One document matched: draft-ietf-behave-turn-tcp-07.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc compact='yes'?>
<?rfc subcompact='no'?>
<?rfc symrefs='yes'?>
<rfc category="std" ipr="trust200902" docName="draft-ietf-behave-turn-tcp-07.txt">
<front>
<title abbrev="TURN TCP">
Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations </title>
<author initials="S." surname="Perreault" fullname="Simon Perreault" role="editor">
<organization>Viagénie</organization>
<address>
<postal>
<street>2600 boul. Laurier, suite 625</street>
<city>Québec</city>
<region>QC</region>
<code>G1V 4W1</code>
<country>Canada</country>
</postal>
<phone>+1 418 656 9254</phone>
<email>simon.perreault@viagenie.ca</email>
<uri>http://www.viagenie.ca</uri>
</address>
</author>
<author initials="J.R." surname="Rosenberg"
fullname="Jonathan Rosenberg">
<organization>jdrosen.net</organization>
<address>
<postal>
<city>Monmouth</city> <region>NJ</region>
<country>US</country>
</postal>
<email>jdrosen@jdrosen.net</email>
<uri>http://www.jdrosen.net</uri>
</address>
</author>
<date year="2010" />
<area>Transport</area>
<workgroup>Behave</workgroup>
<keyword>NAT</keyword>
<keyword>TURN</keyword>
<keyword>STUN</keyword>
<abstract>
<t>This specification defines an extension of Traversal
Using Relays around NAT (TURN), a relay protocol for Network Address Translation
(NAT) traversal, to allow a TURN client to request TCP allocations, and defines
new requests and indications for the TURN server to open and accept TCP
connections with the client's peers. TURN and this extension both
purposefully restrict the ways in which the relayed address can be
used. In particular, it prevents users from running general purpose
servers from ports obtained from the TURN server.
</t> </abstract> </front>
<middle>
<section title="Introduction">
<t>
Traversal Using Relays around NAT (TURN)
<xref target="RFC5766"/> is an extension to the Session
Traversal Utilities for NAT <xref target="RFC5389"/> protocol. TURN
allows for clients to communicate with a TURN server, and ask it to
allocate ports on one of its host interfaces, and then relay traffic
between that port and the client itself. TURN, when used in concert
with STUN and Interactive Connectivity Establishment (ICE)
<xref target="RFC5245"/> form a solution for NAT traversal
for UDP-based media sessions.
</t>
<t>
However, TURN itself does not provide a way for a client to allocate a
TCP-based port on a TURN server. Such an allocation is needed for
cases where a TCP-based session is desired with a peer, and NATs
prevent a direct TCP connection. Examples include application sharing
between desktop softphones, or transmission of pictures during a voice
communications session.
</t>
<t>
This document defines an extension to TURN which allows a client to
obtain a TCP allocation. It also allows the client to initiate outgoing TCP
connections from that allocation to peers, and accept incoming TCP connection
requests from peers made towards that allocation.
</t>
<t>The term "TCP allocation" means a TURN allocation where TCP is used as the
transport protocol instead of UDP. Such an allocation is uniquely identified
by its relayed transport address, which consists of an IP address and TCP port
(defined in <xref target="RFC5766"/>).</t>
</section>
<section title="Conventions">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"/>.</t>
</section>
<section title="Overview of Operation">
<figure anchor="fig-turn-tcp-mod" title="TURN TCP Model"><artwork><![CDATA[
+--------+
| |
| Peer1 |
/ | |
/ | |
/ +--------+
/
/
/ Peer Data 1
/
+--------+ Control +--------+ /
| | -------------- | | /
| Client | Client Data 1 | TURN |
| | -------------- | Server | \
| | -------------- | | \
+--------+ Client Data 2 +--------+ \
\
\
\ +--------+
\ | |
Peer Data 2 \ | Peer2 |
\ | |
| |
+--------+
]]></artwork></figure>
<t>The overall model for TURN-TCP is shown in <xref target="fig-turn-tcp-mod"/>.
The client will have two different types of connections to its TURN server.
For each allocated relayed transport address, it will have a single control
connection. Control connections are used to obtain allocations and open up
new connections. Furthermore, for each connection to a peer, the client will
have a single connection to its TURN server. These connections are called data
connections. Consequently, there is a data connection from the client to its
TURN server (the client data connection) and one from the TURN server to a
peer (the peer data connection). Actual application data is sent on these
connections. Indeed, after an initial TURN message which binds the client data
connection to a peer data connection, only application data can be sent - no
TURN messaging. This is in contrast to the control connection, which only
allows TURN messages and not application data.</t>
<t>
To obtain a TCP-based allocation, a client first opens a TCP or TLS connection
to its TURN server. The client then sends an Allocate request over that control
connection. That request contains a REQUESTED-TRANSPORT attribute, which
indicates a TCP-based allocation is desired. A server which supports this
extension will allocate a TCP relayed transport address and begin listening for connection requests
on it. It then returns the allocated relayed transport address to the client in the response
to the Allocate request. The connection on which the Allocate request was sent
is the control connection.
</t>
<t>
If a client wishes to establish a TCP connection to a peer from that relayed
transport address, it issues a Connect request to the TURN server over the
control connection. That request contains a XOR-PEER-ADDRESS attribute
identifying the peer IP address and port (i.e. its "transport address") to which
a connection is to be made. The TURN server attempts to open the TCP connection,
and assuming it succeeds, then responds to the Connect request with a success
response. The server also creates a connection identifier associated with this
connection, and passes that connection identifier back to the client in the
success response. Note that a maximum of one connection to a given peer
transport address can be established per allocation.
</t>
<t>
<list style="empty">
<t>Note: Establishing a relayed connection from the client to a peer is done
in two steps. First, the allocation is created, and second, the connection
is established. Combining the two is not desirable for NAT traversal. It
is expected that, between the first and second steps, the client will
communicate off-band with the peer (e.g. using ICE <xref
target="RFC5245"/>) and tell it the relayed transport
address that the TURN server allocated and from which it is about to
initiate a connection. The peer can then "get ready": open holes in its
firewall, try to poke holes in a NAT, attempt a TCP simultaneous open,
etc.</t>
</list>
</t>
<t>
In order to actually send data on the new connection or otherwise
utilize it in any way, the client establishes a new TCP connection to
its TURN server. Once established, it issues a ConnectionBind request to the
server over this new connection. That request echoes back the connection
identifier to the TURN server. The TURN server uses it to correlate the two
connections. As a consequence, the TCP connection to the peer is
associated with a TCP connection to the client 1-to-1. The two
connections are now data connections. At this point, if the server
receives data from the peer, it forwards that data towards the client,
without any kind of encapsulation. Any data received by the TURN
server from the client over the client data connection are forwarded
to the peer, again without encapsulation or framing of any kind. Once
a connection has been bound using the ConnectionBind request, TURN
messaging is no longer permitted on the connection.
</t>
<t>
In a similar way, when a peer opens a TCP connection towards the relayed
transport address, the server checks if there is a permission in place for that
peer. If there is none, the connection is closed. Permissions are created with
the CreatePermission request sent over the control connection, just as for UDP
TURN. If there is a permission in place, the TURN server sends, to the client, a
ConnectionAttempt Indication over the control connection. That indication
contains a connection identifier. Once again, the client initiates a separate
TCP connection to its TURN server, and over that connection, issues a
ConnectionBind request. Once received, the TURN server will begin relaying data
back and forth. The server closes the peer data connection if no ConnectionBind
request is received after a timeout.
</t>
<t>
If the client closes a client data connection, the corresponding peer
data connection is closed. If the peer closes a peer data connection, the
corresponding client data connection is closed. In this way, the status of
the connection is directly known to the client.
</t>
<t>The TURN server will relay the data between the client and peer data
connections. End-to-end flow control is maintained by the relay process: if
the relay process is no longer able to write data to the destination of the
relayed data, the relay process stops reading data from the source.</t>
</section>
<section title="Client Processing" anchor="client">
<section title="Creating an Allocation">
<t>
To create a TCP allocation, a client MUST initiate a new TCP or TLS
connection to its TURN server, identical to the TCP or TLS procedures
defined in <xref target="RFC5766"/>. TCP allocations
cannot be obtained using a UDP association between client and server.
</t>
<t>
Once set up, a client MUST send a TURN Allocate request. That request
MUST contain a REQUESTED-TRANSPORT attribute whose value is 6,
corresponding to TCP.
</t>
<t>
The request MUST NOT include a DONT-FRAGMENT, RESERVATION-TOKEN or
EVEN-PORT attribute. The corresponding features are specific to UDP
based capabilities and are not utilized by TURN-TCP. However, a
LIFETIME attribute MAY be included, with semantics identical to the
UDP case.
</t>
<t>
The procedures for authentication of the Allocate request and
processing of success and failure responses are identical to those for
UDP.
</t>
<t>
Once a success response is received, the TCP connection to the TURN
server is called the control connection for that allocation.
</t>
</section>
<section title="Refreshing an Allocation">
<t>
The procedures for refreshing an allocation are identical to those for
UDP. Note that the Refresh MUST be sent on the control connection.
</t>
</section>
<section title="Initiating a Connection">
<t>
To initiate a TCP connection to a peer, a client MUST send a Connect
request over the control connection for the desired allocation.
The Connect request MUST include a
XOR-PEER-ADDRESS attribute containing the transport address of the
peer to which a connection is desired.
</t>
<t>
If the connection is successfully established, the client will receive
a success response. That response will contain a CONNECTION-ID
attribute. The client MUST initiate a new TCP connection to the
server, utilizing the same destination transport address to which the control
connection was established. This connection MUST be made using a
different local transport address. Authentication of the client by the
server MUST use the same method and credentials as for the control connection.
Once established, the client MUST send a ConnectionBind request over the new
connection. That request MUST include the CONNECTION-ID attribute, echoed from
the Connect Success response. When a response to the ConnectionBind request is
received, if it is a success, the TCP connection on which it was sent is called
the client data connection corresponding to the peer.
</t>
<t>
If the result of the Connect request was a Error Response, and the
response code was 447 (Connection Timeout or Failure), it means that the TURN
server was unable to connect to the peer. The client MAY retry with the same
XOR-PEER-ADDRESS attribute, but MUST wait at least 10 seconds.
</t>
<t>As with any other request, multiple Connect requests MAY be sent
simultaneously. However, Connect requests with the same XOR-PEER-ADDRESS
parameter MUST NOT be sent simultaneously.</t>
</section>
<section title="Receiving a Connection">
<t>After an Allocate request is successfully processed by the server, the
client will start receiving a
ConnectionAttempt indication each time a peer for which a permission has
been installed attempts a new connection to
the relayed transport address. This indication will contain a CONNECTION-ID and a
XOR-PEER-ADDRESS attributes. If the client wishes to accept this connection,
it MUST initiate a new TCP connection to the server, utilizing the same
destination transport address to which the control connection was
established. This connection MUST be made using a different local transport
address. Authentication of the client by the server MUST use the same method
and credentials as for the control connection. Once established, the client
MUST send a ConnectionBind request over the new connection. That request
MUST include the CONNECTION-ID attribute, echoed from the ConnectionAttempt
indication. When a response to the ConnectionBind request is received, if it
is a success, the TCP connection on which it was sent is called the client
data connection corresponding to the peer.</t>
</section>
<section title="Sending and Receiving Data">
<t>Once a client data connection is established, data sent on it by the client
will be relayed as-is to the peer by the server. Similarly, data sent by the
peer to the server will be relayed as-is to the client over the data
connection.</t>
</section>
<section title="Data Connection Maintenance">
<t>The client MUST refresh the allocation corresponding to a data connection,
using the Refresh request as defined in <xref
target="RFC5766"/>, for as long as it wants to keep the data
connection alive.</t>
<t>When the client wishes to terminate its relayed connection to the peer, it
closes the data connection to the server.</t>
<t>
<list style="empty">
<t>Note: No mechanism for keeping alive the NAT bindings (potentially on
the client data connection as well as on the peer data connection) is
included. This service is not provided by TURN-TCP. If such a feature is
deemed necessary, it can be implemented higher up the stack, in the
application protocol being tunneled inside TURN-TCP. Also, TCP
keep-alives MAY be used to keep the NAT bindings on the client data
connection alive.</t>
</list>
</t>
</section>
</section>
<section title="TURN Server Behavior" anchor="server">
<section title="Receiving a TCP Allocate Request">
<t>The process is similar to that defined in <xref
target="RFC5766"/>, Section 6.2, with the following
exceptions:</t>
<t>
<list style="numbers">
<t>If the REQUESTED-TRANSPORT attribute is included and specifies a
protocol other than UDP or TCP, the server MUST reject the request with
a 442 (Unsupported Transport Protocol) error. If the value is UDP, and
if UDP transport is allowed by local policy, the server MUST continue
with the procedures of <xref target="RFC5766"/> instead of
this document. If the value is UDP, and if UDP transport is forbidden by
local policy, the server MUST reject the request with a 403 (Forbidden)
error.</t>
<t>If the client connection transport is not TCP or TLS, the server MUST
reject the request with a 400 (Bad Request) error.</t>
<t>If the request contains the DONT-FRAGMENT, EVEN-PORT, or
RESERVATION-TOKEN attribute, the server MUST reject the request with a
400 (Bad Request) error.</t>
<t>A TCP relayed transport address MUST be allocated instead of a UDP
one.</t>
<t>The RESERVATION-TOKEN attribute MUST NOT be present in the success
response.</t>
</list>
</t>
<t>If all checks pass, the server MUST start accepting incoming TCP
connections on the relayed transport address. Refer to <xref
target="accept"/> for details.</t>
</section>
<section title="Receiving a Connect Request">
<t>When the server receives a Connect request, it processes as follows.</t>
<t>If the request is received on a TCP connection for which no allocation
exists, the server MUST return a 437 (Allocation Mismatch) error.</t>
<t>If the server is currently processing a Connect request for this allocation
with the same XOR-PEER-ADDRESS, it MUST return a 446 (Connection Already
Exists) error.</t>
<t>If the server has already successfully processed a Connect request for this
allocation with the same XOR-PEER-ADDRESS, and the resulting client and peer
data connections are either pending or active, it MUST return a 446
(Connection Already Exists) error.</t>
<t>If the request does not contain a XOR-PEER-ADDRESS attribute, or if such
attribute is invalid, the server MUST return a 400 (Bad Request) error.</t>
<t>If the new connection is forbidden by local policy, the server MUST reject
the request with a 403 (Forbidden) error.</t>
<t>Otherwise, the server MUST initiate an outgoing TCP connection. The local
endpoint is the relayed transport address associated with the allocation.
The remote endpoint is the one indicated by the XOR-PEER-ADDRESS attribute.
If the connection attempt fails or times out, the server MUST return a 447
(Connection Timeout or Failure) error. The timeout value MUST be at least 30
seconds.</t>
<t>If the connection is successful, it is now called a peer data connection.
The server MUST buffer any data received from the client. The server adjusts
its advertised TCP receive window to reflect the amount of empty buffer
space.</t>
<t>The server MUST include the CONNECTION-ID attribute in the Connect success
response. The attribute's value MUST uniquely identify the peer data
connection.</t>
<t>If no ConnectionBind request associated with this peer data connection is
received after 30 seconds, the peer data connection MUST be closed.</t>
</section>
<section title="Receiving a TCP Connection on a Relayed Transport Address" anchor="accept">
<t>When a server receives an incoming TCP connection on a relayed transport
address, it processes as follows.</t>
<t>The server MUST accept the connection. If it is not successful,
nothing is sent to the client over the control connection.</t>
<t>If the connection is successfully accepted, it is now called a peer data
connection. The server MUST buffer any data received from the peer. The
server adjusts its advertised TCP receive window to reflect the amount of
empty buffer space.</t>
<t>If no permission for this peer has been installed for this allocation, the
server MUST close the connection with the peer immediately after it has been
accepted.</t>
<t>Otherwise, the server sends a ConnectionAttempt indication to the client
over the control connection. The indication MUST include a XOR-PEER-ADDRESS
attribute containing the peer's transport address, as well as a CONNECTION-ID
attribute uniquely identifying the peer data connection.</t>
<t>If no ConnectionBind request associated with this peer data connection is
received after 30 seconds, the peer data connection MUST be closed.</t>
</section>
<section title="Receiving a ConnectionBind Request">
<t>When a server receives a ConnectionBind request, it processes as
follows.</t>
<t>If the client connection transport is not TCP or TLS, the server MUST
return a 400 (Bad Request) error.</t>
<t>If the request does not contain the CONNECTION-ID attribute, or if this
attribute does not refer to an existing pending connection, the server
MUST return a 400 (Bad Request) error.</t>
<t>Otherwise, the client connection is now called a client data connection.
Data received on it MUST be sent as-is to the associated peer data
connection.</t>
<t>Data received on the associated peer data connection MUST be sent as-is on
this client data connection. This includes data that was received after the
associated Connect or request was successfully processed and before
this ConnectionBind request was received.</t>
</section>
<section title="Data Connection Maintenance">
<t>If the allocation associated with a data connection expires, the data
connection MUST be closed.</t>
<t>When a client data connection is closed, the server MUST close the
corresponding peer data connection.</t>
<t>When a peer data connection is closed, the server MUST close the
corresponding client data connection.</t>
</section>
</section>
<section title="IANA Considerations">
<t>
This specification defines several new STUN methods, STUN attributes,
and STUN error codes. This section directs IANA to add these new
protocol elements to the IANA registry of STUN protocol elements.
</t>
<section title="New STUN Methods">
<figure>
<preamble>This section lists the codepoints for the new STUN methods defined
in this specification. See <xref target="client"/> and <xref
target="server"/> for the semantics of these new methods.</preamble>
<artwork>
0x000A : Connect
0x000B : ConnectionBind
0x000C : ConnectionAttempt
</artwork></figure></section>
<section title="New STUN Attributes">
<figure>
<preamble>This STUN extension defines the following new attributes:</preamble>
<artwork>
0x002A : CONNECTION-ID
</artwork></figure>
<section title="CONNECTION-ID">
<t>The CONNECTION-ID attributes uniquely identifies a peer data connection. It
is a 32-bit unsigned integral value.</t>
</section>
</section>
<section title="New STUN Error Codes">
<figure><artwork>
446 Connection Already Exists
447 Connection Timeout or Failure
</artwork></figure>
</section>
</section>
<section title="Security Considerations">
<t>After a TCP connection is established between the server and a peer, and
before a ConnectionBind request is received from the client, the server
buffers all data received from the peer. This protocol specification lets
the server drop the connection if the buffer size is about to exceed a
limit defined by local policy. This policy should ensure that memory
resources are not exceeded. See also <xref target="RFC4732"/>, Section
2.1.3.</t>
<t>All the security considerations applicable to STUN <xref target="RFC5389"/>
and TURN <xref target="RFC5766"/> are applicable to this
document as well.</t>
</section>
<section title="Acknowledgements">
<t>Thanks to Rohan Mahy and Philip Matthews for their initial work on
getting this document started.</t>
<t>The authors would also like to thank Alfred E. Heggestad, Ari Keranen,
Marc Petit-Huguenin, Dave Thaler, and Dan Wing for their comments and
suggestions.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.5389"?>
<?rfc include="reference.RFC.5766"?>
<?rfc include="reference.RFC.2119"?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.5245"?>
<?rfc include="reference.RFC.4732"?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:10:58 |