SlideShare a Scribd company logo

Stun turn poc_pilot

Mihály Mészáros
Mihály Mészáros

Proof of Concept STUN/TURN service

Technology
1 of 61
Download to read offline
ICE, STUN, TURN Federated STUN/TURN service PoC/Pilot experiences Mészáros Mihály NIIF Institute 4th TF-WEBRTC meeting - DFN Berlin 2016
STUN, TURN, ICE · STUN „Classic” - RFC 3489 (2003 March) · Simple Traversal of UDP Through NATs · STUN - „New” - RFC 5389 (2008 October) · Session Traversal Utilities for NAT · TURN - RFC 5766 (2010 April) · Traversal Using Relays around NAT (Relay Extensions to STUN) · ICE – RFC 5245 (2010 April) · Interactive Connectivity Establishment
Table of Contents · Overview: Firewall vs. Real Time Communication (RTC) · WebRTC and ICE/STUN/TURN · Types of NAT and NAT behavior Discovery · ICE, STUN, TURN · Auth Methods and implementation overview. · GÉANT 4 SA8 T2 Proof of Concept STUN/TURN experiences · Lessons learned · Symposium demos · Summary
WebRTC
WebRTC & Firewall / NAT Traversal
WebRTC 10% 68% 13% 7%2% Direct STUN/NAT TURN/UDP TURN/TCP TURN/TLS Datasource:callstats.io · WebRTC transport draft · ICE is mandatory · ICE depend on STUN/TURN service · WebRTC is not only Web · Mobil, Native application · WebRTC isn't only Video Call · WebRTC in every browser and beyond..
Firewall vs RTC
Firewall keeps the unwanted traffic Outside
But also adds barriers to RTC
The Goal: Standard based solution that solves RTC Firewall/NAT traversal
Firewall Traversal · Traversal is getting more and more complicated · Moving target · Today Internet: · NAT (different types), · Firewall (packet filters), · IPv4 => IPv6 transition, · Multi homing, etc. · TCP not ideal for RTC
NAT
NAT types (RFC 3489) · Full-cone NAT · Address-restricted-cone NAT · Port-restricted cone NAT · Symmetric NAT Server 1 Server 2 Client NAT "Full Cone" NAT Server 1 Server 2 Client NAT "Restricted Cone" NAT Server 1 Server 2 Client NAT "Port Restricted Cone" NAT
Symmetric NAT Server 1 Server 2 Client NAT "Symmetric" NAT https://upload.wikimedia.org/wikipedia/commons/7/73/Symmetric_NAT.svg
RFC 4787 and RFC 5780 vs RFC 3489 · Mapping · EIM · ADM · APDM · Filtering · EIF · ADF · APDF Source: http://www.netmanias.com/en/?m=view&id=techdocs&no=6065
Map Detection Image Source: http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780 · TEST I · Primary IP, Primary Port · TEST II · Alternate IP, Primary Port · TEST III · Alternate IP, Alternate Port
Filtering Detection Image Source: http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780 · TEST I · Primary IP, Primary Port · TEST II · Change Request IP and Port · TEST III · Change Request Port
Linux NAT · Allow IP forwarding sysctl net.ipv4.ip_forward=1 · Symmetric NAT · Address and Port dependent Mapping · Address and Port dependent Filtering · iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random · Port restricted Cone NAT · Endpoint Independent Mapping · Address and Port dependent Filtering · iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
RFC5780 and coTURN · NAT behavior is not always constant in time! · NAT could change characteristics during attacks, or high load, etc. · Still worth to understand the current behavior. · RFC 4787 - NAT Behavioral Requirements for Unicast UDP · coTURN provides a brilliant stun client library · Based on it I created a utility to detect NAT type according RFC5780 · bin/turnutils_natdiscovery -f -m 193.224.47.74
Example symmetric NAT output misi@csiga:~/work/coturn$ bin/turnutils_natdiscovery -f -m 193.224.47.74 … ======================================== NAT with Address and Port Dependent Mapping! ======================================== … ======================================== NAT with Address and Port Dependent Filtering! ======================================== misi@csiga:~/work/coturn$
ICE, STUN, TURN
ICE step by step · Discovery and Candidate gathering · Allocation · Prioritisation · Exchange · Connectivity Check · Frozen Algorithm · Coordination · Communication
IP address, and port discovery · Candidate pair · IP address, port, protocol · Types · Relayed · Reflexive · Server, Peer · Host TURN Server NAT UA Y:y X':x' X:x Public Internet
Why cause problem gathering all addresses? · ICE gathers ALL(!) · „By Design” · to find the best way · IP address leakage · expose your IP addresses · Private, Public, VPN etc. · Solution: · Limit candidate discovery · Limit interface and address gathering · Fix is under way · draft-ietf-rtcweb-ip-handling · Chrome · Opt-In: Network limiter extension · Step two: build in the core, and make it default · Firefox · New UI tools to restrict candidates · https://wiki.mozilla.org/Media/WebRTC/Privacy
Trickle ICE Slide from: trickle-ice-iet86-orlando.pptx STUN Server STUN Server BobAlice disco disco offer and candidates … connectivity checks … answer and candidates Vanilla ICE as per RFC 5245 STUN Server STUN Server BobAlice disco disco O/A with host or no cands … more cands & conn checks …
RETURN ____________ inside network || outside network / || NAT/FW | host O ________||________ | | / || | srflx|.............|..................O ___________ | | | || | / | relay|- - - - - - -|- - - - - - - - - |- - -|- - - - - -O | | | _____||_____ | | | | | | / || | | | | relay2|-------------|--|------------| -|- - -|- - - - - -O | | | | || | | ___________/ | srflx2|- - - - - - -|- |- - - - - - O | | | | | || | | Application TURN | host2 |- - - - - - -|- |- - - - - - O | server | | | _____||_____/ | ____________/ ________||________/ || Browser Border TURN Proxy || server || KEY O Candidate ..... Non encapsulated - - - TURN encapsulated ----- Double TURN encapsulated || Network edge · RETURN · Recursively Encapsulated · DNS „Auto-Discovery” · Corporate Border Proxy · Corporate and Application · Leakiness · Leaky: Use all possible · Sealed: force only enterprise TURN Proxy-t
STUN Auth Methods
Long Term vs Short Term · STUN (RFC5389) define to Credential Auth Mechanism · Short-term Credential mechanism · Use once · Every-time new encryption key · ICE using it for connection check · sdp (a=ice-ufrag and a=ice-pwd) · Long-term Credential mechanism · Credential is not limited in time. · Main Usage STUN reflexive address detection and TURN relay allocation · Stored in a User Database (HA1)
Long Term Credential · User, Realm, Password · „Origin” based REALM (draft-ietf-tram-stun-origin) /WebRTC/ · User Database stores HA1 · HA1=MD5(”user:example.com:mysecret”) · Message Integrity Algorithm (SHA1) · HMAC(M, MD5(”user:example.com:mysecret”)) · Protection against reply based attacks · It is the base auth method for STUN
WebRTC & LTC = not perfect match · Long Term Credential · Summary of problems: draft-reddy-behave-turn-auth · Keeping password in secret is difficulty for Web Apps · Message Integrity is not protected against Off-line dictionary attacks. · The Server makes lookup in the User Database for the credential. · The username is not encrypted in STUN message and this way could be used for tracking. · Short Term Credential (only for one connection) · No protection against reply attacks · Designed for short term
STUN auth for WebRTC = REST API (Time Limited Long Term Credential) · draft-uberti-rtcweb-turn-rest-00 · REST API and STUN/TURN server shared secret. · The Service Provider Identified by an api_key and get on behalf the end-user request and get a time limited credential. · The web application transfer this credential to the end-user browser JS API. · username = timestamp and an application specific data seperated by a „:”.
REST API Operation Overview (Time Limited Long Term Credential) REST API Web App Turn Server Shared Secret
OAuth RFC 7635
Proof of Concept
PoC Overview · Web Frontend · After AAI: eduGAIN · get (LTC) usr/pwd credential · get key to REST API · Distributed service · NIIF, UNINETT, FCT/FCCN · Closest Server (GeoIP) · Auth methods · LTC,REST API, · OAuth (coming soon)
Ansible · Automated install central · OS (firewall,ntp,fail2ban,etc.) · Web Server and PHP · EduGAIN privacy statement · MySQL master · Automated install slaves · OS (firewall,ntp,fail2ban,etc.) · MySQL slave · coTURN · Configure even more · Certs · Configure SimpleSAMLPHP · Install Composer · Update php libs · Checkout git · Frontend · REST API · Setup replication · Master and Slave sides
Design Goals · Only Open Source components (Debian Jessie, etc.) · Supporting all possible Authentication methods · LTC, REST, OAuth · AAI enabled eduGAIN front-end site · Distributed back-end database · Secure Communication, IPv6, DNSSEC · Support wide range of STUN/TURN transport protocols · Automated deployment
Security Design Principles · LTC user password is generated to avoid any Offline dictionary attacks. · According STUN RFC recommendation “the password SHOULD have at least 128 bits of randomness” · We use 32 alphanumeric ~190 bit (hackzilla/password-generator) · REST · API_KEY is generated random key and has one year expiration · 32 alphanumeric char ~190 bit (hackzilla/password-generator) · Shared Secret between API and coTURN is rotated daily
TURN servers Technology Scouting · Open source implementations: · http://sourceforge.net/projects/stun/ · http://turnserver.sourceforge.net/ · https://github.com/jitsi/turnserver · https://www.resiprocate.org/ · http://www.creytiv.com/restund.html · https://github.com/coTURN/rfc5766- turn-server/ · https://github.com/coTURN/coTURN · Commercial implementations: · http://www.eyeball.com/products/ stun-turn-server/ · http://help.estos.com/help/en-US /procall/5/erestunservice/dokume ntation/index.htm · Etc. · Commercial Services: · http://numb.viagenie.ca/ · http://xirsys.com/ · https://www.twilio.com/stun-turn · Etc.
coTURN TURN with co-location of multiple realms · coturn.net - https://github.com/coturn/coturn · Open Source STUN/TURN implementation · Written in C, Rock Solid and, low HW intensity · It follows IETF TRAM WG works very closely. · Supports multiple backend database types (5) · STUN over UDP/TCP/TLS/DTLS/SCTP · TCP/UDP (Relay) · Auth methods: LTC, REST (Time limited LTC), OAuth · IPv4 and IPv6
User Frontend · Landing Web Page · SimpleSAMLphp, eduGAIN Auth, we request 4 attributes · Bootstrapzero design · Quick&Dirty PoC level implementation · REST API · "slim/slim": "^2.6" · "zircote/swagger-php": "^2.0" · "geoip/geoip": "~1.14" (IPv6) · mjaschen/phpgeo": "^0.3.0"
Live Demo: https://brain.lab.vvc.niif.hu
Pick the closest STUN/TURN · LTC · DNS GeoIP based Views · Based on Location of DNS resolver not the client (!) · OpenDNSSEC not yet supporting views! Issue: OPENDNSSEC-232 · AnyCast · Provider independent · IPv4 /24 · IPv6 /64 · REST · Input the user IP address the web server side application · Local GeoIP database · IP => Coordinate · Vincenty's formulae · Coordinates => Distance
Auth methods · LTC and REST · client behavior is not changed. · Only Server side differs. · coTURN doesn't support both mechanism in one daemon · We used that simple design approach to separate auth methods VM level. · Avoiding repackaging · Multiple deamon could also work on the same VM. · Drawback: normal Debian package designed to run on daemon on one host. · To exploit the latest coTURN implementation features we deciced to use jessie- backports repository
IPv6 Ready service smooth IPv6 transition · All service IPv6 READY and works in dual stack · STUN/TURN services · Dual Allocation · MySQL · NTP · SSH · DNS Resolvers · Web Server · Frontend, REST API
MySQL · Separated DB for different auth methods · MySQL Replication · Encrypted · netfilter protects ports · IP address based access controll · Generated passwords · Replication filtered based on DB (auth method) · MySQL Events: · LTC · Revoking LTC back after a year · REST · Generating daily new shared secrets · Revoking API token after a year. · Shared Key aging · Cause a limited problem if a REST TURN server is compromised.
MySQL DB Schemas
STUN & Long Term Credential · STUN LTC authentication is optional according the RFC · Pros: · Use the same Auth policy for STUN and TURN · Avoid attacks and server discovery. Avoid crawler robots that tracking Internet for vulnerable open STUN/TURN services. (Version) · Avoid detect STUN server topology alternate address and port. · Contra · Work involved in authenticating the request is more than the work in simply processing it. · Reality: Lack of Browser implementation
STUN & LTC chrome · Log [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' · Turned out from source · Not handled of STUN auth challenge in stunport.cc
nICEr: TODO src/stun/stun_client_ctx.c
OAuth Browser Implementation Status · Chrome · Open Issue 4907: https://goo.gl/Z69q6I · Not happen in Q1 · Firefox · Open Bug 1247616: https://goo.gl/6n78rL · Not implemented warning for App Devs from Mozilla 47
OAuth & TURN · No PHP library that supports the Authenticated-Encryption with Associated-Data (AEAD) · OpenSSL samples: https://goo.gl/UfuqTr · CoTURN · self-contained OAuth token validation implemented · src/client/ns_turn_msg.c · Function: int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
Built in STUN · Chrome · stun.l.google.com:19302 · Firefox · media.peerconnection.default_iceservers;[] · media.peerconnection.ice.tcp;false · stun.services.mozilla.com · Default stun server removed from ver 41 · Bug: 1167922, 1143827 · No Service Agreement about service long term availability · It is up to Browser vendor · Built-in STUN SLA is not well defined
Lesson Learned · STUN binding with LTC is not supported in Browsers. · Port numbers · Standard ports · Standard Alternate port · 80, 443 for strict firewalls · NAT discovery · Multiple IP addresses required · Decisions & Lessons · LTC · GeoIP vs Anycast · OpenDNSSEC is not supporting views. · REST API · GeoIP and Vincenty vs · Google Maps API · OAuth (coming soon..) · Wait for Browser support.
Future directions · Utilize untapped coTURN features · STUN origin · Quotas · Bandwidth, Session · Admin interface · Monitoring · Improve User interface · Frontend, REST API · coTURN Logging file central collection · Analytics, Anomaly detection · Support, Helpdesk · App developer API examples · Investigation problems · Service Monitoring (SLA) · VM, OS, DB, coTURN · Alerts
Make or Buy? · We in place Infrastructure · Virtual/Physical Machine · Small instance required · Networking Service · High bandwidth capacity · IPv6 · Secure and encrypted · updated · Open Source · From Public Money · Non technical reasons · Trust · Transparency · Time spent following market players offerings (moving) · Time spent negotiate price · Procurement fees · NREN & Commercial market different priorities · Education market is not big enough to implement feature
Symposium Demos
GN4 Symposium Demo · WebTut · Teacher <=> Student · Symmetric NAT · Tablet and PC · What happens · 1. Without STUN/TURN · 2. With STUN/TURN · 3. Two endpoints in the same LAN segment
In practice
Summary · ICE if possible provides E2E communication (lowest latency) · Standard based NAT Firewall Traversal and smooth IPv6 transition · According WebRTC transport draft ICE is MUST. · “ ICE [RFC5245] MUST be supported.” · ICE needs STUN/TURN server infrastructure. · A GÉANT4 PoC service is up and running. Next step? Pilot... · „Leading edge” collaboration technologies serving the NREN community communications needs.
Questions ? misi@niif.hu CONTACT:

Recommended

OAuth and STUN, TURN in WebRTC context RFC7635
OAuth and STUN, TURN in WebRTC context RFC7635OAuth and STUN, TURN in WebRTC context RFC7635
OAuth and STUN, TURN in WebRTC context RFC7635Mihály Mészáros
 
Sctp tutorial
Sctp tutorialSctp tutorial
Sctp tutorialSusant Sahani
 
Building DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNBuilding DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNCisco Canada
 
ICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPSaúl Ibarra Corretgé
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
Nat traversal in WebRTC context
Nat traversal in WebRTC contextNat traversal in WebRTC context
Nat traversal in WebRTC contextAudioCodes
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalKwonSun Bae
 
IPv6 Addressing
IPv6 AddressingIPv6 Addressing
IPv6 AddressingIrsandi Hasan
 

Recommended

OAuth and STUN, TURN in WebRTC context RFC7635
OAuth and STUN, TURN in WebRTC context RFC7635OAuth and STUN, TURN in WebRTC context RFC7635
OAuth and STUN, TURN in WebRTC context RFC7635Mihály Mészáros
 
Sctp tutorial
Sctp tutorialSctp tutorial
Sctp tutorialSusant Sahani
 
Building DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNBuilding DataCenter networks with VXLAN BGP-EVPN
Building DataCenter networks with VXLAN BGP-EVPNCisco Canada
 
ICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPICE: The ultimate way of beating NAT in SIP
ICE: The ultimate way of beating NAT in SIPSaúl Ibarra Corretgé
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
Nat traversal in WebRTC context
Nat traversal in WebRTC contextNat traversal in WebRTC context
Nat traversal in WebRTC contextAudioCodes
 
Vxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalVxlan deep dive session rev0.5 final
Vxlan deep dive session rev0.5 finalKwonSun Bae
 
IPv6 Addressing
IPv6 AddressingIPv6 Addressing
IPv6 AddressingIrsandi Hasan
 
BGP Overview
BGP OverviewBGP Overview
BGP OverviewMatt Bynum
 
NAT Traversal
NAT TraversalNAT Traversal
NAT TraversalDavide Carboni
 
Bgp
BgpBgp
BgpFebrian ‎
 
LTM essentials
LTM essentialsLTM essentials
LTM essentialsbharadwajv
 
GRE Tunnel Configuration
GRE Tunnel ConfigurationGRE Tunnel Configuration
GRE Tunnel ConfigurationNetProtocol Xpert
 
TCP - Transmission Control Protocol
TCP - Transmission Control ProtocolTCP - Transmission Control Protocol
TCP - Transmission Control ProtocolPeter R. Egli
 
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)newbie2019
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATCisco Russia
 
Asa packet-flow-00
Asa packet-flow-00Asa packet-flow-00
Asa packet-flow-00vinaydewangan11
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Deploy MPLS Traffic Engineering
Deploy MPLS Traffic EngineeringDeploy MPLS Traffic Engineering
Deploy MPLS Traffic EngineeringAPNIC
 
UDP - User Datagram Protocol
UDP - User Datagram ProtocolUDP - User Datagram Protocol
UDP - User Datagram ProtocolPeter R. Egli
 
Storm-Control
Storm-ControlStorm-Control
Storm-ControlNetProtocol Xpert
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN IntroductionBangladesh Network Operators Group
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)Netwax Lab
 
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersCisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersBruno Teixeira
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF FundamentalReza Farahani
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web securityxKinAnx
 
Webrtc puzzle
Webrtc puzzleWebrtc puzzle
Webrtc puzzleMihály Mészáros
 
GÉANT TURN pilot
GÉANT TURN pilotGÉANT TURN pilot
GÉANT TURN pilotMihály Mészáros
 

More Related Content

What's hot

LTM essentials
LTM essentialsLTM essentials
LTM essentialsbharadwajv
 
TCP - Transmission Control Protocol
TCP - Transmission Control ProtocolTCP - Transmission Control Protocol
TCP - Transmission Control ProtocolPeter R. Egli
 
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)newbie2019
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATCisco Russia
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Deploy MPLS Traffic Engineering
Deploy MPLS Traffic EngineeringDeploy MPLS Traffic Engineering
Deploy MPLS Traffic EngineeringAPNIC
 
UDP - User Datagram Protocol
UDP - User Datagram ProtocolUDP - User Datagram Protocol
UDP - User Datagram ProtocolPeter R. Egli
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)Netwax Lab
 
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersCisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersBruno Teixeira
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web securityxKinAnx
 

What's hot (20)

BGP Overview
BGP OverviewBGP Overview
BGP Overview
 
NAT Traversal
NAT TraversalNAT Traversal
NAT Traversal
 
Bgp
BgpBgp
Bgp
 
LTM essentials
LTM essentialsLTM essentials
LTM essentials
 
GRE Tunnel Configuration
GRE Tunnel ConfigurationGRE Tunnel Configuration
GRE Tunnel Configuration
 
TCP - Transmission Control Protocol
TCP - Transmission Control ProtocolTCP - Transmission Control Protocol
TCP - Transmission Control Protocol
 
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Asa packet-flow-00
Asa packet-flow-00Asa packet-flow-00
Asa packet-flow-00
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Deploy MPLS Traffic Engineering
Deploy MPLS Traffic EngineeringDeploy MPLS Traffic Engineering
Deploy MPLS Traffic Engineering
 
UDP - User Datagram Protocol
UDP - User Datagram ProtocolUDP - User Datagram Protocol
UDP - User Datagram Protocol
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
EVPN Introduction
EVPN IntroductionEVPN Introduction
EVPN Introduction
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)
 
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersCisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF Fundamental
 
Presentation cisco iron port email & web security
Presentation cisco iron port email & web securityPresentation cisco iron port email & web security
Presentation cisco iron port email & web security
 

Similar to Stun turn poc_pilot

From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT TraversalLi-Wei Yao
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01mrmr2010i
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNGerardo Pardo-Castellote
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Jakub Botwicz
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxM.Qasim Arham
 
Hands on with CoAP and Californium
Hands on with CoAP and CaliforniumHands on with CoAP and Californium
Hands on with CoAP and CaliforniumJulien Vermillard
 
WebRTC overview
WebRTC overviewWebRTC overview
WebRTC overviewRouyun Pan
 
AusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATAusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATMark Smith
 
H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820
H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820
H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820innov-acts-ltd
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspeChris Westin
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 
DCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep diveDCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep diveMadhu Venugopal
 

Similar to Stun turn poc_pilot (20)

Webrtc puzzle
Webrtc puzzleWebrtc puzzle
Webrtc puzzle
 
GÉANT TURN pilot
GÉANT TURN pilotGÉANT TURN pilot
GÉANT TURN pilot
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT Traversal
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDN
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
Cotopaxi - IoT testing toolkit (Black Hat Asia 2019 Arsenal)
 
Astricon 10 (October 2013) - SIP over WebSocket on Kamailio
Astricon 10 (October 2013) - SIP over WebSocket on KamailioAstricon 10 (October 2013) - SIP over WebSocket on Kamailio
Astricon 10 (October 2013) - SIP over WebSocket on Kamailio
 
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
 
W4 profinet frame analysis, peter thomas
W4 profinet frame analysis, peter thomasW4 profinet frame analysis, peter thomas
W4 profinet frame analysis, peter thomas
 
Hands on with CoAP and Californium
Hands on with CoAP and CaliforniumHands on with CoAP and Californium
Hands on with CoAP and Californium
 
WebRTC overview
WebRTC overviewWebRTC overview
WebRTC overview
 
AusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATAusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NAT
 
H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820
H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820
H2020 finsec-ibm- aidan-shribman-finsec-skydive 260820
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
 
PROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control SpecialistsPROFIBUS frame analysis - Peter Thomas of Control Specialists
PROFIBUS frame analysis - Peter Thomas of Control Specialists
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 
DCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep diveDCUS17 : Docker networking deep dive
DCUS17 : Docker networking deep dive
 

More from Mihály Mészáros

GN4-UP2U update - Moodlemoot19
GN4-UP2U update - Moodlemoot19GN4-UP2U update - Moodlemoot19
GN4-UP2U update - Moodlemoot19Mihály Mészáros
 
Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...
Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...
Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...Mihály Mészáros
 
A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)
A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)
A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)Mihály Mészáros
 
WebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsWebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsMihály Mészáros
 

More from Mihály Mészáros (14)

GN4-UP2U update - Moodlemoot19
GN4-UP2U update - Moodlemoot19GN4-UP2U update - Moodlemoot19
GN4-UP2U update - Moodlemoot19
 
Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...
Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...
Nyílt forráskódú VideoKonferencia mindenkinek! (A GÉANT4 JRA4 T4 és T5 eredmé...
 
WebRTC - Hol tartunk ma?
WebRTC - Hol tartunk ma?WebRTC - Hol tartunk ma?
WebRTC - Hol tartunk ma?
 
A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)
A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)
A jég (ICE), a kanyar (TURN), a bódulat (STUN) és a kijózanító tűzfal (Firewall)
 
WebRTC - Hol tartunk ma?
WebRTC - Hol tartunk ma?WebRTC - Hol tartunk ma?
WebRTC - Hol tartunk ma?
 
SIP Tutorial/Workshop 0
SIP Tutorial/Workshop 0SIP Tutorial/Workshop 0
SIP Tutorial/Workshop 0
 
SIP Tutorial/Workshop 3
SIP Tutorial/Workshop 3SIP Tutorial/Workshop 3
SIP Tutorial/Workshop 3
 
SIP Tutorial/Workshop 2
SIP Tutorial/Workshop 2SIP Tutorial/Workshop 2
SIP Tutorial/Workshop 2
 
SIP Tutorial/Workshop 4
SIP Tutorial/Workshop 4SIP Tutorial/Workshop 4
SIP Tutorial/Workshop 4
 
SIP Tutorial/Workshop 1
SIP Tutorial/Workshop 1SIP Tutorial/Workshop 1
SIP Tutorial/Workshop 1
 
5th tf webrtc-welcome
5th tf webrtc-welcome5th tf webrtc-welcome
5th tf webrtc-welcome
 
WebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsWebRTC Identity in SAML Federations
WebRTC Identity in SAML Federations
 
WebRTC eduCONF
WebRTC eduCONFWebRTC eduCONF
WebRTC eduCONF
 
Webrtc
WebrtcWebrtc
Webrtc
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Stun turn poc_pilot

  • 1. ICE, STUN, TURN Federated STUN/TURN service PoC/Pilot experiences Mészáros Mihály NIIF Institute 4th TF-WEBRTC meeting - DFN Berlin 2016
  • 2. STUN, TURN, ICE · STUN „Classic” - RFC 3489 (2003 March) · Simple Traversal of UDP Through NATs · STUN - „New” - RFC 5389 (2008 October) · Session Traversal Utilities for NAT · TURN - RFC 5766 (2010 April) · Traversal Using Relays around NAT (Relay Extensions to STUN) · ICE – RFC 5245 (2010 April) · Interactive Connectivity Establishment
  • 3. Table of Contents · Overview: Firewall vs. Real Time Communication (RTC) · WebRTC and ICE/STUN/TURN · Types of NAT and NAT behavior Discovery · ICE, STUN, TURN · Auth Methods and implementation overview. · GÉANT 4 SA8 T2 Proof of Concept STUN/TURN experiences · Lessons learned · Symposium demos · Summary
  • 5. WebRTC & Firewall / NAT Traversal
  • 6. WebRTC 10% 68% 13% 7%2% Direct STUN/NAT TURN/UDP TURN/TCP TURN/TLS Datasource:callstats.io · WebRTC transport draft · ICE is mandatory · ICE depend on STUN/TURN service · WebRTC is not only Web · Mobil, Native application · WebRTC isn't only Video Call · WebRTC in every browser and beyond..
  • 8. Firewall keeps the unwanted traffic Outside
  • 9. But also adds barriers to RTC
  • 10. The Goal: Standard based solution that solves RTC Firewall/NAT traversal
  • 11. Firewall Traversal · Traversal is getting more and more complicated · Moving target · Today Internet: · NAT (different types), · Firewall (packet filters), · IPv4 => IPv6 transition, · Multi homing, etc. · TCP not ideal for RTC
  • 12. NAT
  • 13. NAT types (RFC 3489) · Full-cone NAT · Address-restricted-cone NAT · Port-restricted cone NAT · Symmetric NAT Server 1 Server 2 Client NAT "Full Cone" NAT Server 1 Server 2 Client NAT "Restricted Cone" NAT Server 1 Server 2 Client NAT "Port Restricted Cone" NAT
  • 15. RFC 4787 and RFC 5780 vs RFC 3489 · Mapping · EIM · ADM · APDM · Filtering · EIF · ADF · APDF Source: http://www.netmanias.com/en/?m=view&id=techdocs&no=6065
  • 16. Map Detection Image Source: http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780 · TEST I · Primary IP, Primary Port · TEST II · Alternate IP, Primary Port · TEST III · Alternate IP, Alternate Port
  • 17. Filtering Detection Image Source: http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780 · TEST I · Primary IP, Primary Port · TEST II · Change Request IP and Port · TEST III · Change Request Port
  • 18. Linux NAT · Allow IP forwarding sysctl net.ipv4.ip_forward=1 · Symmetric NAT · Address and Port dependent Mapping · Address and Port dependent Filtering · iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random · Port restricted Cone NAT · Endpoint Independent Mapping · Address and Port dependent Filtering · iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • 19. RFC5780 and coTURN · NAT behavior is not always constant in time! · NAT could change characteristics during attacks, or high load, etc. · Still worth to understand the current behavior. · RFC 4787 - NAT Behavioral Requirements for Unicast UDP · coTURN provides a brilliant stun client library · Based on it I created a utility to detect NAT type according RFC5780 · bin/turnutils_natdiscovery -f -m 193.224.47.74
  • 20. Example symmetric NAT output misi@csiga:~/work/coturn$ bin/turnutils_natdiscovery -f -m 193.224.47.74 … ======================================== NAT with Address and Port Dependent Mapping! ======================================== … ======================================== NAT with Address and Port Dependent Filtering! ======================================== misi@csiga:~/work/coturn$
  • 22. ICE step by step · Discovery and Candidate gathering · Allocation · Prioritisation · Exchange · Connectivity Check · Frozen Algorithm · Coordination · Communication
  • 23. IP address, and port discovery · Candidate pair · IP address, port, protocol · Types · Relayed · Reflexive · Server, Peer · Host TURN Server NAT UA Y:y X':x' X:x Public Internet
  • 24. Why cause problem gathering all addresses? · ICE gathers ALL(!) · „By Design” · to find the best way · IP address leakage · expose your IP addresses · Private, Public, VPN etc. · Solution: · Limit candidate discovery · Limit interface and address gathering · Fix is under way · draft-ietf-rtcweb-ip-handling · Chrome · Opt-In: Network limiter extension · Step two: build in the core, and make it default · Firefox · New UI tools to restrict candidates · https://wiki.mozilla.org/Media/WebRTC/Privacy
  • 25. Trickle ICE Slide from: trickle-ice-iet86-orlando.pptx STUN Server STUN Server BobAlice disco disco offer and candidates … connectivity checks … answer and candidates Vanilla ICE as per RFC 5245 STUN Server STUN Server BobAlice disco disco O/A with host or no cands … more cands & conn checks …
  • 26. RETURN ____________ inside network || outside network / || NAT/FW | host O ________||________ | | / || | srflx|.............|..................O ___________ | | | || | / | relay|- - - - - - -|- - - - - - - - - |- - -|- - - - - -O | | | _____||_____ | | | | | | / || | | | | relay2|-------------|--|------------| -|- - -|- - - - - -O | | | | || | | ___________/ | srflx2|- - - - - - -|- |- - - - - - O | | | | | || | | Application TURN | host2 |- - - - - - -|- |- - - - - - O | server | | | _____||_____/ | ____________/ ________||________/ || Browser Border TURN Proxy || server || KEY O Candidate ..... Non encapsulated - - - TURN encapsulated ----- Double TURN encapsulated || Network edge · RETURN · Recursively Encapsulated · DNS „Auto-Discovery” · Corporate Border Proxy · Corporate and Application · Leakiness · Leaky: Use all possible · Sealed: force only enterprise TURN Proxy-t
  • 28. Long Term vs Short Term · STUN (RFC5389) define to Credential Auth Mechanism · Short-term Credential mechanism · Use once · Every-time new encryption key · ICE using it for connection check · sdp (a=ice-ufrag and a=ice-pwd) · Long-term Credential mechanism · Credential is not limited in time. · Main Usage STUN reflexive address detection and TURN relay allocation · Stored in a User Database (HA1)
  • 29. Long Term Credential · User, Realm, Password · „Origin” based REALM (draft-ietf-tram-stun-origin) /WebRTC/ · User Database stores HA1 · HA1=MD5(”user:example.com:mysecret”) · Message Integrity Algorithm (SHA1) · HMAC(M, MD5(”user:example.com:mysecret”)) · Protection against reply based attacks · It is the base auth method for STUN
  • 30. WebRTC & LTC = not perfect match · Long Term Credential · Summary of problems: draft-reddy-behave-turn-auth · Keeping password in secret is difficulty for Web Apps · Message Integrity is not protected against Off-line dictionary attacks. · The Server makes lookup in the User Database for the credential. · The username is not encrypted in STUN message and this way could be used for tracking. · Short Term Credential (only for one connection) · No protection against reply attacks · Designed for short term
  • 31. STUN auth for WebRTC = REST API (Time Limited Long Term Credential) · draft-uberti-rtcweb-turn-rest-00 · REST API and STUN/TURN server shared secret. · The Service Provider Identified by an api_key and get on behalf the end-user request and get a time limited credential. · The web application transfer this credential to the end-user browser JS API. · username = timestamp and an application specific data seperated by a „:”.
  • 32. REST API Operation Overview (Time Limited Long Term Credential) REST API Web App Turn Server Shared Secret
  • 35. PoC Overview · Web Frontend · After AAI: eduGAIN · get (LTC) usr/pwd credential · get key to REST API · Distributed service · NIIF, UNINETT, FCT/FCCN · Closest Server (GeoIP) · Auth methods · LTC,REST API, · OAuth (coming soon)
  • 36. Ansible · Automated install central · OS (firewall,ntp,fail2ban,etc.) · Web Server and PHP · EduGAIN privacy statement · MySQL master · Automated install slaves · OS (firewall,ntp,fail2ban,etc.) · MySQL slave · coTURN · Configure even more · Certs · Configure SimpleSAMLPHP · Install Composer · Update php libs · Checkout git · Frontend · REST API · Setup replication · Master and Slave sides
  • 37. Design Goals · Only Open Source components (Debian Jessie, etc.) · Supporting all possible Authentication methods · LTC, REST, OAuth · AAI enabled eduGAIN front-end site · Distributed back-end database · Secure Communication, IPv6, DNSSEC · Support wide range of STUN/TURN transport protocols · Automated deployment
  • 38. Security Design Principles · LTC user password is generated to avoid any Offline dictionary attacks. · According STUN RFC recommendation “the password SHOULD have at least 128 bits of randomness” · We use 32 alphanumeric ~190 bit (hackzilla/password-generator) · REST · API_KEY is generated random key and has one year expiration · 32 alphanumeric char ~190 bit (hackzilla/password-generator) · Shared Secret between API and coTURN is rotated daily
  • 39. TURN servers Technology Scouting · Open source implementations: · http://sourceforge.net/projects/stun/ · http://turnserver.sourceforge.net/ · https://github.com/jitsi/turnserver · https://www.resiprocate.org/ · http://www.creytiv.com/restund.html · https://github.com/coTURN/rfc5766- turn-server/ · https://github.com/coTURN/coTURN · Commercial implementations: · http://www.eyeball.com/products/ stun-turn-server/ · http://help.estos.com/help/en-US /procall/5/erestunservice/dokume ntation/index.htm · Etc. · Commercial Services: · http://numb.viagenie.ca/ · http://xirsys.com/ · https://www.twilio.com/stun-turn · Etc.
  • 40. coTURN TURN with co-location of multiple realms · coturn.net - https://github.com/coturn/coturn · Open Source STUN/TURN implementation · Written in C, Rock Solid and, low HW intensity · It follows IETF TRAM WG works very closely. · Supports multiple backend database types (5) · STUN over UDP/TCP/TLS/DTLS/SCTP · TCP/UDP (Relay) · Auth methods: LTC, REST (Time limited LTC), OAuth · IPv4 and IPv6
  • 41. User Frontend · Landing Web Page · SimpleSAMLphp, eduGAIN Auth, we request 4 attributes · Bootstrapzero design · Quick&Dirty PoC level implementation · REST API · "slim/slim": "^2.6" · "zircote/swagger-php": "^2.0" · "geoip/geoip": "~1.14" (IPv6) · mjaschen/phpgeo": "^0.3.0"
  • 43. Pick the closest STUN/TURN · LTC · DNS GeoIP based Views · Based on Location of DNS resolver not the client (!) · OpenDNSSEC not yet supporting views! Issue: OPENDNSSEC-232 · AnyCast · Provider independent · IPv4 /24 · IPv6 /64 · REST · Input the user IP address the web server side application · Local GeoIP database · IP => Coordinate · Vincenty's formulae · Coordinates => Distance
  • 44. Auth methods · LTC and REST · client behavior is not changed. · Only Server side differs. · coTURN doesn't support both mechanism in one daemon · We used that simple design approach to separate auth methods VM level. · Avoiding repackaging · Multiple deamon could also work on the same VM. · Drawback: normal Debian package designed to run on daemon on one host. · To exploit the latest coTURN implementation features we deciced to use jessie- backports repository
  • 45. IPv6 Ready service smooth IPv6 transition · All service IPv6 READY and works in dual stack · STUN/TURN services · Dual Allocation · MySQL · NTP · SSH · DNS Resolvers · Web Server · Frontend, REST API
  • 46. MySQL · Separated DB for different auth methods · MySQL Replication · Encrypted · netfilter protects ports · IP address based access controll · Generated passwords · Replication filtered based on DB (auth method) · MySQL Events: · LTC · Revoking LTC back after a year · REST · Generating daily new shared secrets · Revoking API token after a year. · Shared Key aging · Cause a limited problem if a REST TURN server is compromised.
  • 48. STUN & Long Term Credential · STUN LTC authentication is optional according the RFC · Pros: · Use the same Auth policy for STUN and TURN · Avoid attacks and server discovery. Avoid crawler robots that tracking Internet for vulnerable open STUN/TURN services. (Version) · Avoid detect STUN server topology alternate address and port. · Contra · Work involved in authenticating the request is more than the work in simply processing it. · Reality: Lack of Browser implementation
  • 49. STUN & LTC chrome · Log [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' · Turned out from source · Not handled of STUN auth challenge in stunport.cc
  • 51. OAuth Browser Implementation Status · Chrome · Open Issue 4907: https://goo.gl/Z69q6I · Not happen in Q1 · Firefox · Open Bug 1247616: https://goo.gl/6n78rL · Not implemented warning for App Devs from Mozilla 47
  • 52. OAuth & TURN · No PHP library that supports the Authenticated-Encryption with Associated-Data (AEAD) · OpenSSL samples: https://goo.gl/UfuqTr · CoTURN · self-contained OAuth token validation implemented · src/client/ns_turn_msg.c · Function: int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
  • 53. Built in STUN · Chrome · stun.l.google.com:19302 · Firefox · media.peerconnection.default_iceservers;[] · media.peerconnection.ice.tcp;false · stun.services.mozilla.com · Default stun server removed from ver 41 · Bug: 1167922, 1143827 · No Service Agreement about service long term availability · It is up to Browser vendor · Built-in STUN SLA is not well defined
  • 54. Lesson Learned · STUN binding with LTC is not supported in Browsers. · Port numbers · Standard ports · Standard Alternate port · 80, 443 for strict firewalls · NAT discovery · Multiple IP addresses required · Decisions & Lessons · LTC · GeoIP vs Anycast · OpenDNSSEC is not supporting views. · REST API · GeoIP and Vincenty vs · Google Maps API · OAuth (coming soon..) · Wait for Browser support.
  • 55. Future directions · Utilize untapped coTURN features · STUN origin · Quotas · Bandwidth, Session · Admin interface · Monitoring · Improve User interface · Frontend, REST API · coTURN Logging file central collection · Analytics, Anomaly detection · Support, Helpdesk · App developer API examples · Investigation problems · Service Monitoring (SLA) · VM, OS, DB, coTURN · Alerts
  • 56. Make or Buy? · We in place Infrastructure · Virtual/Physical Machine · Small instance required · Networking Service · High bandwidth capacity · IPv6 · Secure and encrypted · updated · Open Source · From Public Money · Non technical reasons · Trust · Transparency · Time spent following market players offerings (moving) · Time spent negotiate price · Procurement fees · NREN & Commercial market different priorities · Education market is not big enough to implement feature
  • 58. GN4 Symposium Demo · WebTut · Teacher <=> Student · Symmetric NAT · Tablet and PC · What happens · 1. Without STUN/TURN · 2. With STUN/TURN · 3. Two endpoints in the same LAN segment
  • 60. Summary · ICE if possible provides E2E communication (lowest latency) · Standard based NAT Firewall Traversal and smooth IPv6 transition · According WebRTC transport draft ICE is MUST. · “ ICE [RFC5245] MUST be supported.” · ICE needs STUN/TURN server infrastructure. · A GÉANT4 PoC service is up and running. Next step? Pilot... · „Leading edge” collaboration technologies serving the NREN community communications needs.