2. Overview of Operation
This section gives an overview of the operation of TURN. The material in this section is non-normative.
In a typical configuration, a TURN client is connected to a private network [RFC1918] and, through one or more NATs, to the public Internet. On the public Internet is a TURN server. Elsewhere in the Internet are one or more peers with which the TURN client wishes to communicate. These peers may or may not be behind one or more NATs. The client uses the server as a relay to send packets to these peers and to receive packets from these peers.
Peer A
Server-Reflexive +---------+
Transport Address | |
192.0.2.150:32102 | |
| /| |
TURN | / ^| Peer A |
Client's Server | / || |
Host Transport Transport | // || |
Address Address | // |+---------+
10.1.1.2:49721 192.0.2.15:3478 |+-+ // Peer A
| | ||N| / Host Transport
| +-+ | ||A|/ Address
| | | | v|T| 192.168.100.2:49582
| | | | /+-+
+---------+| | | |+---------+ / +---------+
| || |N| || | // | |
| TURN |v | | v| TURN |/ | |
| Client |----|A|----------| Server |------------------| Peer B |
| | | |^ | |^ ^| |
| | |T|| | || || |
+---------+ | || +---------+| |+---------+
| || | |
| || | |
+-+| | |
| | |
| | |
Client's | Peer B
Server-Reflexive Relayed Transport
Transport Address Transport Address Address
192.0.2.1:7000 192.0.2.15:50000 192.0.2.210:49191
Figure 1
Figure 1 shows a typical deployment. In this figure, the TURN client and the TURN server are separated by a NAT, with the client on the private side and the server on the public side of the NAT. This NAT is assumed to be a "bad" NAT; for example, it might have a mapping property of "Address-and-Port-Dependent Mapping" (see [RFC4787]).
The client talks to the server from a (IP address, port) combination called the client's HOST TRANSPORT ADDRESS. (A combination of an IP address and port is called a TRANSPORT ADDRESS.)
The client sends TURN messages from its host transport address to a transport address on the TURN server that is known as the TURN SERVER TRANSPORT ADDRESS. The client learns the TURN server transport address through some unspecified means (e.g., configuration), and this address is typically used by many clients simultaneously.
Since the client is behind a NAT, the server sees packets from the client as coming from a transport address on the NAT itself. This address is known as the client's SERVER-REFLEXIVE TRANSPORT ADDRESS, and packets sent by the server to the client's server-reflexive transport address will be forwarded by the NAT to the client's host transport address.
The client uses TURN commands to create and manipulate an ALLOCATION on the server. An allocation is a data structure on the server. This data structure contains, among other things, the relayed transport address for the allocation. The relayed transport address is the transport address on the server that peers can use to have the server relay data to the client. An allocation is uniquely identified by its relayed transport address.
Once an allocation is created, the client can send application data to the server along with an indication of to which peer the data is to be sent, and the server will relay this data to the appropriate peer. The client sends the application data to the server inside a TURN message; at the server, the data is extracted from the TURN message and sent to the peer in a UDP datagram. In the reverse direction, a peer can send application data in a UDP datagram to the relayed transport address for the allocation; the server will then encapsulate this data inside a TURN message and send it to the client along with an indication of which peer sent the data. Since the TURN message always contains an indication of which peer the client is communicating with, the client can use a single allocation to communicate with multiple peers.
When the peer is behind a NAT, the client must identify the peer using its server-reflexive transport address rather than its host transport address. For example, to send application data to Peer A in the example above, the client must specify 192.0.2.150:32102 (Peer A's server-reflexive transport address) rather than 192.168.100.2:49582 (Peer A's host transport address).
Each allocation on the server belongs to a single client and has exactly one relayed transport address that is used only by that allocation. Thus, when a packet arrives at a relayed transport address on the server, the server knows for which client the data is intended.
A client can have multiple allocations on a server at the same time.
2.1. Transports
As defined in this specification, TURN always uses UDP between the server and the peer. However, this specification allows the use of any one of UDP, TCP, or Transport Layer Security (TLS) over TCP to carry the TURN messages between the client and the server.
+----------------------------+---------------------+
| TURN client to TURN server | TURN server to peer |
+----------------------------+---------------------+
| UDP | UDP |
| TCP | UDP |
| TLS over TCP | UDP |
+----------------------------+---------------------+
If TCP or TLS-over-TCP is used between the client and the server, then the server will translate between these transports and UDP when relaying data to or from the peer.
Since this version of TURN only supports UDP between the server and the peer, it is expected that most clients will prefer to use UDP between the client and the server as well. This being the case, some readers may wonder: why support TCP and TLS-over-TCP?
TURN supports TCP transport between the client and the server because some firewalls are configured to block UDP entirely. These firewalls block UDP but not TCP, in part because TCP has properties that make the intent of the nodes behind the firewall more obvious to the firewall. For example, TCP has a three-way handshake that makes it clearer that the protected node really wishes to establish that particular connection, whereas with UDP, the firewall can at best use filtering rules to guess which flows are desired. Also, TCP has an explicit connection teardown, whereas with UDP, the firewall must use timers to guess when a flow has ended.
TURN supports TLS-over-TCP transport between the client and the server because TLS provides additional security properties that TURN's default digest authentication does not, and some clients may wish to take advantage of these properties. In particular, TLS provides a way for the client to ascertain that it is talking to the correct server and provides confidentiality for TURN control messages. TURN does not require the use of TLS, since the overhead of using TLS is higher than that of digest authentication, and, for example, using TLS may mean that most application data will be doubly encrypted (once by TLS and once to ensure it remains encrypted in the UDP datagrams).
Extensions to TURN are planned to add support for TCP between the server and the peer [TURN-TCP]. Thus, allocations that use UDP between the server and the peer are called UDP ALLOCATIONS, while allocations that use TCP between the server and the peer are called TCP ALLOCATIONS. This specification describes only UDP allocations.
As defined in this specification, TURN only supports IPv4. All IP addresses in this specification MUST be IPv4 addresses. Extensions to TURN are planned to add support for IPv6 and for relaying between IPv4 and IPv6 [TURN-IPv6].
In some applications of TURN, the client may be able to send and receive packets other than TURN packets on the host transport address it uses to communicate with the server. For example, this occurs when TURN is being used with ICE. In these cases, the client can distinguish TURN packets from other packets by examining the source address of arriving packets: packets from the TURN server will be TURN packets.
2.2. Allocations
To create an allocation on the server, the client uses an Allocate transaction. The client sends an Allocate request to the server, and the server replies with an Allocate success response containing the relayed transport address of the allocation. The client can include attributes in the Allocate request that describe the type of allocation it desires (e.g., the lifetime of the allocation). Since relaying data has security implications, the server REQUIRES that the client authenticate itself and that the client use authentication with its Allocate request, typically using STUN's long-term credential mechanism, to prove that it is authorized to use the server.
Once a relayed transport address is allocated, a client MUST keep the allocation alive. To do this, the client periodically sends a Refresh request to the server. TURN deliberately uses a different method (Refresh rather than Allocate) for refreshes to ensure that the client is informed if the allocation vanishes for some reason.
The frequency of the Refresh transaction is determined by the lifetime of the allocation. The default lifetime of an allocation is 10 minutes - this value was picked to be long enough that the refresh typically does not become a burden on the client, while being short enough that a non-graceful client exit will expire the allocation in a timely manner. However, the client can request a longer lifetime in the Allocate request and can modify its request in a Refresh request, and the server always indicates the actual lifetime in its response. The client MUST issue a new Refresh transaction within the "lifetime" seconds of the prior Allocate or Refresh transaction. Once the client no longer wishes to use the allocation, it SHOULD delete the allocation using a Refresh request with a requested lifetime of zero.
Both the server and the client keep track of a value called the 5-TUPLE. On the client, the 5-tuple consists of the client's host transport address, the server transport address, and the transport protocol used by the client to communicate with the server. On the server, the 5-tuple value is the same except that the client's host transport address is replaced by the client's server-reflexive address since that is the address the server sees the client as using.
Both the client and the server remember the 5-tuple used in the Allocate request. Subsequent messages between the client and the server use this same 5-tuple. In this way, the client and the server know which allocation is being referred to. If the client wishes to allocate a second relayed transport address, it MUST create a second allocation using a different 5-tuple (for example, by using a different client host address or port).
Note: Though the term used in this document refers to a 5-tuple, the TURN server can store any identifier it likes as long as it produces the same result. Specifically, an implementation may use a file descriptor instead of a 5-tuple to represent a TCP connection.
TURN TURN Peer Peer
client server A B
|-- Allocate request --------------->| | |
| | | |
|<--------------- Allocate failure --| | |
| (401 Unauthorized) | | |
| | | |
|-- Allocate request --------------->| | |
| | | |
|<---------- Allocate success resp --| | |
| (192.0.2.15:50000) | | |
// // // //
| | | |
|-- Refresh request ---------------->| | |
| | | |
|<----------- Refresh success resp --| | |
| | | |
Figure 2
In Figure 2, the client sends an Allocate request to the server without credentials. Since the server requires the use of STUN's long-term credential mechanism for all requests, the server rejects the request with a 401 (Unauthorized) error code. The client then tries again, this time including credentials (not shown). This time, the server accepts the Allocate request and returns an Allocate success response containing (among other things) the relayed transport address assigned to the allocation. Later, the client decides to refresh the allocation, so it sends a Refresh request to the server. The refresh is accepted and the server replies with a Refresh success response.
2.3. Permissions
To mitigate concerns from enterprise IT administrators that TURN might be used to circumvent corporate firewall security, TURN includes the concept of PERMISSIONS. A TURN permission mimics the address-restricted filtering mechanism of a NAT that conforms to [RFC4787].
An allocation can have zero or more permissions. Each permission consists of an IP address and a lifetime. When the server receives a UDP datagram on the relayed transport address of an allocation, it first checks the list of permissions. If the source IP address of the datagram matches a permission, the application data is relayed to the client, otherwise the UDP datagram is silently discarded.
If a permission expires without being refreshed, it is deleted, and there is no way to explicitly delete a permission. This behavior was chosen to match the behavior of a NAT that conforms to [RFC4787].
A client can install or refresh a permission using either a CreatePermission request or a ChannelBind request. Using a CreatePermission request, multiple permissions can be installed or refreshed with a single request - this is important for applications using ICE. For security reasons, permissions can only be installed or refreshed through transactions that can be authenticated, so Send indications and ChannelData messages (which are used to send data to a peer) do not install or refresh any permissions.
Note that permissions are within the context of an allocation, so adding or expiring a permission in one allocation does not affect other allocations.
2.4. Send Mechanism
There are two mechanisms by which the client and peers exchange application data using the TURN server. The first mechanism uses Send and Data methods, and the second uses channels. The two mechanisms are mutually exclusive for a given peer: the client can choose which mechanism to use for a given peer, but once chosen, the mechanism cannot be changed. Common to both mechanisms is the ability for the client to communicate with multiple peers using a single allocated relayed transport address; thus, both mechanisms include a means for the client to indicate to the server which peer should receive the data, and for the server to indicate to the client which peer sent the data.
The Send mechanism uses Send and Data indications. Send indications are used to send application data from the client to the server, while Data indications are used to send application data from the server to the client.
When using the Send mechanism, the client sends a Send indication to the TURN server that includes (a) an XOR-PEER-ADDRESS attribute specifying the (server-reflexive) transport address of the peer, and (b) a DATA attribute holding the application data. When the TURN server receives the Send indication, it extracts the application data from the DATA attribute and sends it in a UDP datagram to the peer, using the allocated relayed address as the source address. Note that there is no need to specify the relayed transport address since it is implied by the 5-tuple used for the Send indication.
In the reverse direction, UDP datagrams arriving at the relayed transport address on the TURN server are turned into Data indications and sent to the client, with the peer's server-reflexive transport address included in an XOR-PEER-ADDRESS attribute and the data itself in a DATA attribute. Since the relayed transport address uniquely identifies the allocation, the server knows which client should receive the data.
Send and Data indications cannot be authenticated, since STUN's long-term credential mechanism does not support the authentication of indications. This is not as big a problem as it might at first seem, since the path from the client to the server is only half of the total path to the peer. Applications desiring appropriate security should encrypt the data being sent between the client and the peer.
Since Send indications are not authenticated, an attacker could send a forged Send indication to the server, which the server would then relay to the peer. To partially mitigate this attack, TURN REQUIRES that the client install a permission to the peer before sending data to that peer using a Send indication.
TURN TURN Peer Peer
client server A B
| | | |
|-- CreatePermission req (Peer A) -->| | |
|<-- CreatePermission success resp --| | |
| | | |
|--- Send ind (Peer A)-------------->| | |
| |=== data ===>| |
| | | |
| |<== data ====| |
|<-------------- Data ind (Peer A) --| | |
| | | |
| | | |
|--- Send ind (Peer B)-------------->| | |
| | dropped | |
| | | |
| |<== data ==================|
| dropped | | |
| | | |
Figure 3
In Figure 3, the client has already created an allocation and now wishes to send data to its peers. The client first creates a permission by sending a CreatePermission request to the server, specifying the (server-reflexive) IP address of Peer A in an XOR-PEER-ADDRESS attribute, since without doing so, the server will not relay data between the client and the server. Then, the client sends data to Peer A using a Send indication, and at the server, the application data is extracted and forwarded to Peer A in a UDP datagram using the relayed transport address as the source transport address. When a UDP datagram is received from Peer A at the relayed transport address, the contents are placed in a Data indication and forwarded to the client. Later, the client attempts to exchange data with Peer B, however, no permission has been installed for Peer B, so both the Send indication from the client and the UDP datagram from the peer are dropped by the server.
2.5. Channels
For some applications (e.g., Voice over IP), the 36 bytes of overhead that a Send indication or Data indication adds to the application data can substantially increase the bandwidth required between the client and the server. To remedy this, TURN offers a second way for the client and server to associate data with a specific peer.
This second way uses an alternate packet format known as the ChannelData message. The ChannelData message does not use the STUN header used by other TURN messages, but instead has a 4-byte header that includes a number known as a CHANNEL NUMBER. Each channel number in use is bound to a specific peer and thus serves as a shorthand for the peer's host transport address.
To bind a channel to a peer, the client sends a ChannelBind request to the server, and includes an unbound channel number and the transport address of the peer. Once the channel is bound, the client can use a ChannelData message to send data to the peer destined for the server. Similarly, the server can relay data from that peer to the client using a ChannelData message.
Channel bindings last for 10 minutes unless refreshed - this lifetime was chosen to be longer than the permission lifetime. A channel binding is refreshed by sending another ChannelBind request rebinding the channel to the peer. Like permissions (but unlike allocations), there is no way to explicitly delete a channel binding, and the client must simply wait for it to time out.
TURN TURN Peer Peer
client server A B
| | | |
|-- ChannelBind req ---------------->| | |
| (Peer A to 0x4001) | | |
| | | |
|<---------- ChannelBind succ resp --| | |
| | | |
|-- [0x4001] data ------------------>| | |
| |=== data ===>| |
| | | |
| |<== data ====| |
|<------------------ [0x4001] data --| | |
| | | |
|--- Send ind (Peer A)-------------->| | |
| |=== data ===>| |
| | | |
| |<== data ====| |
|<------------------ [0x4001] data --| | |
| | | |
Figure 4
Figure 4 shows the channel mechanism in use. The client has already created an allocation and now wishes to bind a channel to Peer A. To do this, the client sends a ChannelBind request to the server, specifying the transport address of Peer A and a channel number (0x4001). After that, the client can send application data to Peer A encapsulated inside a ChannelData message: this is shown as "[0x4001] data", where 0x4001 is the channel number. When the ChannelData message arrives at the server, the server transfers the data to a UDP datagram and sends it to Peer A (i.e., the peer bound to channel number 0x4001).
In the reverse direction, when Peer A sends a UDP datagram to the relayed transport address, this UDP datagram arrives at the server on the relayed transport address assigned to the allocation. Since the UDP datagram was received from Peer A, and Peer A has been assigned a channel number, the server encapsulates the data in a ChannelData message when sending the data to the client.
Once a channel is bound, the client is free to intermix ChannelData messages and Send indications. In the figure, the client later decides to send additional data to Peer A using a Send indication rather than a ChannelData message. The client might decide to do this, for example, so that it can use the DONT-FRAGMENT attribute (see the next section). However, once a channel is bound, the server will always use a ChannelData message, as shown in the call flow.
Note that ChannelData messages can only be used for peers for which the client has bound a channel. In the example above, Peer A has been bound to a channel but Peer B has not, so application data to or from Peer B will use the Send mechanism.
2.6. Unprivileged TURN Servers
This version of TURN is designed so that the server can be implemented as an application that runs in user space under commonly deployed operating systems without requiring special privileges. This design decision was made to make TURN servers easy to deploy: for example, to allow TURN servers to be integrated into peer applications so that one peer can offer NAT traversal services to another.
This design decision has the following implications for data relayed by a TURN server:
-
The value of the Diffserv field may not be preserved across the server.
-
The Time to Live (TTL) field may be reset, rather than decremented, across the server.
-
The Explicit Congestion Notification (ECN) field may be reset by the server.
-
ICMP messages are not relayed by the server.
-
There is no end-to-end fragmentation, since packets are reassembled at the server.
Future work may specify alternate TURN semantics that address these limitations.
2.7. Avoiding IP Fragmentation
For the reasons described in [Frag-Harmful], applications, especially those sending large amounts of data, should try to avoid having their packets fragmented. Applications using TCP can more or less ignore this issue, since fragmentation avoidance is now a standard part of TCP, but applications using UDP (and thus any application using this version of TURN) must handle fragmentation avoidance themselves.
Applications running on the client and the peer can take one of two approaches to avoid IP fragmentation.
The first approach is to avoid sending large amounts of application data in the TURN messages/UDP datagrams exchanged between the client and the peer. This is the approach taken by most VoIP (Voice over IP) applications. In this approach, the application takes advantage of the fact that the IP specification [RFC0791] specifies that IP packets up to 576 bytes should never need to be fragmented.
The exact amount of application data that can be included (while avoiding fragmentation) depends on the details of the TURN session between the client and the server: whether UDP, TCP, or TLS transport is being used, whether ChannelData messages or Send/Data indications are being used, and whether any additional attributes (such as the DONT-FRAGMENT attribute) are included. Another factor that is hard to determine is whether the MTU is reduced somewhere along the path for other reasons, for example, due to the use of IP-in-IP tunneling.
As a guideline, sending at most 500 bytes of application data in a single TURN message (by the client on the client-to-server path) or UDP datagram (by the peer on the peer-to-server path) will generally avoid IP fragmentation. To further reduce the chance of fragmentation, it is recommended that the client use ChannelData messages when sending large amounts of data, since the ChannelData message has less overhead than Send and Data indications.
The second approach that the client and peer can take to avoid fragmentation is to use a path MTU discovery algorithm to determine the maximum amount of application data that can be sent without fragmentation.
Unfortunately, the classic path MTU discovery algorithm defined in [RFC1191] cannot discover the MTU of the transmission path between the client and the peer, since servers implementing this version of TURN do not relay ICMP messages. (And even if they did relay ICMP messages, the algorithm would not always work since ICMP messages are often filtered out by combined NAT/firewall devices).
Thus, the client and server need to use a path MTU discovery algorithm that does not require ICMP messages. The Packetized Path MTU Discovery algorithm defined in [RFC4821] is one such algorithm.
The details of how to use the algorithm of [RFC4821] with TURN are still being worked out. However, as a step towards this goal, this version of TURN supports the DONT-FRAGMENT attribute. When the client includes this attribute in a Send indication, this tells the server to set the DF bit in the resulting UDP datagram that the server sends to the peer. Since some servers may be unable to set the DF bit, the client should also include this attribute in the Allocate request - any server that does not support the DONT-FRAGMENT attribute will indicate so by rejecting the Allocate request.
2.8. RTP Support
One of the envisioned uses of TURN is as a relay for clients and peers wishing to exchange real-time data (such as voice or video) using RTP. To facilitate using TURN for this purpose, TURN includes some special support for older versions of RTP.
Older versions of RTP [RFC3550] required that the RTP stream be on an even port number and the associated RTP Control Protocol (RTCP) stream (if present) be on the next highest port. To allow clients to work with peers that still require this, TURN allows the client to request that the server allocate a relayed transport address with an even port number, and to optionally request that the server reserve the next highest port number for a subsequent allocation.
2.9. Anycast Discovery of Servers
This version of TURN is designed to allow for future specifications to enable anycast discovery of TURN servers over UDP.
Specifically, a TURN server can reject an Allocate request and suggest that the client try an alternate server. To prevent certain types of attacks, the client MUST use the same credentials with the alternate server as it would have used with the initial server.