One document matched: draft-patil-tram-turn-serv-selection-00.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="info" docName="draft-patil-tram-turn-serv-selection-00"
ipr="trust200902">
<front>
<title abbrev="TURN server selection">Traversal Using Relays around NAT
(TURN) Server Selection</title>
<author fullname="Prashanth Patil" initials="P." surname="Patil">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street></street>
<street></street>
<city>Bangalore</city>
<country>India</country>
</postal>
<email>praspati@cisco.com</email>
</address>
</author>
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Cessna Business Park, Varthur Hobli</street>
<street>Sarjapur Marathalli Outer Ring Road</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560103</code>
<country>India</country>
</postal>
<email>tireddy@cisco.com</email>
</address>
</author>
<author fullname="Gonzalo Salgueiro" initials="G." surname="Salgueiro">
<organization>Cisco</organization>
<address>
<postal>
<street>7200-12 Kit Creek Road</street>
<city>Research Triangle Park</city>
<region>NC</region>
<code>27709</code>
<country>US</country>
</postal>
<email>gsalguei@cisco.com</email>
</address>
</author>
<date />
<workgroup>TRAM</workgroup>
<abstract>
<t>A TURN client may discover multiple TURN servers. In such a case,
there are no guidelines that a client can follow to choose or prefer a
particular TURN server among those discovered. This document details
selection criteria, as guidelines, that can be used by a client to
perform an informed TURN server selection decision.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>Using any of the discovery mechanisms described in <xref
target="I-D.ietf-tram-turn-server-discovery"></xref>, a client may
discover multiple Traversal Using Relays around NAT (TURN) servers. The
TURN servers discovered could be provided by an enterprise network, an
access network, an application service provider or a third party
provider. Therefore, the client needs to be able to choose a TURN server
that best suits its needs.</t>
<t>Selection criteria could be based on parameters such as:</t>
<t><list style="symbols">
<t>Security</t>
<t>Location Privacy</t>
<t>Authentication</t>
<t>User Experience</t>
<t>Interface Selection (if the client is multi-interfaced)</t>
<t>Mobility Support</t>
</list></t>
<t>This document describes procedures that a client can use to choose
the most appropriate TURN server based on any one or more combinations
of the above parameters. A client could also use the aforementioned
selection criteria to prioritize the discovered TURN servers based on
these parameters if backup servers are implemented for added resiliency
and robustness.</t>
</section>
<section anchor="term" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
</section>
<section title="TURN Server Selection Criteria">
<t>The accessibility of possible TURN servers SHOULD be tested and
verified prior to beginning Interactive Connectivity Establishment (ICE)
<xref target="RFC5245"></xref>. Any TURN servers that fail such
accessibility tests (including credentials verification) SHOULD be
excluded. These early tests are an often an optimal opportunity to
calculate performance metrics, such as the round-trip time (RTT), that
might be used as TURN server prioritization factors, as discussed in
<xref target="UE"></xref>. Throughout the lifetime of the application,
it is RECOMMENDED to periodically test the entire selection list, in
case better TURN servers suddenly appear or connectivity to others is
unexpectedly lost.</t>
<t>The parameters described in this Section are intended as TURN server
selection criteria or as weighting factors for TURN server
prioritization.</t>
<section title="Local Configuration">
<t>Local or manual configuration takes precedence for TURN server
selection. A client could be configured with an explicit preferred
list of TURN servers. Local configuration could list servers in order
of preference. For example, a TURN client could opt for a TURN server
offered by the Enterprise and fall back to a TURN server offered by
the Internet Service Provider (ISP) or a cloud service if the
Enterprise TURN server wasn't available.</t>
<t>An implementation MAY give the user an opportunity (e.g., by means
of configuration file options or menu items) to specify this
preference.</t>
</section>
<section anchor="Sec" title="Security">
<t>If a TURN client wants security for its connections, it should opt
for a TURN server that supports the usage of Transport Layer Security
(TLS) <xref target="RFC5246"></xref> and Datagram Transport Layer
Security (DTLS) <xref target="RFC6347"></xref> as a transport protocol
for Session Traversal Utilities for NAT (STUN), as defined in <xref
target="RFC5389"></xref> and <xref target="RFC7350"></xref>. If
multiple servers offer this support, the client could use Location
Privacy (<xref target="LP"></xref>) and Authentication (<xref
target="Auth"></xref>) criteria to determine which among the list is
most suitable.</t>
<t>The need for security depends on the type of connected network
(i.e., whether the host is connected to a home network versus an
Enterprise network versus a coffee shop network). It is recommended
that a client always choose security, but this condition could vary
depending on the degree of trust with the connected network.</t>
<section anchor="LP" title="Location Privacy">
<t>In addition to security, a TURN client may require additional
location privacy from an external peer.</t>
<t><list style="hanging">
<t hangText="Scenario 1:">A client may not wish to use a TURN
server in its Enterprise or access network because the client
location could be determined by the external peer. In such a
case, the client may choose to use a distributed multi-tenant or
a cloud-based TURN server that can provide privacy by obscuring
the network from which the client is communicating with the
remote peer.</t>
<t hangText="Scenario 2:">A TURN client that desires to perform
Scenario 1, but cannot because of firewall policy that forces
the client to pick Enterprise-provided TURN server for external
communication, can use TURN-in-TURN through the enterprise's
TURN server as described in <xref
target="I-D.schwartz-rtcweb-return"></xref>.</t>
</list></t>
<t>Location privacy may not be critical if the client attempts to
communicate with a peer within the same domain.</t>
</section>
<section anchor="Auth" title="Authentication">
<t>A TURN client should prefer a TURN server whose authenticity can
be ascertained. A simple certificate trust chain validation during
the process of (D)TLS handshake should be able to validate the
server.</t>
<t>A TURN client could also be pre-configured with the names of
trusted TURN servers. When connecting to a TURN server, a TURN
client should start with verifying that the TURN server name matches
the pre-configured list of TURN servers, and finally validating its
certificate trust chain. For TURN servers that don't have a
certificate trust chain, the configured list of TURN servers can
contain the certificate fingerprint of the TURN server (i.e., a
simple whitelist of name and certificate fingerprint).</t>
<t>DNS-based Authentication of Named Entities (DANE) can also be
used to validate the certificate presented by TURN server as
described in <xref
target="I-D.petithuguenin-tram-stun-dane"></xref>.</t>
</section>
</section>
<section anchor="UE" title="User Experience">
<t>All else being equal (or if a TURN client is able to converge on a
set of TURN servers based on parameters described in <xref
target="Sec"></xref>), a TURN client should choose a TURN server that
provides the best user experience at that point in time (based on
factors such as RTT, real-time clock (RTC), etc).</t>
<t>If using ICE regular nomination, ICE connectivity check round-trip
time can influence the selection amongst the valid pairs. This way a
candidate pair with relayed candidate could be selected even if it has
lower-priority than other valid pairs.</t>
</section>
<section title="Interface">
<t>With a multi-interfaced node, selection of the correct interface
and source address is often crucial. How to select an interface and IP
address family is out of scope for this document. A client could
account for the provisioning domain described in <xref
target="I-D.ietf-mif-mpvd-arch"></xref> to determine which interface
to choose.</t>
</section>
<section title="Mobility Support">
<t>If a TURN client is aware that the host is mobile, and all other
parameters being equal, the client SHOULD choose a TURN server that
supports mobility <xref
target="I-D.wing-tram-turn-mobility"></xref>.</t>
</section>
</section>
<section anchor="security" title="Security Considerations">
<t>This document does not itself introduce security issues, rather it
merely presents best practices for TURN server selection. Security
considerations described in <xref target="RFC5766"></xref> are
applicable to for all TURN usage.</t>
</section>
<section anchor="ack" title="Acknowledgements">
<t>The authors would like to thank Dan Wing, Marc Petit-Huguenin for
their review and valuable comments.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.5766"?>
<?rfc include="reference.RFC.7350"?>
<?rfc include="reference.I-D.ietf-tram-turn-server-discovery"?>
<?rfc include="reference.I-D.schwartz-rtcweb-return"?>
<?rfc include='reference.I-D.wing-tram-turn-mobility'?>
<?rfc include='reference.I-D.ietf-mif-mpvd-arch'?>
<?rfc include="reference.I-D.petithuguenin-tram-stun-dane"?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.5245'?>
<?rfc include='reference.RFC.5246'?>
<?rfc include='reference.RFC.5389'?>
<?rfc include='reference.RFC.6347'?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 05:41:49 |