Re: [tram] Anycast discovery, was: draft-ietf-tram-turn-server-discovery
"Karl Stahl" <karl.stahl@ingate.com> Fri, 02 December 2016 08:33 UTC
Return-Path: <karl@ingate.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B27129502; Fri, 2 Dec 2016 00:33:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.002
X-Spam-Level:
X-Spam-Status: No, score=-1.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MSGID_MULTIPLE_AT=1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ingate.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-FPONnzmKgz; Fri, 2 Dec 2016 00:33:42 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0080.outbound.protection.outlook.com [104.47.1.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40B3E126BF7; Fri, 2 Dec 2016 00:33:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ingate.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ctzqK6pXDSPxebOxRTAJBGe8tQKO5ybCo3KQpEPBlQM=; b=Ur3sSYVVkbiIuvH0XQrvn+YekzcUKPWp7kxo37E9hl1f4atihumobGCVp+cO5lbYtvtu2t1HZ4SqzkO+x2eLmVcWwT26ibcUm6Zxwm3pI25CcoY1gelrQCom9O+19X3JcsVlS1NCkKNgyqUox+4KbRAhqm7zCX6OjkONRHPyubU=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=karl@ingate.com;
Received: from Kallei7 (90.227.80.227) by DB5PR01MB1832.eurprd01.prod.exchangelabs.com (10.166.168.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.747.13; Fri, 2 Dec 2016 08:33:36 +0000
From: Karl Stahl <karl.stahl@ingate.com>
To: 'Simon Perreault' <sperreault@jive.com>, "'Tirumaleswar Reddy (tireddy)'" <tireddy@cisco.com>, 'Brandon Williams' <brandon.williams@akamai.com>, "'Prashanth Patil (praspati)'" <praspati@cisco.com>, tram@ietf.org
References: <E1FFF433-D80C-4567-9C7D-16E46C025F00@cisco.com> <010501d23ba4$875bc760$96135620$@stahl@ingate.com> <295fd023-c73e-84f1-3acc-1b578c042434@akamai.com> <02cc01d23e4e$2da03150$88e093f0$@stahl@ingate.com> <a5f77a074936495e96d60d7cc83c6f37@XCH-RCD-017.cisco.com> <8db2f352-fa9b-8376-f6d6-fd53dd5abe05@akamai.com> <011701d24110$e76b8070$b6428150$@stahl@ingate.com> <d2442639-a81c-cd8d-dfd6-663a69f3f420@akamai.com> <982922d0d9c1411cb0a70f413b19220d@XCH-RCD-017.cisco.com> <583206ac.8558620a.5877d.48e5SMTPIN_ADDED_BROKEN@mx.google.com> <ef69c622-e1d9-7ec6-2ec2-e1ca00285803@jive.com> <583482f5.46d9540a.d3af4.d038SMTPIN_ADDED_BROKEN@mx.google.com> <82658049-45c6-0626-b6b5-b8684e92ab41@jive.com> <583556f7.c9079d0a.ac67d.0289SMTPIN_ADDED_BROKEN@mx.google.com> <c0c8fcda-34b7-4e76-4879-0e19e0e1092b@jive.com> <583b3b6c.d0cdca0a.24d3a.b35cSMTPIN_ADDED_BROKEN@mx.google.com> <5b9e6fc2-596f-17ee-7423-d35d1a59ed36@jive.com>
In-Reply-To: <5b9e6fc2-596f-17ee-7423-d35d1a59ed36@jive.com>
Date: Fri, 02 Dec 2016 09:33:33 +0100
Message-ID: <00a801d24c76$c71d6510$55582f30$@stahl>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdJJe6qmoL6WI5bQSQS0WATcWsFlNACVkVyw
Content-Language: sv
X-Originating-IP: [90.227.80.227]
X-ClientProxiedBy: DB6PR1001CA0019.EURPRD10.PROD.OUTLOOK.COM (10.171.79.29) To DB5PR01MB1832.eurprd01.prod.exchangelabs.com (10.166.168.154)
X-MS-Office365-Filtering-Correlation-Id: 878b0a87-e530-48ec-b778-08d41a8de97b
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DB5PR01MB1832;
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 3:bkf9kw7MiaN74hqH8vyVoI19XN6rLzorsk/6I7TAEivkKOBf0QothfCdNItwGxng074xf781nDk/sTk8osmicpnUuQQmKlIUU4P0s/bRenebWj1hkmA2jM2sG8YXV+k2lEMckrDCdQ3W9qhL21Q6bquyw/nGFTQ+uPqr1fwAW0FDetj8j6kg9bR82foJk/VpdOv+VyUw/+qKyOuxr7Qxzk6fWZn4j+SC/y6mbDg0Bc0+EWBofsoDAH4sk/Dvwc4ZfZiU0dCxp+fKV1vgXLNnlw==
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 25:jCMmUvZqD4URwuCN6myQtxz9NOBrVJrK1fhNDw6aQQotCtYSFpi8YGGsb1FS8vSFoV+P0xBqC8AQ7+aBO+EuYToZsCnGp5Nm9ixBVW2tWzPX8nFL9+Tom743Gq8K9JhmcWz2OHOMca7aZbj9q9Z5cuIYjNRsgIJDCMa5FOln4NxRHCwp0X+mDlcq3QWux8taBQsGvClq/mD4pRMadQLUorTm+h+w/YRPqwe2WA1kvbIOKwU2HjzdC2m7PNQYgar8QYqchPSpr3QL32tn1tkKSGs1mzYqdtWGlc8mk9QV9+ZHykS1rt9ZLI+J6AAe4/rIpSv95q83KE+B8XhnpEeUA69ePGlIcRkGLL5R92v4KlTadFEUJhwTUVmvmd6s73CNciAZcOq2Ivdc0cgmPEdOZgoMCKYM5UGoA1UiiaGwKsI89ywxfUzA3+5I2FLJvcX4C3fveCxRQJeNREpS38Vm6vrb3EeWb8ipmUVcXTjQICH5cx67to0yTd6PlIciRvvNIqaZZTmqGNQmjGm64itC6q5Z72KbLLuKsKRcv7YJev+ChquaQGCuL6v90fTANIxDMYTT/ImQhGSEDSkusDgC27pdoD7Je7I/A/Zh9spotpJrM0oV17MQJUOQhfyQae2U8SBDkR2bHUHce0dlzVEppTdZQ8S388W8xJW7tHPHhhpL3QnRkEOhdb0BC3bvxko1UsW8MNKFpStWHzheyTdsFWPcKEPPBqBlJpbK1TAOrUDmWmOeQ4JavQ9o0gymz5/0HQC0KuPGSN1a1a2Owg2QarVY1FlQZM7kKHCWq95R2aJQIW0mNjpvZZYuNaMysknxYGK1GjZDgF7SlyKk2aoNsiZ9Sw49Ewe5QrT5r/t3QoZiBWVs6Cq7gnqEovXn6rrF8xLQl6nNa2yteYEVP99W3g==
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 31:iimprbMFuj/1u2U2xA1NuWfvc2GnZnOv66s9ht2gRXR47X8lpN4ibiwu3d4oFAWMsvT0h28xewHYUM4EqpEBtvh+DoH2YjNr4gTt/85XSBkQB0WZxSi7NMt4CNwQh4FM01RXMJueAbuI2EwFzHfCZCfVK3bAyA9dQZde6xnsaahMhPYRATfmT/cA85C7WDg9lrZbnH9CiqcBe0g15FriRMMyFW5utRbBq21HSUF+RpzmvHqP9HMtye04/UNwPQU6glv9aC94UoG2hjQq0S2EjPLyO40CO8JQeF0s/e7fCeQ=
X-Microsoft-Antispam-PRVS: <DB5PR01MB18320A76A7858C86F93AC17BB18E0@DB5PR01MB1832.eurprd01.prod.exchangelabs.com>
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(41835079513199)(80594328560443)(21532816269658)(99016152597232)(17755550239193);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6041248)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(2016111802025)(6072148)(6043046); SRVR:DB5PR01MB1832; BCL:0; PCL:0; RULEID:; SRVR:DB5PR01MB1832;
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 4:tNMS+TEVXhu9RTLsNu8HDKGAlc7ah9e/rbizGF+r53PLaX72uelwz6n8XwGBOtIygY+b0vQR/JTuPiQRYr4Memc1Wlbdx4YCLH0v5BpZpu6l0V0b2D6RGsxX4Ml0vlDLEpIhyY5Fkkg0ZpT/KocR/dm38MROA5CGUfG7QCT0vfwGDpJfU2K4Zu6y97eCysAXx00vOvB9VcmYAyzOLlzy/8AoF9EfLCpei+GjfLv8Lb5JcJ/ymwMV6uw8u/1bJiwXKijU4lQ9XQxTJc8tWPkCBJSoomwkaMehcdmVoFALDw+wa2uMLQXphnLYXEatPelVHr+NSZ+XeMWCBLQoeUpoMUwRNWfBqF5/3ixumW2k/k/Qv/wksX4j35SIhZ9/vNJflanYAjV2qUwRKYqxqlrOAHEfZW6N+Mg1zzkhvh8juNvMh9bug223moFifpSiWhYtl5YZoiFm8U/0CCWV9CgehZXqJKeQQEHw+GbA2EUV9gFww/sHk2W4M514n6XHzfcKm7nHj0gicOOj9Ddc94SN3g+obGUqLoPbLstmUggAUDGoYnTlSAHMrqNZRsSjgOaon32GqfD2EqpwxJ3fL/0e84MLl2dCS83g2Y9rusjH2RoVYS4Ubf61LbeyYxLoYs4lGPJgjLy/dLIDfYC9J4v4pDUxoOvFkJHJYlyfEErJ2ENVFcSazBGmWUompXDPhIa6oL5Zb/9yMc5evxkvfCfQc4eMgzJxgJmSDzrrzg/UoPSKiM48jYgLRFtyav6qUJbxqjAzSIEMasEJzyEIruG60nAb3kbmAB1QXGK1qp2HgAmZsF9u6j2DY8yh0WdL/VkwlE52b4Of02jBKt9rO061bw==
X-Forefront-PRVS: 0144B30E41
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4630300001)(6009001)(7916002)(38534002)(199003)(189002)(377424004)(96836002)(14726001)(84116002)(8746002)(305945005)(7736002)(61296003)(76176999)(50986999)(50226002)(42186005)(33646002)(68736007)(44736005)(2950100002)(6666003)(23756003)(5660300001)(4326007)(7846002)(50466002)(36756003)(2906002)(3846002)(9686002)(6116002)(230783001)(102836003)(66066001)(93886004)(47776003)(106356001)(105586002)(5001770100001)(92566002)(97736004)(6486002)(39450400002)(733004)(6496003)(189998001)(101416001)(4001150100001)(8676002)(81156014)(81166006)(1420700001)(39060400001)(38730400001)(39410400001)(175924003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR01MB1832; H:Kallei7; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: ingate.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 23:sXNY3EyiOH/sLv/Jit0w0GoxBl9e4p9gcQbDYT6Kk/nZINXRJlI/by1uEW9LIju0dXThqFwL8lQGbRO5j4iVeeZnfIwkK6oyBWr+IB4C9Fk6u19u8hZkncTN2hYg81/tdIc/5t6UhLeWjSeQUCsfLe6v/REPos++em9qO5F518tWAg5H0feN/umCeahsBjIIkW6KwbFO4I8QGz9jR6LlC2Y+jHfky6BuHn+m/wXXHIZqd0kBjfabUQFofD7rK8uEN/wgCuQ1LpywAto0MSHw0SfsKhS6uAtJ9GzXZNXDsoRwr8xAvlQAV+l7hq3YW76g0Fkk5o3t4p1IqelMVvtECgNCn8vQWKAVSqeGyT87FdxHr3BaFL1kKmHuFQfYnaw0pUTbs9xAc2iu0o7NO2qJZWmkHViZu9UYDKd00dgfDQTwbnwNrDw+B7EyvwFeT0rHir8kjZkPv0GpgWxNi56TJ6p9yAXx3eV09sLXDkLWOxNd2BPffnvb4VgtLyxaNIMjplz4Nh4fvFZ+x5CqBdl9Yn730GnAFPL3N+HRZnuUpLwUIq3gHwceb6GkDStPsw1kQ3FvoHPDwsJXPkSsug3HmzvWRcVXNo9QbUGpxjB2GgLp/ZIMp9nWfCKq0A11I/pYAcsPemTTOuJ9tw+B3Nzed9Xh8NeP87UjChX8efd2ItBWwGC1VE2MifXsKrMjliUSI8M7t81WvEv/1otjuBVtGr3B7YMXEoJSvM9yPgVJmLjt6HgY5f8MSbrdoIKlwvcO5mopE8oKpSDorlDJ6vT3S9byWwGEPe8TKtXsTp/tFuvlX0ynwW3yamVV8CgTPQfwXOwB2iPM+2yQhxv3bBISnHWkoq26EVxdzn3VTLb47VlhLmMapGZaJmMw4kcC2oGIdhFDExoumiJUgi5YfUvc9WAe9Sxhn5acHyAI94ym6KOkxR5I7n9KWqZ082GYgayMSF2Kg0P5qB7JM/3H/6l0sot1oOtjSFBKmD/z3S49sdvkrs9QeFGrR/QcsnbQIWHZHPmFq9PEok85w9/ef3TS8bXZz2eq4WRzQFLSjyGmJdH19lDSehQZUw5LM5PdBMdFVXObC029HaEUC4ikJErO0s9faLn+tE5Ir/T03hSbV0JXIlNKObCJlK4Kyi8+Nma0nSQz01TDuqzq4zwPuNFaWAkqAm52JyVn+VmXpoUV+RYLJCpA0LWvv4xMvwJKsgcIxUs/TQr4i+vGBH20rr8wyPi5fHzsCIPDvm8DYWM1Dlk+Zz3JbOsxK6UuGFIgDjK868/HryQO+w3YQ8A89ZxyTH2qSg4O74V/kkK/pgPiMaUu+2Fh0PwGph+li+Gr3GNGKp8oVK8TKwtUAsJQVwRrHllVx4fx9omj2hR7tSaAOxL7VmIMYX11R5kdRPtWhx9l
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 6:JCmd/WVe/E1JGj6oLkdK/eMIklmXSo5lC7co8eEtzNM4MPC/GnaVUI6+5t8E4WlF4AK0QE3jQtWgUzsZkCPUd4LNiclYWIxEdS3bMP8KIEY/+eL8s9vds35YCu3wJYeG8otJDwxTza4ol6Jr4Pxzlax3vs+aZhL++1LiZEMcliuj5bfBF/BITKfSmnDZMMG5iRFXYHI7xM60g8hX+pEuQvCguMFbFKPvlddSOWfOW2SQFuPtvq3t5THoqZryBtLqgzxOAWJY40Svd42zmpWC9GWBJw4+mXrTQWsNsNMOIsyfclZY3V5mfl7TQe//K2w0em35kz0osgQV6qGfBkVtvsH2YWFILSBRRcT91eOUQRSKhP9YasHlLFCfx3SRqsbtP3y5nY3FUSoIFSqo81Uw8MyPXmNWH3HtS1Nk8z1OLcgrqqLXYxmVFm02vZ6zAJ7yUnMzZjCCVQaK/0jFqWGTLvaAI4aqful26HZW4t5Aca8=; 5:9SFysGM45S0wlyzFhh03gKHtCc/EXZk1tO7DnA6ND3eiUHB6xt4o3lEqtqR4W3IsiRivsn0B3wS1Ic/GAbmR86VmG6jRYOUKNZ7J6ZGaBRFKEMdWy76qE3DI1J3ZAyICpaU7F5utOQ6JuTzahKASHA==; 24:c6gIYzcuVqlYJXKWT0C2e3Sz+SFACB2HFPi3OiY/O3WErSWkudf7ecr8X6GHE/nykEcRFQexLaQeyyAPO3RuaH21aL0c4NEt12sYQw0fiuQ=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; DB5PR01MB1832; 7:WQWkffyCDCM1AtOaoWme0tAeFPybcC+gPf4nEsklfD6pEEsMD52Ri5YEiKN5LvNPBpTgZwi5JVCbWE1kxEBp4g45yXQXtVE8nKPIKhREoPny6rmC/9jJtZHu9minrjjfT2YfWLd5MojJfDoy0Wh2uND8vHOxVTfPDunNS3am2QuyaOuwSd03fIK9kY2zxNPSXznCr8A/9Uqj0kHEfMQ8XOONATyDw1jNIEK2DwBy69m7BtTwvZuShQaCHocu/c3LCF/XK/k5iH2O0te4wo3VDFCSQ0ShMCU1S73QmSezrQ3z0MdriUs6885IN9wXG1U7QGwRS2rgNfUyWH8j+arsDDeAqD6d3rQGGuyyeTXUL2pn2soWIDZPFc7E26rD0vlmf+TD1uSOymxEDkMAv7VI+1C8fPbZWOVbHjcIrGY3HvqfGxD+4ndnZKPLJs8XSapJqFFC5VrIeouIwqBU8Z5y0g==
X-OriginatorOrg: ingate.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Dec 2016 08:33:36.9687 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR01MB1832
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/lb_44a6I_y7MLQX_WP6L-lCi_0g>
Cc: tram-chairs@ietf.org, 'Dan Wing' <dan@danwing.org>, 'Spencer Dawkins at IETF' <spencerdawkins.ietf@gmail.com>
Subject: Re: [tram] Anycast discovery, was: draft-ietf-tram-turn-server-discovery
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2016 08:33:46 -0000
Hi Simon, Sorry for late reply, I wanted to connect that Linksys router again to see if I had missed something in the GUI (I actually had - I admit), so detail argumentation may hide the more general points I am trying to convey/exemplify. I also want to avoid confusion that may arise from that I wrote "> resolve the NAT/Firewall traversal problem that has plagued real-time communication since SIP was introduced in early 2000" (that was a very general overview comment" which is NOT the same NAT thing you are commenting as "Why would you want to use port forwarding and have to deal with NAT issues" (here I think you relate to a "NAT issue" of getting the anycast Allocate packet to the correct IP address of that special TWO LAN IP TURN server so it can respond with the 300 error, while using the anycast Binding request instead, there is no such "NAT issue" to resolve - Just get the anycast packet to *the TURN server* (no matter how) and you will get the unicast address of "the TURN server" to USE in the 300 error response. I am (trying to) exemplify/clarify the high level (important) points why we need/want anycast discovery by saying Binding instead of Allocate. These points are: (A) We need an anycast discovery method for auto-discovering "a TURN server" (not some special TURN server or arrangement of TURN servers "invented" for being discoverable by a certain method) (B) We need an anycast discovery method for a TURN server that is setup/installed/configured for its USAGE (which is relaying traffic) - not requiring a special network configuration just for being discoverable. (And more widely, it must be the goal of this specification to provide at least one discovery method that works for ALL network types and configurations, where a network provided TURN server may be useful - I see only anycast using Binding for querying *the TURN server's* unicast address fulfilling this.) (C) Robust (tolerant) deployment is highly preferable. (D) Ease of deployment is highly preferable. Saying Binding instead Allocate, is nessesary to achieve (A) and (B), and improves (C) and (D). Both the requirements RFC https://tools.ietf.org/html/rfc7478 "straddle" (in "deploy a TURN server that straddles the boundary between the internal and the external network. *The firewall* will block all attempts to use STUN with an external destination unless they go to the enterprise auditing TURN server." and the return draft's https://tools.ietf.org/html/draft-ietf-rtcweb-return-01 "firewall configuration" (in "This TURN server may be placed inside the network, with *a firewall configuration* allowing it to communicate with the public internet, or it may be operated by a third party outside the network, with a firewall configuration that allows hosts inside the network to communicate with it.") assumes (or at least implies/allows/suggest) network configurations that should works if we say Binding, but not if we say Allocate. These are not shoot-yourself-in-the-foot deployment scenarios, but real ones that this draft shall support: Point (A) and (B) fails when saying Allocate in the anycast method. And generally, saying Binding works in All cases where saying Allocate CAN work (There are no drawbacks). Saying Binding results in more robust configuration and more ways how to deploy (never less). In addition, changing to Binding from Allocate, is the fastest/easiest way to clarify the draft (in addition to clarify what that TWO LAN IP TURN "anycast server" actually is, we have the lack of distinction between discovery and usage, and even the confusion around the authentication/DTLS discussion that has nothing to do with the discovery method (It only applies to usage). Regarding the points below in my exemplification, starting with where we agree: > Note however that the preferred deployment scenario here would be to have the TURN server be embedded on the home router [Karl] Fully agree so as to have one leg on the LAN and another on the WAN [Karl] Fully agree and thus avoid NAT. [Karl] ?? Don't follow No need for manual routing setup in this case, and the current anycast discovery method would work perfectly. [Karl] Fully agree and understand, and the same applies if you say Binding instead of Allocate. In addition, by saying Binding, you get the advantage of an easier implementation with ONE TURN server instead of TWO embedded in the home router (the second only adds the limited function of responding with the 300 response to an Allocate request). But, yes, BOTH works - and hides the complication from saying Allocate and having to be concerned about anycast routing setup. [Karl] Further, an embedded TURN server AT the default gateway address may be an even more preferred deployment scenario, and easier implementation and will work is saying Binding but not if saying Allocate... Further in-line below --> /Karl -----Ursprungligt meddelande----- Från: Simon Perreault [mailto:sperreault@jive.com] Skickat: den 28 november 2016 14:31 Till: Karl Stahl; 'Tirumaleswar Reddy (tireddy)'; 'Brandon Williams'; 'Prashanth Patil (praspati)'; tram@ietf.org Kopia: tram-chairs@ietf.org; 'Dan Wing'; 'Spencer Dawkins at IETF' Ämne: Re: SV: SV: SV: SV: [tram] Anycast discovery, was: draft-ietf-tram-turn-server-discovery Le 2016-11-27 à 15:00, Karl Stahl a écrit : > I just looked into the GUI of a Cisco 14890/Linksys EA2700 WiFi Router > having a single subnet for wireless and its 4 LAN ports. In a data crowded > environment it is in need of a paralleled TURN server for a path to the high > quality voip pipe in my triple play network access, especially with WebRTC > voice+video wanting 2.5 mbps through the access for one session. > > Finding "Single Port Forwarding" in the router GUI, it should be able to > forward all STUN and TURN packets to a TURN server at the LAN, I'm not following, sorry. Why would you want to use port forwarding and have to deal with NAT issues, [Karl] ?? With the Binding variant, there is no "NAT issue" to deal with! Port forwarding was just to get the anycast packet to *the TURN server*. while there are much simpler mechanisms available to you? [Karl] What could possibly be simpler? With this port forwarding I assure that the anycast packet arrives at *the TURN server* and also seals the network (in a way that the TURN client can detect) [Karl] And by this trivial UDP port 3478 forwarding to *the TURN server* I both fix the routing to the TURN server and seal the network (STUN request don't go out) (which the TURN client can detect and use sealed behavior). (Maybe you only have "pure IP routing" in mind, but routing based on port or application, or quality needs is very common in triple play broadband access networks that I am familiar with - Here I have one LAN but 4 WAN pipes (Surf, Voice, IP-TV, TR069-managent) over my copper ADSL phone line and routing involves even more "obscure" criteria than port-based, e.g. knowing whether the application is SIP trunking to a certain SP, to enforce usage of the Priority Voice pipe for a specific SIP service. And you typically have classifiers, e.g. selecting a port range to have DSCP bits sets AND to route to a special network. So I would say this kind of routing is not at all unusual, especially when it comes to real-time communications.) > but I could > not find the routing table for adding a static anycast route, nor could I > find a way to create an extra subnet on the LAN side (or at all). http://www.linksys.com/us/support-article?articleNum=135048 Step 5 shows how to configure static routing table entries. [Karl] You are correct, I missed that under "Advanced Routing" when I looked in the GUI... This is a super common feature on home routers. As another example, I'm currently using an Asus RT-AC66U and it also has that feature: http://www.asus.com/us/support/FAQ/1011706/ [Karl] Probably fully correct, but IF/WHEN missing, saying Binding will work, saying Allocate will not work. Note however that the preferred deployment scenario here would be to have the TURN server be embedded on the home router so as to have one leg on the LAN and another on the WAN and thus avoid NAT. No need for manual routing setup in this case, and the current anycast discovery method would work perfectly. [Karl] Yes correct, but saying Binding give even further advantages, see above > The > Binding anycast discovery method should work, but not the discussed > separating between TWO TURN addresses. See above. In addition, your proposed alternative would require NAT, which is a non-starter. [Karl] ?? Now I don't follow. The only requirement is that the anycast Binding request goes to *the TURN server* (NAT or no NAT, however you do it). > And thinking further, will we not just delay this highly needed RFC further > by more demonstrations?... (This discussion is not delaying anything. The DTLS one is.) I will not respond to the paragraphs below because they ask questions that are premature. Again with my chair hat on, problems with the current mechanism need to be demonstrated before a solution can be proposed. This has not yet happened. Simon > The more I look into this, and even if I would agree to all your > comments/answers below, we cannot accept a discovery draft that is highly > unclear, on what it is we are able to discover (TWO TURN servers or combined > into ONE, listening to TWO IP addresses, not described here or in RFC5766 > (TURN protocol not being changed is no excuse)) and with a method > description that even qualified members of this WG have discussed in terms > of using DTLS for the anycast-addressed Allocate or Binding request packets > (anycast packets *are over UPD*) and similarly confused by the lack of > distinction between discovery and usage in the draft. > > I understand and share the opinion that it is urgent to now finally get this > draft into place, but accepting the anycast method as it is in this version, > may add another decade to finally resolve the NAT/Firewall traversal problem > that has plagued real-time communication since SIP was introduced in early > 2000, when we now are about to complete the ICE/STUN/TURN suit into > something deployable (as we know, instead of ICE, SBCs are still what is > used for NAT/Firewall traversal - we make them :-) - but SBCs are not usable > with WebRTC. > > The magic of exchanging the anycast addressed Allocate request to a Binding > request for getting the IP address of *the TURN server* is a resolution, and > the text for that update is already suggested. This method was proposed > already in October 2013 after detailed discussion on the RTCWEB list after > which the TRAM WG was formed > https://www.ietf.org/mail-archive/web/tram/current/msg00132.html > You Simon, already then, pointed out the two relevant issues/problems, > https://www.ietf.org/mail-archive/web/tram/current/msg00138.html > which I also in the suggested "Deployment Considerations for TURN Servers > Provided by the Local or Access Network" to be added, now have spelled out > the full solutions to (including the "leakage-problem" that is related to > your second issue raised at that time). > > So, I think we safely and quickly can fix up this draft for becoming the > long awaited RFC that gets us an anycast method that at least works for > detecting "a TURN server" (OK, not "ordinary TURN server" and absolutely not > un-described "anycast TURN server"). And without having to bother about how > the then anycast addressed Binding arrives at *the TURN server*, we can > remove the "not all TURN servers may support anycast" under section 3 and > have no worries over that ">Anycast *is* difficult to implement in many > real-world scenarios,". > > /Karl > > PS: I don't agree to the "you'd be shooting yourself in the foot" comment, > which you made on a quote from draft-ietf-rtcweb-return-00, which this > specification should service with a working and deployable discovery method > (which I believe will be done by the changes suggested). Then there will be > no need to ">NAT to a different UDP port, so that you are able to > differentiate unicast and anycast traffic". I said something about "robust" > in my suggested deployment considerations to add to this draft - Robustness > must also be a goal for successful deployment and for this draft. > > And, since the configuration described in draft-ietf-rtcweb-return-00, is > for USAGE of the TURN server paralleling the default gateway, those authors > could/should not foresee that we come up with a DISCOVERY method that will > complicate deployment configuration by requiring an extra subnet on the LAN > side (that may not be supported by the default gateway router). Using DHCP > for discovery, one would not have thought of this as a > shoot-yourself-in-the-foot deployment. > > But DHCP is unfortunately not commonly available on many of the access > networks we use today (LTE.., IPv6) (and the DHCP discovery is also > unnecessarily complicated by going via domain name + DNS rather than > defining a new IANA DHCP option (but I not going to request such change :-) > since we cannot use DHCP discovery on all networks a WebRTC browser is > commonly used from anyway). We simply need the anycast discovery method for > WebRTC browsers' general usage. > > The anycast discovery method must be clear, well defined and understood by > readers of the draft, and with the aim to work in all deployment scenarios > (for USAGE of such TURN server) and to be as robust and tolerant as > possible. > > Let's do it! That is also faster and simpler than just making current method > clearly defined and understood. > (We are just making a small change to the method: Allocate -> Binding in the > DISCOVERY package to get all these advantages.) -- Simon Perreault Director of Engineering, Platform | Jive Communications, Inc. https://jive.com | +1 418 478 0989 ext. 1241 | sperreault@jive.com
- [tram] draft-ietf-tram-turn-server-discovery Prashanth Patil (praspati)
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- [tram] Anycast discovery, was: draft-ietf-tram-tu… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Brandon Williams
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Pal Martinsen (palmarti)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Tirumaleswar Reddy (tireddy)
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Karl Stahl
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Tirumaleswar Reddy (tireddy)
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Brandon Williams
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Karl Stahl
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Tirumaleswar Reddy (tireddy)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Pal Martinsen (palmarti)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Tirumaleswar Reddy (tireddy)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Tirumaleswar Reddy (tireddy)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Karl Stahl