TRAM P. Patil Internet-Draft T. Reddy Intended status: Informational G. Salgueiro Expires: April 29, 2015 Cisco October 26, 2014 Traversal Using Relays around NAT (TURN) Server Selection draft-patil-tram-turn-serv-selection-00 Abstract A TURN client may discover multiple TURN servers. In such a case, there are no guidelines that a client can follow to choose or prefer a particular TURN server among those discovered. This document details selection criteria, as guidelines, that can be used by a client to perform an informed TURN server selection decision. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 29, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Patil, et al. Expires April 29, 2015 [Page 1] Internet-Draft TURN server selection October 2014 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. TURN Server Selection Criteria . . . . . . . . . . . . . . . 3 3.1. Local Configuration . . . . . . . . . . . . . . . . . . . 3 3.2. Security . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2.1. Location Privacy . . . . . . . . . . . . . . . . . . 4 3.2.2. Authentication . . . . . . . . . . . . . . . . . . . 4 3.3. User Experience . . . . . . . . . . . . . . . . . . . . . 5 3.4. Interface . . . . . . . . . . . . . . . . . . . . . . . . 5 3.5. Mobility Support . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 6.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction Using any of the discovery mechanisms described in [I-D.ietf-tram-turn-server-discovery], a client may discover multiple Traversal Using Relays around NAT (TURN) servers. The TURN servers discovered could be provided by an enterprise network, an access network, an application service provider or a third party provider. Therefore, the client needs to be able to choose a TURN server that best suits its needs. Selection criteria could be based on parameters such as: o Security o Location Privacy o Authentication o User Experience o Interface Selection (if the client is multi-interfaced) o Mobility Support This document describes procedures that a client can use to choose the most appropriate TURN server based on any one or more Patil, et al. Expires April 29, 2015 [Page 2] Internet-Draft TURN server selection October 2014 combinations of the above parameters. A client could also use the aforementioned selection criteria to prioritize the discovered TURN servers based on these parameters if backup servers are implemented for added resiliency and robustness. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. TURN Server Selection Criteria The accessibility of possible TURN servers SHOULD be tested and verified prior to beginning Interactive Connectivity Establishment (ICE) [RFC5245]. Any TURN servers that fail such accessibility tests (including credentials verification) SHOULD be excluded. These early tests are an often an optimal opportunity to calculate performance metrics, such as the round-trip time (RTT), that might be used as TURN server prioritization factors, as discussed in Section 3.3. Throughout the lifetime of the application, it is RECOMMENDED to periodically test the entire selection list, in case better TURN servers suddenly appear or connectivity to others is unexpectedly lost. The parameters described in this Section are intended as TURN server selection criteria or as weighting factors for TURN server prioritization. 3.1. Local Configuration Local or manual configuration takes precedence for TURN server selection. A client could be configured with an explicit preferred list of TURN servers. Local configuration could list servers in order of preference. For example, a TURN client could opt for a TURN server offered by the Enterprise and fall back to a TURN server offered by the Internet Service Provider (ISP) or a cloud service if the Enterprise TURN server wasn't available. An implementation MAY give the user an opportunity (e.g., by means of configuration file options or menu items) to specify this preference. 3.2. Security If a TURN client wants security for its connections, it should opt for a TURN server that supports the usage of Transport Layer Security (TLS) [RFC5246] and Datagram Transport Layer Security (DTLS) [RFC6347] as a transport protocol for Session Traversal Utilities for Patil, et al. Expires April 29, 2015 [Page 3] Internet-Draft TURN server selection October 2014 NAT (STUN), as defined in [RFC5389] and [RFC7350]. If multiple servers offer this support, the client could use Location Privacy (Section 3.2.1) and Authentication (Section 3.2.2) criteria to determine which among the list is most suitable. The need for security depends on the type of connected network (i.e., whether the host is connected to a home network versus an Enterprise network versus a coffee shop network). It is recommended that a client always choose security, but this condition could vary depending on the degree of trust with the connected network. 3.2.1. Location Privacy In addition to security, a TURN client may require additional location privacy from an external peer. Scenario 1: A client may not wish to use a TURN server in its Enterprise or access network because the client location could be determined by the external peer. In such a case, the client may choose to use a distributed multi-tenant or a cloud-based TURN server that can provide privacy by obscuring the network from which the client is communicating with the remote peer. Scenario 2: A TURN client that desires to perform Scenario 1, but cannot because of firewall policy that forces the client to pick Enterprise-provided TURN server for external communication, can use TURN-in-TURN through the enterprise's TURN server as described in [I-D.schwartz-rtcweb-return]. Location privacy may not be critical if the client attempts to communicate with a peer within the same domain. 3.2.2. Authentication A TURN client should prefer a TURN server whose authenticity can be ascertained. A simple certificate trust chain validation during the process of (D)TLS handshake should be able to validate the server. A TURN client could also be pre-configured with the names of trusted TURN servers. When connecting to a TURN server, a TURN client should start with verifying that the TURN server name matches the pre- configured list of TURN servers, and finally validating its certificate trust chain. For TURN servers that don't have a certificate trust chain, the configured list of TURN servers can contain the certificate fingerprint of the TURN server (i.e., a simple whitelist of name and certificate fingerprint). Patil, et al. Expires April 29, 2015 [Page 4] Internet-Draft TURN server selection October 2014 DNS-based Authentication of Named Entities (DANE) can also be used to validate the certificate presented by TURN server as described in [I-D.petithuguenin-tram-stun-dane]. 3.3. User Experience All else being equal (or if a TURN client is able to converge on a set of TURN servers based on parameters described in Section 3.2), a TURN client should choose a TURN server that provides the best user experience at that point in time (based on factors such as RTT, real- time clock (RTC), etc). If using ICE regular nomination, ICE connectivity check round-trip time can influence the selection amongst the valid pairs. This way a candidate pair with relayed candidate could be selected even if it has lower-priority than other valid pairs. 3.4. Interface With a multi-interfaced node, selection of the correct interface and source address is often crucial. How to select an interface and IP address family is out of scope for this document. A client could account for the provisioning domain described in [I-D.ietf-mif-mpvd-arch] to determine which interface to choose. 3.5. Mobility Support If a TURN client is aware that the host is mobile, and all other parameters being equal, the client SHOULD choose a TURN server that supports mobility [I-D.wing-tram-turn-mobility]. 4. Security Considerations This document does not itself introduce security issues, rather it merely presents best practices for TURN server selection. Security considerations described in [RFC5766] are applicable to for all TURN usage. 5. Acknowledgements The authors would like to thank Dan Wing, Marc Petit-Huguenin for their review and valuable comments. 6. References Patil, et al. Expires April 29, 2015 [Page 5] Internet-Draft TURN server selection October 2014 6.1. Normative References [I-D.ietf-mif-mpvd-arch] Anipko, D., "Multiple Provisioning Domain Architecture", draft-ietf-mif-mpvd-arch-07 (work in progress), October 2014. [I-D.ietf-tram-turn-server-discovery] Patil, P., Reddy, T., and D. Wing, "TURN Server Auto Discovery", draft-ietf-tram-turn-server-discovery-00 (work in progress), July 2014. [I-D.petithuguenin-tram-stun-dane] Petit-Huguenin, M. and G. Salgueiro, "Using DNS-based Authentication of Named Entities (DANE) to validate TLS certificates for the Session Traversal Utilities for NAT (STUN) protocol", draft-petithuguenin-tram-stun-dane-02 (work in progress), October 2014. [I-D.schwartz-rtcweb-return] Schwartz, B., "Recursively Encapsulated TURN (RETURN) for Connectivity and Privacy in WebRTC", draft-schwartz- rtcweb-return-03 (work in progress), September 2014. [I-D.wing-tram-turn-mobility] Wing, D., Patil, P., Reddy, T., and P. Martinsen, "Mobility with TURN", draft-wing-tram-turn-mobility-02 (work in progress), September 2014. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)", RFC 5766, April 2010. [RFC7350] Petit-Huguenin, M. and G. Salgueiro, "Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN)", RFC 7350, August 2014. 6.2. Informative References [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", RFC 5245, April 2010. Patil, et al. Expires April 29, 2015 [Page 6] Internet-Draft TURN server selection October 2014 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, "Session Traversal Utilities for NAT (STUN)", RFC 5389, October 2008. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012. Authors' Addresses Prashanth Patil Cisco Systems, Inc. Bangalore India Email: praspati@cisco.com Tirumaleswar Reddy Cisco Systems, Inc. Cessna Business Park, Varthur Hobli Sarjapur Marathalli Outer Ring Road Bangalore, Karnataka 560103 India Email: tireddy@cisco.com Gonzalo Salgueiro Cisco 7200-12 Kit Creek Road Research Triangle Park, NC 27709 US Email: gsalguei@cisco.com Patil, et al. Expires April 29, 2015 [Page 7]