One document matched: draft-ietf-tram-stun-dtls-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc autobreaks="yes"?>
<?rfc tocindent="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-tram-stun-dtls-01"
ipr="trust200902" obsoletes="" submissionType="IETF" updates=""
xml:lang="en">
<front>
<title abbrev="TURN over DTLS">Datagram Transport Layer Security
(DTLS) as Transport for Session Traversal Utilities for NAT
(STUN)</title>
<author fullname="Marc Petit-Huguenin" initials="M."
surname="Petit-Huguenin">
<organization>Jive Communications</organization>
<address>
<postal>
<street>1275 West 1600 North, Suite 100</street>
<city>Orem</city>
<region>UT</region>
<code>84057</code>
<country>USA</country>
</postal>
<email>marcph@getjive.com</email>
</address>
</author>
<author fullname="Gonzalo Salgueiro" initials="G."
surname="Salgueiro">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>7200-12 Kit Creek Road</street>
<city>Research Triangle Park</city>
<region>NC</region>
<code>27709</code>
<country>US</country>
</postal>
<email>gsalguei@cisco.com</email>
</address>
</author>
<date day="24" month="March" year="2014"/>
<area>TSV</area>
<workgroup>TRAM</workgroup>
<abstract>
<t>This document specifies the usage of Datagram Transport Layer
Security (DTLS) as a transport protocol for Session Traversal
Utilities for NAT (STUN). It provides guidances on when and how
to use DTLS with the currently standardized STUN Usages. It also
specifies modifications to the STUN URIs and TURN URIs and to
the TURN resolution mechanism to facilitate the resolution of
STUN URIs and TURN URIs into the IP address and port of STUN and
TURN servers supporting DTLS as a transport protocol.</t>
</abstract>
</front>
<middle>
<section anchor="section.intro" title="Introduction" toc="default">
<t><xref format="default" pageno="false"
target="RFC5389">STUN</xref> defines Transport Layer Security
(TLS) over TCP (simply referred to as <xref format="default"
pageno="false" target="RFC5246">TLS</xref>) as the transport for
STUN due to additional security advantages it offers over plain
UDP or TCP transport. But TLS-over-TCP is not an optimal
transport when STUN is used for its originally intended purpose,
which is to support multimedia sessions. This sub-optimality
primarily stems from the added latency incurred by the TCP-based
head-of-line (HOL) blocking problem coupled with additional TLS
buffering (for integrity checks). This is a well documented and
understood transport limitation for secure real-time
communications.</t>
<t>TLS-over-UDP (referred to as <xref format="default"
pageno="false" target="RFC6347">DTLS</xref>) offers the same
security advantages as TLS-over-TCP, but without the undesirable
latency concerns.</t>
</section>
<section anchor="section.terminology" title="Terminology"
toc="default">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref format="default" pageno="false" target="RFC2119"/> when
they appear in ALL CAPS. When these words are not in ALL CAPS
(such as "must" or "Must"), they have their usual English
meanings, and are not to be interpreted as RFC 2119 key
words.</t>
</section>
<section anchor="section.transport"
title="DTLS as Transport for STUN" toc="default">
<t><xref format="default" pageno="false"
target="RFC5389">STUN</xref> defines three transports: UDP, TCP,
and TLS. This document adds DTLS as a valid transport for
STUN.</t>
<t>STUN over DTLS MUST use the same retransmission rules as STUN
over UDP (as described in Section 7.2.1 of <xref
format="default" pageno="false" target="RFC5389"/>). It MUST
also use the same rules that are described in Section 7.2.2 of
<xref format="default" pageno="false" target="RFC5389"/> to
verify the server identity. STUN over DTLS MUST, at a minimum,
support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. [[TODO: Do we want to
specify that implementations MUST favor cipher suites which
support PFS over non-PFS cipher suites]]. The same rules
established in Section 7.2.2 of <xref format="default"
pageno="false" target="RFC5389"/> for keeping open and closing
TCP/TLS connections MUST be used as well for DTLS
associations.</t>
<t>In addition to the path MTU rules described in Section 7.1 of
<xref format="default" pageno="false" target="RFC5389"/>, if the
path MTU is unknown, the actual STUN message needs to be
adjusted to take into account the size of the (13-byte) DTLS
Record header, the MAC size, the padding size and the eventual
compression applied to the payload.</t>
<t>By default, STUN over DTLS MUST use port 5349, the same port
as STUN over TLS. However, the SRV procedures can be implemented
to use a different port (as described in Section 9 of <xref
format="default" pageno="false" target="RFC5389"/>). When using
SRV records, the service name MUST be set to "stuns" and the
application name to "udp".</t>
<t><xref format="default" pageno="false"
target="RFC3489">Classic STUN</xref> defines only UDP as a
transport and DTLS MUST NOT be used. Any STUN request or
indication without the magic cookie over DTLS MUST always result
in an error.</t>
</section>
<section anchor="section.usages" title="STUN Usages" toc="default">
<t><xref format="default" pageno="false" target="RFC5389"/>
Section 7.2 states that STUN usages must specify which transport
protocol is used. The following sections discuss if and how the
existing STUN usages are used with DTLS as the transport. Future
STUN usages MUST take into account DTLS as a transport and
discuss its applicability.</t>
<section anchor="section.usages.nat-discovery"
title="NAT Discovery Usage" toc="default">
<t>As stated by Section 13 of <xref format="default"
pageno="false" target="RFC5389"/>, "...TLS provides minimal
security benefits..." for this particular STUN usage. DTLS
will also similarly offer only limited benefit. This is
because the only mandatory attribute that is TLS/DTLS
protected is the XOR-MAPPED-ADDRESS, which is already known by
an on-path attacker, since it is the same as the source
address and port of the STUN request. On the other hand, using
TLS/DTLS will prevent an active attacker to inject
XOR-MAPPED-ADDRESS in responses. The TLS/DTLS transport will
also protect the SOFTWARE attribute, which can be used to find
vulnerabilities in STUN implementations.</t>
<t>Regardless, this usage is rarely used by itself, since
<xref format="default" pageno="false"
target="RFC5766">TURN</xref> is generally mandatory to use
with <xref format="default" pageno="false"
target="RFC5245">ICE</xref>, and TURN provides the same NAT
Discovery feature as part of an Allocation creation. In fact,
with ICE, the NAT Discovery usage is only used when there is
no longer any resource available for new Allocations in the
TURN server.</t>
<section anchor="section.usages.nat-discovery.uris"
title="DTLS Support in STUN URIs" toc="default">
<t>This document does not make any changes to the syntax of
a <xref format="default" pageno="false"
target="RFC7064">STUN URI</xref>. As indicated in Section
3.2 of <xref format="default" pageno="false"
target="RFC7064"/>, secure transports like STUN over TLS,
and now STUN over DTLS, MUST use the "stuns" URI scheme.</t>
<t>The <host> value MUST be used when using the rules
in Section 7.2.2 of <xref format="default" pageno="false"
target="RFC5389"/> to verify the server identity. [[TODO:
What happens if an IP address is used in the URI? Should we
forbid that?]]</t>
</section>
</section>
<section anchor="section.usages.rfc5245.7"
title="Connectivity Check Usage" toc="default">
<t>Using DTLS would hide the USERNAME, PRIORITY,
USE-CANDIDATE, ICE-CONTROLLED and ICE-CONTROLLING attributes.
But because MESSAGE-INTEGRITY protects the entire STUN
response using a password that is known only by looking at the
SDP exchanged, it is not possible for an attacker to inject an
incorrect XOR-MAPPED-ADDRESS, which would subsequently be used
as a peer reflexive candidate.</t>
<t>Adding DTLS on top of the connectivity check would delay,
and consequently impair, the ICE process. There is, in fact, a
proposal (<xref format="default" pageno="false"
target="I-D.thomson-rtcweb-ice-dtls"/>) to use the DTLS
handshake used by the WebRTC SRTP streams as a replacement for
the connectivity checks, proving that adding additional
round-trips to ICE is undesirable.</t>
<t>This usage MUST NOT be used with a STUN URI.</t>
</section>
<section anchor="section.usages.rfc5245.20"
title="Media Keep-Alive Usage" toc="default">
<t>The media keep-alive (described in Section 20 of <xref
format="default" pageno="false" target="RFC5245"/>) runs
inside an RTP or RTCP session, so it is already protected if
the RTP or RTCP session is also protected (i.e., SRTP/SRTCP).
Adding DTLS inside the SRTP/SRTCP session would add overhead,
with minimal security benefit.</t>
<t>This usage MUST NOT be used with a STUN URI.</t>
</section>
<section anchor="section.usages.rfc5626"
title="SIP Keep-Alive Usage" toc="default">
<t>The SIP keep-alive (described in <xref format="default"
pageno="false" target="RFC5626"/>) runs inside a SIP flow.
This flow would be protected if a SIP over DTLS transport
mechanism is implemented (such as described in <xref
format="default" pageno="false"
target="I-D.jennings-sip-dtls"/>).</t>
<t>This usage MUST NOT be used with a STUN URI.</t>
</section>
<section anchor="section.usages.rfc5780"
title="NAT Behavior Discovery Usage" toc="default">
<t>The NAT Behavior Discovery usage is Experimental and to
date has never being effectively deployed. Despite this, using
DTLS would add the same security properties as for the <xref
format="default" pageno="false"
target="section.usages.nat-discovery">NAT Discovery
Usage</xref>.</t>
<t>The STUN URI can be used to access the NAT Discovery
feature of a NAT Behavior Discovery server, but accessing the
full features would require definition of a "stun-behaviors:"
URI, which is out of scope for this document.</t>
</section>
<section anchor="section.usages.rfc5766" title="TURN Usage"
toc="default">
<t><xref format="default" pageno="false"
target="RFC5766">TURN</xref> defines three combinations of
transports/allocations: UDP/UDP, TCP/UDP and TLS/UDP. This
document adds DTLS/UDP as a valid combination. A TURN server
using DTLS MUST implement the denial-of-service
counter-measure described in Section 4.2.1 of <xref
format="default" pageno="false" target="RFC6347"/>.</t>
<t><xref format="default" pageno="false" target="RFC6062"/>
states that TCP allocations cannot be obtained using a UDP
association between client and server. The fact that DTLS uses
UDP implies that TCP allocations MUST NOT be obtained using a
DTLS association between client and server.</t>
<t>By default, TURN over DTLS uses port 5349, the same port as
TURN over TLS. However, the SRV procedures can be implemented
to use a different port (as described in Section 6 of <xref
format="default" pageno="false" target="RFC5766"/>. When using
SRV records, the service name MUST be set to "turns" and the
application name to "udp".</t>
<section anchor="section.uris"
title="DTLS Support in TURN URIs" toc="default">
<t>This document does not make any changes to the syntax of
a <xref format="default" pageno="false"
target="RFC7065">TURN URI</xref>. As indicated in Section 3
of <xref format="default" pageno="false" target="RFC7065"/>,
secure transports like TURN over TLS, and now TURN over
DTLS, MUST use the "turns" URI scheme. When using the
"turns" URI scheme to designate TURN over DTLS, the
transport value of the TURN URI, if set, MUST be "udp".</t>
</section>
<section anchor="section.resolution"
title="Resolution Mechanism for TURN over DTLS"
toc="default">
<t>This document defines a new Straightforward Naming
Authority Pointer (S-NAPTR) application protocol tag:
"turn.dtls".</t>
<t>The <transport> component, as provisioned or
resulting from the parsing of a TURN URI, is passed without
modification to the TURN resolution mechanism defined in
Section 3 of <xref format="default" pageno="false"
target="RFC5928"/>, but with the following alterations to
that algorithm:</t>
<t><list style="symbols">
<t>The acceptable values for transport name are extended
with the addition of "dtls".</t>
<t>The acceptable values in the ordered list of
supported TURN transports is extended with the addition
of "Datagram Transport Layer Security (DTLS)".</t>
<t>The resolution algorithm ckeck rules list is extended
with the addition of the following step: <list
style="empty">
<t>If <secure> is true and <transport>
is defined as "udp" but the list of TURN transports
supported by the application does not contain DTLS,
then the resolution MUST stop with an error.</t>
</list></t>
<t>The 5th rule of the resolution algorithm check rules
list is modified to read like this: <list style="none">
<t>If <secure> is true and <transport>
is not defined but the list of TURN transports
supported by the application does not contain TLS or
DTLS, then the resolution MUST stop with an
error.</t>
</list></t>
<t>Table 1 is modified to add the following line:</t>
</list></t>
<texttable align="center" style="full"
suppress-title="false" title="">
<ttcol align="left"><secure></ttcol>
<ttcol align="left"><transport></ttcol>
<ttcol align="left">TURN Transport</ttcol>
<c>true</c>
<c>"udp"</c>
<c>DTLS</c>
</texttable>
<t><list style="symbols">
<t>In step 1 of the resolution algorithm the default
port for DTLS is 5349.</t>
<t>In step 4 of the resolution algorithm the following
is added to the list of conversions between the filtered
list of TURN transports supported by the application and
application protocol tags: <list style="empty">
<t>"turn.dtls" is used if the TURN transport is
DTLS.</t>
</list></t>
</list></t>
<t>Note that using the <xref format="default" pageno="false"
target="RFC5928"/> resolution mechanism does not imply that
additional round trips to the DNS server will be needed
(e.g., the TURN client will start immediately if the TURN
URI contains an IP address).</t>
</section>
</section>
</section>
<section anchor="section.ref-impl" title="Implementation Status"
toc="default">
<t>[[Note to RFC Editor: Please remove this section and the
reference to <xref format="default" pageno="false"
target="RFC6982"/> before publication.]]</t>
<t>This section records the status of known implementations of
the protocol defined by this specification at the time of
posting of this Internet-Draft, and is based on a proposal
described in <xref format="default" pageno="false"
target="RFC6982"/>. The description of implementations in this
section is intended to assist the IETF in its decision processes
in progressing drafts to RFCs. Please note that the listing of
any individual implementation here does not imply endorsement by
the IETF. Furthermore, no effort has been spent to verify the
information presented here that was supplied by IETF
contributors. This is not intended as, and must not be construed
to be, a catalog of available implementations or their features.
Readers are advised to note that other implementations may
exist.</t>
<t>According to <xref format="default" pageno="false"
target="RFC6982"/>, "this will allow reviewers and working
groups to assign due consideration to documents that have the
benefit of running code, which may serve as evidence of valuable
experimentation and feedback that have made the implemented
protocols more mature. It is up to the individual working groups
to use this information as they see fit".</t>
<section anchor="section.impl-status.turnuri" title="turnuri"
toc="default">
<t><list style="hanging">
<t hangText="Organization: ">Impedance Mismatch</t>
<t hangText="Name: ">turnuri 0.5.0
http://debian.implementers.org/stable/source/turnuri.tar.gz</t>
<t hangText="Description: ">A reference implementation of
the URI and resolution mechanism defined in this document,
<xref format="default" pageno="false" target="RFC7065">RFC
7065</xref> and <xref format="default" pageno="false"
target="RFC5928">RFC 5928</xref>.</t>
<t hangText="Level of maturity: ">Beta.</t>
<t hangText="Coverage: ">Fully implements the URIs and
resolution mechanism defined in this specification, in RFC
7065 and in RFC 5928.</t>
<t hangText="Licensing: ">AGPL3</t>
<t hangText="Implementation experience: ">TBD</t>
<t hangText="Contact: ">Marc Petit-Huguenin
<marc@petit-huguenin.org>.</t>
</list></t>
</section>
<section anchor="section.impl-status.rfc5766-turn-server"
title="rfc5766-turn-server" toc="default">
<t><list style="hanging">
<t hangText="Organization: ">This is a public project, the
full list of authors and contributors here:
http://turnserver.open-sys.org/downloads/AUTHORS.</t>
<t
hangText="Name: ">http://code.google.com/p/rfc5766-turn-server/</t>
<t hangText="Description: ">A mature open-source TURN
server specs implementation (RFC 5766, RFC 6062, RFC 6156,
etc) designed for high-performance applications,
especially geared for WebRTC.</t>
<t hangText="Level of maturity: ">Production level.</t>
<t hangText="Coverage: ">Fully implements DTLS with TURN
protocol.</t>
<t hangText="Licensing: ">BSD:
http://turnserver.open-sys.org/downloads/LICENSE</t>
<t hangText="Implementation experience: ">DTLS is
recommended for secure media applications. It has benefits
of both UDP and TLS.</t>
<t hangText="Contact: ">Oleg Moskalenko
<mom040267@gmail.com></t>
</list></t>
</section>
</section>
<section anchor="section.security" title="Security Considerations"
toc="default">
<t>STUN over DTLS as a STUN transport does not introduce any
specific security considerations beyond those for STUN over TLS
detailed in <xref format="default" pageno="false"
target="RFC5389"/>.</t>
<t>The usage of "udp" as a transport parameter with the "stuns"
URI scheme does not introduce any specific security issues
beyond those discussed in <xref format="default" pageno="false"
target="RFC7064"/>.</t>
<t>TURN over DTLS as a TURN transport does not introduce any
specific security considerations beyond those for TURN over TLS
detailed in <xref format="default" pageno="false"
target="RFC5766"/>.</t>
<t>The usage of "udp" as a transport parameter with the "turns"
URI scheme does not introduce any specific security issues
beyond those discussed in <xref format="default" pageno="false"
target="RFC7065"/>.</t>
<t>The new S-NAPTR application protocol tag defined in this
document as well as the modifications this document makes to the
TURN resolution mechanism described in <xref format="default"
pageno="false" target="RFC5928"/> do not introduce any
additional security considerations beyond those outlined in
<xref format="default" pageno="false" target="RFC5928"/>.</t>
</section>
<section anchor="section.iana" title="IANA Considerations"
toc="default">
<section anchor="section.iana.tag"
title="S-NAPTR application protocol tag" toc="default">
<t>This specification contains the registration information
for one S-NAPTR application protocol tag (in accordance with
<xref format="default" pageno="false" target="RFC3958"/>).</t>
<t><list style="hanging">
<t hangText="Application Protocol Tag: ">turn.dtls</t>
<t hangText="Intended Usage: ">See <xref format="default"
pageno="false" target="section.resolution"/></t>
<t hangText="Interoperability considerations: ">N/A</t>
<t hangText="Security considerations: ">See <xref
format="default" pageno="false"
target="section.security"/></t>
<t hangText="Relevant publications: ">This document</t>
<t hangText="Contact information: ">Marc
Petit-Huguenin</t>
<t hangText="Author/Change controller: ">The IESG</t>
</list></t>
</section>
<section anchor="section.iana.port-number"
title="Service Name and Transport Protocol Port Number"
toc="default">
<t>This specification contains the registration information
for two Service Name and Transport Protocol Port Numbers (in
accordance with <xref format="default" pageno="false"
target="RFC6335"/>).</t>
<section anchor="section.iana.port-number.stuns"
title="The stuns Service Name" toc="default">
<t><list style="hanging">
<t hangText="Service Name: ">stuns</t>
<t hangText="Transport Protocol(s): ">UDP</t>
<t hangText="Assignee: ">IESG</t>
<t hangText="Contact: ">Marc Petit-Huguenin</t>
<t hangText="Description: ">STUN over DTLS</t>
<t hangText="Reference: ">This document</t>
<t hangText="Port Number: ">5349</t>
</list></t>
</section>
<section anchor="section.iana.port-number.turns"
title="The turns Service Name" toc="default">
<t><list style="hanging">
<t hangText="Service Name: ">turns</t>
<t hangText="Transport Protocol(s): ">UDP</t>
<t hangText="Assignee: ">IESG</t>
<t hangText="Contact: ">Marc Petit-Huguenin</t>
<t hangText="Description: ">TURN over DTLS</t>
<t hangText="Reference: ">This document</t>
<t hangText="Port Number: ">5349</t>
</list></t>
</section>
</section>
</section>
<section anchor="section.acknowledgements"
title="Acknowledgements" toc="default">
<t>Thanks to Alan Johnston, Oleg Moskalenko, and Simon Perreault
for the comments, suggestions, and questions that helped improve
this document.</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor="RFC2119">
<front>
<title abbrev="RFC Key Words">Key words for use in RFCs to
Indicate Requirement Levels</title>
<author fullname="Scott Bradner" initials="S."
surname="Bradner">
<organization>Harvard University</organization>
<address>
<postal>
<street>1350 Mass. Ave.</street>
<street>Cambridge</street>
<street>MA 02138</street>
</postal>
<phone>- +1 617 495 3864</phone>
<email>sob@harvard.edu</email>
</address>
</author>
<date month="March" year="1997"/>
<area>General</area>
<keyword>keyword</keyword>
<abstract>
<t>In many standards track documents several words are
used to signify the requirements in the specification.
These words are often capitalized. This document defines
these words as they should be interpreted in IETF
documents. Authors who follow these guidelines should
incorporate this phrase near the beginning of their
document: <list>
<t>The key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in RFC 2119.</t>
</list></t>
<t>Note that the force of these words is modified by the
requirement level of the document in which they are
used.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<format octets="4723"
target="http://www.rfc-editor.org/rfc/rfc2119.txt"
type="TXT"/>
<format octets="17970"
target="http://xml.resource.org/public/rfc/html/rfc2119.html"
type="HTML"/>
<format octets="5777"
target="http://xml.resource.org/public/rfc/xml/rfc2119.xml"
type="XML"/>
</reference>
<reference anchor="RFC3489">
<front>
<title>STUN - Simple Traversal of User Datagram Protocol
(UDP) Through Network Address Translators (NATs)</title>
<author fullname="J. Rosenberg" initials="J."
surname="Rosenberg">
<organization/>
</author>
<author fullname="J. Weinberger" initials="J."
surname="Weinberger">
<organization/>
</author>
<author fullname="C. Huitema" initials="C."
surname="Huitema">
<organization/>
</author>
<author fullname="R. Mahy" initials="R." surname="Mahy">
<organization/>
</author>
<date month="March" year="2003"/>
<abstract>
<t>Simple Traversal of User Datagram Protocol (UDP)
Through Network Address Translators (NATs) (STUN) is a
lightweight protocol that allows applications to discover
the presence and types of NATs and firewalls between them
and the public Internet. It also provides the ability for
applications to determine the public Internet Protocol
(IP) addresses allocated to them by the NAT. STUN works
with many existing NATs, and does not require any special
behavior from them. As a result, it allows a wide variety
of applications to work through existing NAT
infrastructure. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3489"/>
<format octets="117562"
target="http://www.rfc-editor.org/rfc/rfc3489.txt"
type="TXT"/>
</reference>
<reference anchor="RFC3958">
<front>
<title>Domain-Based Application Service Location Using SRV
RRs and the Dynamic Delegation Discovery Service
(DDDS)</title>
<author fullname="L. Daigle" initials="L." surname="Daigle">
<organization/>
</author>
<author fullname="A. Newton" initials="A." surname="Newton">
<organization/>
</author>
<date month="January" year="2005"/>
<abstract>
<t>This memo defines a generalized mechanism for
application service naming that allows service location
without relying on rigid domain naming conventions
(so-called name hacks). The proposal defines a Dynamic
Delegation Discovery System (DDDS) Application to map
domain name, application service name, and application
protocol dynamically to target server and port.
[STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3958"/>
<format octets="54568"
target="http://www.rfc-editor.org/rfc/rfc3958.txt"
type="TXT"/>
</reference>
<reference anchor="RFC5245">
<front>
<title>Interactive Connectivity Establishment (ICE): A
Protocol for Network Address Translator (NAT) Traversal for
Offer/Answer Protocols</title>
<author fullname="J. Rosenberg" initials="J."
surname="Rosenberg">
<organization/>
</author>
<date month="April" year="2010"/>
<abstract>
<t>This document describes a protocol for Network Address
Translator (NAT) traversal for UDP-based multimedia
sessions established with the offer/answer model. This
protocol is called Interactive Connectivity Establishment
(ICE). ICE makes use of the Session Traversal Utilities
for NAT (STUN) protocol and its extension, Traversal Using
Relay NAT (TURN). ICE can be used by any protocol
utilizing the offer/answer model, such as the Session
Initiation Protocol (SIP). [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5245"/>
<format octets="285120"
target="http://www.rfc-editor.org/rfc/rfc5245.txt"
type="TXT"/>
</reference>
<reference anchor="RFC5246">
<front>
<title>The Transport Layer Security (TLS) Protocol Version
1.2</title>
<author fullname="T. Dierks" initials="T." surname="Dierks">
<organization/>
</author>
<author fullname="E. Rescorla" initials="E."
surname="Rescorla">
<organization/>
</author>
<date month="August" year="2008"/>
<abstract>
<t>This document specifies Version 1.2 of the Transport
Layer Security (TLS) protocol. The TLS protocol provides
communications security over the Internet. The protocol
allows client/server applications to communicate in a way
that is designed to prevent eavesdropping, tampering, or
message forgery. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5246"/>
<format octets="222395"
target="http://www.rfc-editor.org/rfc/rfc5246.txt"
type="TXT"/>
</reference>
<reference anchor="RFC5389">
<front>
<title>Session Traversal Utilities for NAT (STUN)</title>
<author fullname="J. Rosenberg" initials="J."
surname="Rosenberg">
<organization/>
</author>
<author fullname="R. Mahy" initials="R." surname="Mahy">
<organization/>
</author>
<author fullname="P. Matthews" initials="P."
surname="Matthews">
<organization/>
</author>
<author fullname="D. Wing" initials="D." surname="Wing">
<organization/>
</author>
<date month="October" year="2008"/>
<abstract>
<t>Session Traversal Utilities for NAT (STUN) is a
protocol that serves as a tool for other protocols in
dealing with Network Address Translator (NAT) traversal.
It can be used by an endpoint to determine the IP address
and port allocated to it by a NAT. It can also be used to
check connectivity between two endpoints, and as a
keep-alive protocol to maintain NAT bindings. STUN works
with many existing NATs, and does not require any special
behavior from them.</t><t> STUN is not a NAT
traversal solution by itself. Rather, it is a tool to be
used in the context of a NAT traversal solution. This is
an important change from the previous version of this
specification (RFC 3489), which presented STUN as a
complete solution.</t><t> This document
obsoletes RFC 3489. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5389"/>
<format octets="125650"
target="http://www.rfc-editor.org/rfc/rfc5389.txt"
type="TXT"/>
</reference>
<reference anchor="RFC5626">
<front>
<title>Managing Client-Initiated Connections in the Session
Initiation Protocol (SIP)</title>
<author fullname="C. Jennings" initials="C."
surname="Jennings">
<organization/>
</author>
<author fullname="R. Mahy" initials="R." surname="Mahy">
<organization/>
</author>
<author fullname="F. Audet" initials="F." surname="Audet">
<organization/>
</author>
<date month="October" year="2009"/>
<abstract>
<t>The Session Initiation Protocol (SIP) allows proxy
servers to initiate TCP connections or to send
asynchronous UDP datagrams to User Agents in order to
deliver requests. However, in a large number of real
deployments, many practical considerations, such as the
existence of firewalls and Network Address Translators
(NATs) or the use of TLS with server-provided
certificates, prevent servers from connecting to User
Agents in this way. This specification defines behaviors
for User Agents, registrars, and proxy servers that allow
requests to be delivered on existing connections
established by the User Agent. It also defines keep-alive
behaviors needed to keep NAT bindings open and specifies
the usage of multiple connections from the User Agent to
its registrar. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5626"/>
<format octets="116344"
target="http://www.rfc-editor.org/rfc/rfc5626.txt"
type="TXT"/>
</reference>
<reference anchor="RFC5766">
<front>
<title>Traversal Using Relays around NAT (TURN): Relay
Extensions to Session Traversal Utilities for NAT
(STUN)</title>
<author fullname="R. Mahy" initials="R." surname="Mahy">
<organization/>
</author>
<author fullname="P. Matthews" initials="P."
surname="Matthews">
<organization/>
</author>
<author fullname="J. Rosenberg" initials="J."
surname="Rosenberg">
<organization/>
</author>
<date month="April" year="2010"/>
<abstract>
<t>If a host is located behind a NAT, then in certain
situations it can be impossible for that host to
communicate directly with other hosts (peers). In these
situations, it is necessary for the host to use the
services of an intermediate node that acts as a
communication relay. This specification defines a
protocol, called TURN (Traversal Using Relays around NAT),
that allows the host to control the operation of the relay
and to exchange packets with its peers using the relay.
TURN differs from some other relay control protocols in
that it allows a client to communicate with multiple peers
using a single relay address. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5766"/>
<format octets="172112"
target="http://www.rfc-editor.org/rfc/rfc5766.txt"
type="TXT"/>
</reference>
<reference anchor="RFC5928">
<front>
<title>Traversal Using Relays around NAT (TURN) Resolution
Mechanism</title>
<author fullname="M. Petit-Huguenin" initials="M."
surname="Petit-Huguenin">
<organization/>
</author>
<date month="August" year="2010"/>
<abstract>
<t>This document defines a resolution mechanism to
generate a list of server transport addresses that can be
tried to create a Traversal Using Relays around NAT (TURN)
allocation. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5928"/>
<format octets="23993"
target="http://www.rfc-editor.org/rfc/rfc5928.txt"
type="TXT"/>
</reference>
<reference anchor="RFC6062">
<front>
<title>Traversal Using Relays around NAT (TURN) Extensions
for TCP Allocations</title>
<author fullname="S. Perreault" initials="S."
surname="Perreault">
<organization/>
</author>
<author fullname="J. Rosenberg" initials="J."
surname="Rosenberg">
<organization/>
</author>
<date month="November" year="2010"/>
<abstract>
<t>This specification defines an extension of Traversal
Using Relays around NAT (TURN), a relay protocol for
Network Address Translator (NAT) traversal. This extension
allows a TURN client to request TCP allocations, and
defines new requests and indications for the TURN server
to open and accept TCP connections with the client\'s
peers. TURN and this extension both purposefully restrict
the ways in which the relayed address can be used. In
particular, it prevents users from running general-purpose
servers from ports obtained from the TURN server.
[STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6062"/>
<format octets="28978"
target="http://www.rfc-editor.org/rfc/rfc6062.txt"
type="TXT"/>
</reference>
<reference anchor="RFC6335">
<front>
<title>Internet Assigned Numbers Authority (IANA) Procedures
for the Management of the Service Name and Transport
Protocol Port Number Registry</title>
<author fullname="M. Cotton" initials="M." surname="Cotton">
<organization/>
</author>
<author fullname="L. Eggert" initials="L." surname="Eggert">
<organization/>
</author>
<author fullname="J. Touch" initials="J." surname="Touch">
<organization/>
</author>
<author fullname="M. Westerlund" initials="M."
surname="Westerlund">
<organization/>
</author>
<author fullname="S. Cheshire" initials="S."
surname="Cheshire">
<organization/>
</author>
<date month="August" year="2011"/>
<abstract>
<t>This document defines the procedures that the Internet
Assigned Numbers Authority (IANA) uses when handling
assignment and other requests related to the Service Name
and Transport Protocol Port Number registry. It also
discusses the rationale and principles behind these
procedures and how they facilitate the long-term
sustainability of the registry.</t><t> This
document updates IANA's procedures by obsoleting the
previous UDP and TCP port assignment procedures defined in
Sections 8 and 9.1 of the IANA Allocation Guidelines, and
it updates the IANA service name and port assignment
procedures for UDP-Lite, the Datagram Congestion Control
Protocol (DCCP), and the Stream Control Transmission
Protocol (SCTP). It also updates the DNS SRV specification
to clarify what a service name is and how it is
registered. This memo documents an Internet Best Current
Practice.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="165"/>
<seriesInfo name="RFC" value="6335"/>
<format octets="79088"
target="http://www.rfc-editor.org/rfc/rfc6335.txt"
type="TXT"/>
</reference>
<reference anchor="RFC6347">
<front>
<title>Datagram Transport Layer Security Version 1.2</title>
<author fullname="E. Rescorla" initials="E."
surname="Rescorla">
<organization/>
</author>
<author fullname="N. Modadugu" initials="N."
surname="Modadugu">
<organization/>
</author>
<date month="January" year="2012"/>
<abstract>
<t>This document specifies version 1.2 of the Datagram
Transport Layer Security (DTLS) protocol. The DTLS
protocol provides communications privacy for datagram
protocols. The protocol allows client/server applications
to communicate in a way that is designed to prevent
eavesdropping, tampering, or message forgery. The DTLS
protocol is based on the Transport Layer Security (TLS)
protocol and provides equivalent security guarantees.
Datagram semantics of the underlying transport are
preserved by the DTLS protocol. This document updates DTLS
1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6347"/>
<format octets="73546"
target="http://www.rfc-editor.org/rfc/rfc6347.txt"
type="TXT"/>
</reference>
<reference anchor="RFC7064">
<front>
<title>URI Scheme for the Session Traversal Utilities for
NAT (STUN) Protocol</title>
<author fullname="S. Nandakumar" initials="S."
surname="Nandakumar">
<organization/>
</author>
<author fullname="G. Salgueiro" initials="G."
surname="Salgueiro">
<organization/>
</author>
<author fullname="P. Jones" initials="P." surname="Jones">
<organization/>
</author>
<author fullname="M. Petit-Huguenin" initials="M."
surname="Petit-Huguenin">
<organization/>
</author>
<date month="November" year="2013"/>
<abstract>
<t>This document specifies the syntax and semantics of the
Uniform Resource Identifier (URI) scheme for the Session
Traversal Utilities for NAT (STUN) protocol.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7064"/>
<format octets="15045"
target="http://www.rfc-editor.org/rfc/rfc7064.txt"
type="TXT"/>
</reference>
<reference anchor="RFC7065">
<front>
<title>Traversal Using Relays around NAT (TURN) Uniform
Resource Identifiers</title>
<author fullname="M. Petit-Huguenin" initials="M."
surname="Petit-Huguenin">
<organization/>
</author>
<author fullname="S. Nandakumar" initials="S."
surname="Nandakumar">
<organization/>
</author>
<author fullname="G. Salgueiro" initials="G."
surname="Salgueiro">
<organization/>
</author>
<author fullname="P. Jones" initials="P." surname="Jones">
<organization/>
</author>
<date month="November" year="2013"/>
<abstract>
<t>This document specifies the syntax of Uniform Resource
Identifier (URI) schemes for the Traversal Using Relays
around NAT (TURN) protocol. It defines two URI schemes to
provision the TURN Resolution Mechanism (RFC 5928).</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7065"/>
<format octets="16143"
target="http://www.rfc-editor.org/rfc/rfc7065.txt"
type="TXT"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="RFC6982">
<front>
<title>Improving Awareness of Running Code: The
Implementation Status Section</title>
<author fullname="Y. Sheffer" initials="Y."
surname="Sheffer">
<organization/>
</author>
<author fullname="A. Farrel" initials="A." surname="Farrel">
<organization/>
</author>
<date month="July" year="2013"/>
<abstract>
<t>This document describes a simple process that allows
authors of Internet-Drafts to record the status of known
implementations by including an Implementation Status
section. This will allow reviewers and working groups to
assign due consideration to documents that have the
benefit of running code, which may serve as evidence of
valuable experimentation and feedback that have made the
implemented protocols more mature.</t><t> The
process in this document is offered as an experiment.
Authors of Internet-Drafts are encouraged to consider
using the process for their documents, and working groups
are invited to think about applying the process to all of
their protocol specifications. The authors of this
document intend to collate experiences with this
experiment and to report them to the community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6982"/>
<format octets="19358"
target="http://www.rfc-editor.org/rfc/rfc6982.txt"
type="TXT"/>
</reference>
<reference anchor="I-D.thomson-rtcweb-ice-dtls">
<front>
<title>Using Datagram Transport Layer Security (DTLS) For
Interactivity Connectivity Establishment (ICE) Connectivity
Checking: ICE-DTLS</title>
<author fullname="Martin Thomson" initials="M"
surname="Thomson">
<organization/>
</author>
<date day="27" month="March" year="2012"/>
<abstract>
<t>Interactivity Connectivity Establishment (ICE)
connectivity checking using the Datagram Transport Layer
Security (DTLS) handshake is described. The DTLS handshake
provides sufficient information to identify valid
candidates and establish consent.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft"
value="draft-thomson-rtcweb-ice-dtls-00"/>
<format target="http://www.ietf.org/internet-drafts/draft-thomson-rtcweb-ice-dtls-00.txt"
type="TXT"/>
</reference>
<reference anchor="I-D.jennings-sip-dtls">
<front>
<title>Using Interactive Connectivity Establishment (ICE) in
Web Real-Time Communications (WebRTC)</title>
<author fullname="Cullen Jennings" initials="C."
surname="Jennings">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>170 West Tasman Drive</street>
<street>MS: SJC-21/2</street>
<city>San Jose</city>
<region>CA</region>
<code>95134</code>
<country>USA</country>
</postal>
<phone>+1 408 902-3341</phone>
<email>fluffy@cisco.com</email>
</address>
</author>
<author fullname="Nagendra Modadugu" initials="N."
surname="Modadugu">
<organization>Google, Inc.</organization>
<address>
<postal>
<street>1600 Ampitheatre Parkway</street>
<city>Muntain View</city>
<region>CA</region>
<code>94043</code>
<country>USA</country>
</postal>
<email>ngm@google.com</email>
</address>
</author>
<date day="10" month="October" year="2007"/>
<abstract>
<t>This specification defines how to use Datagram
Transport Layer Security (DTLS) as a transport for Session
Initiation Protocol (SIP). DTLS is a protocol for
providing Transport Layer Security (TLS) security over a
datagram protocol. This specification also specifies the
IANA registrations for using SIP with Datagram Congestion
Control Protocol (DCCP). DTLS can be used with either UDP
or the Datagram Congestion Control Protocol (DCCP). To
accommodate this, this specification also defines how to
use SIP directly over DCCP.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft"
value="draft-jennings-sip-dtls-05"/>
<format target="http://www.ietf.org/internet-drafts/draft-jennings-sip-dtls-05.txt"
type="TXT"/>
</reference>
</references>
<section anchor="appendix.examples" title="Examples" toc="default">
<t><xref format="default" pageno="false" target="example.1"/>
shows how the <secure>, <port> and <transport>
components are populated for a TURN URI that uses DTLS as its
transport. For all these examples, the <host> component is
populated with "example.net".</t>
<texttable align="center" anchor="example.1" style="full"
suppress-title="false" title="">
<ttcol align="left">URI</ttcol>
<ttcol align="left"><secure></ttcol>
<ttcol align="left"><port></ttcol>
<ttcol align="left"><transport></ttcol>
<c>turns:example.net?transport=udp</c>
<c>true</c>
<c/>
<c>DTLS</c>
</texttable>
<t>With the DNS RRs in <xref format="default" pageno="false"
target="example.2"/> and an ordered TURN transport list of
{DTLS, TLS, TCP, UDP}, the resolution algorithm will convert the
TURN URI "turns:example.net" to the ordered list of IP address,
port, and protocol tuples in <xref format="default"
pageno="false" target="table.2"/>.</t>
<figure align="left" alt="" anchor="example.2" height=""
suppress-title="false" title="" width="">
<artwork align="left" alt="" height="" name="" type=""
width="" xml:space="preserve"><![CDATA[example.net.
IN NAPTR 100 10 "" RELAY:turn.udp:turn.dtls "" datagram.example.net.
IN NAPTR 200 10 "" RELAY:turn.tcp:turn.tls "" stream.example.net.
datagram.example.net.
IN NAPTR 100 10 S RELAY:turn.udp "" _turn._udp.example.net.
IN NAPTR 100 10 S RELAY:turn.dtls "" _turns._udp.example.net.
stream.example.net.
IN NAPTR 100 10 S RELAY:turn.tcp "" _turn._tcp.example.net.
IN NAPTR 200 10 A RELAY:turn.tls "" a.example.net.
_turn._udp.example.net.
IN SRV 0 0 3478 a.example.net.
_turn._tcp.example.net.
IN SRV 0 0 5000 a.example.net.
_turns._udp.example.net.
IN SRV 0 0 5349 a.example.net.
a.example.net.
IN A 192.0.2.1
]]></artwork>
</figure>
<texttable align="center" anchor="table.2" style="full"
suppress-title="false" title="">
<ttcol align="left">Order</ttcol>
<ttcol align="left">Protocol</ttcol>
<ttcol align="left">IP address</ttcol>
<ttcol align="left">Port</ttcol>
<c>1</c>
<c>DTLS</c>
<c>192.0.2.1</c>
<c>5349</c>
<c>2</c>
<c>TLS</c>
<c>192.0.2.1</c>
<c>5349</c>
</texttable>
</section>
<section title="Release notes" toc="default">
<t>This section must be removed before publication as an
RFC.</t>
<section title="Modifications between ietf-tram-stun-dtls-00 and ietf-tram-stun-dtls-01"
toc="default">
<t><list style="symbols">
<t>Updated the mandatory cipher suites.</t>
<t>Added a new open item to determine if we want to
specify favoring cipher suites which support PFS over
non-PFS cipher suites.</t>
<t>Closed remaining opening items from previous draft.</t>
</list></t>
</section>
<section title="Modifications between petithuguenin-tram-stun-dtls-00 and ietf-tram-stun-dtls-00"
toc="default">
<t><list style="symbols">
<t>Draft renamed after WG adoption.</t>
</list></t>
</section>
<section title="Modifications between petithuguenin-tram-turn-dtls-00 and petithuguenin-tram-stun-dtls-00"
toc="default">
<t><list style="symbols">
<t>Add RFC 6982 information for rfc5766-turn-server
project.</t>
<t>Rename the draft as TURN is now just one of the
usages.</t>
<t>Remove the references in the abstract to make idnits
happy.</t>
<t>No longer updates other standard drafts.</t>
<t>Rewrite from a STUN over DTLS point of view. The
previous text becomes section 4.6.</t>
<t>Add IANA request for stuns port.</t>
<t>Add acknowledgement section.</t>
</list></t>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:23:52 |