Internet DRAFT - draft-patil-tram-turn-serv-selection

draft-patil-tram-turn-serv-selection







TRAM                                                            P. Patil
Internet-Draft                                                  T. Reddy
Intended status: Informational                              G. Salgueiro
Expires: April 29, 2015                                            Cisco
                                                        October 26, 2014


       Traversal Using Relays around NAT (TURN) Server Selection
                draft-patil-tram-turn-serv-selection-00

Abstract

   A TURN client may discover multiple TURN servers.  In such a case,
   there are no guidelines that a client can follow to choose or prefer
   a particular TURN server among those discovered.  This document
   details selection criteria, as guidelines, that can be used by a
   client to perform an informed TURN server selection decision.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 29, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of




Patil, et al.            Expires April 29, 2015                 [Page 1]

Internet-Draft            TURN server selection             October 2014


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  TURN Server Selection Criteria  . . . . . . . . . . . . . . .   3
     3.1.  Local Configuration . . . . . . . . . . . . . . . . . . .   3
     3.2.  Security  . . . . . . . . . . . . . . . . . . . . . . . .   3
       3.2.1.  Location Privacy  . . . . . . . . . . . . . . . . . .   4
       3.2.2.  Authentication  . . . . . . . . . . . . . . . . . . .   4
     3.3.  User Experience . . . . . . . . . . . . . . . . . . . . .   5
     3.4.  Interface . . . . . . . . . . . . . . . . . . . . . . . .   5
     3.5.  Mobility Support  . . . . . . . . . . . . . . . . . . . .   5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Using any of the discovery mechanisms described in
   [I-D.ietf-tram-turn-server-discovery], a client may discover multiple
   Traversal Using Relays around NAT (TURN) servers.  The TURN servers
   discovered could be provided by an enterprise network, an access
   network, an application service provider or a third party provider.
   Therefore, the client needs to be able to choose a TURN server that
   best suits its needs.

   Selection criteria could be based on parameters such as:

   o  Security

   o  Location Privacy

   o  Authentication

   o  User Experience

   o  Interface Selection (if the client is multi-interfaced)

   o  Mobility Support

   This document describes procedures that a client can use to choose
   the most appropriate TURN server based on any one or more



Patil, et al.            Expires April 29, 2015                 [Page 2]

Internet-Draft            TURN server selection             October 2014


   combinations of the above parameters.  A client could also use the
   aforementioned selection criteria to prioritize the discovered TURN
   servers based on these parameters if backup servers are implemented
   for added resiliency and robustness.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  TURN Server Selection Criteria

   The accessibility of possible TURN servers SHOULD be tested and
   verified prior to beginning Interactive Connectivity Establishment
   (ICE) [RFC5245].  Any TURN servers that fail such accessibility tests
   (including credentials verification) SHOULD be excluded.  These early
   tests are an often an optimal opportunity to calculate performance
   metrics, such as the round-trip time (RTT), that might be used as
   TURN server prioritization factors, as discussed in Section 3.3.
   Throughout the lifetime of the application, it is RECOMMENDED to
   periodically test the entire selection list, in case better TURN
   servers suddenly appear or connectivity to others is unexpectedly
   lost.

   The parameters described in this Section are intended as TURN server
   selection criteria or as weighting factors for TURN server
   prioritization.

3.1.  Local Configuration

   Local or manual configuration takes precedence for TURN server
   selection.  A client could be configured with an explicit preferred
   list of TURN servers.  Local configuration could list servers in
   order of preference.  For example, a TURN client could opt for a TURN
   server offered by the Enterprise and fall back to a TURN server
   offered by the Internet Service Provider (ISP) or a cloud service if
   the Enterprise TURN server wasn't available.

   An implementation MAY give the user an opportunity (e.g., by means of
   configuration file options or menu items) to specify this preference.

3.2.  Security

   If a TURN client wants security for its connections, it should opt
   for a TURN server that supports the usage of Transport Layer Security
   (TLS) [RFC5246] and Datagram Transport Layer Security (DTLS)
   [RFC6347] as a transport protocol for Session Traversal Utilities for



Patil, et al.            Expires April 29, 2015                 [Page 3]

Internet-Draft            TURN server selection             October 2014


   NAT (STUN), as defined in [RFC5389] and [RFC7350].  If multiple
   servers offer this support, the client could use Location Privacy
   (Section 3.2.1) and Authentication (Section 3.2.2) criteria to
   determine which among the list is most suitable.

   The need for security depends on the type of connected network (i.e.,
   whether the host is connected to a home network versus an Enterprise
   network versus a coffee shop network).  It is recommended that a
   client always choose security, but this condition could vary
   depending on the degree of trust with the connected network.

3.2.1.  Location Privacy

   In addition to security, a TURN client may require additional
   location privacy from an external peer.

   Scenario 1:  A client may not wish to use a TURN server in its
      Enterprise or access network because the client location could be
      determined by the external peer.  In such a case, the client may
      choose to use a distributed multi-tenant or a cloud-based TURN
      server that can provide privacy by obscuring the network from
      which the client is communicating with the remote peer.

   Scenario 2:  A TURN client that desires to perform Scenario 1, but
      cannot because of firewall policy that forces the client to pick
      Enterprise-provided TURN server for external communication, can
      use TURN-in-TURN through the enterprise's TURN server as described
      in [I-D.schwartz-rtcweb-return].

   Location privacy may not be critical if the client attempts to
   communicate with a peer within the same domain.

3.2.2.  Authentication

   A TURN client should prefer a TURN server whose authenticity can be
   ascertained.  A simple certificate trust chain validation during the
   process of (D)TLS handshake should be able to validate the server.

   A TURN client could also be pre-configured with the names of trusted
   TURN servers.  When connecting to a TURN server, a TURN client should
   start with verifying that the TURN server name matches the pre-
   configured list of TURN servers, and finally validating its
   certificate trust chain.  For TURN servers that don't have a
   certificate trust chain, the configured list of TURN servers can
   contain the certificate fingerprint of the TURN server (i.e., a
   simple whitelist of name and certificate fingerprint).





Patil, et al.            Expires April 29, 2015                 [Page 4]

Internet-Draft            TURN server selection             October 2014


   DNS-based Authentication of Named Entities (DANE) can also be used to
   validate the certificate presented by TURN server as described in
   [I-D.petithuguenin-tram-stun-dane].

3.3.  User Experience

   All else being equal (or if a TURN client is able to converge on a
   set of TURN servers based on parameters described in Section 3.2), a
   TURN client should choose a TURN server that provides the best user
   experience at that point in time (based on factors such as RTT, real-
   time clock (RTC), etc).

   If using ICE regular nomination, ICE connectivity check round-trip
   time can influence the selection amongst the valid pairs.  This way a
   candidate pair with relayed candidate could be selected even if it
   has lower-priority than other valid pairs.

3.4.  Interface

   With a multi-interfaced node, selection of the correct interface and
   source address is often crucial.  How to select an interface and IP
   address family is out of scope for this document.  A client could
   account for the provisioning domain described in
   [I-D.ietf-mif-mpvd-arch] to determine which interface to choose.

3.5.  Mobility Support

   If a TURN client is aware that the host is mobile, and all other
   parameters being equal, the client SHOULD choose a TURN server that
   supports mobility [I-D.wing-tram-turn-mobility].

4.  Security Considerations

   This document does not itself introduce security issues, rather it
   merely presents best practices for TURN server selection.  Security
   considerations described in [RFC5766] are applicable to for all TURN
   usage.

5.  Acknowledgements

   The authors would like to thank Dan Wing, Marc Petit-Huguenin for
   their review and valuable comments.

6.  References







Patil, et al.            Expires April 29, 2015                 [Page 5]

Internet-Draft            TURN server selection             October 2014


6.1.  Normative References

   [I-D.ietf-mif-mpvd-arch]
              Anipko, D., "Multiple Provisioning Domain Architecture",
              draft-ietf-mif-mpvd-arch-07 (work in progress), October
              2014.

   [I-D.ietf-tram-turn-server-discovery]
              Patil, P., Reddy, T., and D. Wing, "TURN Server Auto
              Discovery", draft-ietf-tram-turn-server-discovery-00 (work
              in progress), July 2014.

   [I-D.petithuguenin-tram-stun-dane]
              Petit-Huguenin, M. and G. Salgueiro, "Using DNS-based
              Authentication of Named Entities (DANE) to validate TLS
              certificates for the Session Traversal Utilities for NAT
              (STUN) protocol", draft-petithuguenin-tram-stun-dane-02
              (work in progress), October 2014.

   [I-D.schwartz-rtcweb-return]
              Schwartz, B., "Recursively Encapsulated TURN (RETURN) for
              Connectivity and Privacy in WebRTC", draft-schwartz-
              rtcweb-return-03 (work in progress), September 2014.

   [I-D.wing-tram-turn-mobility]
              Wing, D., Patil, P., Reddy, T., and P. Martinsen,
              "Mobility with TURN", draft-wing-tram-turn-mobility-02
              (work in progress), September 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5766]  Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
              Relays around NAT (TURN): Relay Extensions to Session
              Traversal Utilities for NAT (STUN)", RFC 5766, April 2010.

   [RFC7350]  Petit-Huguenin, M. and G. Salgueiro, "Datagram Transport
              Layer Security (DTLS) as Transport for Session Traversal
              Utilities for NAT (STUN)", RFC 7350, August 2014.

6.2.  Informative References

   [RFC5245]  Rosenberg, J., "Interactive Connectivity Establishment
              (ICE): A Protocol for Network Address Translator (NAT)
              Traversal for Offer/Answer Protocols", RFC 5245, April
              2010.





Patil, et al.            Expires April 29, 2015                 [Page 6]

Internet-Draft            TURN server selection             October 2014


   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5389]  Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
              "Session Traversal Utilities for NAT (STUN)", RFC 5389,
              October 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

Authors' Addresses

   Prashanth Patil
   Cisco Systems, Inc.
   Bangalore
   India

   Email: praspati@cisco.com


   Tirumaleswar Reddy
   Cisco Systems, Inc.
   Cessna Business Park, Varthur Hobli
   Sarjapur Marathalli Outer Ring Road
   Bangalore, Karnataka  560103
   India

   Email: tireddy@cisco.com


   Gonzalo Salgueiro
   Cisco
   7200-12 Kit Creek Road
   Research Triangle Park, NC  27709
   US

   Email: gsalguei@cisco.com














Patil, et al.            Expires April 29, 2015                 [Page 7]