8. Permissions
For each allocation, the server keeps a list of zero or more permissions. Each permission consists of an IP address and an associated time-to-expiry. When a permission exists, the server allows all peers using the IP address in the permission to send data to the client. The time-to-expiry is the number of seconds until the permission expires. In the context of an allocation, a permission is uniquely identified by its associated IP address.
By sending either a CreatePermission request or a ChannelBind request, the client can cause the server to install or refresh a permission for a given IP address. This causes one of two things to occur:
- If no permission for that IP address exists, then a permission is created with the given IP address and a time-to-expiry equal to the Permission Lifetime.
- If a permission for that IP address already exists, then the time-to-expiry for that permission is reset to the Permission Lifetime.
The Permission Lifetime MUST be 300 seconds (= 5 minutes).
The time-to-expiry for each permission is decremented once per second until it reaches zero, at which point the permission expires and is deleted.
CreatePermission and ChannelBind requests may be freely intermixed on a permission. A given permission may be initially installed and/or refreshed with a CreatePermission request, and then later refreshed with a ChannelBind request, or vice versa.
When a UDP datagram arrives at the relayed transport address for the allocation, the server extracts the source IP address from the IP header. The server then compares this address with the IP address associated with each permission in the list of permissions for the allocation. If no match is found, the relay is not permitted, and the server silently discards the UDP datagram. If an exact match is found, then the permission check is considered to have succeeded and the server continues to process the UDP datagram as specified elsewhere (Section 10.3). Note that only the address is compared and the port number is not considered.
The permissions for one allocation are totally unrelated to the permissions for a different allocation. If an allocation expires, all its permissions expire with it.
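The following model ties together the behaviour described above: install/refresh through CreatePermission or ChannelBind, the once-per-second decrement and deletion at zero, the address-only comparison for inbound datagrams, and the clearing of all permissions when the allocation expires. It is an added illustration, not code from RFC 5766 or from any TURN implementation; the class and method names (`Allocation`, `install_or_refresh`, `elapse`, `check_datagram`, `expire_allocation`) and the sample peer addresses are constructed for this example. Addresses are canonicalised with the standard `ipaddress` module so that textual variants of the same address (notably IPv6 spellings) match exactly.

```python
import ipaddress
from dataclasses import dataclass, field

PERMISSION_LIFETIME = 300  # seconds; Section 8 mandates exactly 300 (5 minutes)


@dataclass
class Allocation:
    """Permission list for one allocation, keyed by peer IP address.

    Hypothetical model written for this example (not RFC 5766 code):
    the value stored for each address is its time-to-expiry in seconds.
    """
    permissions: dict = field(default_factory=dict)

    def install_or_refresh(self, peer_ip: str) -> int:
        """Handle a CreatePermission or ChannelBind request for peer_ip.

        Both request types have the same effect on the permission list:
        create the permission, or reset its time-to-expiry to the lifetime.
        Returns the number of permissions currently installed.
        """
        ip = ipaddress.ip_address(peer_ip)  # canonical form, so "2001:DB8::1" == "2001:db8::1"
        self.permissions[ip] = PERMISSION_LIFETIME
        return len(self.permissions)

    def elapse(self, seconds: int) -> None:
        """Model `seconds` one-second ticks: decrement every time-to-expiry
        and delete each permission that reaches zero."""
        for ip in list(self.permissions):
            self.permissions[ip] -= seconds
            if self.permissions[ip] <= 0:
                del self.permissions[ip]

    def check_datagram(self, src_ip: str, src_port: int) -> str:
        """Permission check for a UDP datagram arriving at the relayed address.

        Only the source IP address is compared against the permission list;
        src_port is deliberately ignored, as Section 8 specifies.
        """
        if ipaddress.ip_address(src_ip) in self.permissions:
            return "relay"     # exact address match: continue processing
        return "discard"       # no permission: silently dropped

    def expire_allocation(self) -> None:
        """When the allocation itself expires, all its permissions expire with it."""
        self.permissions.clear()


def demo() -> list:
    """Run a constructed scenario and return the sequence of relay decisions."""
    alloc = Allocation()
    alloc.install_or_refresh("198.51.100.7")                    # CreatePermission
    decisions = [
        alloc.check_datagram("198.51.100.7", 5000),             # permitted peer
        alloc.check_datagram("198.51.100.7", 6000),             # same address, other port: still permitted
        alloc.check_datagram("203.0.113.9", 5000),              # no permission: discarded
    ]
    alloc.elapse(299)
    decisions.append(alloc.check_datagram("198.51.100.7", 5000))  # one second left: still relayed
    alloc.install_or_refresh("198.51.100.7")                    # ChannelBind refresh resets to 300
    alloc.elapse(299)
    decisions.append(alloc.check_datagram("198.51.100.7", 5000))  # refreshed, so still valid
    alloc.elapse(1)
    decisions.append(alloc.check_datagram("198.51.100.7", 5000))  # reached zero: deleted, discarded
    return decisions


if __name__ == "__main__":
    print(demo())
```

Running the scenario shows the two properties implementers most often get wrong: a refresh arriving at second 299 keeps the peer reachable for another full lifetime, and the port is never part of the check, so a peer that changes source port is still admitted while a different host on the same port is not.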
NOTE: Though TURN permissions expire after 5 minutes, many of the NATs deployed at the time of publication of this document expire their UDP bindings considerably faster. Thus, an application using TURN will probably wish to send some sort of keep-alive traffic at a much faster rate. Applications using ICE should follow the keep-alive guidelines of ICE [RFC5245], and applications not using ICE are RECOMMENDED to do something similar.