Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Tue, 11 February 2014 02:39 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 863001A05E1 for <tram@ietfa.amsl.com>; Mon, 10 Feb 2014 18:39:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.049
X-Spam-Level:
X-Spam-Status: No, score=-15.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvJeAwYgs3dM for <tram@ietfa.amsl.com>; Mon, 10 Feb 2014 18:39:35 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id D93F71A0724 for <tram@ietf.org>; Mon, 10 Feb 2014 18:39:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7928; q=dns/txt; s=iport; t=1392086375; x=1393295975; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=rJWwHqpaJ5csqp/osRYgeAPfp5Cu8+nXtiBo6kujc18=; b=XL2vpPnn3vpb94GFPqoJvgc26k6yDq23PuwvGDBh7cBM9ukMPaTG83se s9sxrxr9+D2b95U1B2M9WexaY5XCODLtUZIcDGiFnEAGsk9HUme1wBBxX w0kXjp/G3nQL/4BCo3aHuaoevIwYZLP0CefRfUW5IY0EalpBFXZ03F27s c=;
X-IronPort-AV: E=Sophos;i="4.95,822,1384300800"; d="scan'208";a="303131504"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-2.cisco.com with ESMTP; 11 Feb 2014 02:39:34 +0000
Received: from xhc-aln-x08.cisco.com (xhc-aln-x08.cisco.com [173.36.12.82]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id s1B2dYta026384 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 11 Feb 2014 02:39:34 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.55]) by xhc-aln-x08.cisco.com ([173.36.12.82]) with mapi id 14.03.0123.003; Mon, 10 Feb 2014 20:39:34 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Karl Stahl <karl.stahl@intertex.se>, 'Simon Perreault' <simon.perreault@viagenie.ca>, "tram@ietf.org" <tram@ietf.org>, "tireddy@icisco.com" <tireddy@icisco.com>
Thread-Topic: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs
Thread-Index: AQHPJrZnSgUY4V56JE+wy6rTjZeHIZqvVbIw
Date: Tue, 11 Feb 2014 02:39:33 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A242ABA2D@xmb-rcd-x10.cisco.com>
References: <082c01cf17d4$393d7bb0$abb87310$@stahl@intertex.se> <9F33F40F6F2CD847824537F3C4E37DDF17CC3AFB@MCHP04MSX.global-ad.net> <02cd01cf24cf$42ff6de0$c8fe49a0$@stahl@intertex.se> <52F8DF21.2080303@viagenie.ca> <049801cf26b6$5a87db30$0f979190$@stahl@intertex.se>
In-Reply-To: <049801cf26b6$5a87db30$0f979190$@stahl@intertex.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.70.251]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [tram] Milestone 3: TURN server auto-discovery mechanism for enterprise and ISPs
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 02:39:37 -0000
> The only way we found around this, was to stop STUN through the IP default > gateway (like a restrictive Enterprise firewall does inhibiting ICE connectivity, > which others are concerned about...). Since the provisioning of auto- > discovery using the anycast mechanism, would be adding a route in a default > gateway, adding a firewall rule to eat STUN packets would assure that the > provisioned TURN server actually becomes used (and not bypassed "by > accident"). (That was the thought behind the “automatically” within quotes.) There are various ways to prioritize WebRTC media streams and I don't see a need to block P2P connectivity. Using TURN server itself endpoint can learn server-reflexive candidates. If there is a restrictive firewall that blocks P2P connectivity then relayed candidate would eventually be nominated because ICE connectivity check fails with other candidate types. I don't see any need to advertise only relayed candidates in the offer/answer other than for privacy reasons. -Tiru. > -----Original Message----- > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Karl Stahl > Sent: Tuesday, February 11, 2014 4:48 AM > To: 'Simon Perreault'; tram@ietf.org; tireddy@icisco.com > Subject: Re: [tram] Milestone 3: TURN server auto-discovery mechanism for > enterprise and ISPs > > Simon, > > Good questions - see inline below --> . > Some more thought is required! > > /Karl > > -----Ursprungligt meddelande----- > Från: tram [mailto:tram-bounces@ietf.org] För Simon Perreault > Skickat: den 10 februari 2014 15:16 > Till: Karl Stahl; tram@ietf.org; tireddy@icisco.com > Ämne: Re: [tram] Milestone 3: TURN server auto-discovery mechanism for > enterprise and ISPs > > Karl, > > It is great to see such enthusiasm! Thanks! > > I have a couple technical questions... > > Le 2014-02-08 08:11, Karl Stahl a écrit : > > - Note that to achieve some of the above points, TURN must be favored > > over STUN to enforce that the TURN-path actually is used. (The Anycast > > method suggested below, “automatically” does this.) > > I understand the STUN vs TURN priority issue. But I don't see how anycast > affects it in any way. Can you please explain? > > --- Good point - I was a bit quick here (maybe too quick) We have given this > quite bit of thought, since even if a TURN server is provided and discovered, > CURRENT usage of ICE may suggest a candidate from the remote party that > will make a connection without the need/usage of the TURN server (that we > wanted to be used for the good purposes listed). > > The only way we found around this, was to stop STUN through the IP default > gateway (like a restrictive Enterprise firewall does inhibiting ICE connectivity, > which others are concerned about...). Since the provisioning of auto- > discovery using the anycast mechanism, would be adding a route in a default > gateway, adding a firewall rule to eat STUN packets would assure that the > provisioned TURN server actually becomes used (and not bypassed "by > accident"). (That was the thought behind the “automatically” within quotes.) > > BUT, since you brought up the question, assuming that we have the power to > enforce WebRTC usage of ICE, I believe a MUST requirement to use an auto- > discovered TURN server instead of STUN, would solve the same problem. > However, thinking further (in relation to your next question - "anyone could > set up a badly-maintained" - enforcing such ICE usage may not be good.) > > > > - 3^rd The Anycast method below – I see no problem > > > > It also has the advantage of encouraging (but not requiring) the > > STUN/TURN to be built in the default gateway or NAT/firewall/access > > router itself, with a second interface to a public IP address on the > > WAN side. (Current volume deployed, low cost NSP triple play modems > > usually have a quality assured level 2 or level 3 WAN pipe for just > > voice (and another for IPTV) – The anycast discovered TURN-server can > > be the access gateway to such quality pipe for WebRTC media, in a > > single NSP provided CPE, scaling from residential and up.) > > Suppose we define well-known anycast TURN server addresses. How would > this not be subject to the same service quality issues that plagued 6to4? That > is, anyone could set up a badly-maintained, under-provisioned TURN server > and announce it over BGP to the world, as it was done for > 6to4 relays. Or just bad BGP outbound filter configuration. And how can we > prevent triangle routing? There is nothing guaranteeing that the anycast > server you see is being provided to you by your ISP, rather than a server > sitting on the other side of the planet. > > --- Good point - needs to be resolved. For this I don't have a ready answer... > An auto-discovered TURN server must be trusted (whatever method it is > discovered by). We are trusting the one providing us with an IP address and > default gateway anyway. It would be easy if we could reuse that trust, > instead of another mechanisms. > > Is there a good way for the browser to check that the anycast address is not > handled beyond the network service provider's default gateway? Ideas? > > > > Thanks, > Simon > -- > DTN made easy, lean, and smart --> http://postellation.viagenie.ca > NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca > STUN/TURN server --> http://numb.viagenie.ca > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] Milestone 3: TURN server auto-discovery me… Simon Perreault
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- [tram] Milestone 3: TURN server auto-discovery me… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Hutton, Andrew
- Re: [tram] Milestone 3: TURN server auto-discover… Simon Perreault
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Justin Uberti
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- Re: [tram] Milestone 3: TURN server auto-discover… Dan Wing
- Re: [tram] Milestone 3: TURN server auto-discover… Marc Blanchet
- Re: [tram] Milestone 3: TURN server auto-discover… Dan Wing
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Justin Uberti
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- Re: [tram] Milestone 3: TURN server auto-discover… Muthu Arul Mozhi Perumal (mperumal)
- Re: [tram] Milestone 3: TURN server auto-discover… Oleg Moskalenko
- Re: [tram] Milestone 3: TURN server auto-discover… Pal Martinsen (palmarti)
- Re: [tram] Milestone 3: TURN server auto-discover… Muthu Arul Mozhi Perumal (mperumal)
- Re: [tram] Milestone 3: TURN server auto-discover… Justin Uberti
- Re: [tram] Milestone 3: TURN server auto-discover… Hutton, Andrew
- Re: [tram] Milestone 3: TURN server auto-discover… Justin Uberti
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Hutton, Andrew
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Muthu Arul Mozhi Perumal (mperumal)
- Re: [tram] Milestone 3: TURN server auto-discover… Muthu Arul Mozhi Perumal (mperumal)
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- [tram] IMPORTANT CLARIFICATIONS: Milestone 3: TUR… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- Re: [tram] Milestone 3: TURN server auto-discover… Simon Perreault
- Re: [tram] Milestone 3: TURN server auto-discover… Pal Martinsen (palmarti)
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- Re: [tram] IMPORTANT CLARIFICATIONS: Milestone 3:… Tirumaleswar Reddy (tireddy)
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- Re: [tram] Milestone 3: TURN server auto-discover… Justin Uberti
- Re: [tram] Milestone 3: TURN server auto-discover… Justin Uberti
- Re: [tram] Milestone 3: TURN server auto-discover… Hutton, Andrew
- Re: [tram] Milestone 3: TURN server auto-discover… Tirumaleswar Reddy (tireddy)
- Re: [tram] Milestone 3: TURN server auto-discover… Karl Stahl
- [tram] QoS for RTC over the Internet, DISCUSS: Mi… Karl Stahl
- Re: [tram] QoS for RTC over the Internet, DISCUSS… Simon Perreault
- Re: [tram] QoS for RTC over the Internet, DISCUSS… Pal Martinsen (palmarti)
- Re: [tram] QoS for RTC over the Internet, DISCUSS… Karl Stahl