idnits 2.17.1 draft-ietf-behave-turn-tcp-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 19, 2009) is 5301 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5389 (Obsoleted by RFC 8489) == Outdated reference: A later version (-16) exists of draft-ietf-behave-turn-14 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Behave S. Perreault, Ed. 3 Internet-Draft Viagenie 4 Intended status: Standards Track J. Rosenberg 5 Expires: April 22, 2010 Cisco Systems 6 October 19, 2009 8 Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations 9 draft-ietf-behave-turn-tcp-05.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on April 22, 2010. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This specification defines an extension of Traversal Using Relays 48 around NAT (TURN), a relay protocol for NAT traversal, to allow a 49 TURN client to request TCP allocations, and defines new requests and 50 indications for the TURN server to open and accept TCP connections 51 with the client's peers. TURN and this extension both purposefully 52 restrict the ways in which the relayed address can be used. In 53 particular, it prevents users from running general purpose servers 54 from ports obtained from the TURN server. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Overview of Operation . . . . . . . . . . . . . . . . . . . . 4 61 4. Client Processing . . . . . . . . . . . . . . . . . . . . . . 6 62 4.1. Creating an Allocation . . . . . . . . . . . . . . . . . . 6 63 4.2. Refreshing an Allocation . . . . . . . . . . . . . . . . . 6 64 4.3. Initiating a Connection . . . . . . . . . . . . . . . . . 7 65 4.4. Receiving a Connection . . . . . . . . . . . . . . . . . . 7 66 4.5. Sending and Receiving Data . . . . . . . . . . . . . . . . 8 67 4.6. Data Connection Maintenance . . . . . . . . . . . . . . . 8 68 5. TURN Server Behavior . . . . . . . . . . . . . . . . . . . . . 8 69 5.1. Receiving a TCP Allocate Request . . . . . . . . . . . . . 8 70 5.2. Receiving a Connect Request . . . . . . . . . . . . . . . 9 71 5.3. Receiving a TCP Connection on an Allocated Port . . . . . 10 72 5.4. Receiving a ConnectionBind Request . . . . . . . . . . . . 10 73 5.5. Data Connection Maintenance . . . . . . . . . . . . . . . 11 74 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 75 6.1. New STUN Methods . . . . . . . . . . . . . . . . . . . . . 11 76 6.2. New STUN Attributes . . . . . . . . . . . . . . . . . . . 11 77 6.2.1. CONNECTION-ID . . . . . . . . . . . . . . . . . . . . 11 78 6.3. New STUN response codes . . . . . . . . . . . . . . . . . 11 79 6.4. Security Considerations . . . . . . . . . . . . . . . . . 12 80 6.5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 12 81 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 82 7.1. Normative References . . . . . . . . . . . . . . . . . . . 12 83 7.2. Informative References . . . . . . . . . . . . . . . . . . 12 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 86 1. Introduction 88 Traversal Using Relays around NAT (TURN) [I-D.ietf-behave-turn] is an 89 extension to the Session Traversal Utilities for NAT [RFC5389] 90 protocol. TURN allows for clients to communicate with a TURN server, 91 and ask it to allocate ports on one of its host interfaces, and then 92 relay traffic between that port and the client itself. TURN, when 93 used in concert with STUN and Interactive Connectivity Establishment 94 (ICE) [I-D.ietf-mmusic-ice] form a solution for NAT traversal for 95 UDP-based media sessions. 97 However, TURN itself does not provide a way for a client to allocate 98 a TCP-based port on a TURN server. Such an allocation is needed for 99 cases where a TCP-based session is desired with a peer, and NATs 100 prevent a direct TCP connection. Examples include application 101 sharing between desktop softphones, or transmission of pictures 102 during a voice communications session. 104 This document defines an extension to TURN which allows a client to 105 obtain a TCP allocation. It also allows the client to initiate 106 outgoing TCP connections from that allocation to peers, and accept 107 incoming TCP connection requests from peers made towards that 108 allocation. 110 2. Conventions 112 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 113 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 114 document are to be interpreted as described in [RFC2119]. 116 3. Overview of Operation 118 +--------+ 119 | | 120 | Peer1 | 121 / | | 122 / | | 123 / +--------+ 124 / 125 / 126 / Peer Data 1 127 / 128 +--------+ Control +--------+ / 129 | | -------------- | | / 130 | Client | Client Data 1 | TURN | 131 | | -------------- | Server | \ 132 | | -------------- | | \ 133 +--------+ Client Data 2 +--------+ \ 134 \ 135 \ 136 \ +--------+ 137 \ | | 138 Peer Data 2 \ | Peer2 | 139 \ | | 140 | | 141 +--------+ 143 Figure 1: TURN TCP Model 145 The overall model for TURN-TCP is shown in Figure 1. The client will 146 have two different types of connections to its TURN server. For each 147 allocated port, it will have a single control connection. Control 148 connections are used to obtain allocations and open up new 149 connections. Furthermore, for each connection to a peer, the client 150 will have a single connection to its TURN server. These connections 151 are called data connections. Consequently, there is a data 152 connection from the client to its TURN server (the client data 153 connection) and one from the TURN server to a peer (the peer data 154 connection). Actual application data is sent on these connections. 155 Indeed, after an initial TURN message which binds the client data 156 connection to a peer data connection, only application data can be 157 sent - no TURN messaging. This is in contrast to the control 158 connection, which only allows TURN messages and not application data. 160 To obtain a TCP-based allocation, a client must have a TCP or TLS 161 connection to its TURN server. Using that connection, it sends an 162 Allocate request. That request contains a REQUESTED-TRANSPORT 163 attribute, which indicates a TCP-based allocation is desired. A 164 server which supports this extension will allocate a TCP port and 165 begin listening for connection requests on that port. It then 166 returns the allocated port to the client in the response to the 167 Allocate request. The connection on which the Allocate request was 168 sent is the control connection. 170 If a client wishes to establish a TCP connection to a peer from that 171 allocated address, it issues a Connect request to the TURN server 172 over the control connection. That request contains a XOR-PEER- 173 ADDRESS attribute identifying the peer IP address and port to which a 174 connection is to be made. The TURN server attempts to open the TCP 175 connection, and assuming it succeeds, then responds to the Connect 176 request with a success response. The server also creates a 177 connection identifier associated with this connection, and passes 178 that connection identifier back to the client in the success 179 response. Note that a maximum of one connection to a given peer 180 (address and port combination) can be established per allocation. 182 In order to actually send data on the new connection or otherwise 183 utilize it in any way, the client establishes a new TCP connection to 184 its TURN server. Once established, it issues a ConnectionBind 185 request to the server. That request echoes back the connection 186 identifier to the TURN server. The TURN server uses it to correlate 187 the two connections. As a consequence, the TCP connection to the 188 peer is associated with a TCP connection to the client 1-to-1. The 189 two connections are now data connections. At this point, if the 190 server receives data from the peer, it forwards that data towards the 191 client, without any kind of encapsulation. Any data received by the 192 TURN server from the client over the client data connection are 193 forwarded to the peer, again without encapsulation or framing of any 194 kind. Once a connection has been bound using the ConnectionBind 195 request, TURN messaging is no longer permitted on the connection. 197 In a similar way, when a peer opens a TCP connection towards the 198 allocated port, the server checks if there is a permission in place 199 for that peer. If there is none, the connection is closed. 200 Permissions are created with the CreatePermission request sent over 201 the control connection, just as for UDP TURN. If there is a 202 permission in place, the TURN server sends, to the client, a 203 ConnectionAttempt Indication over the control connection. That 204 indication contains a connection identifier. Once again, the client 205 initiates a separate TCP connection to its TURN server, and over that 206 connection, issues a ConnectionBind request. Once received, the TURN 207 server will begin relaying data back and forth. The server closes 208 the peer data connection if no ConnectionBind request is received 209 after a timeout. 211 If the client closes a client data connection, the corresponding peer 212 data connection is closed. If the peer closes a peer data 213 connection, the corresponding client data connection is closed. In 214 this way, the status of the connection is directly known to the 215 client. 217 The TURN server will relay the data between the client and peer data 218 connections, utilizing an internal buffer. However, back pressure is 219 used in order to achieve end-to-end flow control. If the buffer from 220 client to peer fills up, the TURN server ceases to read off the 221 client data connection, which causes TCP backpressure through the OS 222 towards the client. 224 4. Client Processing 226 4.1. Creating an Allocation 228 To create a TCP allocation, a client MUST initiate a new TCP or TLS 229 connection to its TURN server, identical to the TCP or TLS procedures 230 defined in [I-D.ietf-behave-turn]. TCP allocations cannot be 231 obtained using a UDP association between client and server. 233 Once set up, a client MUST send a TURN Allocate request. That 234 request MUST contain a REQUESTED-TRANSPORT attribute whose value is 235 6, corresponding to TCP. 237 The request MUST NOT include a DONT-FRAGMENT, RESERVATION-TOKEN or 238 EVEN-PORT attribute. The corresponding features are specific to UDP 239 based capabilities and are not utilized by TURN-TCP. However, a 240 LIFETIME attribute MAY be included, with semantics identical to the 241 UDP case. 243 The procedures for authentication of the Allocate request and 244 processing of success and failure responses are identical to those 245 for UDP. 247 Once a success response is received, the TCP connection to the TURN 248 server is called the control connection for that allocation. 250 4.2. Refreshing an Allocation 252 The procedures for refreshing an allocation are identical to those 253 for UDP. Note that the Refresh MUST be sent on the control 254 connection. 256 4.3. Initiating a Connection 258 To initiate a TCP connection to a peer, a client MUST send a Connect 259 request over the control channel for the desired allocation. The 260 Connect request MUST include a XOR-PEER-ADDRESS attribute containing 261 the IP address and port of the peer to which a connection is desired. 263 If the connection is successfully established, the client will 264 receive a success response. That response will contain a 265 CONNECTION-ID attribute. The client MUST initiate a new TCP 266 connection to the server, utilizing the same destination IP address 267 and port to which the control connection was established. This 268 connection MUST be made using a different local IP address and/or 269 port. Authentication of the client by the server MUST use the same 270 method and credentials as for the control connection. Once 271 established, the client MUST send a ConnectionBind request. That 272 request MUST include the CONNECTION-ID attribute, echoed from the 273 Connect Success response. When a response to the ConnectionBind 274 request is received, if it is a success, the TCP connection on which 275 it was sent is called the client data connection corresponding to the 276 peer. 278 If the result of the Connect request was a Error Response, and the 279 response code was 447, it means that the TURN server was unable to 280 connect to the peer. The client MAY retry with the same XOR-PEER- 281 ADDRESS attribute, but MUST wait at least 10 seconds. 283 4.4. Receiving a Connection 285 After an Allocate request is successfully processed by the server, 286 the client will start receiving a ConnectionAttempt indication each 287 time a peer for which a permission has been installed attempts a new 288 connection to the allocated address. This indication will contain a 289 CONNECTION-ID and a XOR-PEER-ADDRESS attributes. If the client 290 wishes to accept this connection, it MUST initiate a new TCP 291 connection to the server, utilizing the same destination IP address 292 and port to which the control connection was established. This 293 connection MUST be made using a different local IP address and/or 294 port. Authentication of the client by the server MUST use the same 295 method and credentials as for the control connection. Once 296 established, the client MUST send a ConnectionBind request. That 297 request MUST include the CONNECTION-ID attribute, echoed from the 298 ConnectionAttempt indication. When a response to the ConnectionBind 299 request is received, if it is a success, the TCP connection on which 300 it was sent is called the client data connection corresponding to the 301 peer. 303 4.5. Sending and Receiving Data 305 Once a client data connection is established, data sent on it by the 306 client will be relayed as-is to the peer by the server. Similarly, 307 data sent by the peer to the server will be relayed as-is to the 308 client over the data connection. 310 4.6. Data Connection Maintenance 312 The client MUST refresh the allocation corresponding to a data 313 connection, using the Refresh request as defined in 314 [I-D.ietf-behave-turn], for as long as it wants to keep the data 315 connection alive. 317 When the client wishes to terminate its relayed connection to the 318 peer, it closes the data connection to the server. 320 Note: No mechanism for keeping alive the NAT bindings (potentially 321 on the client data connection as well as on the peer data 322 connection) is included. This service is not provided by TURN- 323 TCP. If such a feature is deemed necessary, it can be implemented 324 higher up the stack, in the application protocol being tunneled 325 inside TURN-TCP. Also, TCP keep-alives MAY be used to keep the 326 NAT bindings on the client data connection alive. 328 5. TURN Server Behavior 330 5.1. Receiving a TCP Allocate Request 332 The process is similar to that defined in [I-D.ietf-behave-turn], 333 Section 6.2, with the following exceptions: 335 1. If the REQUESTED-TRANSPORT attribute is included and specifies a 336 protocol other than UDP or TCP, the server MUST reject the 337 request with a 442 (Unsupported Transport Protocol) error. (If 338 the value is UDP, the server MUST continue with the procedures of 339 [I-D.ietf-behave-turn] instead of this document.) 341 2. If the client connection transport is not TCP or TLS, the server 342 MUST reject the request with a 400 (Bad Request) error. 344 3. If the request contains the DONT-FRAGMENT, EVEN-PORT, or 345 RESERVATION-TOKEN attribute, the server MUST reject the request 346 with a 400 (Bad Request) error. 348 4. A TCP relayed transport address MUST be allocated instead of a 349 UDP one. 351 5. The RESERVATION-TOKEN attribute MUST NOT be present in the 352 success response. 354 If all checks pass, the server MUST start accepting incoming TCP 355 connections on the relayed transport address. Refer to Section 5.3 356 for details. 358 5.2. Receiving a Connect Request 360 When the server receives a Connect request, it processes as follows. 362 If the request is received on a TCP connection for which no 363 allocation exists, the server MUST return a 437 (Allocation Mismatch) 364 error. 366 If the server has already successfully processed a Connect request 367 for this allocation with the same XOR-PEER-ADDRESS, and the resulting 368 client and peer data connections are either pending or active, it 369 MUST return a 446 (Connection Already Exists) error. 371 If the request does not contain a XOR-PEER-ADDRESS attribute, or if 372 such attribute is invalid, the server MUST return a 400 (Bad Request) 373 error. 375 Otherwise, and if the new connection is permitted by local policy, 376 the server MUST initiate an outgoing TCP connection. The local 377 endpoint is the relayed transport address associated with the 378 allocation. The remote endpoint is the one indicated by the XOR- 379 PEER-ADDRESS attribute. If the connection attempt fails or times 380 out, the server MUST return a 447 (Connection Timeout or Failure) 381 error. 383 If the connection is successful, it is now called a peer data 384 connection. The server MUST buffer any data received from the peer. 385 Data MUST NOT be lost unless the buffer is about to exceed a limit 386 defined by local policy, in which case the data connection MUST be 387 closed. The server adjusts its advertised TCP receive window to 388 reflect the amount of empty buffer space. 390 The server MUST include the CONNECTION-ID attribute in the Connect 391 success response. The attribute's value MUST uniquely identify the 392 peer data connection. 394 If no ConnectionBind request associated with this peer data 395 connection is received after 30 seconds, the peer data connection 396 MUST be closed. 398 5.3. Receiving a TCP Connection on an Allocated Port 400 When a server receives an incoming TCP connection on a relayed 401 transport, it processes as follows. 403 The server MUST accept the connection. If it is not successful, 404 nothing is sent to the client over the control connection. 406 If the connection is successfully accepted, it is now called a peer 407 data connection. The server MUST buffer any data received from the 408 peer. Data MUST NOT be lost unless the buffer is about to exceed a 409 limit defined by local policy, in which case the data connection MUST 410 be closed. The server adjusts its advertised TCP receive window to 411 reflect the amount of empty buffer space. 413 The server then sends a ConnectionAttempt indication to the client 414 over the control connection. The indication MUST include a XOR-PEER- 415 ADDRESS attribute containing the peer's address, as well as a 416 CONNECTION-ID attribute uniquely identifying the peer data 417 connection. 419 If no ConnectionBind request associated with this peer data 420 connection is received after 30 seconds, the peer data connection 421 MUST be closed. 423 5.4. Receiving a ConnectionBind Request 425 When a server receives a ConnectionBind request, it processes as 426 follows. 428 If the client connection transport is not TCP or TLS, the server MUST 429 return a 400 (Bad Request) error. 431 If the request does not contain the CONNECTION-ID attribute, or if 432 this attribute does not refer to an existing pending connection, the 433 server MUST return a 400 (Bad Request) error. 435 Otherwise, the client connection is now called a client data 436 connection. Data received on it MUST be sent as-is to the associated 437 peer data connection. 439 Data received on the associated peer data connection MUST be sent 440 as-is on this client data connection. This includes data that was 441 received after the associated Connect or request was successfully 442 processed and before this ConnectionBind request was received. 444 5.5. Data Connection Maintenance 446 If the allocation associated with a data connection expires, the data 447 connection MUST be closed. 449 When a client data connection is closed or times out, the server MUST 450 close the corresponding peer data connection. 452 When a peer data connection is closed or times out, the server MUST 453 close the corresponding client data connection. 455 6. IANA Considerations 457 This specification defines several new STUN methods, STUN attributes, 458 and STUN error codes. This section directs IANA to add these new 459 protocol elements to the IANA registry of STUN protocol elements. 461 6.1. New STUN Methods 463 This section lists the codepoints for the new STUN methods defined in 464 this specification. See Section 4 and Section 5 for the semantics of 465 these new methods. 467 0x000A : Connect 468 0x000B : ConnectionBind 469 0x000C : ConnectionAttempt 471 6.2. New STUN Attributes 473 This STUN extension defines the following new attributes: 475 0x002A : CONNECTION-ID 477 6.2.1. CONNECTION-ID 479 The CONNECTION-ID attributes uniquely identifies a peer data 480 connection. It is a 32-bit unsigned integral value. 482 6.3. New STUN response codes 484 446 Connection Already Exists 485 447 Connection Timeout or Failure 487 6.4. Security Considerations 489 After a TCP connection is established between the server and a peer, 490 and before a ConnectionBind request is received from the client, the 491 server buffers all data received from the peer. This protocol 492 specification lets the server drop the connection if the buffer size 493 is about to exceed a limit defined by local policy. This policy 494 should ensure that memory resources are not exceeded. See also 495 [RFC4732], Section 2.1.3. 497 All the security considerations applicable to STUN [RFC5389] and TURN 498 [I-D.ietf-behave-turn] are applicable to this document as well. 500 6.5. Acknowledgements 502 Thanks to Rohan Mahy and Philip Matthews for their initial work on 503 getting this document started. 505 The authors would also like to thank Alfred E. Heggestad, Ari 506 Keranen, Marc Petit-Huguenin, Dave Thaler, and Dan Wing for their 507 comments and suggestions. 509 7. References 511 7.1. Normative References 513 [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, 514 "Session Traversal Utilities for NAT (STUN)", RFC 5389, 515 October 2008. 517 [I-D.ietf-behave-turn] 518 Rosenberg, J., Mahy, R., and P. Matthews, "Traversal Using 519 Relays around NAT (TURN): Relay Extensions to Session 520 Traversal Utilities for NAT (STUN)", 521 draft-ietf-behave-turn-14 (work in progress), April 2009. 523 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 524 Requirement Levels", BCP 14, RFC 2119, March 1997. 526 7.2. Informative References 528 [I-D.ietf-mmusic-ice] 529 Rosenberg, J., "Interactive Connectivity Establishment 530 (ICE): A Protocol for Network Address Translator (NAT) 531 Traversal for Offer/Answer Protocols", 532 draft-ietf-mmusic-ice-19 (work in progress), October 2007. 534 [RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of- 535 Service Considerations", RFC 4732, December 2006. 537 Authors' Addresses 539 Simon Perreault (editor) 540 Viagenie 541 2600 boul. Laurier, suite 625 542 Quebec, QC G1V 4W1 543 Canada 545 Phone: +1 418 656 9254 546 Email: simon.perreault@viagenie.ca 547 URI: http://www.viagenie.ca 549 Jonathan Rosenberg 550 Cisco Systems 551 600 Lanidex Plaza 552 Parsippany, NJ 07054 553 US 555 Phone: +1 973 952-5000 556 Email: jdrosen@cisco.com 557 URI: http://www.jdrosen.net