2 votes

I have gone through RFC 5766, which explains the TURN protocol in detail. However, I have some fundamental questions that I am not able to figure out after downloading and installing COTURN, the open-source TURN server.

What is a client for a TURN server? Is it the first browser that initiates a WebRTC call? TURN servers create an allocation for the client, targeted at a specific peer. Now in WebRTC, we talk about peer-to-peer communication, but the RFC talks about client-server-peer communication. All requests/responses between the client and the server are TURN-driven, while those between the peer and the TURN server are just UDP data messages relayed to/from the client.

My second question is more specific to COTURN. What is the "value" field in the "turn_secret" table, and where/when is it used? Does the "credential" property of iceServers correspond to hmackey in the turnusers_lt table by using HMAC over (credential, realm and username)? Where does the "value" field of the "turn_secret" table figure in all this?

1 – You do understand that TURN servers facilitate communication as a middleman when peer-to-peer communication is not possible? So it becomes peer-server-peer communication, or in other words a pair of client-server communications. – deceze♦

@deceze I understand that part, of course. So, the client referred to in the RFC is the first browser that initiates the WebRTC "call"? Also, I am not understanding the complete _lt (long-term) authentication process/handshakes... and when/where the "value" field in "turn_secret" is used in this process. – Sunny

1 Answer

2 votes

tl;dr: The TURN secret is used to limit the damage from leaked TURN credentials; it is part of TURN authentication using the REST API (doc).

From the coturn docs:

In WebRTC, the browser obtains the TURN connection information from the web server. This is sensitive information, because it contains the necessary TURN credentials. As these credentials are transmitted over public networks, we have a potential security problem.

If we have to transmit valuable information over the public network, then this information has to have a limited lifetime. Then the guy who obtains this information without permission will be able to do only limited damage.

This is how the idea of time-limited TURN credentials appeared. This security mechanism is based upon the long-term credentials mechanism. The main idea is that the web server provides the credentials to the client, but those credentials can be used only for a limited time by an application that has to create a TURN server connection.

You can take a look at this answer for a TURN secret usage example.