
I have gone through RFC 5766, which explains the TURN protocol in detail. However, I have some fundamental questions that I am not able to figure out after downloading and installing COTURN, the open-source TURN server.

What is a client for a TURN server? Is it the first browser that initiates a WebRTC call? TURN servers create an allocation for the client, targeted for a specific peer. Now in WebRTC, we talk about peer to peer communication. In the RFC it talks about client-server-peer communication. All requests/responses between the client and the server are TURN-driven while those between the peer and the TURN server are just UDP data messages relayed to/from the client.

My second question is more specific to COTURN. What is the "value" field in "turn_secret" table and where/when is it used? Does the "credential" property of iceservers correspond to hmackey in the turnusers_lt table by using HMAC over (credentials, realm and username)? Where does the "value" field of "turn_secret" table figure in all this?

Sunny
    You do understand that TURN servers facilitate communication as a middleman when peer to peer communication is not possible? So it becomes peer-server-peer communication, or in other words a pair of client-server communications. – deceze Apr 07 '16 at 12:23
  • @deceze I understand that part, of course. So, the client referred to in the RFC is the first browser that initiates the webrtc "call"? Also, I am not understanding the complete _lt (long-term) authentication process/hand-shakes... and when/where the "value" field in the "turn_secret" is used in this process. – Sunny Apr 07 '16 at 12:35

1 Answer


tl;dr: The TURN secret is used to restrict the leakage of TURN credentials; it is part of TURN authentication using the REST API (doc).

From the coturn docs:

In WebRTC, the browser obtains the TURN connection information from the web server. This information is secure information, because it contains the necessary TURN credentials. As these credentials are transmitted over the public networks, we have a potential security problem.

If we have to transmit a valuable information over the public network, then this information has to have a limited lifetime. Then the guy who obtains this information without permission will be able to perform only limited damage.

This is how the idea of time-limited TURN credentials appeared. This security mechanism is based upon the long-term credentials mechanism. The main idea is that the web server provides the credentials to the client, but those credentials can be used only limited time by an application that has to create a TURN server connection.

You can take a look at this answer for a TURN secret usage example.

mido
  • Thanks. Useful info and answer accepted. I later read on the topic but the best I found outside the COTURN doc was a proposed RFC by Uberti (Google) et al. The TURN REST API is not standardized. Is that correct? So, can the TURN secret be used today? If so, how, if the browsers do not support it? – Sunny Apr 08 '16 at 03:57
  • OK... get it. It is the application server, not the browser, that fetches/uses the secret... Did not read the referenced answer before commenting. – Sunny Apr 08 '16 at 04:03
  • Just one final question if you have the time... What I asked in my post anyway... "What is a client for a TURN server? Is it the first browser that initiates a WebRTC call?" and why would a server need support for ICE? See https://www.doubango.org/webrtc2sip/, "For example, if your server doesn't support ICE..." You seem to be well-versed in this area. A couple of lines from you will save me a tonne of my time! Thanks – Sunny Apr 08 '16 at 06:11
  • @Sam I think they are talking about using media servers (MCU/SFU) instead of direct browser-to-browser communication, useful when you try broadcasting a video: you send data to the server and it forwards to watchers instead of your browser sending data directly to each peer. If the number of watchers is high, you'll kill your bandwidth and crash your browser. – mido Apr 08 '16 at 06:21