1. No category

Introduction to the IETF ICE/TURN/STUN set of RFCs

Introduction to the IETF
ICE/TURN/STUN set of RFCs
Emil Ivov, Pal Martinsen,
Justin Uberti & Brandon Williams
IETF 92
Copyright (c) 2015 IETF Trust and the persons identified as the document authors
Content
Q and A
SHOULD happen
during the session
• What is the Problem?
– Basics of IP telephony
– How NAT works
• Core ICE functionality
–
–
–
–
What is a Candidate
Candidate Gathering
Connectivity Checks
Concluding
• IETF RFCs, drafts and I-Ds
• Summary
WHAT IS THE PROBLEM?
The basics of IP telephony
A sample call
l:
Cal A
b
To: ia: B:P
Med
Bob
Address: B
Port: Pb
network core
(registrars, proxies, …)
Alice
Address: A
Port: Pa
The basics of IP telephony
A sample call
network core
(registrars, proxies, …)
Bob
Address: B
Port: Pb
Ans
To: wer:
Med B
ia:
A:P
a
Alice
Address: A
Port: Pa
The basics of IP telephony.
network core
(registrars, proxies, …)
… MEDIA over (S)RTP …
Bob
Address: B
Port: Pb
Alice
Address: A
Port: Pa
And then NATs were born …
Call:
To: B Ap
:
Media
Call:
To: B
Medi
a:
Ap
ERROR
Alice
Private Address: A
NAT/Firewall
Address: FA
NAT/Firewall
Address: FB
Impossible for Bob to initiate a media connection to Alice
Impossible for Alice to initiate a media connection to Bob
Bob
Address: B
How NAT boxes work
Web Server
158.38.48.10
NAT Mappings
Src addr
Src
port
Internet
Dst addr
Dst
port
Rewritten
src port
194.70.154.237
NAT
192.168.10.1
Client
192.168.10.5
How NAT boxes work
Web Server
158.38.48.10
NAT Mappings
Src addr
Src port
Internet
Dst addr
Dst port
Rewritten
src port
192.168.10.
5
23045
158.38.48.10
80
34567
194.70.154.237
NAT
192.168.10.1
Client
192.168.10.5
How NAT boxes work
Web Server
158.38.48.10
NAT Mappings
Src addr
Src port
Internet
Dst addr
Dst port
Rewritten
src port
192.168.10.
5
23045
158.38.48.10
80
34567
194.70.154.237
NAT
192.168.10.1
Client
192.168.10.5
Rewrite outgoing
IP packet
How NAT boxes work
Web Server
158.38.48.10
NAT Mappings
Src addr
Src port
Internet
Dst addr
Dst port
Rewritten
src port
192.168.10.
5
23045
158.38.48.10
80
34567
194.70.154.237
34567
NAT
192.168.10.1
Client
192.168.10.5
How NAT boxes work
Web Server
158.38.48.10
NAT Mappings
Src addr
Src port
Internet
Dst addr
Dst port
Rewritten
src port
192.168.10.
5
23045
158.38.48.10
80
34567
194.70.154.237
NAT
192.168.10.1
A client request is required to open the
pinhole, but the mapping is usually active
for at least 30 sec, so subsequent packets
get through.
Client
192.168.10.5
“Pinhole”
Problem Summary
• The signaling path works because the server
has a known publicly routable IP address.
• The media path breaks because the peers
have private non-routable IP addresses.
• IPv6 could solve the problem, except
firewalls/NATs still exist there.
STUN to the Rescue
• STUN binding request exchanged with the
server opens a NAT pinhole.
• Client learns the NAT mapping from the STUN
server in the binding response.
• Remote peer can send to this address.
• Doesn't work for all NATs. Some NATs only
accept from the original server.
STUN to the Rescue
Call:
To: B
Medi
a:
Call:
To: B
FAp
Media:
FAp
STUN
Alice
Private Address: A
NAT/Firewall
Address: FA
NAT/Firewall
Address: FB
Alice learns FAp from the STUN server, and sends it to Bob.
Bob can initiate a media connection to Alice via FAp.
Bob
Address: B
TURN to the Rescue
• TURN server allocates a public address for the
client to advertise.
• All p2p data is relayed via the TURN server, so
restrictive NAT pinhole works.
• Often more overhead than direct: processing
time on relay, additional latency.
TURN to the Rescue
Call:
To: B
Medi
a:
Call:
To: B
TAp
Media:
Address: TA
Address: TB
TURN
TURN
TAp
Alice
Private Address: A
Alice and Bob get addresses from their TURN servers.
The media connection is relayed via TA and TB.
Bob
Address: B
CORE ICE FUNCTIONALITY
What is ICE?
• Each peer can have multiple "candidate"
addresses.
• Interactive Connectivity Establishment is how
the peers pick a candidate pair to use.
• Basically, test connectivity for all pairs and
pick the best* pair that works.
What is a Candidate?
I listen for
media here!
Bob
IP: 192.168.1.34
Port: 4567
HOST
What is a Candidate?
And here!
Bob
IP: 192.168.1.34
Port: 4567
HOST
What is a Candidate?
NAT/Firewall
IP: 1.4.7.4
Port: 7865
RFLX
And even
here!
What is a Candidate?
TURN Server
Bob
IP: 192.168.1.34
Port: 4567
HOST
NAT/Firewall
IP: 1.4.7.4
TURN Server
Allocated
IP: 45.67.89.34
Port: 7865
Port: 45678
RFLX
RELAY
What is a Candidate?
TURN Server
Bob
IP: 192.168.1.34
Port: 4567
HOST
NAT/Firewall
IP: 1.4.7.4
TURN Server
Allocated
IP: 45.67.89.34
Port: 7865
Port: 45678
RFLX
RELAY
Alice
What is a Candidate?
TURN Server
Bob
IP: 192.168.1.34
Port: 4567
HOST
NAT/Firewall
IP: 1.4.7.4
TURN Server
Allocated
IP: 45.67.89.34
Port: 7865
Port: 45678
RFLX
RELAY
No assumptions
regarding remote
or local network
?
Alice
IP: 192.168.1.35
Port: 4567
What is a Candidate?
TURN
Alice
can Server
even be
on the desk next
to Bob..
Bob
IP: 192.168.1.34
Port: 4567
HOST
NAT/Firewall
IP: 1.4.7.4
TURN Server
Allocated
IP: 45.67.89.34
Port: 7865
Port: 45678
RFLX
RELAY
Candidate Gathering
TURN Server
Bob
IP: 192.168.1.34
Port: 4567
HOST
Candidate Gathering
TURN Server
TURN Allocate Request
Bob
IP: 192.168.1.34
Port: 4567
HOST
Candidate Gathering
TURN Server
TURN Allocate Request
Bob
IP: 192.168.1.34
Port: 4567
HOST
NAT/Firewall
IP: 1.4.7.4
TURN Server
Allocated
IP: 45.67.89.34
Port: 7865
Port: 45678
RFLX
RELAY
Allocating
RELAY port and
reports back
where request
came from
(RFLX)
Checklist
TURN
Server
TURN
Server
Agents gather
their candidates
HOST
RFLX
RELAY
RELAY
RFLX
HOST
Checklist
TURN
Server
TURN
Server
Need to check
connectivity from
host candidate
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Checklist
TURN
Server
TURN
Server
.. and from RELAY
candidate.
Not possible to send from
RFLX, that “just” happens.
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Checklist
TURN
Server
TURN
Server
And checks from the other
directions as well.
(This is important, more on that later)
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Connectivity Check
STUN Binding Request
STUN Binding Response
?
Connectivity Checks
TURN
Server
TURN
Server
HOST to HOST is a nice start.
If that works all is good.
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Connectivity Checks
TURN
Server
TURN
Server
No “pinhole” packet
dropped
“Pinhole” open to
allow answers back in
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Connectivity Checks
“Pinhole” allow
answer back in
TURN
Server
TURN
Server
“Pinhole” open to
allow answers back in
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Connectivity Checks
TURN
Server
TURN
Server
“Pinhole” open to
allow answer back in
Retrying connectivity
check
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Concluding
TURN
Server
TURN
Server
Success!
P2P Media
without need
for relay!
HOST
HOST
RFLX
RFLX
RELAY
RELAY
Concluding
TURN
Server
TURN
Server
Dependent on the NAT/FW media
might take many paths
IETF RFCS, DRAFTS AND I-DS
RFCs, drafts and I-Ds
Core RFCs
RFCs, drafts and I-Ds
Core RFCs
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN DTLS
Security
(RFC7350)
RFCs, drafts and I-Ds
Core RFCs
TURN TCP
(RFC 6062)
TURN IPv6
(RFC 6156)
TURN
(RFC 5766)
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN DTLS
Security
(RFC7350)
RFCs, drafts and I-Ds
Core RFCs
ICE SIP
options
(RFC 5768)
TURN TCP
(RFC 6062)
TURN IPv6
(RFC 6156)
TURN
(RFC 5766)
ICE
(RFC 5245)
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN DTLS
Security
(RFC7350)
ICE IANA
Registry
(RFC 6336)
ICE TCP
(RFC 6544)
RFCs, drafts and I-Ds
Adopted Drafts
Core RFCs
ICE SIP
options
(RFC 5768)
TURN TCP
(RFC 6062)
TURN IPv6
(RFC 6156)
TURN
(RFC 5766)
ICE
(RFC 5245)
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN DTLS
Security
(RFC7350)
ICE IANA
Registry
(RFC 6336)
ICE TCP
(RFC 6544)
RFCs, drafts and I-Ds
SIP
Adopted Drafts
ICE SIP SDP
Trickle ICE
SIP
TURNBis
Discovery
Trickle ICE
Core RFCs
ICE SIP
options
(RFC 5768)
TURN TCP
(RFC 6062)
rd
3 party
Auth
TURN IPv6
(RFC 6156)
TURN
(RFC 5766)
ICE IANA
Registry
(RFC 6336)
ICE
(RFC 5245)
ICE TCP
(RFC 6544)
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN
Origin
STUN DTLS
Security
(RFC7350)
STUNbis
ICEBis
RFCs, drafts and I-Ds
Individual Drafts
SIP
Adopted Drafts
ICE SIP SDP
Trickle ICE
SIP
TURNBis
Discovery
Trickle ICE
Core RFCs
ICE SIP
options
(RFC 5768)
TURN TCP
(RFC 6062)
rd
3 party
Auth
TURN IPv6
(RFC 6156)
TURN
(RFC 5766)
ICE IANA
Registry
(RFC 6336)
ICE
(RFC 5245)
ICE TCP
(RFC 6544)
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN
Origin
STUN DTLS
Security
(RFC7350)
STUNbis
ICEBis
RFCs, drafts and I-Ds
Individual Drafts
Peer
Redirect
TURN
Mobility
Nombis
Dual Stack
Fairness
SIP
Adopted Drafts
ICE SIP SDP
MICE
Trickle ICE
SIP
TURNBis
Discovery
Trickle ICE
Server
Selection
Core RFCs
ICE SIP
options
(RFC 5768)
TURN TCP
(RFC 6062)
rd
3 party
Auth
TURN IPv6
(RFC 6156)
TURN
(RFC 5766)
ICE IANA
Registry
(RFC 6336)
ICE
(RFC 5245)
ICE TCP
(RFC 6544)
STUN
(RFC 5389)
ALPN
(RFC 7443)
STUN
Origin
rtcWEB
STUN DTLS
Security
(RFC7350)
STUNbis
Consent
Freshness
PMTUd
DISCUSS
PATH Data
DANE
ICEBis
RFC/Draft
ICE
ICE SIP Options
ICE IANA Registry
ICE TCP
ICEBis
ICE SIP SDP
Trickle ICE
Trickle ICE SIP
Dual Stack Fairness
MICE
Continious Nomination
STUN
STUN DTLS
STUN Origin
ALPN
STUNbis
PMTUd
DISCUSS
DANE
PATH Data
TURN
TURN TCP
TURN IPv6
TURNbis
Discovery
3rd Party Auth
TURN Mobility
Peer Redirect
Server Selection
Category
RFC
RFC
RFC
RFC
Adopted Draft
Adopted Draft
Adopted Draft
Adopted Draft
I-D
I-D
?
RFC
RFC
Adopted Draft
RFC
Adopted Draft
I-D
I-D
I-D
I-D
RFC
RFC
RFC
Adopted Draft
Adopted Draft
Adopted Draft
I-D
I-D
I-D
Name
RFC 5245
RFC 5768
RFC 6544
draft-ietf-mmusic-trickle-ice
draft-ietf-mmusic-ice-sip-sdp
draft-ietf-mmusic-trickle-ice
draft-ietf-mmusic-trickle-ice-sip
draft-martinsen-mmusic-ice-dualstack-fairness
draft-wing-mmusic-ice-mobility
RFC 5389
RFC 7350
draft-ietf-tram-stun-origin
RFC 7443
draft-ietf-tram-stunbis
draft-petithuguenin-tram-stun-pmtud
draft-martinsen-tram-discuss
draft-petithuguenin-tram-stun-dane
draft-reddy-tram-stun-path-data
RFC 5766
RFC 6062
RFC 6156
draft-ietf-tram-turnbis
draft-ietf-tram-turn-server-discovery
draft-ietf-tram-turn-third-party-authz
draft-wing-tram-turn-mobility
draft-williams-peer-redirect
draft-patil-tram-turn-serv-selection
Pages
117
6
5
31
89
41
25
22
8
16
0
51
16
12
5
51
10
15
7
9
67
13
14
68
11
20
11
13
7
760
SUMMARY
Main Steps
• Gather candidates
• Exchange candidates
(Signaling path, SIP/XMPP, etc.)
• Create checklist and do connectivity checks
• Stop, conclude and send media
It´s Complicated
IPv4
IPv6
eth0
IPv4
IPv6
IPv6
eth1
IPv4
IPv6
utun2
IPv4
IPv6
IPv4
IPv6
IPv6
IPv6
IPv4
IPv6
IPv6
IPv4
IPv6
IPv6
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
en0
en1
It´s Complicated
Default candidate?
When to stop?
IPv4
IPv6
eth0
IPv4
IPv6
IPv6
eth1
IPv4
IPv6
utun2
IPv4
IPv6
IPv4
IPv6
IPv6
IPv6
IPv4
IPv6
IPv6
IPv4
IPv6
IPv6
IPv6
What to check first?
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
en0
en1
Local and Remote
checklist need to be
coordinated to punch
the right holes in the
FW/NAT
It´s Complicated
When to stop?
IPv4
IPv6
eth0
IPv4
IPv6
IPv6
eth1
IPv4
IPv6
utun2
IPv4
IPv6
IPv6
IPv6
IPv4
IPv6
because we are living in a
complicated world
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
IPv6
IPv6
IPv4
IPv6
IPv6
en0
en1
Local and Remote
checklist need to be
coordinated to punch
the right holes in the
FW/NAT
It´s Complicated
When to stop?
IPv4
IPv6
IPv4
IPv6
IPv6
eth0
eth1
IPv4
IPv6
IPv4
IPv6
IPv6
IPv6
where you try to standardize
something that tries to fix up nonstandardized behaviour
utun2
IPv4
IPv6
IPv4
IPv6
IPv6
IPv4
IPv6
IPv6
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
IPv4
IPv6
en0
en1
Local and Remote
checklist need to be
coordinated to punch
the right holes in the
FW/NAT
… the end
Authors / Presenters
Pål-Erik Martinsen (Cisco)
Emil Ivov (Jitsi)
Justin Uberti (Google)
Brandon Williams (Akamai)

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz