TRAM M. Petit-Huguenin Internet-Draft Jive Communications Updates: 5389, 5928 (if approved) G. Salgueiro Intended status: Standards Track Cisco Systems Expires: December 29, 2014 June 27, 2014 Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN) draft-ietf-tram-stun-dtls-05 Abstract This document specifies the usage of Datagram Transport Layer Security (DTLS) as a transport protocol for Session Traversal Utilities for NAT (STUN). It provides guidances on when and how to use DTLS with the currently standardized STUN Usages. It also specifies modifications to the STUN URIs and TURN URIs and to the TURN resolution mechanism to facilitate the resolution of STUN URIs and TURN URIs into the IP address and port of STUN and TURN servers supporting DTLS as a transport protocol. This document updates RFC 5389 and RFC 5928. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 29, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 1] Internet-Draft STUN over DTLS June 2014 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. DTLS as Transport for STUN . . . . . . . . . . . . . . . . . 3 4. STUN Usages . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. NAT Discovery Usage . . . . . . . . . . . . . . . . . . . 4 4.1.1. DTLS Support in STUN URIs . . . . . . . . . . . . . . 5 4.2. Connectivity Check Usage . . . . . . . . . . . . . . . . 5 4.3. Media Keep-Alive Usage . . . . . . . . . . . . . . . . . 5 4.4. SIP Keep-Alive Usage . . . . . . . . . . . . . . . . . . 6 4.5. NAT Behavior Discovery Usage . . . . . . . . . . . . . . 6 4.6. TURN Usage . . . . . . . . . . . . . . . . . . . . . . . 6 4.6.1. DTLS Support in TURN URIs . . . . . . . . . . . . . . 6 4.6.2. Resolution Mechanism for TURN over DTLS . . . . . . . 7 5. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 5.1. turnuri . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.2. rfc5766-turn-server . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7.1. S-NAPTR application protocol tag . . . . . . . . . . . . 10 7.2. Service Name and Transport Protocol Port Number . . . . . 10 7.2.1. The stuns Service Name . . . . . . . . . . . . . . . 10 7.2.2. The turns Service Name . . . . . . . . . . . . . . . 11 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 14 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 14 Appendix B. Release notes . . . . . . . . . . . . . . . . . . . 15 B.1. Modifications between ietf-tram-stun-dtls-04 and ietf- tram-stun-dtls-05 . . . . . . . . . . . . . . . . . . . . 15 B.2. Modifications between ietf-tram-stun-dtls-03 and ietf- tram-stun-dtls-04 . . . . . . . . . . . . . . . . . . . . 16 B.3. Modifications between ietf-tram-stun-dtls-02 and ietf- tram-stun-dtls-03 . . . . . . . . . . . . . . . . . . . . 16 B.4. Modifications between ietf-tram-stun-dtls-01 and ietf- tram-stun-dtls-02 . . . . . . . . . . . . . . . . . . . . 17 B.5. Modifications between ietf-tram-stun-dtls-00 and ietf- tram-stun-dtls-01 . . . . . . . . . . . . . . . . . . . . 17 B.6. Modifications between petithuguenin-tram-stun-dtls-00 and Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 2] Internet-Draft STUN over DTLS June 2014 ietf-tram-stun-dtls-00 . . . . . . . . . . . . . . . . . 17 B.7. Modifications between petithuguenin-tram-turn-dtls-00 and petithuguenin-tram-stun-dtls-00 . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 1. Introduction STUN [RFC5389] defines Transport Layer Security (TLS) over TCP (simply referred to as TLS [RFC5246]) as the transport for STUN due to additional security advantages it offers over plain UDP or TCP transport. But TCP (and thus TLS-over-TCP) is not an optimal transport when STUN is used for its originally intended purpose, which is to support multimedia sessions. This is a well documented and understood transport limitation for real-time communications. DTLS-over-UDP (referred to in this document as simply DTLS [RFC6347]) offers the same security advantages as TLS-over-TCP, but without the undesirable concerns. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] when they appear in ALL CAPS. When these words are not in ALL CAPS (such as "must" or "Must"), they have their usual English meanings, and are not to be interpreted as RFC 2119 key words. 3. DTLS as Transport for STUN STUN [RFC5389] defines three transports: UDP, TCP, and TLS. This document adds DTLS as a valid transport for STUN. STUN over DTLS MUST use the same retransmission rules as STUN over UDP (as described in Section 7.2.1 of [RFC5389]). It MUST also use the same rules that are described in Section 7.2.2 of [RFC5389] to verify the server identity. Instead of TLS_RSA_WITH_AES_128_CBC_SHA, which is the default cipher suite for STUN over TLS, implementations of STUN over DTLS, and deployed clients and servers, MUST support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and MAY support other ciphersuites. Perfect Forward Secrecy (PFS) cipher suites MUST be preferred over non-PFS cipher suites. Cipher suites with known weaknesses, such as those based on (single) DES and RC4, MUST NOT be used. Implementations MUST disable TLS-level compression. The same rules established in Section 7.2.2 of [RFC5389] for keeping open and closing TCP/TLS connections MUST be used as well for DTLS associations. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 3] Internet-Draft STUN over DTLS June 2014 In addition to the path MTU rules described in Section 7.1 of [RFC5389], if the path MTU is unknown, the actual STUN message needs to be adjusted to take into account the size of the (13-byte) DTLS Record header, the MAC size, and the padding size. By default, STUN over DTLS MUST use port 5349, the same port number as STUN over TLS. However, the SRV procedures can be implemented to use a different port (as described in Section 9 of [RFC5389]). When using SRV records, the service name MUST be set to "stuns" and the protocol name to "udp". Classic STUN [RFC3489] defines only UDP as a transport and DTLS MUST NOT be used. Any STUN request or indication without the magic cookie (see Section 6 of [RFC5389]) over DTLS MUST always result in an error. 4. STUN Usages [RFC5389] Section 7.2 states that STUN usages must specify which transport protocol is used. The following sections discuss if and how the existing STUN usages are used with DTLS as the transport. Future STUN usages MUST take into account DTLS as a transport and discuss its applicability. In all cases, new STUN usages MUST explicitly state if implementing the denial-of-service counter- measure described in Section 4.2.1 of [RFC6347] is mandatory. 4.1. NAT Discovery Usage As stated by Section 13 of [RFC5389], "...TLS provides minimal security benefits..." for this particular STUN usage. DTLS will also similarly offer only limited benefit. This is because the only mandatory attribute that is TLS/DTLS protected is the XOR-MAPPED- ADDRESS, which is already known by an on-path attacker, since it is the same as the source address and port of the STUN request. On the other hand, using TLS/DTLS will prevent an active attacker to inject XOR-MAPPED-ADDRESS in responses. The TLS/DTLS transport will also protect the SOFTWARE attribute, which can be used to find vulnerabilities in STUN implementations. Regardless, this usage is rarely used by itself, since using TURN [RFC5766] with ICE [RFC5245] is generally indispensable, and TURN provides the same NAT Discovery feature as part of an Allocation creation. In fact, with ICE, the NAT Discovery usage is only used when there is no longer any resource available for new Allocations in the TURN server. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 4] Internet-Draft STUN over DTLS June 2014 A STUN server implementing the NAT Discovery Usage and using DTLS MUST implement the denial-of-service counter-measure described in Section 4.2.1 of [RFC6347]. 4.1.1. DTLS Support in STUN URIs This document does not make any changes to the syntax of a STUN URI [RFC7064]. As indicated in Section 3.2 of [RFC7064], secure transports like STUN over TLS, and now STUN over DTLS, MUST use the "stuns" URI scheme. The value MUST be used when using the rules in Section 7.2.2 of [RFC5389] to verify the server identity. A STUN URI containing an IP address MUST be rejected, unless the domain name is provided by the same mechanism that provided the STUN URI, and that this domain name can be passed to the verification code. 4.2. Connectivity Check Usage Using DTLS would hide the USERNAME, PRIORITY, USE-CANDIDATE, ICE- CONTROLLED and ICE-CONTROLLING attributes. But because MESSAGE- INTEGRITY protects the entire STUN response using a password that is known only by looking at the SDP exchanged, it is not possible for an attacker that does not have access to this SDP to inject an incorrect XOR-MAPPED-ADDRESS, XOR-MAPPED-ADDRESS which would subsequently be used as a peer reflexive candidate. Adding DTLS on top of the connectivity check would delay, and consequently impair, the ICE process. Adding additional round-trips to ICE is undesirable, so much that there is a proposal ([I-D.thomson-rtcweb-ice-dtls]) to use the DTLS handshake used by the WebRTC SRTP streams as a replacement for the connectivity checks. STUN URIs are not used with this usage. 4.3. Media Keep-Alive Usage When STUN Binding Indications are being used for media keep-alive (described in Section 10 of [RFC5245]), it runs alongside an RTP or RTCP session. It is possible to send these media keep-alive packets inside a separately negotiated non-SRTP DTLS session if DTLS-SRTP [RFC5764] is used, but that would add overhead, with minimal security benefit. STUN URIs are not used with this usage. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 5] Internet-Draft STUN over DTLS June 2014 4.4. SIP Keep-Alive Usage The SIP keep-alive (described in [RFC5626]) runs inside a SIP flow. This flow would be protected if a SIP over DTLS transport mechanism is implemented (such as described in [I-D.jennings-sip-dtls]). STUN URIs are not used with this usage. 4.5. NAT Behavior Discovery Usage The NAT Behavior Discovery usage is Experimental and to date has never being effectively deployed. Despite this, using DTLS would add the same security properties as for the NAT Discovery Usage (Section 4.1). The STUN URI can be used to access the NAT Discovery feature of a NAT Behavior Discovery server, but accessing the full features would require definition of a "stun-behaviors:" URI, which is out of scope for this document. A STUN server implementing the NAT Behavior Discovery Usage and using DTLS MUST implement the denial-of-service counter-measure described in Section 4.2.1 of [RFC6347]. 4.6. TURN Usage TURN [RFC5766] defines three combinations of transports/allocations: UDP/UDP, TCP/UDP and TLS/UDP. This document adds DTLS/UDP as a valid combination. A TURN server using DTLS MUST implement the denial-of- service counter-measure described in Section 4.2.1 of [RFC6347]. [RFC6062] states that TCP allocations cannot be obtained using a UDP association between client and server. The fact that DTLS uses UDP implies that TCP allocations MUST NOT be obtained using a DTLS association between client and server. By default, TURN over DTLS uses port 5349, the same port number as TURN over TLS. However, the SRV procedures can be implemented to use a different port (as described in Section 6 of [RFC5766]. When using SRV records, the service name MUST be set to "turns" and the protocol name to "udp". 4.6.1. DTLS Support in TURN URIs This document does not make any changes to the syntax of a TURN URI [RFC7065]. As indicated in Section 3 of [RFC7065], secure transports like TURN over TLS, and now TURN over DTLS, MUST use the "turns" URI Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 6] Internet-Draft STUN over DTLS June 2014 scheme. When using the "turns" URI scheme to designate TURN over DTLS, the transport value of the TURN URI, if set, MUST be "udp". The value MUST be used when using the rules in Section 7.2.2 of [RFC5389] to verify the server identity. A TURN URI containing an IP address MUST be rejected, unless the domain is provided by the same mechanism that provided the TURN URI, and that this domain name can be passed to the verification code. 4.6.2. Resolution Mechanism for TURN over DTLS This document defines a new Straightforward Naming Authority Pointer (S-NAPTR) application protocol tag: "turn.dtls". The component, as provisioned or resulting from the parsing of a TURN URI, is passed without modification to the TURN resolution mechanism defined in Section 3 of [RFC5928], but with the following alterations to that algorithm: o The acceptable values for transport name are extended with the addition of "dtls". o The acceptable values in the ordered list of supported TURN transports is extended with the addition of "Datagram Transport Layer Security (DTLS)". o The resolution algorithm check rules list is extended with the addition of the following step: If is true and is defined as "udp" but the list of TURN transports supported by the application does not contain DTLS, then the resolution MUST stop with an error. o The 5th rule of the resolution algorithm check rules list is modified to read like this: If is true and is not defined but the list of TURN transports supported by the application does not contain TLS or DTLS, then the resolution MUST stop with an error. o Table 1 is modified to add the following line: +----------+-------------+----------------+ | | | TURN Transport | +----------+-------------+----------------+ | true | "udp" | DTLS | +----------+-------------+----------------+ Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 7] Internet-Draft STUN over DTLS June 2014 o In step 1 of the resolution algorithm the default port for DTLS is 5349. o In step 4 of the resolution algorithm the following is added to the list of conversions between the filtered list of TURN transports supported by the application and application protocol tags: "turn.dtls" is used if the TURN transport is DTLS. Note that using the [RFC5928] resolution mechanism does not imply that additional round trips to the DNS server will be needed (e.g., the TURN client will start immediately if the TURN URI contains an IP address). 5. Implementation Status [[Note to RFC Editor: Please remove this section and the reference to [RFC6982] before publication.]] This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC6982]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to [RFC6982], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". 5.1. turnuri Organization: Impedance Mismatch Name: turnuri 0.5.0 http://debian.implementers.org/stable/source/ turnuri.tar.gz Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 8] Internet-Draft STUN over DTLS June 2014 Description: A reference implementation of the URI and resolution mechanism defined in this document, RFC 7065 [RFC7065] and RFC 5928 [RFC5928]. Level of maturity: Beta. Coverage: Fully implements the URIs and resolution mechanism defined in this specification, in RFC 7065 and in RFC 5928. Licensing: AGPL3 Implementation experience: TBD Contact: Marc Petit-Huguenin . 5.2. rfc5766-turn-server Organization: This is a public project, the full list of authors and contributors here: http://turnserver.open-sys.org/downloads/ AUTHORS. Name: http://code.google.com/p/rfc5766-turn-server/ Description: A mature open-source TURN server specs implementation (RFC 5766, RFC 6062, RFC 6156, etc) designed for high-performance applications, especially geared for WebRTC. Level of maturity: Production level. Coverage: Fully implements DTLS with TURN protocol. Licensing: BSD: http://turnserver.open-sys.org/downloads/LICENSE Implementation experience: DTLS is recommended for secure media applications. It has benefits of both UDP and TLS. Contact: Oleg Moskalenko 6. Security Considerations STUN over DTLS as a STUN transport does not introduce any specific security considerations beyond those for STUN over TLS detailed in [RFC5389]. The usage of "udp" as a transport parameter with the "stuns" URI scheme does not introduce any specific security issues beyond those discussed in [RFC7064]. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 9] Internet-Draft STUN over DTLS June 2014 TURN over DTLS as a TURN transport does not introduce any specific security considerations beyond those for TURN over TLS detailed in [RFC5766]. The usage of "udp" as a transport parameter with the "turns" URI scheme does not introduce any specific security issues beyond those discussed in [RFC7065]. The new S-NAPTR application protocol tag defined in this document as well as the modifications this document makes to the TURN resolution mechanism described in [RFC5928] do not introduce any additional security considerations beyond those outlined in [RFC5928]. 7. IANA Considerations 7.1. S-NAPTR application protocol tag This specification contains the registration information for one S-NAPTR application protocol tag in the "Straightforward-NAPTR (S-NAPTR) Parameters/S-NAPTR Application Protocol Tags" registry (in accordance with [RFC3958]). Application Protocol Tag: turn.dtls Intended Usage: See Section 4.6.2 Interoperability considerations: N/A Security considerations: See Section 6 Relevant publications: This document Contact information: Marc Petit-Huguenin Author/Change controller: The IESG 7.2. Service Name and Transport Protocol Port Number This specification contains the registration information for two Service Name and Transport Protocol Port Numbers in the "Service Names and Transport Protocol Port Numbers/Service Name and Transport Protocol Port Number" registry (in accordance with [RFC6335]). 7.2.1. The stuns Service Name IANA is requested to modify the following entry in the registry "Service Names and Transport Protocol Port Numbers/Service Name and Transport Protocol Port Number": Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 10] Internet-Draft STUN over DTLS June 2014 Service Name: stuns Transport Protocol(s): UDP Assignee: Contact: Description: Reserved for a future enhancement of STUN Reference: RFC5389 Port Number: 5349 Such as it contains the following: Service Name: stuns Transport Protocol(s): UDP Assignee: IESG Contact: IETF Chair Description: STUN over DTLS Reference: RFC-to-be Port Number: 5349 Assignment Notes: This service name was initially created by RFC 5389 7.2.2. The turns Service Name IANA is requested to modify the following entry in the registry "Service Names and Transport Protocol Port Numbers/Service Name and Transport Protocol Port Number": Service Name: turns Transport Protocol(s): UDP Assignee: Contact: Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 11] Internet-Draft STUN over DTLS June 2014 Description: Reserved for a future enhancement of TURN Reference: RFC5766 Port Number: 5349 Such as it contains the following: Service Name: turns Transport Protocol(s): UDP Assignee: IESG Contact: IETF Chair Description: TURN over DTLS Reference: RFC-to-be Port Number: 5349 Assignment Notes: This service name was initially created by RFC 5766 8. Acknowledgements Thanks to Alan Johnston, Oleg Moskalenko, Simon Perreault, Thomas Stach, Simon Josefsson, Roni Even, Kathleen Moriarty, Benoit Claise, Martin Stiemerling, Jari Arkko, and Stephen Farrell for the comments, suggestions, and questions that helped improve this document. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", RFC 3489, March 2003. [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS)", RFC 3958, January 2005. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 12] Internet-Draft STUN over DTLS June 2014 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", RFC 5245, April 2010. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, "Session Traversal Utilities for NAT (STUN)", RFC 5389, October 2008. [RFC5626] Jennings, C., Mahy, R., and F. Audet, "Managing Client- Initiated Connections in the Session Initiation Protocol (SIP)", RFC 5626, October 2009. [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)", RFC 5766, April 2010. [RFC5928] Petit-Huguenin, M., "Traversal Using Relays around NAT (TURN) Resolution Mechanism", RFC 5928, August 2010. [RFC6062] Perreault, S. and J. Rosenberg, "Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations", RFC 6062, November 2010. [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, RFC 6335, August 2011. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012. [RFC7064] Nandakumar, S., Salgueiro, G., Jones, P., and M. Petit- Huguenin, "URI Scheme for the Session Traversal Utilities for NAT (STUN) Protocol", RFC 7064, November 2013. [RFC7065] Petit-Huguenin, M., Nandakumar, S., Salgueiro, G., and P. Jones, "Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers", RFC 7065, November 2013. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 13] Internet-Draft STUN over DTLS June 2014 9.2. Informative References [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", RFC 6982, July 2013. [I-D.thomson-rtcweb-ice-dtls] Thomson, M., "Using Datagram Transport Layer Security (DTLS) For Interactivity Connectivity Establishment (ICE) Connectivity Checking: ICE-DTLS", draft-thomson-rtcweb- ice-dtls-00 (work in progress), March 2012. [I-D.jennings-sip-dtls] Jennings, C. and N. Modadugu, "Using Interactive Connectivity Establishment (ICE) in Web Real-Time Communications (WebRTC)", draft-jennings-sip-dtls-05 (work in progress), October 2007. Appendix A. Examples Table 1 shows how the , and components are populated for a TURN URI that uses DTLS as its transport. For all these examples, the component is populated with "example.net". +---------------------------------+----------+--------+-------------+ | URI | | | | +---------------------------------+----------+--------+-------------+ | turns:example.net?transport=udp | true | | DTLS | +---------------------------------+----------+--------+-------------+ Table 1 With the DNS RRs in Figure 1 and an ordered TURN transport list of {DTLS, TLS, TCP, UDP}, the resolution algorithm will convert the TURN URI "turns:example.net" to the ordered list of IP address, port, and protocol tuples in Table 2. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 14] Internet-Draft STUN over DTLS June 2014 example.net. IN NAPTR 100 10 "" RELAY:turn.udp:turn.dtls "" datagram.example.net. IN NAPTR 200 10 "" RELAY:turn.tcp:turn.tls "" stream.example.net. datagram.example.net. IN NAPTR 100 10 S RELAY:turn.udp "" _turn._udp.example.net. IN NAPTR 200 10 S RELAY:turn.dtls "" _turns._udp.example.net. stream.example.net. IN NAPTR 100 10 S RELAY:turn.tcp "" _turn._tcp.example.net. IN NAPTR 200 10 A RELAY:turn.tls "" a.example.net. _turn._udp.example.net. IN SRV 0 0 3478 a.example.net. _turn._tcp.example.net. IN SRV 0 0 5000 a.example.net. _turns._udp.example.net. IN SRV 0 0 5349 a.example.net. a.example.net. IN A 192.0.2.1 Figure 1 +-------+----------+------------+------+ | Order | Protocol | IP address | Port | +-------+----------+------------+------+ | 1 | DTLS | 192.0.2.1 | 5349 | | 2 | TLS | 192.0.2.1 | 5349 | +-------+----------+------------+------+ Table 2 Appendix B. Release notes This section must be removed before publication as an RFC. B.1. Modifications between ietf-tram-stun-dtls-04 and ietf-tram-stun- dtls-05 o Resolve nits: Updates RFC in abstract. o Update short title to reflect long title o Simplify the introduction to simply states that TCP is not optimal for realtime communications. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 15] Internet-Draft STUN over DTLS June 2014 o Add refereence to RFC 5389 section 6 for the magic cookie. o s/domain/domain name/ o Make clear that knowledge of the SDP is needed to be able to inject a false XOR-MAPPED-ADDRESS. o Invert the sentence about ICE round-trips to make clear that the cited draft is just an evidence, not an advice. o Rewrite of the IANA templates for Port numbers. o Remove compression from the list of element to take in accoutn to adjust the PMTU size, as it is now forbidden. B.2. Modifications between ietf-tram-stun-dtls-03 and ietf-tram-stun- dtls-04 o Add text to disable TLS compression. o Add text to require usage of the DTLS cookie for NAT discovery and NAT behavior discovery. o Add text to so new usages talk about cookie usage. o Change TLS-over-UDP to DTLS-over-UDP and use DTLS as alias for DTLS over UDP.. o Use new text proposed by Simon Josefsson for the cipher suites. o s/the same port/the same port number/ o s/application name/protocol name/ o Make clear that section 4.3 is only about the STUN Indication method of media keep-alive. o Changed contact information to IETF Chair in Port number template. o Added email addresses in IANA templates. B.3. Modifications between ietf-tram-stun-dtls-02 and ietf-tram-stun- dtls-03 o Make it clear that both cipher suites are mandatory. o Clarify that the ciphers suites listed are replacing the TLS cipher suites. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 16] Internet-Draft STUN over DTLS June 2014 o Change text so "mandatory" is not understood as compliance. o Clarify that STUN URI are not to be used with some usages. o Fix incorrect interpretation of ICE media keep-alive (and fixed section #). o Explain that sending media keep-alive inside DTLS is possible if RFC 5764 is used. o Added title/subtitle of IANA registries. o Change to normatively update RFC 5389 and RFC 5928. B.4. Modifications between ietf-tram-stun-dtls-01 and ietf-tram-stun- dtls-02 o Add text saying that PFS is preferred over non-PFS, to be in sync with the decision in the rtcweb session in London. o Add text about IP address in STUN/TURN URIs. o Nits B.5. Modifications between ietf-tram-stun-dtls-00 and ietf-tram-stun- dtls-01 o Update the mandatory cipher suites. o Add a new open item to determine if we want to specify favoring cipher suites which support PFS over non-PFS cipher suites. o Close remaining opening items from previous draft. B.6. Modifications between petithuguenin-tram-stun-dtls-00 and ietf- tram-stun-dtls-00 o Draft renamed after WG adoption. B.7. Modifications between petithuguenin-tram-turn-dtls-00 and petithuguenin-tram-stun-dtls-00 o Add RFC 6982 information for rfc5766-turn-server project. o Rename the draft as TURN is now just one of the usages. o Remove the references in the abstract to make idnits happy. Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 17] Internet-Draft STUN over DTLS June 2014 o No longer updates other standard drafts. o Rewrite from a STUN over DTLS point of view. The previous text becomes section 4.6. o Add IANA request for stuns port. o Add acknowledgement section. Authors' Addresses Marc Petit-Huguenin Jive Communications 1275 West 1600 North, Suite 100 Orem, UT 84057 USA Email: marcph@getjive.com Gonzalo Salgueiro Cisco Systems 7200-12 Kit Creek Road Research Triangle Park, NC 27709 US Email: gsalguei@cisco.com Petit-Huguenin & SalgueiExpires December 29, 2014 [Page 18]