Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs

[Dan Wing <dwing@cisco.com>]

On Feb 11, 2014, at 9:08 AM, Marc Blanchet <marc.blanchet@viagenie.ca> wrote:

> Le 2014-02-11 à 00:39, Dan Wing <dwing@cisco.com> a écrit :
> 
>> 
>> On Feb 10, 2014, at 5:30 PM, Justin Uberti <juberti@google.com> wrote:
>> 
>>> Good to see there is a lot of interest for this milestone. But based on the description here, it seems like we want to use TURN primarily to identify WebRTC flows, as opposed to using it as a NAT traversal tool. This makes me concerned that we may be using the wrong technology to solve the problem.
>> 
>> +1.
>> 
>> I would prefer allowing flows to establish themselves using their 'best' path, and the best path is seldom through a TURN server.  When we imagine IPv6 in our future, we don't want to force an application-level proxy (TURN) server on the path solely for traversing an IPv6 firewall.
>> 
>> 
>> It seems this thread is conflating all the possible reasons / justifications for TURN:
>>   * mobility
>>   * NAT traversal (both endpoints are behind endpoint-dependent mapping NATs)
>>   * firewall traversal (firewall blocks UDP)
>>   * enhancing privacy
>> 
>> Unfortunately the TURN server nor the endpoint really know which of those use-cases is desired (by the user or by the IT network administrator) or necessary (for the call to work at all).
> 
> Dan, while I agree in principle, I doubt that a user could ever say "I want mobility or I want NAT traversal". I think the user only want the call to succeed, whatever the properties of its network point of attachment are.

So what can we do?  Should the TURN server provide any and all services the TURN client might possibly want, as that is what a robust TURN server will do, and the endpoint should prefer TURN candidates over all others because there might be some functionality / usefulness of TURN that the user might gain through TURN (e.g., enhanced privacy)?

-d


> 
>>  This seems problematic.  Perhaps we need a way to signal the desired use-case ("trait"), or as Justin suggests, using a different technology for some of these use-cases.
>> 
>> -d
>> 
>> 
>> 
>>> 
>>> 
>>> On Mon, Feb 10, 2014 at 3:18 PM, Karl Stahl <karl.stahl@intertex.se> wrote:
>>> Simon,
>>> 
>>> Good questions - see inline below --> .
>>> Some more thought is required!
>>> 
>>> /Karl
>>> 
>>> -----Ursprungligt meddelande-----
>>> Från: tram [mailto:tram-bounces@ietf.org] För Simon Perreault
>>> Skickat: den 10 februari 2014 15:16
>>> Till: Karl Stahl; tram@ietf.org; tireddy@icisco.com
>>> Ämne: Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs
>>> 
>>> Karl,
>>> 
>>> It is great to see such enthusiasm! Thanks!
>>> 
>>> I have a couple technical questions...
>>> 
>>> Le 2014-02-08 08:11, Karl Stahl a écrit :
>>> > - Note that to achieve some of the above points, TURN must be favored
>>> > over STUN to enforce that the TURN-path actually is used. (The Anycast
>>> > method suggested below, “automatically” does this.)
>>> 
>>> I understand the STUN vs TURN priority issue. But I don't see how anycast affects it in any way. Can you please explain?
>>> 
>>> --- Good point - I was a bit quick here (maybe too quick)
>>> We have given this quite bit of thought, since even if a TURN server is provided and discovered, CURRENT usage of ICE may suggest a candidate from the remote party that will make a connection without the need/usage of the TURN server (that we wanted to be used for the good purposes listed).
>>> 
>>> The only way we found around this, was to stop STUN through the IP default gateway (like a restrictive Enterprise firewall does inhibiting ICE connectivity, which others are concerned about...). Since the provisioning of auto-discovery using the anycast mechanism, would be adding a route in a default gateway, adding a firewall rule to eat STUN packets would assure that the provisioned TURN server actually becomes used (and not bypassed "by accident"). (That was the thought behind the “automatically” within quotes.)
>>> 
>>> BUT, since you brought up the question, assuming that we have the power to enforce WebRTC usage of ICE, I believe a MUST requirement to use an auto-discovered TURN server instead of STUN, would solve the same problem. However, thinking further (in relation to your next question - "anyone could set up a badly-maintained" - enforcing such ICE usage may not be good.)
>>> 
>>> 
>>> > - 3^rd The Anycast method below – I see no problem
>>> >
>>> > It also has the advantage of encouraging (but not requiring) the
>>> > STUN/TURN to be built in the default gateway or NAT/firewall/access
>>> > router itself, with a second interface to a public IP address on the
>>> > WAN side. (Current volume deployed, low cost NSP triple play modems
>>> > usually have a quality assured level 2 or level 3 WAN pipe for just
>>> > voice (and another for IPTV) – The anycast discovered TURN-server can
>>> > be the access gateway to such quality pipe for WebRTC media, in a
>>> > single NSP provided CPE, scaling from residential and up.)
>>> 
>>> Suppose we define well-known anycast TURN server addresses. How would this not be subject to the same service quality issues that plagued 6to4? That is, anyone could set up a badly-maintained, under-provisioned TURN server and announce it over BGP to the world, as it was done for
>>> 6to4 relays. Or just bad BGP outbound filter configuration. And how can we prevent triangle routing? There is nothing guaranteeing that the anycast server you see is being provided to you by your ISP, rather than a server sitting on the other side of the planet.
>>> 
>>> --- Good point - needs to be resolved. For this I don't have a ready answer...
>>> An auto-discovered TURN server must be trusted (whatever method it is discovered by). We are trusting the one providing us with an IP address and default gateway anyway. It would be easy if we could reuse that trust, instead of another mechanisms.
>>> 
>>> Is there a good way for the browser to check that the anycast address is not handled beyond the network service provider's default gateway? Ideas?
>>> 
>>> 
>>> 
>>> Thanks,
>>> Simon
>>> --
>>> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
>>> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
>>> STUN/TURN server               --> http://numb.viagenie.ca
>>> _______________________________________________
>>> tram mailing list
>>> tram@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tram
>>> 
>>> _______________________________________________
>>> tram mailing list
>>> tram@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tram
>>> 
>>> _______________________________________________
>>> tram mailing list
>>> tram@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tram
>> 
>> _______________________________________________
>> tram mailing list
>> tram@ietf.org
>> https://www.ietf.org/mailman/listinfo/tram
>