One document matched: draft-ietf-tram-alpn-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-tram-alpn-01" ipr="trust200902">
<front>
<title abbrev="ALPN for STUN/TURN">Application Layer Protocol Negotiation
(ALPN) for Session Traversal Utilities for NAT (STUN) and Traversal Using
Relays around NAT (TURN)</title>
<author fullname="Prashanth Patil" initials="P." surname="Patil">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street/>
<street/>
<city>Bangalore</city>
<country>India</country>
</postal>
<email>praspati@cisco.com</email>
</address>
</author>
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Cessna Business Park, Varthur Hobli</street>
<street>Sarjapur Marathalli Outer Ring Road</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560103</code>
<country>India</country>
</postal>
<email>tireddy@cisco.com</email>
</address>
</author>
<author fullname="Gonzalo Salgueiro" initials="G." surname="Salgueiro">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>7200-12 Kit Creek Road</street>
<city>Research Triangle Park</city>
<region>NC</region>
<code>27709</code>
<country>US</country>
</postal>
<email>gsalguei@cisco.com</email>
</address>
</author>
<author fullname="Marc Petit-Huguenin" initials="M."
surname="Petit-Huguenin">
<organization>Impedance Mismatch</organization>
<address>
<postal>
<street/>
<city/>
<region/>
<code/>
<country>USA</country>
</postal>
<email>marc@petit-huguenin.org</email>
</address>
</author>
<date year="2014"/>
<workgroup>TRAM</workgroup>
<abstract>
<t>Application Layer Protocol Negotiation (ALPN) labels for the Session
Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT
(TURN) are defined in this document to allow the application layer to
negotiate STUN, TURN within the Transport Layer Security (TLS)
connection. The STUN ALPN protocol identifier and TURN ALPN identifier
applies to both TLS and Datagram Transport Layer Security (DTLS).</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>STUN can be securely transported using TLS-over-TCP (referred to as
TLS <xref target="RFC5246"/>), as specified in <xref target="RFC5389"/>,
or TLS-over-UDP (referred to as DTLS <xref target="RFC6347"/>), as
specified in <xref target="I-D.ietf-tram-stun-dtls"/>.</t>
<t>ALPN <xref target="RFC7301"/> enables an endpoint to positively
identify STUN protocol and TURN in TLS/DTLS and distinguish them from
other TLS/DTLS protocols. With ALPN, the client sends the list of
supported application protocols as part of the TLS/DTLS ClientHello
message. The server chooses a protocol and sends the selected protocol
as part of the TLS/DTLS ServerHello message. The application protocol
negotiation can thus be accomplished within the TLS/DTLS handshake,
without adding network round-trips, and allows the server to associate a
different certificate with each application protocol, if desired.</t>
<t>TURN ALPN is useful in the following scenarios:</t>
<t><list style="numbers">
<t>Consider an Enterprise network that deploys a TURN server in a
DeMilitarized Zone (DMZ) to audit all media sessions from inside the
Enterprise premises to any external peer. In this deployment, an
Enterprise firewall could use the TURN ALPN identifer to detect, and
act accordingly, the use of a TURN server outisde the Enterprise
domain (i.e., a TURN server provided by an application server,
access network etc).</t>
<t>If a firewall is configured to block all outgoing traffic except
for TCP traffic to specific ports (e.g., 443 for HTTPS), a TURN
server listening on its default ports (3478 for TCP/UDP, 5349 for
TLS) would not be reachable. However, despite the restrictions
imposed by the firewall, the TURN server can still be reached on the
allowed HTTPS port if the TURN ALPN identifier is used to establish
usage of TURN as part of the TLS handshake. In this case, the TURN
ALPN identifier sent by the client will be used by the server to
identify that the client intends to make a TURN request and it must
act as a TURN server to relay the traffic to and from the remote
peer.</t>
<t>If a TURN server is in a resource exhausted state then it could
use the TURN ALPN identifier sent by the client to identify that the
connection will be used to allocate resouces, which the server
cannot accommodate, and hence reject the (D)TLS handshake with a
fatal error.</t>
</list></t>
<t>This document defines entries ("stun") and ("turn") in the
"Application Layer Protocol Negotiation (ALPN) Protocol IDs" registry
established by <xref target="RFC7301"/> to identify the STUN protocol
and usage of TURN.</t>
</section>
<section anchor="term" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"/>.</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>The following entry is to be added to the "Application Layer Protocol
Negotiation (ALPN) Protocol IDs" registry established by <xref
target="RFC7301"/>.</t>
<t>The "stun" label identifies STUN over TLS/DTLS:</t>
<t><list style="empty">
<t>Protocol: Session Traversal Utilities for NAT (STUN)</t>
<t>Identification Sequence: 0x73 0x74 0x75 0x6E ("stun")</t>
<t>Specification: This document (RFCXXXX)</t>
</list></t>
<t>The "turn" label identifies TURN over TLS/DTLS:</t>
<t><list style="empty">
<t>Protocol: Traversal Using Relays around NAT (TURN)</t>
<t>Identification Sequence: 0x74 0x75 0x72 0x6E ("turn")</t>
<t>Specification: This document (RFCXXXX)</t>
</list></t>
</section>
<section anchor="security" title="Security Considerations">
<t>The ALPN STUN protocol identifier does not introduce any specific
security considerations beyond those detailed in the TLS ALPN Extension
specification <xref target="RFC7301"/>. It also does not impact security
of TLS/DTLS session establishment nor application data exchange.</t>
</section>
<section anchor="ack" title="Acknowledgements">
<t>This work benefited from the discussions and invaluable input by the
various members of the TRAM working group. These include Simon Perrault,
Paul Kyzivat, Brandon Williams and Andrew Hutton. Special thanks to
Martin Thomson and Oleg Moskalenko for their constructive comments,
suggestions, and early reviews that were critical to the formulation and
refinement of this document.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.5246"?>
<?rfc include="reference.RFC.5389"?>
<?rfc include="reference.RFC.6347"?>
<?rfc include="reference.RFC.7301"?>
<?rfc include="reference.I-D.ietf-tram-stun-dtls"
?>
<?rfc include="reference.I-D.mbelshe-httpbis-spdy"?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.5766'
?>
<!---->
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:58:31 |