Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Single port mode? #284

Open
danjenkins opened this issue Jan 10, 2023 · 8 comments
Open

Single port mode? #284

danjenkins opened this issue Jan 10, 2023 · 8 comments

Comments

@danjenkins
Copy link

Within the TURN spec... can we support using pion's single udp port mode?

https://github.com/pion/webrtc/tree/master/examples/ice-single-port

@stv0g
Copy link
Member

stv0g commented Jan 17, 2023

Related pion/ice#400

Within the TURN spec...

I dont see a single port mode explicitly mentioned in RFC8656.
Do you have some more infos? E.g. other TURN implementations which support it?

@danjenkins
Copy link
Author

As far as im aware @stv0g it should just work - I didnt mean to say that the turn spec has it... I was asking those who know more about the turn spec than me if it would be ok. I think it would be. But I hadnt seen that the upstream project only supports muxing on host candidates.

@stv0g
Copy link
Member

stv0g commented Jan 17, 2023

I agree @danjenkins,

according to the RFC it should be possible to implement it. pion/ice already supports muxing for Host and Srflx candidates. Muxing for Relay candidates is still on the todo list.

@renandincer
Copy link

@danjenkins do you mean single port on the TURN Client <> TURN server or TURN server <> remote peer path?

@danjenkins
Copy link
Author

@danjenkins do you mean single port on the TURN Client <> TURN server or TURN server <> remote peer path?

I meant multiplexing all turn traffic over one port - just like webrtc media servers do now, far easier to deploy to environments like kubernetes etc

@rg0now
Copy link
Contributor

rg0now commented Mar 2, 2024

You don't need single-port mode for Kubernetes per se, see here. You cannot expose a media server over a Kubernetes Service anyway since Services usually do random load-balancing over the endpoints.

@danjenkins
Copy link
Author

I used it as an example... and I never said about using k8s services...

@renandincer
Copy link

renandincer commented Mar 3, 2024

If the question is whether a TURN server can bind to a specific 2-tuple {ip, port} and communicate with TURN clients in a connection oriented way using a full 4-tuple {source ip, source port, destination ip, destination port}, the answer is yes. As you suggested, this is how some WebRTC media servers operate.

Unlike WebRTC media servers, TURN server also has to send packets to and receive packets from a third party since it acts as a UDP proxy for the TURN client. It needs a UDP socket in a connected state with a 4-tuple associated with the TURN client and a UDP socket with a 2-tuple to listen for packets from the third party. The 4-tuple and the 2-tuple forms a TURN "allocation". The ip, port for the third party peer is not part of this because this would make the TURN server more like a NAT, where it can't accept packets from unknown third parties.

So let's imagine we use a single 2-tuple for both TURN client <> TURN server and TURN server <> third party communication. When the TURN server receives a new UDP packet, it needs to tell apart:

  1. A datagram from the TURN client (which one?)
  2. A datagram from a third party (for which TURN client?)
  3. Random internet junk like port scanning

The TURN protocol allows the Server to deal with (1) but not (2) or (3), so the TURN server is required to use a unique 2-tuple to communicate with third parties for every allocation. Because of this the section about allocations, the RFC8656 says:

The relayed transport address MUST be unique across all allocations so it can be used to uniquely identify the allocation

So the answer is no, you can't use a single port for every part of a TURN server.

The RFC is a little bit confusing as it also says this:

Since SIP supports forking, TURN supports multiple peers per relayed transport address; a feature not supported by other approaches (e.g., SOCKS [RFC1928]).

"multiple peer per relayed transport address" here refers to the fact that a TURN client can re-use the same relayed IP address to talk to multiple third parties, provided that it's same TURN client doing this. This is because all TURN server cares about is that this traffic is destined for the same TURN client.


That being said, if you're alright with ignoring the RFC, maybe you could keep track of the ICE connectivity check STUN packets over the TURN server and somehow tie the third party peer into the mix. This might work well if you also have access to the server reflexive address of third parties the TURN client is sending packets to.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Development

No branches or pull requests

4 participants