ICE, STUN, TURN
Federated STUN/TURN service PoC/Pilot experiences
Mészáros Mihály
NIIF Institute
4th TF-WEBRTC meeting, DFN Berlin, 2016
STUN, TURN, ICE
· STUN „Classic” - RFC 3489 (2003 March)
· Simple Traversal of UDP Through NATs
· STUN - „New” - RFC 5389 (2008 October)
· Session Traversal Utilities for NAT
· TURN - RFC 5766 (2010 April)
· Traversal Using Relays around NAT (Relay Extensions to STUN)
· ICE – RFC 5245 (2010 April)
· Interactive Connectivity Establishment
Table of Contents
· Overview: Firewall vs. Real Time Communication (RTC)
· WebRTC and ICE/STUN/TURN
· Types of NAT and NAT behavior Discovery
· ICE, STUN, TURN
· Auth Methods and implementation overview.
· GÉANT 4 SA8 T2 Proof of Concept STUN/TURN experiences
· Lessons learned
· Symposium demos
· Summary
WebRTC
WebRTC & Firewall / NAT Traversal
WebRTC
[Pie chart of WebRTC connection types (data source: callstats.io); values shown: 10%, 68%, 13%, 7%, 2%; legend: Direct, STUN/NAT, TURN/UDP, TURN/TCP, TURN/TLS]
· WebRTC transport draft
· ICE is mandatory
· ICE depends on a STUN/TURN service
· WebRTC is not only the Web
· Mobile and native applications
· WebRTC is not only video calls
· WebRTC in every browser, and beyond...
Firewall vs RTC
A firewall keeps unwanted traffic outside,
but it also adds barriers to RTC.
The goal: a standards-based solution that
solves RTC firewall/NAT traversal.
Firewall Traversal
· Traversal is getting more and more complicated
· Moving target
· Today's Internet:
· NAT (different types),
· Firewalls (packet filters),
· IPv4 => IPv6 transition,
· Multi-homing, etc.
· TCP is not ideal for RTC
NAT
NAT types (RFC 3489)
· Full-cone NAT
· Address-restricted-cone NAT
· Port-restricted cone NAT
· Symmetric NAT
[Diagram: "Full Cone" NAT (Client, NAT, Server 1, Server 2)]
[Diagram: "Restricted Cone" NAT (Client, NAT, Server 1, Server 2)]
[Diagram: "Port Restricted Cone" NAT (Client, NAT, Server 1, Server 2)]
Symmetric NAT
[Diagram: "Symmetric" NAT (Client, NAT, Server 1, Server 2)]
https://upload.wikimedia.org/wikipedia/commons/7/73/Symmetric_NAT.svg
RFC 4787 and RFC 5780 vs RFC 3489
· Mapping
· EIM (Endpoint-Independent Mapping)
· ADM (Address-Dependent Mapping)
· APDM (Address and Port-Dependent Mapping)
· Filtering
· EIF (Endpoint-Independent Filtering)
· ADF (Address-Dependent Filtering)
· APDF (Address and Port-Dependent Filtering)
Source:
http://www.netmanias.com/en/?m=view&id=techdocs&no=6065
Map Detection
Image Source:
http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780
· TEST I
· Primary IP, Primary Port
· TEST II
· Alternate IP, Primary Port
· TEST III
· Alternate IP, Alternate Port
Filtering Detection
Image Source:
http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780
· TEST I
· Primary IP, Primary Port
· TEST II
· Change Request IP and Port
· TEST III
· Change Request Port
Linux NAT
· Allow IP forwarding sysctl net.ipv4.ip_forward=1
· Symmetric NAT
· Address and Port dependent Mapping
· Address and Port dependent Filtering
· iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random
· Port restricted Cone NAT
· Endpoint Independent Mapping
· Address and Port dependent Filtering
· iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
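The mapping and filtering decision trees from the Map/Filtering Detection slides, as an added example (not coTURN's turnutils_natdiscovery code): the STUN round-trips are replaced by a constructed SimulatedNat so the RFC 5780 logic can be run offline; the server addresses and the client socket are assumptions. The two iptables rules above correspond to SimulatedNat("APDM", "APDF") and SimulatedNat("EIM", "APDF").

```python
"""RFC 5780 NAT behaviour discovery: the mapping and filtering decision trees
that the Map/Filtering Detection slides walk through. Added example, not
coTURN's turnutils_natdiscovery. The STUN round-trips are replaced by a
constructed SimulatedNat (an assumption) so the logic runs offline."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]

# STUN server with two IPs and two ports, as RFC 5780 requires (constructed).
PRIMARY = ("198.51.100.1", 3478)
PRIMARY_IP_ALT_PORT = ("198.51.100.1", 3479)
ALT_IP_PRIMARY_PORT = ("198.51.100.2", 3478)
ALT_IP_ALT_PORT = ("198.51.100.2", 3479)
LOCAL = ("10.0.0.5", 50000)          # the client's own socket (constructed)


@dataclass
class SimulatedNat:
    """Stand-in for a NAT with a given RFC 4787 mapping/filtering behaviour."""
    mapping: str                     # "EIM", "ADM" or "APDM"
    filtering: str                   # "EIF", "ADF" or "APDF"
    public_ip: str = "203.0.113.10"
    _ports: Dict[tuple, int] = field(default_factory=dict)
    _next_port: int = 40000

    def map(self, local: Addr, dest: Addr) -> Addr:
        """External address used for a packet from `local` to `dest`.
        Per the Linux NAT slide: MASQUERADE --random picks a new port per
        destination (APDM); plain MASQUERADE keeps one port per socket (EIM)."""
        key = {"EIM": (local,), "ADM": (local, dest[0]),
               "APDM": (local, dest)}[self.mapping]
        if key not in self._ports:
            self._ports[key] = self._next_port
            self._next_port += 1
        return (self.public_ip, self._ports[key])

    def allows_inbound(self, sent_to: Addr, src: Addr) -> bool:
        """Would a reply from `src` pass the filter after we sent to `sent_to`?"""
        if self.filtering == "EIF":
            return True
        if self.filtering == "ADF":
            return src[0] == sent_to[0]
        return src == sent_to            # APDF


def binding_request(nat: Optional[SimulatedNat], dest: Addr) -> Addr:
    """Send a Binding request to `dest`; return the XOR-MAPPED-ADDRESS echoed back."""
    return nat.map(LOCAL, dest) if nat else LOCAL


def detect_mapping(nat: Optional[SimulatedNat]) -> str:
    """RFC 5780 section 4.3: compare the mapped address across three targets."""
    mapped1 = binding_request(nat, PRIMARY)               # Test I
    if mapped1 == LOCAL:
        return "No NAT"
    mapped2 = binding_request(nat, ALT_IP_PRIMARY_PORT)   # Test II: alternate IP
    if mapped1 == mapped2:
        return "EIM"
    mapped3 = binding_request(nat, ALT_IP_ALT_PORT)       # Test III: alternate IP and port
    return "ADM" if mapped2 == mapped3 else "APDM"


def detect_filtering(nat: Optional[SimulatedNat]) -> str:
    """RFC 5780 section 4.4: after Test I, CHANGE-REQUEST asks the server to
    answer from another IP and port (Test II) or from another port only
    (Test III); which replies get through tells the filtering behaviour."""
    if nat is None:
        return "EIF"
    if nat.allows_inbound(PRIMARY, ALT_IP_ALT_PORT):      # Test II
        return "EIF"
    if nat.allows_inbound(PRIMARY, PRIMARY_IP_ALT_PORT):  # Test III
        return "ADF"
    return "APDF"
```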
RFC5780 and coTURN
· NAT behavior is not always constant in time!
· A NAT could change its characteristics under attack, high load, etc.
· Still worth understanding the current behavior.
· RFC 4787 - NAT Behavioral Requirements for Unicast UDP
· coTURN provides a brilliant STUN client library
· Based on it I created a utility to detect the NAT type according to RFC 5780
· bin/turnutils_natdiscovery -f -m 193.224.47.74
Example symmetric NAT output
misi@csiga:~/work/coturn$ bin/turnutils_natdiscovery -f -m 193.224.47.74
…
========================================
NAT with Address and Port Dependent Mapping!
========================================
…
========================================
NAT with Address and Port Dependent Filtering!
========================================
misi@csiga:~/work/coturn$
ICE, STUN, TURN
ICE step by step
· Discovery and Candidate gathering
· Allocation
· Prioritisation
· Exchange
· Connectivity Check
· Frozen Algorithm
· Coordination
· Communication
IP address and port discovery
· Candidate pair
· IP address, port, protocol
· Types
· Relayed
· Reflexive
· Server, Peer
· Host
[Diagram: UA behind a NAT reaching a TURN server on the public Internet; host address X:x, server reflexive address X':x', relayed address Y:y]
Why is gathering all addresses a problem?
· ICE gathers ALL(!) candidates
· „By design”
· to find the best path
· IP address leakage
· exposes your IP addresses
· private, public, VPN etc.
· Solution:
· Limit candidate discovery
· Limit interface and address gathering
· A fix is under way
· draft-ietf-rtcweb-ip-handling
· Chrome
· Opt-in: Network limiter extension
· Step two: build it into the core and make it the default
· Firefox
· New UI tools to restrict candidates
· https://wiki.mozilla.org/Media/WebRTC/Privacy
Trickle ICE
Slide from: trickle-ice-iet86-orlando.pptx
[Sequence diagram: Alice and Bob each run discovery against a STUN server; then offer and candidates, connectivity checks, answer and candidates]
Vanilla ICE as per RFC 5245
[Sequence diagram: Alice and Bob each run discovery against a STUN server; O/A with host or no candidates, then more candidates and connectivity checks]
RETURN
[ASCII figure from the RETURN draft: a browser inside the network with host, srflx, relay, relay2, srflx2 and host2 candidates; a border TURN proxy server at the network edge; the application TURN server outside]
KEY: O Candidate; ..... Non encapsulated; - - - TURN encapsulated; ----- Double TURN encapsulated; || Network edge
· RETURN
· Recursively Encapsulated TURN
· DNS „auto-discovery”
· Corporate border proxy
· Corporate and application TURN servers
· Leakiness
· Leaky: use all possible candidates
· Sealed: force only the enterprise TURN proxy
STUN
Auth Methods
Long Term vs Short Term
· STUN (RFC 5389) defines two credential mechanisms
· Short-term credential mechanism
· Used once
· A new key every time
· ICE uses it for connectivity checks
· SDP (a=ice-ufrag and a=ice-pwd)
· Long-term credential mechanism
· The credential is not limited in time.
· Main usage: STUN reflexive address detection and TURN relay allocation
· Stored in a user database (HA1)
Long Term Credential
· User, realm, password
· „Origin” based REALM (draft-ietf-tram-stun-origin) /WebRTC/
· The user database stores HA1
· HA1 = MD5("user:example.com:mysecret")
· Message integrity algorithm: HMAC-SHA1
· MESSAGE-INTEGRITY = HMAC-SHA1(M, MD5("user:example.com:mysecret"))
· Protection against replay attacks
· It is the base auth method for STUN
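An added worked example (not coTURN's or the PoC's code) of the long-term credential mechanics just described: HA1 derivation, MESSAGE-INTEGRITY over a constructed Binding request, and the server-side check that has to look the key up by the clear-text USERNAME. The message layout follows RFC 5389; SASLprep of the password is assumed away (ASCII input only).

```python
"""STUN long-term credential: derive HA1 and compute/verify MESSAGE-INTEGRITY
(RFC 5389 sections 10.2 and 15.4). Added example, not coTURN or PoC code.
The Binding request built here is constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008
ATTR_REALM, ATTR_NONCE = 0x0014, 0x0015
MI_ATTR_LEN = 4 + 20   # TLV header + HMAC-SHA1 output


def ltc_key(user: str, realm: str, password: str) -> bytes:
    """HA1 = MD5("user:realm:password"): what the user DB stores, so the
    server never needs the clear-text password. RFC 5389 applies SASLprep
    to the password first; plain ASCII input is assumed here."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute, padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def stun_header(msg_type: int, body_len: int, txid: bytes) -> bytes:
    return struct.pack("!HHI", msg_type, body_len, MAGIC_COOKIE) + txid


def message_integrity(msg_without_mi: bytes, key: bytes) -> bytes:
    """HMAC-SHA1 over the message, with the header length field already
    counting the MESSAGE-INTEGRITY attribute that follows (RFC 5389 15.4)."""
    msg_type = struct.unpack("!H", msg_without_mi[:2])[0]
    txid = msg_without_mi[8:20]
    body = msg_without_mi[20:]
    covered = stun_header(msg_type, len(body) + MI_ATTR_LEN, txid) + body
    return hmac.new(key, covered, hashlib.sha1).digest()


def build_binding_request(user: str, realm: str, nonce: bytes, key: bytes) -> bytes:
    """Client side: USERNAME, REALM and NONCE travel in the clear; only the
    HMAC proves knowledge of HA1."""
    body = (attr(ATTR_USERNAME, user.encode()) + attr(ATTR_REALM, realm.encode())
            + attr(ATTR_NONCE, nonce))
    txid = os.urandom(12)
    mi = message_integrity(stun_header(BINDING_REQUEST, len(body), txid) + body, key)
    return (stun_header(BINDING_REQUEST, len(body) + MI_ATTR_LEN, txid) + body
            + attr(ATTR_MESSAGE_INTEGRITY, mi))


def parse_attributes(msg: bytes):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        yield atype, msg[off + 4:off + 4 + alen], off
        off += 4 + alen + (-alen % 4)


def verify_request(msg: bytes, user_db: dict) -> bool:
    """Server side: look HA1 up by the clear-text USERNAME, then recompute
    the HMAC over everything that precedes MESSAGE-INTEGRITY. A constant-time
    compare avoids leaking how many HMAC bytes matched."""
    attrs = {a: (v, o) for a, v, o in parse_attributes(msg)}
    if ATTR_USERNAME not in attrs or ATTR_MESSAGE_INTEGRITY not in attrs:
        return False
    key = user_db.get(attrs[ATTR_USERNAME][0].decode(errors="replace"))
    if key is None:
        return False
    received, mi_offset = attrs[ATTR_MESSAGE_INTEGRITY]
    expected = message_integrity(msg[:mi_offset], key)
    return hmac.compare_digest(received, expected)
```

Because USERNAME is the lookup key and the HMAC can be recomputed offline from a captured message, a guessable password is brute-forceable; that is why the PoC generates the LTC password (see the security design principles later in the deck).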
WebRTC & LTC = not perfect match
· Long Term Credential
· Summary of the problems: draft-reddy-behave-turn-auth
· Keeping the password secret is difficult for web apps
· Message integrity is not protected against offline dictionary attacks.
· The server has to look up the credential in the user database.
· The username is not encrypted in the STUN message and could be used for tracking.
· Short Term Credential (only for one connection)
· No protection against replay attacks
· Designed for short-term use
STUN auth for WebRTC = REST API
(Time Limited Long Term Credential)
· draft-uberti-rtcweb-turn-rest-00
· The REST API and the STUN/TURN server share a secret.
· The service provider is identified by an api_key and, on behalf of the end user, requests and receives a time-limited credential.
· The web application passes this credential to the end user's browser JS API.
· username = timestamp and application-specific data separated by a „:”.
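The time-limited credential flow as an added example in Python (not the PoC's PHP REST API): the issuer computes the username/password pair the draft specifies, and the TURN side validates it from the shared secret alone. Accepting the previous daily secret as well is an assumption that models the daily rotation described later in this deck.

```python
"""Time-limited long-term credential per draft-uberti-rtcweb-turn-rest:
username = "<expiry unix timestamp>:<app data>",
password = base64(HMAC-SHA1(shared_secret, username)).
Added example, not the PoC's PHP code. Accepting the previous secret in
addition to the current one is an assumption modelled on daily rotation."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Sequence, Tuple

DEFAULT_TTL = 24 * 3600   # one-day lifetime, as the draft suggests


def rest_credential(shared_secret: bytes, app_data: str,
                    now: Optional[int] = None, ttl: int = DEFAULT_TTL) -> Tuple[str, str]:
    """Issuer side: what the REST API hands to the web app, which forwards
    it to the browser as TURN username/credential."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{app_data}"
    digest = hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def turn_server_check(username: str, password: str, secrets: Sequence[bytes],
                      now: Optional[int] = None) -> bool:
    """TURN side: no user database; recompute the HMAC with every secret still
    inside the rotation window and reject expired or malformed usernames.
    Moving the expiry forward invalidates the HMAC, so a client cannot extend
    its own credential."""
    now = int(time.time()) if now is None else now
    expiry_str, _, _app_data = username.partition(":")
    if not expiry_str.isdigit() or int(expiry_str) < now:
        return False
    try:
        received = base64.b64decode(password, validate=True)
    except ValueError:
        return False
    for secret in secrets:
        expected = hmac.new(secret, username.encode(), hashlib.sha1).digest()
        if hmac.compare_digest(received, expected):
            return True
    return False
```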
REST API Operation Overview
(Time Limited Long Term Credential)
[Diagram: Web App, REST API and TURN server; the REST API and the TURN server hold the shared secret]
OAuth
RFC 7635
Proof of Concept
PoC Overview
· Web frontend
· After AAI (eduGAIN):
· get an LTC user/password credential
· get a key for the REST API
· Distributed service
· NIIF, UNINETT, FCT/FCCN
· Closest server (GeoIP)
· Auth methods
· LTC, REST API,
· OAuth (coming soon)
Ansible
· Automated install of the central node
· OS (firewall, ntp, fail2ban, etc.)
· Web server and PHP
· eduGAIN privacy statement
· MySQL master
· Automated install of the slaves
· OS (firewall, ntp, fail2ban, etc.)
· MySQL slave
· coTURN
· Configure even more
· Certs
· Configure SimpleSAMLphp
· Install Composer
· Update PHP libs
· Checkout git
· Frontend
· REST API
· Set up replication
· Master and slave sides
Design Goals
· Only Open Source components (Debian Jessie, etc.)
· Supporting all possible Authentication methods
· LTC, REST, OAuth
· AAI enabled eduGAIN front-end site
· Distributed back-end database
· Secure Communication, IPv6, DNSSEC
· Support wide range of STUN/TURN transport protocols
· Automated deployment
Security Design Principles
· The LTC user password is generated, to avoid offline dictionary attacks.
· According to the STUN RFC recommendation, “the password SHOULD have at least 128 bits of randomness”
· We use 32 alphanumeric characters, ~190 bits (hackzilla/password-generator)
· REST
· The API_KEY is a generated random key with a one-year expiration
· 32 alphanumeric characters, ~190 bits (hackzilla/password-generator)
· The shared secret between the API and coTURN is rotated daily
TURN servers
Technology Scouting
· Open source implementations:
· http://sourceforge.net/projects/stun/
· http://turnserver.sourceforge.net/
· https://github.com/jitsi/turnserver
· https://www.resiprocate.org/
· http://www.creytiv.com/restund.html
· https://github.com/coTURN/rfc5766-turn-server/
· https://github.com/coTURN/coTURN
· Commercial implementations:
· http://www.eyeball.com/products/stun-turn-server/
· http://help.estos.com/help/en-US/procall/5/erestunservice/dokumentation/index.htm
· Etc.
· Commercial services:
· http://numb.viagenie.ca/
· http://xirsys.com/
· https://www.twilio.com/stun-turn
· Etc.
coTURN
TURN with co-location of multiple realms
· coturn.net - https://github.com/coturn/coturn
· Open source STUN/TURN implementation
· Written in C, rock solid and light on hardware
· It follows the IETF TRAM WG work very closely.
· Supports multiple backend database types (5)
· STUN over UDP/TCP/TLS/DTLS/SCTP
· TCP/UDP (relay)
· Auth methods: LTC, REST (time-limited LTC), OAuth
· IPv4 and IPv6
User Frontend
· Landing web page
· SimpleSAMLphp, eduGAIN auth; we request 4 attributes
· Bootstrapzero design
· Quick & dirty PoC-level implementation
· REST API
· "slim/slim": "^2.6"
· "zircote/swagger-php": "^2.0"
· "geoip/geoip": "~1.14" (IPv6)
· "mjaschen/phpgeo": "^0.3.0"
Live Demo:
https://brain.lab.vvc.niif.hu
Pick the closest STUN/TURN
· LTC
· DNS GeoIP-based views
· Based on the location of the DNS resolver, not the client (!)
· OpenDNSSEC does not yet support views!
Issue: OPENDNSSEC-232
· Anycast
· Provider independent
· IPv4 /24
· IPv6 /64
· REST
· Input: the user's IP address, as seen by the web server side application
· Local GeoIP database
· IP => Coordinates
· Vincenty's formulae
· Coordinates => Distance
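Closest-server selection for the REST path as an added example (not the PoC's PHP code, which used geoip/geoip and mjaschen/phpgeo): a constructed lookup table stands in for the local GeoIP database, the server coordinates are assumed approximations, and the Vincenty inverse formula is carried through in full.

```python
"""Closest-server selection: client IP -> coordinates (GeoIP, simulated here
by a constructed table) -> Vincenty inverse formula -> nearest TURN server.
Added example, not the PoC's PHP code. Coordinates are assumed approximations."""
import math
from typing import Dict, Tuple

# Constructed sample data: the three PoC sites (approximate, assumed
# coordinates) and a stand-in for the local GeoIP database.
SERVERS: Dict[str, Tuple[float, float]] = {
    "niif.example":    (47.50, 19.05),    # Budapest
    "uninett.example": (63.43, 10.40),    # Trondheim
    "fccn.example":    (38.72, -9.14),    # Lisbon
}
GEOIP: Dict[str, Tuple[float, float]] = {
    "198.51.100.7": (48.21, 16.37),       # Vienna
    "203.0.113.9":  (60.17, 24.94),       # Helsinki
}


def vincenty_distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Inverse Vincenty on the WGS-84 ellipsoid; returns metres."""
    a, f = 6378137.0, 1 / 298.257223563
    b = (1 - f) * a
    u1 = math.atan((1 - f) * math.tan(math.radians(lat1)))   # reduced latitudes
    u2 = math.atan((1 - f) * math.tan(math.radians(lat2)))
    big_l = math.radians(lon2 - lon1)
    sin_u1, cos_u1 = math.sin(u1), math.cos(u1)
    sin_u2, cos_u2 = math.sin(u2), math.cos(u2)
    lam = big_l
    for _ in range(200):                 # iterate lambda on the auxiliary sphere
        sin_lam, cos_lam = math.sin(lam), math.cos(lam)
        sin_sigma = math.hypot(cos_u2 * sin_lam,
                               cos_u1 * sin_u2 - sin_u1 * cos_u2 * cos_lam)
        if sin_sigma == 0.0:
            return 0.0                   # coincident points
        cos_sigma = sin_u1 * sin_u2 + cos_u1 * cos_u2 * cos_lam
        sigma = math.atan2(sin_sigma, cos_sigma)
        sin_alpha = cos_u1 * cos_u2 * sin_lam / sin_sigma
        cos2_alpha = 1 - sin_alpha ** 2
        cos_2sm = cos_sigma - 2 * sin_u1 * sin_u2 / cos2_alpha if cos2_alpha else 0.0
        c = f / 16 * cos2_alpha * (4 + f * (4 - 3 * cos2_alpha))
        lam_prev = lam
        lam = big_l + (1 - c) * f * sin_alpha * (
            sigma + c * sin_sigma * (cos_2sm + c * cos_sigma * (-1 + 2 * cos_2sm ** 2)))
        if abs(lam - lam_prev) < 1e-12:
            break
    u_sq = cos2_alpha * (a * a - b * b) / (b * b)
    big_a = 1 + u_sq / 16384 * (4096 + u_sq * (-768 + u_sq * (320 - 175 * u_sq)))
    big_b = u_sq / 1024 * (256 + u_sq * (-128 + u_sq * (74 - 47 * u_sq)))
    delta_sigma = big_b * sin_sigma * (cos_2sm + big_b / 4 * (
        cos_sigma * (-1 + 2 * cos_2sm ** 2)
        - big_b / 6 * cos_2sm * (-3 + 4 * sin_sigma ** 2) * (-3 + 4 * cos_2sm ** 2)))
    return b * big_a * (sigma - delta_sigma)


def closest_server(client_ip: str) -> str:
    """Server-side GeoIP lookup on the client's own address (not its DNS
    resolver's, which is the weakness of the DNS-view approach), then the
    nearest TURN server by ellipsoidal distance."""
    lat, lon = GEOIP[client_ip]
    return min(SERVERS, key=lambda name: vincenty_distance_m(lat, lon, *SERVERS[name]))
```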
Auth methods
· LTC and REST
· Client behavior is not changed.
· Only the server side differs.
· coTURN doesn't support both mechanisms in one daemon
· We used a simple design approach: separate the auth methods at VM level.
· Avoids repackaging
· Multiple daemons could also work on the same VM.
· Drawback: the normal Debian package is designed to run one daemon per host.
· To exploit the latest coTURN implementation features we decided to use the jessie-backports repository
IPv6 Ready service
Smooth IPv6 transition
· All services are IPv6 READY and work in dual stack
· STUN/TURN services
· Dual allocation
· MySQL
· NTP
· SSH
· DNS resolvers
· Web server
· Frontend, REST API
MySQL
· Separate DBs for the different auth methods
· MySQL replication
· Encrypted
· netfilter protects the ports
· IP address based access control
· Generated passwords
· Replication filtered per DB (auth method)
· MySQL events:
· LTC
· Revoking LTCs after a year
· REST
· Generating new shared secrets daily
· Revoking API tokens after a year
· Shared key aging
· Limits the damage if a REST TURN server is compromised.
MySQL DB Schemas
STUN & Long Term Credential
· STUN LTC authentication is optional according to the RFC
· Pros:
· Use the same auth policy for STUN and TURN
· Avoid attacks and server discovery. Avoid crawler robots scanning the Internet for vulnerable open STUN/TURN services. (Version)
· Avoid disclosing the STUN server topology (alternate address and port).
· Contra:
· The work involved in authenticating the request is more than the work in simply processing it.
· Reality: lack of browser implementation
STUN & LTC chrome
· Log
[1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1
reason='Unauthorized'
[1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1
reason='Unauthorized'
[1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1
reason='Unauthorized'
[1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1
reason='Unauthorized'
[1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1
reason='Unauthorized'
· Turned out from the source:
· The STUN auth challenge is not handled in stunport.cc
· nICEr: TODO in src/stun/stun_client_ctx.c
OAuth
Browser Implementation Status
· Chrome
· Open issue 4907: https://goo.gl/Z69q6I
· Not happening in Q1
· Firefox
· Open bug 1247616: https://goo.gl/6n78rL
· "Not implemented" warning for app devs from version 47
OAuth & TURN
· No PHP library supports Authenticated Encryption with Associated Data (AEAD)
· OpenSSL samples: https://goo.gl/UfuqTr
· coTURN
· Self-contained OAuth token validation implemented
· src/client/ns_turn_msg.c
· Function: int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
Built in STUN
· Chrome
· stun.l.google.com:19302
· Firefox
· media.peerconnection.default_iceservers;[]
· media.peerconnection.ice.tcp;false
· stun.services.mozilla.com
· Default STUN server removed from version 41
· Bugs: 1167922, 1143827
· No service agreement about long-term service availability
· It is up to the browser vendor
· The built-in STUN SLA is not well defined
Lesson Learned
· STUN binding with LTC is not supported in browsers.
· Port numbers
· Standard ports
· Standard alternate port
· 80, 443 for strict firewalls
· NAT discovery
· Multiple IP addresses required
· Decisions & lessons
· LTC
· GeoIP vs Anycast
· OpenDNSSEC does not support views.
· REST API
· GeoIP and Vincenty vs Google Maps API
· OAuth (coming soon..)
· Wait for browser support.
Future directions
· Utilize untapped coTURN features
· STUN origin
· Quotas
· Bandwidth, session
· Admin interface
· Monitoring
· Improve the user interface
· Frontend, REST API
· Central collection of coTURN log files
· Analytics, anomaly detection
· Support, helpdesk
· App developer API examples
· Investigating problems
· Service monitoring (SLA)
· VM, OS, DB, coTURN
· Alerts
Make or Buy?
· We have the infrastructure in place
· Virtual/physical machines
· Small instances required
· Networking service
· High bandwidth capacity
· IPv6
· Secure and encrypted
· Updated
· Open source
· From public money
· Non-technical reasons
· Trust
· Transparency
· Time spent following market players' (moving) offerings
· Time spent negotiating prices
· Procurement fees
· NRENs & the commercial market have different priorities
· The education market is not big enough to get features implemented
Symposium Demos
GN4 Symposium Demo
· WebTut
· Teacher <=> Student
· Symmetric NAT
· Tablet and PC
· What happens
· 1. Without STUN/TURN
· 2. With STUN/TURN
· 3. Two endpoints in the same LAN segment
In practice
Summary
· ICE provides E2E communication (lowest latency) whenever possible
· Standards-based NAT/firewall traversal and smooth IPv6 transition
· According to the WebRTC transport draft, ICE is a MUST.
· “ICE [RFC5245] MUST be supported.”
· ICE needs a STUN/TURN server infrastructure.
· A GÉANT4 PoC service is up and running. Next step? Pilot...
· „Leading edge” collaboration technologies serving the NREN community's communication needs.
Questions?
CONTACT: misi@niif.hu

DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Stun turn poc_pilot

  • 1. ICE, STUN, TURN Federated STUN/TURN service PoC/Pilot experiences Mészáros Mihály NIIF Institute 4th TF-WEBRTC meeting - DFN Berlin 2016
  • 2. STUN, TURN, ICE · STUN „Classic” - RFC 3489 (2003 March) · Simple Traversal of UDP Through NATs · STUN - „New” - RFC 5389 (2008 October) · Session Traversal Utilities for NAT · TURN - RFC 5766 (2010 April) · Traversal Using Relays around NAT (Relay Extensions to STUN) · ICE – RFC 5245 (2010 April) · Interactive Connectivity Establishment
  • 3. Table of Contents · Overview: Firewall vs. Real Time Communication (RTC) · WebRTC and ICE/STUN/TURN · Types of NAT and NAT behavior Discovery · ICE, STUN, TURN · Auth Methods and implementation overview. · GÉANT 4 SA8 T2 Proof of Concept STUN/TURN experiences · Lessons learned · Symposium demos · Summary
  • 5. WebRTC & Firewall / NAT Traversal
  • 6. WebRTC [Pie chart, in slide order: Direct, STUN/NAT, TURN/UDP, TURN/TCP, TURN/TLS at 10%, 68%, 13%, 7%, 2%; data source: callstats.io] · WebRTC transport draft · ICE is mandatory · ICE depends on the STUN/TURN service · WebRTC is not only Web · Mobile, native applications · WebRTC isn't only video calls · WebRTC in every browser and beyond...
  • 8. Firewall keeps the unwanted traffic Outside
  • 9. But also adds barriers to RTC
  • 10. The Goal: Standard based solution that solves RTC Firewall/NAT traversal
  • 11. Firewall Traversal · Traversal is getting more and more complicated · Moving target · Today's Internet: · NAT (different types), · Firewall (packet filters), · IPv4 => IPv6 transition, · Multi-homing, etc. · TCP is not ideal for RTC
  • 12. NAT
  • 13. NAT types (RFC 3489) · Full-cone NAT · Address-restricted-cone NAT · Port-restricted cone NAT · Symmetric NAT Server 1 Server 2 Client NAT "Full Cone" NAT Server 1 Server 2 Client NAT "Restricted Cone" NAT Server 1 Server 2 Client NAT "Port Restricted Cone" NAT
  • 15. RFC 4787 and RFC 5780 vs RFC 3489 · Mapping · EIM (Endpoint-Independent Mapping) · ADM (Address-Dependent Mapping) · APDM (Address-and-Port-Dependent Mapping) · Filtering · EIF (Endpoint-Independent Filtering) · ADF (Address-Dependent Filtering) · APDF (Address-and-Port-Dependent Filtering) Source: http://www.netmanias.com/en/?m=view&id=techdocs&no=6065
  • 16. Mapping Detection Image Source: http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780 · TEST I · Primary IP, Primary Port · TEST II · Alternate IP, Primary Port · TEST III · Alternate IP, Alternate Port
  • 17. Filtering Detection Image Source: http://www.netmanias.com/en/post/techdocs/6067/nat-stun/nat-behavior-discovery-using-stun-rfc-5780 · TEST I · Primary IP, Primary Port · TEST II · Change Request IP and Port · TEST III · Change Request Port
  • 18. Linux NAT · Allow IP forwarding: sysctl net.ipv4.ip_forward=1 · Symmetric NAT · Address and Port dependent Mapping (a random source port per conntrack entry, so per destination) · Address and Port dependent Filtering (conntrack only passes replies that match the full tuple) · iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random · Port restricted Cone NAT · Endpoint Independent Mapping (the original source port is kept while it is free) · Address and Port dependent Filtering · iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • 19. RFC5780 and coTURN · NAT behavior is not always constant in time! · A NAT could change characteristics during attacks, under high load, etc. · Still worth understanding the current behavior. · RFC 4787 - NAT Behavioral Requirements for Unicast UDP · coTURN provides a brilliant STUN client library · Based on it I created a utility to detect the NAT type according to RFC 5780 · bin/turnutils_natdiscovery -f -m 193.224.47.74
  • 20. Example symmetric NAT output misi@csiga:~/work/coturn$ bin/turnutils_natdiscovery -f -m 193.224.47.74 … ======================================== NAT with Address and Port Dependent Mapping! ======================================== … ======================================== NAT with Address and Port Dependent Filtering! ======================================== misi@csiga:~/work/coturn$
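The two discovery slides and the natdiscovery output above describe what the client does; the following is an added example written for this page (it is not turnutils_natdiscovery and not coturn code) that runs the RFC 5780 mapping tests (TEST I primary IP/port, TEST II alternate IP, TEST III alternate IP and port) and filtering tests (CHANGE-REQUEST for IP+port, then port only) and applies the decision logic behind verdicts such as "Address and Port Dependent Mapping". Real sockets are replaced by a probe() callback that simulates a NAT so it runs offline; every address and port below is a constructed sample value, not the PoC's.

```python
# Added example: RFC 5780 NAT behaviour discovery with a simulated NAT.
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_CHANGE_REQUEST, ATTR_XOR_MAPPED_ADDRESS = 0x0003, 0x0020
CHANGE_IP, CHANGE_PORT = 0x04, 0x02            # CHANGE-REQUEST flag bits (RFC 5780 s7.2)


def build_message(msg_type, txid, attrs=()):
    """20-byte STUN header (RFC 5389 s6) followed by TLV attributes padded to 4 bytes."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def parse_message(msg):
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) < 20 + length:
        raise ValueError("not a well-formed STUN message")
    txid, pos, attrs = msg[8:20], 20, []
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs.append((atype, msg[pos + 4:pos + 4 + alen]))
        pos += 4 + alen + (-alen % 4)
    return msg_type, txid, attrs


def binding_request(txid, change_ip=False, change_port=False):
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = [(ATTR_CHANGE_REQUEST, struct.pack("!I", flags))] if flags else []
    return build_message(BINDING_REQUEST, txid, attrs)


def _xor_key(family, txid):
    # IPv4 is XORed with the magic cookie, IPv6 with cookie || transaction id (RFC 5389 s15.2)
    return struct.pack("!I", MAGIC_COOKIE) + (txid if family == 0x02 else b"")


def encode_xor_mapped_address(ip, port, txid):
    try:
        raw, family = socket.inet_pton(socket.AF_INET, ip), 0x01
    except OSError:
        raw, family = socket.inet_pton(socket.AF_INET6, ip), 0x02
    xaddr = bytes(a ^ b for a, b in zip(raw, _xor_key(family, txid)))
    return struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr


def mapped_address(response, expected_txid):
    """(ip, port) from XOR-MAPPED-ADDRESS; None if the response is not ours or carries none."""
    msg_type, txid, attrs = parse_message(response)
    if msg_type != BINDING_SUCCESS or txid != expected_txid:
        return None
    for atype, value in attrs:
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            family, xport = value[1], struct.unpack("!H", value[2:4])[0]
            raw = bytes(a ^ b for a, b in zip(value[4:], _xor_key(family, txid)))
            af = socket.AF_INET6 if family == 0x02 else socket.AF_INET
            return socket.inet_ntop(af, raw), xport ^ (MAGIC_COOKIE >> 16)
    return None


def classify_mapping(local, m1, m2, m3):
    """RFC 5780 s4.3: m1 primary ip/port, m2 alternate ip, m3 alternate ip and port."""
    if m1 is None:
        return "UDP blocked"
    if m1 == local:
        return "No NAT"
    if m1 == m2:
        return "Endpoint Independent Mapping (EIM)"
    if m2 == m3:
        return "Address Dependent Mapping (ADM)"
    return "Address and Port Dependent Mapping (APDM)"


def classify_filtering(answered_change_both, answered_change_port):
    """RFC 5780 s4.4: reply requested from alternate ip+port (TEST II), then alternate port (TEST III)."""
    if answered_change_both:
        return "Endpoint Independent Filtering (EIF)"
    if answered_change_port:
        return "Address Dependent Filtering (ADF)"
    return "Address and Port Dependent Filtering (APDF)"


def discover(probe, local, primary, alternate):
    """probe(dest, request_bytes) -> response bytes, or None on timeout. Returns (mapping, filtering)."""
    def send(dest, **flags):
        txid = os.urandom(12)
        resp = probe(dest, binding_request(txid, **flags))
        return mapped_address(resp, txid) if resp else None
    m1, m2, m3 = send(primary), send((alternate[0], primary[1])), send(alternate)
    f2, f3 = send(primary, change_ip=True, change_port=True), send(primary, change_port=True)
    return classify_mapping(local, m1, m2, m3), classify_filtering(f2 is not None, f3 is not None)


def simulated_nat(public_ip="203.0.113.7", port_per_destination=True, accepts_foreign_source=False):
    """Constructed NAT stand-in: port_per_destination=True is symmetric (APDM), False is cone (EIM);
    accepts_foreign_source=True passes replies from any ip/port (full cone, EIF)."""
    ports = {}

    def probe(dest, request):
        _, txid, attrs = parse_message(request)
        flags = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_CHANGE_REQUEST), 0)
        if flags and not accepts_foreign_source:        # reply from another source is filtered out
            return None
        port = ports.setdefault(dest if port_per_destination else "any", 40000 + len(ports))
        attr = encode_xor_mapped_address(public_ip, port, txid)
        return build_message(BINDING_SUCCESS, txid, [(ATTR_XOR_MAPPED_ADDRESS, attr)])
    return probe
```

To run it against a real RFC 5780 server, replace probe() with a UDP send/recv that uses a timeout and the same socket for all five requests, otherwise the mapping tests compare different NAT bindings. The transaction-id check in mapped_address is what keeps a stray or spoofed response from being attributed to the wrong test.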
  • 22. ICE step by step · Discovery and Candidate gathering · Allocation · Prioritisation · Exchange · Connectivity Check · Frozen Algorithm · Coordination · Communication
  • 23. IP address and port discovery · Candidate pair · IP address, port, protocol · Types · Relayed · Reflexive · Server, Peer · Host [Figure: UA behind a NAT with host address X:x, server reflexive address X':x' on the public side of the NAT, relayed address Y:y on the TURN server in the public Internet]
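The "Prioritisation" step of the ICE walk-through and the candidate types above are where the order of the later connectivity checks is decided. The following is an added example written for this page, not code from the talk or from any ICE stack: it computes RFC 5245 candidate priorities (host above server reflexive above relayed), candidate-pair priorities, and forms the pruned, sorted check list. All addresses are constructed sample values.

```python
# Added example: RFC 5245 candidate and candidate-pair prioritisation.
from dataclasses import dataclass
from typing import Optional

# Recommended type preferences (RFC 5245 s4.1.2.2): host > peer reflexive > server reflexive > relayed.
TYPE_PREFERENCE = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    ip: str
    port: int
    ctype: str
    component: int = 1                 # 1 = RTP, 2 = RTCP
    local_preference: int = 65535      # single-homed host: the highest value
    base: Optional["Candidate"] = None  # for srflx: the host candidate it was learned from

    def priority(self) -> int:
        """RFC 5245 s4.1.2.1: (2^24)*type pref + (2^8)*local pref + (256 - component id)."""
        return ((1 << 24) * TYPE_PREFERENCE[self.ctype]
                + (1 << 8) * self.local_preference
                + (256 - self.component))


def pair_priority(controlling: int, controlled: int) -> int:
    """RFC 5245 s5.7.2: 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D ? 1 : 0); G controlling, D controlled."""
    g, d = controlling, controlled
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def form_check_list(local, remote, controlling=True):
    """Pair candidates of the same component, replace local srflx by its base and drop the
    duplicates that creates (RFC 5245 s5.7.3 pruning), sort by pair priority, highest first."""
    seen, pairs = set(), []
    for cand in local:
        l_eff = cand.base if (cand.ctype == "srflx" and cand.base is not None) else cand
        for r in remote:
            if l_eff.component != r.component or (l_eff, r) in seen:
                continue
            seen.add((l_eff, r))
            g, d = (l_eff.priority(), r.priority()) if controlling else (r.priority(), l_eff.priority())
            pairs.append((pair_priority(g, d), l_eff, r))
    pairs.sort(key=lambda p: p[0], reverse=True)
    return pairs


def demo():
    """Constructed local candidates behind a NAT and two remote candidates; returns the check order."""
    host = Candidate("10.0.0.5", 50000, "host")
    local = [host, Candidate("203.0.113.7", 40001, "srflx", base=host), Candidate("198.51.100.20", 49152, "relay")]
    remote = [Candidate("192.0.2.9", 6000, "host"), Candidate("198.51.100.30", 49153, "relay")]
    return [(l.ctype, r.ctype) for _, l, r in form_check_list(local, remote)]
```

The well-known values 2130706431, 1694498815 and 16777215 that show up in browser ICE logs for host, srflx and relay candidates are exactly these formulas; with the srflx pair collapsed onto its host base, the check list of demo() starts with host-host and ends with relay-relay, which is why a direct path wins whenever the checks for it succeed.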
  • 24. Why is gathering all addresses a problem? · ICE gathers ALL(!) · „By design” · to find the best path · IP address leakage · exposes your IP addresses · Private, public, VPN, etc. · Solution: · Limit candidate discovery · Limit interface and address gathering · A fix is under way · draft-ietf-rtcweb-ip-handling · Chrome · Opt-in: Network Limiter extension · Step two: build it into the core and make it the default · Firefox · New UI tools to restrict candidates · https://wiki.mozilla.org/Media/WebRTC/Privacy
  • 25. Trickle ICE Slide from: trickle-ice-iet86-orlando.pptx [Figure, two sequence diagrams between Alice and Bob, each with a STUN server: Vanilla ICE as per RFC 5245: both sides finish discovery (gathering) first, then the offer carries all candidates, connectivity checks run, and the answer carries all candidates. Trickle ICE: offer/answer is sent with host candidates or no candidates at all, and further candidates and connectivity checks are interleaved while gathering continues.]
  • 26. RETURN [ASCII figure from the RETURN draft: inside the enterprise network a browser with host, srflx and relay candidates; at the network edge a border TURN proxy that yields relay2, srflx2 and host2 candidates toward the outside; an application TURN server in the outside network. Key: non-encapsulated, TURN-encapsulated and double-TURN-encapsulated paths.] · RETURN · Recursively Encapsulated TURN · DNS „auto-discovery” · Corporate border proxy · Corporate and application TURN servers chained · Leakiness · Leaky: use all possible candidates · Sealed: force only the enterprise TURN proxy
  • 28. Long Term vs Short Term · STUN (RFC 5389) defines two credential mechanisms · Short-term credential mechanism · Used once · A fresh key for every session · ICE uses it for connectivity checks · SDP (a=ice-ufrag and a=ice-pwd) · Long-term credential mechanism · The credential is not limited in time. · Main usage: STUN reflexive address detection and TURN relay allocation · Stored in a user database (HA1)
  • 29. Long Term Credential · User, Realm, Password · „Origin” based REALM (draft-ietf-tram-stun-origin) /WebRTC/ · The user database stores HA1 · HA1 = MD5(”user:example.com:mysecret”) · Message integrity algorithm (HMAC-SHA1) · MESSAGE-INTEGRITY = HMAC-SHA1(key = HA1, message) · Protection against replay attacks (NONCE) · It is the base authentication method for STUN/TURN
  • 30. WebRTC & LTC = not perfect match · Long Term Credential · Summary of problems: draft-reddy-behave-turn-auth · Keeping the password secret is difficult for web apps (it ends up in the client-side JavaScript) · MESSAGE-INTEGRITY is not protected against offline dictionary attacks. · The server has to look the credential up in the user database for every request. · The username is sent in clear text in the STUN message, so it can be used for tracking. · Short Term Credential (only for one connection) · No protection against replay attacks · Designed for short-term use
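The two slides above describe the long-term credential and its main weakness in words; the following is an added example written for this page (not coturn's or the PoC's code) that shows both concretely: a TURN Allocate request carrying USERNAME, REALM, NONCE, a MESSAGE-INTEGRITY computed with key HA1 = MD5(user:realm:password) and a FINGERPRINT; the server-side verification against the stored HA1; and the offline dictionary attack, where one captured request is enough to test password guesses without ever contacting the server. Usernames, realm, nonce and the word list are constructed; the "strong" password is generated with about 190 bits of randomness, which is the design rule the PoC adopts later in the talk.

```python
# Added example: STUN/TURN long-term credential, MESSAGE-INTEGRITY, and the offline dictionary attack.
import hashlib
import hmac
import os
import secrets
import struct
import zlib

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008
ATTR_REALM, ATTR_NONCE, ATTR_FINGERPRINT = 0x0014, 0x0015, 0x8028


def ha1(user, realm, password):
    """The only secret the TURN user database stores (RFC 5389 s15.4): MD5 over user:realm:password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()


def _attr(atype, value):
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def _header(msg_type, length, txid):
    return struct.pack("!HHI", msg_type, length, MAGIC_COOKIE) + txid


def build_allocate_request(user, realm, nonce, key, txid):
    body = _attr(ATTR_USERNAME, user.encode()) + _attr(ATTR_REALM, realm.encode()) + _attr(ATTR_NONCE, nonce.encode())
    # HMAC-SHA1 over header + attributes so far, with the header length already counting
    # the 24-byte MESSAGE-INTEGRITY attribute that is appended next (RFC 5389 s15.4).
    mac = hmac.new(key, _header(ALLOCATE_REQUEST, len(body) + 24, txid) + body, hashlib.sha1).digest()
    body += _attr(ATTR_MESSAGE_INTEGRITY, mac)
    # FINGERPRINT: CRC-32 of everything before it (length counting its own 8 bytes) XOR 0x5354554e.
    crc = zlib.crc32(_header(ALLOCATE_REQUEST, len(body) + 8, txid) + body) ^ 0x5354554E
    body += _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return _header(ALLOCATE_REQUEST, len(body), txid) + body


def _parse(msg):
    """-> (type, txid, {attr type: (offset of the TLV, value)})."""
    msg_type, length, _ = struct.unpack("!HHI", msg[:8])
    txid, pos, attrs = msg[8:20], 20, {}
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[atype] = (pos, msg[pos + 4:pos + 4 + alen])
        pos += 4 + alen + (-alen % 4)
    return msg_type, txid, attrs


def fingerprint_ok(msg):
    """Secret-less demultiplexing check: recompute the CRC the sender put in FINGERPRINT."""
    msg_type, txid, attrs = _parse(msg)
    if ATTR_FINGERPRINT not in attrs:
        return False
    pos, value = attrs[ATTR_FINGERPRINT]
    crc = zlib.crc32(_header(msg_type, pos - 20 + 8, txid) + msg[20:pos]) ^ 0x5354554E
    return struct.unpack("!I", value)[0] == crc


def verify_message_integrity(msg, lookup_ha1):
    """Server side. lookup_ha1(user, realm) -> stored key or None. Recomputes the HMAC over the
    bytes preceding MESSAGE-INTEGRITY with the length field adjusted exactly as the sender did."""
    msg_type, txid, attrs = _parse(msg)
    if any(a not in attrs for a in (ATTR_USERNAME, ATTR_REALM, ATTR_MESSAGE_INTEGRITY)):
        return False
    key = lookup_ha1(attrs[ATTR_USERNAME][1].decode(), attrs[ATTR_REALM][1].decode())
    if key is None:
        return False
    mi_pos, mac = attrs[ATTR_MESSAGE_INTEGRITY]
    covered = _header(msg_type, mi_pos - 20 + 24, txid) + msg[20:mi_pos]
    return hmac.compare_digest(hmac.new(key, covered, hashlib.sha1).digest(), mac)


def offline_dictionary_attack(captured_request, wordlist):
    """Attacker side: USERNAME and REALM are in clear text, so each guess costs one MD5 plus one
    HMAC-SHA1 and needs no interaction with (and leaves no trace on) the server."""
    for guess in wordlist:
        if verify_message_integrity(captured_request, lambda u, r: ha1(u, r, guess)):
            return guess
    return None


def demo():
    """Returns (password recovered from the weak user's request, result for the strong user)."""
    realm, nonce = "turn.example.org", "3b0a91f4d2"
    wordlist = ["password", "letmein", "winter2016", "summer2016"]           # constructed word list
    weak = build_allocate_request("alice", realm, nonce, ha1("alice", realm, "winter2016"), os.urandom(12))
    strong_pw = secrets.token_urlsafe(24)                                     # 192 random bits
    strong = build_allocate_request("bob", realm, nonce, ha1("bob", realm, strong_pw), os.urandom(12))
    return offline_dictionary_attack(weak, wordlist), offline_dictionary_attack(strong, wordlist)
```

The attack succeeds for any user whose password is guessable; the NONCE stops replay but does nothing against guessing, because the attacker recomputes the MAC over the captured message with each candidate HA1. This is the reason the PoC generates passwords rather than letting users choose them, and the reason the REST mechanism in the next slides derives a fresh credential per session from a server-side secret.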
  • 31. STUN auth for WebRTC = REST API (Time Limited Long Term Credential) · draft-uberti-rtcweb-turn-rest-00 · The REST API and the STUN/TURN server share a secret. · The service provider (web app) is identified by an api_key; it requests a time-limited credential on behalf of the end user. · The web application passes this credential to the end user's browser via the JS API. · username = timestamp and application-specific data separated by a „:”.
  • 32. REST API Operation Overview (Time Limited Long Term Credential) [Figure: the web app calls the REST API; the REST API and the TURN server hold the shared secret; the browser presents the returned credential to the TURN server]
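As an added example written for this page (it is not the PoC's PHP REST API nor coturn's implementation), the following shows both sides of the time-limited credential of draft-uberti-rtcweb-turn-rest together with the daily shared-secret rotation the PoC does with a MySQL event: the REST API authenticates the web app by its api_key and answers GET ?service=turn&username=...&key=... with username "<expiry timestamp>:<application data>" and password base64(HMAC-SHA1(shared_secret, username)); the TURN server stores no per-user password but recomputes it from the username and its active secrets, checks the expiry, and derives the long-term-credential key MD5(user:realm:password). Keeping the previous secret active for one rotation period is an assumption made here so that credentials issued just before a rotation keep working; api keys, secrets, URIs and times are constructed sample values.

```python
# Added example: draft-uberti-rtcweb-turn-rest credentials with daily secret rotation.
import base64
import hashlib
import hmac

ROTATION_PERIOD = 86400            # the PoC rotates the shared secret daily


def derive_password(shared_secret, username):
    return base64.b64encode(hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()).decode()


def issue_credential(shared_secret, app_data, ttl, now):
    username = f"{now + ttl}:{app_data}"
    return {"username": username, "password": derive_password(shared_secret, username), "ttl": ttl,
            "uris": ["turn:turn.example.org:3478?transport=udp", "turns:turn.example.org:5349?transport=tcp"]}


def rest_api(query, api_keys, active_secrets, now):
    """GET ?service=turn&username=<app data>&key=<api_key>  ->  (http status, json-able body)."""
    if query.get("service") != "turn" or "username" not in query:
        return 400, {"error": "bad request"}
    if not any(hmac.compare_digest(query.get("key", ""), k) for k in api_keys):
        return 403, {"error": "unknown api key"}     # the web app, not the end user, is authenticated here
    ttl = min(int(query.get("ttl", ROTATION_PERIOD)), ROTATION_PERIOD)   # never outlive the previous secret
    return 200, issue_credential(active_secrets[0], query["username"], ttl, now)


class SecretRing:
    """Current and previous shared secret; rotate() is called once per ROTATION_PERIOD."""
    def __init__(self, first):
        self.secrets = [first]

    def rotate(self, new_secret):
        self.secrets = [new_secret] + self.secrets[:1]


def turn_key(username, password, realm):
    """HA1 the TURN server checks MESSAGE-INTEGRITY with (RFC 5389 long-term credential)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def turn_candidate_keys(username, active_secrets, realm, now):
    """TURN side: reject malformed or expired usernames, otherwise one candidate HA1 per active
    secret; the server tries each against the request's MESSAGE-INTEGRITY."""
    expiry, sep, _ = username.partition(":")
    if not sep or not expiry.isdigit() or int(expiry) < now:
        return []
    return [turn_key(username, derive_password(s, username), realm) for s in active_secrets]


def credential_accepted(username, password, active_secrets, realm, now):
    """What the MESSAGE-INTEGRITY check reduces to: does the presented credential match any candidate key."""
    presented = turn_key(username, password, realm)
    return any(hmac.compare_digest(presented, k) for k in turn_candidate_keys(username, active_secrets, realm, now))
```

Two operational consequences fall out of the code: the ttl handed to web apps must not exceed the time the previous secret stays accepted, or sessions set up just before a rotation fail with 401 in the middle of a call; and a compromised TURN server exposes at most the current and previous secret, which is the "shared key aging" benefit the MySQL slide refers to.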
  • 35. PoC Overview · Web Frontend · After AAI: eduGAIN · get (LTC) usr/pwd credential · get key to REST API · Distributed service · NIIF, UNINETT, FCT/FCCN · Closest Server (GeoIP) · Auth methods · LTC,REST API, · OAuth (coming soon)
  • 36. Ansible · Automated install central · OS (firewall,ntp,fail2ban,etc.) · Web Server and PHP · EduGAIN privacy statement · MySQL master · Automated install slaves · OS (firewall,ntp,fail2ban,etc.) · MySQL slave · coTURN · Configure even more · Certs · Configure SimpleSAMLPHP · Install Composer · Update php libs · Checkout git · Frontend · REST API · Setup replication · Master and Slave sides
  • 37. Design Goals · Only Open Source components (Debian Jessie, etc.) · Supporting all possible Authentication methods · LTC, REST, OAuth · AAI enabled eduGAIN front-end site · Distributed back-end database · Secure Communication, IPv6, DNSSEC · Support wide range of STUN/TURN transport protocols · Automated deployment
  • 38. Security Design Principles · The LTC user password is generated, to rule out offline dictionary attacks. · According to the STUN RFC recommendation, “the password SHOULD have at least 128 bits of randomness” · We use 32 alphanumeric characters, ~190 bits (hackzilla/password-generator) · REST · The API_KEY is a generated random key with a one-year expiration · 32 alphanumeric characters, ~190 bits (hackzilla/password-generator) · The shared secret between the API and coTURN is rotated daily
  • 39. TURN servers Technology Scouting · Open source implementations: · http://sourceforge.net/projects/stun/ · http://turnserver.sourceforge.net/ · https://github.com/jitsi/turnserver · https://www.resiprocate.org/ · http://www.creytiv.com/restund.html · https://github.com/coTURN/rfc5766-turn-server/ · https://github.com/coTURN/coTURN · Commercial implementations: · http://www.eyeball.com/products/stun-turn-server/ · http://help.estos.com/help/en-US/procall/5/erestunservice/dokumentation/index.htm · Etc. · Commercial services: · http://numb.viagenie.ca/ · http://xirsys.com/ · https://www.twilio.com/stun-turn · Etc.
  • 40. coTURN TURN with co-location of multiple realms · coturn.net - https://github.com/coturn/coturn · Open source STUN/TURN implementation · Written in C, rock solid, low hardware footprint · It follows the IETF TRAM WG work very closely. · Supports multiple backend database types (5) · STUN over UDP/TCP/TLS/DTLS/SCTP · TCP/UDP (relay) · Auth methods: LTC, REST (time-limited LTC), OAuth · IPv4 and IPv6
  • 41. User Frontend · Landing web page · SimpleSAMLphp, eduGAIN auth, we request 4 attributes · Bootstrapzero design · Quick&Dirty PoC-level implementation · REST API · "slim/slim": "^2.6" · "zircote/swagger-php": "^2.0" · "geoip/geoip": "~1.14" (IPv6) · "mjaschen/phpgeo": "^0.3.0"
  • 43. Pick the closest STUN/TURN · LTC · DNS GeoIP based views · Based on the location of the DNS resolver, not the client (!) · OpenDNSSEC does not yet support views! Issue: OPENDNSSEC-232 · AnyCast · Provider independent · IPv4 /24 · IPv6 /64 · REST · The web-server-side application takes the user's IP address as input · Local GeoIP database · IP => Coordinates · Vincenty's formulae · Coordinates => Distance
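As an added example written for this page (the PoC does this in PHP with the GeoIP and mjaschen/phpgeo libraries; this is not that code), the REST-side "IP => coordinates => distance => closest server" step with Vincenty's inverse formula on the WGS-84 ellipsoid. The GeoIP lookup is replaced by a constructed prefix table, and the three PoC sites (NIIF, UNINETT, FCCN) are placed at Budapest, Trondheim and Lisbon as an assumption, not a fact from the talk.

```python
# Added example: choosing the closest STUN/TURN server by geodesic distance (Vincenty inverse).
import ipaddress
import math

WGS84_A, WGS84_F = 6378137.0, 1 / 298.257223563
WGS84_B = (1 - WGS84_F) * WGS84_A

SERVERS = {                                   # assumed locations of the PoC sites
    "turn-hu.example.org (NIIF)": (47.4979, 19.0402),
    "turn-no.example.org (UNINETT)": (63.4305, 10.3951),
    "turn-pt.example.org (FCCN)": (38.7223, -9.1393),
}

GEOIP = {                                     # constructed stand-in for the local GeoIP database
    "192.0.2.0/24": (52.5200, 13.4050),       # "Berlin"
    "198.51.100.0/24": (59.9139, 10.7522),    # "Oslo"
    "203.0.113.0/24": (40.4168, -3.7038),     # "Madrid"
}


def vincenty_km(lat1, lon1, lat2, lon2, tol=1e-12, max_iter=200):
    """Geodesic distance in km between two WGS-84 points (Vincenty 1975, inverse problem)."""
    f, a, b = WGS84_F, WGS84_A, WGS84_B
    u1, u2 = (math.atan((1 - f) * math.tan(math.radians(lat))) for lat in (lat1, lat2))
    su1, cu1, su2, cu2 = math.sin(u1), math.cos(u1), math.sin(u2), math.cos(u2)
    big_l = lam = math.radians(lon2 - lon1)
    for _ in range(max_iter):
        sl, cl = math.sin(lam), math.cos(lam)
        sin_sigma = math.hypot(cu2 * sl, cu1 * su2 - su1 * cu2 * cl)
        if sin_sigma == 0.0:
            return 0.0                                    # coincident points
        cos_sigma = su1 * su2 + cu1 * cu2 * cl
        sigma = math.atan2(sin_sigma, cos_sigma)
        sin_alpha = cu1 * cu2 * sl / sin_sigma
        cos2_alpha = 1.0 - sin_alpha ** 2
        cos2_sm = cos_sigma - 2.0 * su1 * su2 / cos2_alpha if cos2_alpha else 0.0   # equatorial line
        c = f / 16.0 * cos2_alpha * (4.0 + f * (4.0 - 3.0 * cos2_alpha))
        lam_prev = lam
        lam = big_l + (1.0 - c) * f * sin_alpha * (
            sigma + c * sin_sigma * (cos2_sm + c * cos_sigma * (2.0 * cos2_sm ** 2 - 1.0)))
        if abs(lam - lam_prev) < tol:
            break
    else:
        raise ValueError("no convergence: nearly antipodal points")
    usq = cos2_alpha * (a * a - b * b) / (b * b)
    big_a = 1.0 + usq / 16384.0 * (4096.0 + usq * (-768.0 + usq * (320.0 - 175.0 * usq)))
    big_b = usq / 1024.0 * (256.0 + usq * (-128.0 + usq * (74.0 - 47.0 * usq)))
    d_sigma = big_b * sin_sigma * (cos2_sm + big_b / 4.0 * (
        cos_sigma * (2.0 * cos2_sm ** 2 - 1.0)
        - big_b / 6.0 * cos2_sm * (4.0 * sin_sigma ** 2 - 3.0) * (4.0 * cos2_sm ** 2 - 3.0)))
    return b * big_a * (sigma - d_sigma) / 1000.0


def locate(ip):
    """IP -> (lat, lon) from the constructed table, None when unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, coords in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return coords
    return None


def closest_server(client_ip, servers=SERVERS):
    """Name of the server with the smallest geodesic distance, or None if the client cannot be located."""
    loc = locate(client_ip)
    if loc is None:
        return None                                       # caller falls back to a default entry
    return min(servers, key=lambda name: vincenty_km(*loc, *servers[name]))
```

Unlike the DNS views approach, this sees the real client address, but only if the web front end takes it from the connection or from an X-Forwarded-For header set by a reverse proxy it trusts; an attacker-controlled header would otherwise steer the choice. Distance is also only a proxy for latency; anycast, as the slide notes, lets the network decide instead.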
  • 44. Auth methods · LTC and REST · Client behavior is unchanged. · Only the server side differs. · coTURN doesn't support both mechanisms in one daemon · We used the simple design approach of separating auth methods at the VM level. · Avoids repackaging · Multiple daemons could also run on the same VM. · Drawback: the stock Debian package is designed to run one daemon per host. · To exploit the latest coTURN features we decided to use the jessie-backports repository
  • 45. IPv6 Ready service smooth IPv6 transition · All service IPv6 READY and works in dual stack · STUN/TURN services · Dual Allocation · MySQL · NTP · SSH · DNS Resolvers · Web Server · Frontend, REST API
  • 46. MySQL · Separate DB per auth method · MySQL replication · Encrypted · netfilter protects the ports · IP address based access control · Generated passwords · Replication filtered per DB (auth method) · MySQL events: · LTC · Revoking the LTC after a year · REST · Generating a new shared secret daily · Revoking the API token after a year. · Shared key aging · Limits the damage if a REST-auth TURN server is compromised.
  • 48. STUN & Long Term Credential · STUN LTC authentication is optional according to the RFC · Pros: · The same auth policy for STUN and TURN · Avoids attacks and server discovery: crawler robots scan the Internet for vulnerable open STUN/TURN services (and their version) · Avoids exposing the STUN server topology (alternate address and port) · Cons: · The work involved in authenticating the request is more than the work in simply processing it. · Reality: lack of browser implementation
  • 49. STUN & LTC chrome · Log [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' [1:12:0418/145114:ERROR:stunport.cc(79)] Binding error response: class=4 number=1 reason='Unauthorized' · Turned out from the source: the STUN 401 Unauthorized challenge is not handled in stunport.cc
  • 51. OAuth Browser Implementation Status · Chrome · Open Issue 4907: https://goo.gl/Z69q6I · Not happening in Q1 · Firefox · Open Bug 1247616: https://goo.gl/6n78rL · "Not implemented" warning for app developers from Firefox 47
  • 52. OAuth & TURN · No PHP library that supports the Authenticated-Encryption with Associated-Data (AEAD) · OpenSSL samples: https://goo.gl/UfuqTr · CoTURN · self-contained OAuth token validation implemented · src/client/ns_turn_msg.c · Function: int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
  • 53. Built-in STUN · Chrome · stun.l.google.com:19302 · Firefox · media.peerconnection.default_iceservers;[] · media.peerconnection.ice.tcp;false · stun.services.mozilla.com · Default STUN server removed from version 41 · Bugs: 1167922, 1143827 · No service agreement about long-term availability · It is up to the browser vendor · The built-in STUN SLA is not well defined
  • 54. Lesson Learned · STUN binding with LTC is not supported in Browsers. · Port numbers · Standard ports · Standard Alternate port · 80, 443 for strict firewalls · NAT discovery · Multiple IP addresses required · Decisions & Lessons · LTC · GeoIP vs Anycast · OpenDNSSEC is not supporting views. · REST API · GeoIP and Vincenty vs · Google Maps API · OAuth (coming soon..) · Wait for Browser support.
  • 55. Future directions · Utilize untapped coTURN features · STUN origin · Quotas · Bandwidth, Session · Admin interface · Monitoring · Improve User interface · Frontend, REST API · coTURN Logging file central collection · Analytics, Anomaly detection · Support, Helpdesk · App developer API examples · Investigation problems · Service Monitoring (SLA) · VM, OS, DB, coTURN · Alerts
  • 56. Make or Buy? · We have infrastructure in place · Virtual/physical machine · Small instance required · Networking service · High bandwidth capacity · IPv6 · Secure and encrypted · Kept updated · Open source · From public money · Non-technical reasons · Trust · Transparency · Time spent following market players' (moving) offerings · Time spent negotiating price · Procurement fees · NRENs and the commercial market have different priorities · The education market is not big enough for vendors to implement NREN-specific features
  • 58. GN4 Symposium Demo · WebTut · Teacher <=> Student · Symmetric NAT · Tablet and PC · What happens · 1. Without STUN/TURN · 2. With STUN/TURN · 3. Two endpoints in the same LAN segment
  • 60. Summary · ICE, where possible, provides E2E communication (lowest latency) · Standards-based NAT/firewall traversal and smooth IPv6 transition · According to the WebRTC transport draft, ICE is a MUST. · “ ICE [RFC5245] MUST be supported.” · ICE needs STUN/TURN server infrastructure. · A GÉANT4 PoC service is up and running. Next step? Pilot... · „Leading edge” collaboration technologies serving the NREN community's communication needs.