCP Connection on an Allocated Port . . . . . 9 72 5.4. Receiving a ConnectionBind Request . . . . . . . . . . . . 10 73 5.5. Data Connection Maintenance . . . . . . . . . . . . . . . 10 74 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 75 6.1. New STUN Methods . . . . . . . . . . . . . . . . . . . . . 11 76 6.2. New STUN Attributes . . . . . . . . . . . . . . . . . . . 11 77 6.2.1. CONNECTION-ID . . . . . . . . . . . . . . . . . . . . 11 78 6.2.2. New STUN response codes . . . . . . . . . . . . . . . 11 79 6.3. Security Considerations . . . . . . . . . . . . . . . . . 11 80 6.4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 11 81 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 82 7.1. Normative References . . . . . . . . . . . . . . . . . . . 12 83 7.2. Informative References . . . . . . . . . . . . . . . . . . 12 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 86 1. Introduction 88 Traversal Using Relays around NAT (TURN) [I-D.ietf-behave-turn] is an 89 extension to the Session Traversal Utilities for NAT [RFC5389] 90 protocol. TURN allows for clients to communicate with a TURN server, 91 and ask it to allocate ports on one of its host interfaces, and then 92 relay traffic between that port and the client itself. TURN, when 93 used in concert with STUN and Interactive Connectivity Establishment 94 (ICE) [I-D.ietf-mmusic-ice] form a solution for NAT traversal for 95 UDP-based media sessions. 97 However, TURN itself does not provide a way for a client to allocate 98 a TCP-based port on a TURN server. Such an allocation is needed for 99 cases where a TCP-based session is desired with a peer, and NATs 100 prevent a direct TCP connection. Examples include application 101 sharing between desktop softphones, or transmission of pictures 102 during a voice communications session. 104 This document defines an extension to TURN which allows a client to 105 obtain a TCP allocation. It also allows the client to initiate 106 connections from that allocation to peers, and accept connection 107 requests from peers made towards that allocation. 109 2. Conventions 111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 113 document are to be interpreted as described in [RFC2119]. 115 3. Overview of Operation 117 +--------+ 118 | | 119 | Peer1 | 120 / | | 121 / | | 122 / +--------+ 123 / 124 / 125 / Peer Data 1 126 / 127 +--------+ Control +--------+ / 128 | | -------------- | | / 129 | Client | Client Data 1 | TURN | 130 | | -------------- | Server | \ 131 | | -------------- | | \ 132 +--------+ Client Data 2 +--------+ \ 133 \ 134 \ 135 \ +--------+ 136 \ | | 137 Peer Data 2 \ | Peer2 | 138 \ | | 139 | | 140 +--------+ 142 Figure 1: TURN TCP Model 144 The overall model for TURN-TCP is shown in Figure 1. The client will 145 have two different types of connections to its TURN server. For each 146 allocated port, it will have a single control connection. Control 147 connections are used to obtain allocations and open up new 148 connections. Furthermore, for each connection to a peer, the client 149 will have a single connection to its TURN server. These connections 150 are called data connections. Consequently, there is a data 151 connection from the client to its TURN server (the client data 152 connection) and one from the TURN server to a peer (the peer data 153 connection). Actual application data is sent on these connections. 154 Indeed, after an initial TURN message which binds the client data 155 connection to a peer data connection, only application data can be 156 sent - no TURN messaging. This is in contrast to the control 157 connection, which only allows TURN messages and not application data. 159 To obtain a TCP-based allocation, a client must have a TCP or TLS 160 connection to its TURN server. Using that connection, it sends an 161 Allocate request. That request contains a REQUESTED-TRANSPORT 162 attribute, which indicates a TCP-based allocation is desired. A 163 server which supports this extension will allocate a TCP port and 164 begin listening for connection requests on that port. It then 165 returns the allocated port to the client in the resposne to the 166 Allocate request. The connection on which the Allocate request was 167 sent is the control connection. 169 If a client wishes to establish a TCP connection to a peer from that 170 allocated address, it issues a Connect request to the TURN server 171 over the control connection. That request contains a XOR-PEER- 172 ADDRESS attribute identifying the peer IP address and port to which a 173 connection is to be made. The TURN server attempts to open the TCP 174 connection, and assuming it succeeds, then responds to the Connect 175 request with a success response. The server also creates a 176 connection identifier associated with this connection, and passes 177 that connection identifier back to the client in the success 178 response. 180 In order to actually send data on the new connection or otherwise 181 utilize it in any way, the client establishes a new TCP connection to 182 its TURN server. Once established, it issues a ConnectionBind 183 request to the server. That request echoes back the connection 184 identifier to the TURN server. The TURN server uses it to correlate 185 the two connections. As a consequence, the TCP connection to the 186 peer is associated with a TCP connection to the client 1-to-1. The 187 two connections are now data connections. At this point, if the 188 server receives data from the peer, it forwards that data towards the 189 client, without any kind of encapsulation. Any data received by the 190 TURN server from the client over the client data connection are 191 forwarded to the peer, again without encapsulation or framing of any 192 kind. Once a connection has been bound using the ConnectionBind 193 request, TURN processing is no longer permitted on the connection. 195 In a similar way, when a peer opens a TCP connection towards the 196 allocated port, the server checks if there is a permission in place 197 for that peer. If there is none, the connection is closed. 198 Permissions are created with the CreatePermission request sent over 199 the control connection, just as for UDP TURN. If there is a 200 permission in place, the TURN server sends, to the client, a 201 ConnectionAttempt Indication over the control connection. That 202 indication contains a connection identifier. Once again, the client 203 initiates a separate TCP connection to its TURN server, and over that 204 connection, issues a ConnectionBind request. Once received, the TURN 205 server will begin relaying data back and forth. The server closes 206 the peer data connection if no ConnectionBind request is received 207 after a timeout. 209 If the client closes a client data connection, the corresponding peer 210 data connection is closed. If the peer closes a peer data 211 connection, the corresponding client data connection is closed. In 212 this way, the status of the connection is directly known to the 213 client. 215 The TURN server will relay the data between the client and peer data 216 connections, utilizing an internal buffer. However, back pressure is 217 used in order to achieve end-to-end flow control. If the buffer from 218 client to peer fills up, the TURN server ceases to read off the 219 client data connection, which causes TCP backpressure through the OS 220 towards the client. 222 4. Client Processing 224 4.1. Creating an Allocation 226 To create a TCP allocation, a client MUST initiate a new TCP or TLS 227 connection to its TURN server, identical to the TCP or TLS procedures 228 defined in [I-D.ietf-behave-turn]. TCP allocations cannot be 229 obtained using a UDP association between client and server. 231 Once set up, a client MUST send a TURN Allocate request. That 232 request MUST contain a REQUESTED-TRANSPORT attribute whose value is 233 6, corresponding to TCP. 235 The request MUST NOT include a DONT-FRAGMENT, RESERVATION-TOKEN or 236 EVEN-PORT attribute. The corresponding features are specific to UDP 237 based capabilities and are not utilized by TURN-TCP. However, a 238 LIFETIME attribute MAY be included, with semantics identical to the 239 UDP case. 241 The procedures for authentication of the Allocate request and 242 processing of success and failure responses are identical to those 243 for TCP. 245 Once a success response is received, the TCP connection to the TURN 246 server is called the control connection for that allocation. 248 4.2. Refreshing an Allocation 250 The procedures for refreshing an allocation are identical to those 251 for UDP. Note that the Refresh MUST be sent on the control 252 connection. 254 4.3. Initiating a Connection 256 To initiate a TCP connection to a peer, a client MUST send a Connect 257 request over the control channel for the desired allocation. The 258 Connect request MUST include a XOR-PEER-ADDRESS attribute containing 259 the IP address and port of the peer to which a connection is desired. 261 If the connection is successfully established, the client will 262 receive a success response. That response will contain a 263 CONNECTION-ID attribute. The client MUST initiate a new TCP 264 connection to the server, utilizing the same destination IP address 265 and port to which the control connection was established. This 266 connection MUST be made using a different local IP address and/or 267 port. Once established, the client MUST send a ConnectionBind 268 request. That request MUST include the CONNECTION-ID attribute, 269 mirrored from the Connect Success response. When a response to the 270 ConnectionBind request is recevied, if it is a success, the TCP 271 connection on which it was sent is called the client data connection 272 corresponding to the peer. 274 If the result of the Connect request was a Error Response, and the 275 response code was XXX, it means that the TURN server was unable to 276 connect to the peer. The client MAY retry, but MUST wait at least 10 277 seconds. 279 4.4. Receiving a Connection 281 After an Allocate request is successfully processed by the server, 282 the client will start receiving a ConnectionAttempt indication each 283 time a peer attemps a new connection to the allocated address. This 284 indication will contain a CONNECTION-ID and a XOR-PEER-ADDRESS 285 attributes. If the client wishes to accept this connection, it MUST 286 initiate a new TCP connection to the server, utilizing the same 287 destination IP address and port to which the control connection was 288 established. This connection MUST be made using a different local IP 289 address and/or port. Once established, the client MUST send a 290 ConnectionBind request. That request MUST include the CONNECTION-ID 291 attribute, mirrorred from the ConnectionAttempt indication. When a 292 response to the ConnectionBind request is received, if it is a 293 success, the TCP connection on which it was sent is called the client 294 data connection corresponding to the peer. 296 4.5. Sending and Receiving Data 298 Once a client data connection is established, data sent on it by the 299 client will be relayed as-is to the peer by the server. Similarly, 300 data sent by the peer to the server will be relayed as-is to the 301 client over the data connection. Data on a data connection MUST NOT 302 be interpreted as STUN messages. 304 4.6. Data Connection Maintenance 306 The client MUST refresh the allocation corresponding to a data 307 connection, using the Refresh request as defined in 308 [I-D.ietf-behave-turn], for as long as it wants to keep the data 309 connection alive. 311 When the client wishes to terminate its relayed connection to the 312 peer, it closes the data connection to the server. 314 Note: No mechanism for keeping alive the NAT bindings (potentially 315 on the client data connection as well as on the peer data 316 connection) is included. This service is not provided by TURN- 317 TCP. If such a feature is deemed necessary, it can be implemented 318 higher up the stack, in the application protocol being tunneled 319 inside TURN-TCP. 321 5. TURN Server Behavior 323 5.1. Receiving a TCP Allocate Request 325 The process is similar to that defined in [I-D.ietf-behave-turn], 326 Section 6.2, with the following exceptions: 328 1. If the REQUESTED-TRANSPORT attribute is included and specifies a 329 protocol other than UDP or TCP, the server MUST reject the 330 request with a 442 (Unsupported Transport Protocol) error. (If 331 the value is UDP, the server MUST continue with the procedures of 332 [I-D.ietf-behave-turn] instead of this document.) 334 2. If the client connection transport is not TCP or TLS, the server 335 MUST reject the request with a 400 (Bad Request) error. 337 3. If the request contains the DONT-FRAGMENT, EVEN-PORT, or 338 RESERVATION-TOKEN attribute, the server MUST reject the request 339 with a 400 (Bad Request) error. 341 4. A TCP relayed transport address MUST be allocated instead of a 342 UDP one. 344 5. The RESERVATION-TOKEN attribute MUST NOT be present in the 345 success response. 347 If all checks pass, the server MUST start accepting incoming TCP 348 connections on the relayed transport address. Refer to Section 5.3 349 for details. 351 5.2. Receiving a Connect Request 353 When the server receives a Connect request, it processes as follows. 355 If the request is received on a control connection for which no 356 allocation exists, the server MUST return a 437 (Allocation Mismatch) 357 error. 359 If the server has already successfully processed a Connect request 360 for this allocation with the same XOR-PEER-ADDRESS, and the resulting 361 client and peer data connections are either pending or active, it 362 MUST return a 446 (Connection Already Exists) error. 364 If the request does not contain a XOR-PEER-ADDRESS attribute, or if 365 such attribute is invalid, the server MUST return a 400 (Bad Request) 366 error. 368 Otherwise, the server MUST initiate an outgoing TCP connection. The 369 local endpoint is the relayed transport address associated with the 370 allocation. The remote endpoint is the one indicated by the XOR- 371 PEER-ADDRESS attribute. If the connection attempt fails or times 372 out, the server MUST return a XXX (Connection Timeout or Failure) 373 error. 375 If the connection is successful, it is now called a peer data 376 connection. The server MUST buffer any data received from the peer. 377 Data MUST NOT be lost. It is up to the server to adjust its 378 advertised TCP receive window should the buffer size become a 379 limiting factor. 381 The server MUST include the CONNECTION-ID attribute in the Connect 382 success response. The attribute's value MUST uniquely identify the 383 peer data connection. 385 5.3. Receiving a TCP Connection on an Allocated Port 387 When a server receives an incoming TCP connection on a relayed 388 transport, it processes as follows. 390 The server MUST accept the connection. If it is not successful, 391 nothing is sent to the client over the control connection. 393 If the connection is successfully accepted, it is now called a peer 394 data connection. The server MUST buffer any data received from the 395 peer. Data MUST NOT be lost. It is up to the server to adjust its 396 advertised TCP receive window should the buffer size become a 397 limiting factor. 399 The server then sends a ConnectionAttempt indication to the client 400 over the control connection. The indication MUST include a XOR-PEER- 401 ADDRESS attribute containing the peer's address, as well as a 402 CONNECTION-ID attribute uniquely identifying the peer data 403 connection. 405 If no ConnectionBind request associated with this peer data 406 connection is received after 30 seconds, the peer data connection 407 MUST be closed. 409 5.4. Receiving a ConnectionBind Request 411 When a server receives a ConnectionBind request, it processes as 412 follows. 414 If the client connection transport is not TCP or TLS, the server MUST 415 return a 400 (Bad Request) error. 417 If the request does not contain the CONNECTION-ID attribute, or if 418 this attribute does not refer to an existing pending connection, the 419 server MUST return a 400 (Bad Request) error. 421 Otherwise, the client connection is now called a client data 422 connection. Data received on it MUST be sent as-is to the associated 423 peer data connection. 425 Data received on the associated peer data connection MUST be sent 426 as-is on this client data connection. This includes data that was 427 received after the associated Connect or Listen request was 428 successfully processed and before this ConnectionBind request was 429 received. 431 Data received on a client or peer data connection MUST NOT be 432 interpreted as a STUN message. 434 5.5. Data Connection Maintenance 436 If the allocation associated with a data connection expires, the data 437 connection MUST be closed. 439 When a client data connection is closed or times out, the server MUST 440 close the corresponding peer data connection. 442 When a peer data connection is closed or times out, the server MUST 443 close the corresponding client data connection. 445 6. IANA Considerations 447 This specification defines several new STUN methods, STUN attributes, 448 and STUN response codes. This section directs IANA to add these new 449 protocol elements to the IANA registry of STUN protocol elements. 451 6.1. New STUN Methods 453 This section lists the codepoints for the new STUN methods defined in 454 this specification. See elsewhere in this document for the semantics 455 of these new methods. 457 0x0007 : Connect (only request/response semantics defined) 458 0x0008 : ConnectionBind (only request/response semantics defined) 459 0x0009 : ConnectionAttempt (only indication semantics defined) 461 6.2. New STUN Attributes 463 This STUN extension defines the following new attributes: 465 0x002A : CONNECTION-ID 467 6.2.1. CONNECTION-ID 469 The CONNECTION-ID attributes uniquely identifies a peer data 470 connection. It is a 32-bit unsigned integral value. 472 6.2.2. New STUN response codes 474 446 Connection Already Exists 475 447 Connection Timeout or Failure 477 6.3. Security Considerations 479 The methods, attribute, and error response codes defined in this 480 document do not have any special security considerations beyond those 481 for other attributes and Error response codes. All the security 482 considerations applicable to STUN [RFC5389] and TURN 483 [I-D.ietf-behave-turn] are applicable to this document as well. 485 6.4. Acknowledgements 487 Thanks to Rohan Mahy and Philip Matthews for their initial work on 488 getting this document started. 490 The authors would also like to thank Marc Petit-Huguenin for his 491 comments and suggestions. 493 7. References 495 7.1. Normative References 497 [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, 498 "Session Traversal Utilities for NAT (STUN)", RFC 5389, 499 October 2008. 501 [I-D.ietf-behave-turn] 502 Rosenberg, J., Mahy, R., and P. Matthews, "Traversal Using 503 Relays around NAT (TURN): Relay Extensions to Session 504 Traversal Utilities for NAT (STUN)", 505 draft-ietf-behave-turn-14 (work in progress), April 2009. 507 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 508 Requirement Levels", BCP 14, RFC 2119, March 1997. 510 7.2. Informative References 512 [I-D.ietf-mmusic-ice] 513 Rosenberg, J., "Interactive Connectivity Establishment 514 (ICE): A Protocol for Network Address Translator (NAT) 515 Traversal for Offer/Answer Protocols", 516 draft-ietf-mmusic-ice-19 (work in progress), October 2007. 518 Authors' Addresses 520 Simon Perreault (editor) 521 Viagenie 522 2600 boul. Laurier, suite 625 523 Quebec, QC G1V 4W1 524 Canada 526 Phone: +1 418 656 9254 527 Email: simon.perreault@viagenie.ca 528 URI: http://www.viagenie.ca 529 Jonathan Rosenberg 530 Cisco Systems 531 600 Lanidex Plaza 532 Parsippany, NJ 07054 533 US 535 Phone: +1 973 952-5000 536 Email: jdrosen@cisco.com 537 URI: http://www.jdrosen.net