IETF Logo Mail Archive

Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs

"Karl Stahl" <karl.stahl@intertex.se> Mon, 10 February 2014 23:18 UTC

Return-Path: <karl.stahl@intertex.se>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88BD11A06EF for <tram@ietfa.amsl.com>; Mon, 10 Feb 2014 15:18:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MSGID_MULTIPLE_AT=1] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZLP6tTg1aJQs for <tram@ietfa.amsl.com>; Mon, 10 Feb 2014 15:18:13 -0800 (PST)
Received: from smtp.it-norr.com (smtp.it-norr.com [80.244.64.162]) by ietfa.amsl.com (Postfix) with ESMTP id 64BCA1A06E2 for <tram@ietf.org>; Mon, 10 Feb 2014 15:18:11 -0800 (PST)
Received: from ([90.229.134.75]) by smtp.it-norr.com (Telecom3 SMTP service) with ASMTP id 201402110018077151; Tue, 11 Feb 2014 00:18:07 +0100
From: Karl Stahl <karl.stahl@intertex.se>
To: 'Simon Perreault' <simon.perreault@viagenie.ca>, tram@ietf.org, tireddy@icisco.com
References: <082c01cf17d4$393d7bb0$abb87310$@stahl@intertex.se> <9F33F40F6F2CD847824537F3C4E37DDF17CC3AFB@MCHP04MSX.global-ad.net> <02cd01cf24cf$42ff6de0$c8fe49a0$@stahl@intertex.se> <52F8DF21.2080303@viagenie.ca>
In-Reply-To: <52F8DF21.2080303@viagenie.ca>
Date: Tue, 11 Feb 2014 00:18:05 +0100
Message-ID: <049801cf26b6$5a87db30$0f979190$@stahl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac8maqcqnZhwFrJjTOa0ogBhh2GzagAK7h1Q
Content-Language: sv
Subject: Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 23:18:17 -0000

Simon,

Good questions - see inline below --> . 
Some more thought is required!

/Karl

-----Ursprungligt meddelande-----
Från: tram [mailto:tram-bounces@ietf.org] För Simon Perreault
Skickat: den 10 februari 2014 15:16
Till: Karl Stahl; tram@ietf.org; tireddy@icisco.com
Ämne: Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs

Karl,

It is great to see such enthusiasm! Thanks!

I have a couple technical questions...

Le 2014-02-08 08:11, Karl Stahl a écrit :
> - Note that to achieve some of the above points, TURN must be favored 
> over STUN to enforce that the TURN-path actually is used. (The Anycast 
> method suggested below, “automatically” does this.)

I understand the STUN vs TURN priority issue. But I don't see how anycast affects it in any way. Can you please explain?

--- Good point - I was a bit quick here (maybe too quick)
We have given this quite bit of thought, since even if a TURN server is provided and discovered, CURRENT usage of ICE may suggest a candidate from the remote party that will make a connection without the need/usage of the TURN server (that we wanted to be used for the good purposes listed).

The only way we found around this, was to stop STUN through the IP default gateway (like a restrictive Enterprise firewall does inhibiting ICE connectivity, which others are concerned about...). Since the provisioning of auto-discovery using the anycast mechanism, would be adding a route in a default gateway, adding a firewall rule to eat STUN packets would assure that the provisioned TURN server actually becomes used (and not bypassed "by accident"). (That was the thought behind the “automatically” within quotes.)

BUT, since you brought up the question, assuming that we have the power to enforce WebRTC usage of ICE, I believe a MUST requirement to use an auto-discovered TURN server instead of STUN, would solve the same problem. However, thinking further (in relation to your next question - "anyone could set up a badly-maintained" - enforcing such ICE usage may not be good.)  


> - 3^rd The Anycast method below – I see no problem
> 
> It also has the advantage of encouraging (but not requiring) the 
> STUN/TURN to be built in the default gateway or NAT/firewall/access 
> router itself, with a second interface to a public IP address on the 
> WAN side. (Current volume deployed, low cost NSP triple play modems 
> usually have a quality assured level 2 or level 3 WAN pipe for just 
> voice (and another for IPTV) – The anycast discovered TURN-server can 
> be the access gateway to such quality pipe for WebRTC media, in a 
> single NSP provided CPE, scaling from residential and up.)

Suppose we define well-known anycast TURN server addresses. How would this not be subject to the same service quality issues that plagued 6to4? That is, anyone could set up a badly-maintained, under-provisioned TURN server and announce it over BGP to the world, as it was done for
6to4 relays. Or just bad BGP outbound filter configuration. And how can we prevent triangle routing? There is nothing guaranteeing that the anycast server you see is being provided to you by your ISP, rather than a server sitting on the other side of the planet.

--- Good point - needs to be resolved. For this I don't have a ready answer...
An auto-discovered TURN server must be trusted (whatever method it is discovered by). We are trusting the one providing us with an IP address and default gateway anyway. It would be easy if we could reuse that trust, instead of another mechanisms.

Is there a good way for the browser to check that the anycast address is not handled beyond the network service provider's default gateway? Ideas?



Thanks,
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
_______________________________________________
tram mailing list
tram@ietf.org
https://www.ietf.org/mailman/listinfo/tram

v2.23.0 | Report a Bug | By Email