IETF Logo Mail Archive

[tram] Happy Turnballs

Jonathan Lennox <jonathan@vidyo.com> Wed, 29 March 2017 04:04 UTC

Return-Path: <prvs=0261e7accb=jonathan@vidyo.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FCFC12955E for <tram@ietfa.amsl.com>; Tue, 28 Mar 2017 21:04:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1LQ9gdcTP6Vk for <tram@ietfa.amsl.com>; Tue, 28 Mar 2017 21:04:15 -0700 (PDT)
Received: from mx0b-00198e01.pphosted.com (mx0a-00198e01.pphosted.com [67.231.149.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E50F129636 for <tram@ietf.org>; Tue, 28 Mar 2017 21:04:13 -0700 (PDT)
Received: from pps.filterd (m0073109.ppops.net [127.0.0.1]) by mx0a-00198e01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2T3tkuf013936 for <tram@ietf.org>; Wed, 29 Mar 2017 00:04:11 -0400
Received: from mail.vidyo.com ([162.209.16.214]) by mx0a-00198e01.pphosted.com with ESMTP id 29dhnkaf41-1 (version=TLSv1 cipher=AES128-SHA bits=128 verify=NOT) for <tram@ietf.org>; Wed, 29 Mar 2017 00:04:10 -0400
Received: from 492132-EXCH1.vidyo.com ([fe80::50:56ff:fe85:4f77]) by 492133-EXCH2.vidyo.com ([fe80::50:56ff:fe85:6b62%13]) with mapi id 14.03.0195.001; Tue, 28 Mar 2017 23:04:09 -0500
From: Jonathan Lennox <jonathan@vidyo.com>
To: "tram@ietf.org" <tram@ietf.org>
Thread-Topic: Happy Turnballs
Thread-Index: AQHSqEGEXZGdNc4iZES8BGujtDsYBg==
Date: Wed, 29 Mar 2017 04:04:09 +0000
Message-ID: <28057480-A193-4B8F-9953-78A21949483C@vidyo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [31.133.149.69]
Content-Type: text/plain; charset="utf-8"
Content-ID: <F44473E0F7AD1A49A3E98E9570491861@vidyo.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-28_21:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703290032
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/xslWS8jpblDAUdGBD4xzWKbD2GI>
Subject: [tram] Happy Turnballs
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 04:04:18 -0000

So I was asked to write up my comments on Happy Eyeballs for TURN.  Here’re my thoughts.

As always with Happy Eyeballs, when connecting to a TURN server specified by a DNS name, do a DNS query for both IPv6 and IPv4, and then (with appropriate timing based on expected success), attempt to connect to both the returned IPv6 and IPv4 addresses, in parallel.

The complexities occur when both IPv4 and IPv6 connections succeed; the dispreferred connection (which should usually be the IPv4 connection, but this is client policy) must be closed in a way that doesn’t leave lingering state on the server.

The process to follow depends on the transport protocol being used for TURN.

1. For TCP or TLS, do standard Happy Eyeballs: initiate a TCP connect to both addresses, and use the first connection to succeed.  If both succeed, close the dispreferred connection normally (with TCP FIN, i.e. socket close) before sending any data on the connection.

2. For DTLS, send (separate) clientHello messages to both addresses.  Terminating the dispreferred DTLS association depends on the response.  If the server is using stateless cookies (as it normally should for a TURN server on the open Internet), it will send back a HelloVerifyRequest.  The preferred association can continue normally, and the dispreferred association can be silently discarded.

If the server is not using stateless cookies, it will instead send back a ServerHello message (and associated messages in that flight).  In this case, the client should gracefully tear down the dispreffered association to avoid lingering server state: it should send a user_canceled alert, followed by a close_notify alert.

[This section should be verified by a DTLS expert.]

3. For UDP, send TURN Allocate requests to both addresses, without authentication information.  If the TURN server is requiring authentication (as it normally will), it will send back 401 Unauthenticated responses.  This does not create server state, so the dispreferred allocation attempt can be silently discarded.

If the TURN server is not requiring authentication (as, for example, a server which controls access via network topology, as described in Section 9 of draft-ietf-tram-turn-server-discovery), it is possible for both Allocate requests to succeed.  (Note that since the scenario this is describing is using plaintext UDP, this is a case that draft-ietf-tram-turn-server-discovery requires only be enabled by explicit administrator configuration.)  In this case, the dispreffered allocation should be explicitly torn down, by sending a Refresh with a LIFETIME value of 0.


Comments welcome.

v2.23.0 | Report a Bug | By Email