-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathrestund.txt
372 lines (251 loc) · 13.5 KB
/
restund.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
Restund Functionality and Architecture
1. Introduction
This document describes the overall functionality and architecture
of the Restund STUN [RFC5389] server. The server is designed around
the principle of a lightweight core using server modules to extend
its functionality. First we will have a detailed look at the server
core. We will then describe the various modules.
2. Server Core
This section gives an overview of the functionality provided by the
server core. It describes how the server is configured and defines
the generic baseline functionality provided to help the modules
extend its feature set in a flexible fashion.
2.1. Command Line Options
Restund recognizes the following command line options:
-d Turn on debugging. In debug mode the server will increase the
verbosity of its output in order to help debug potential issues.
-h Show summary of options. This option will list all available
command line options with a brief description.
-n Run in foreground. When this option is enabled the server will
avoid auto back-grounding into a daemon when starting up.
-f Configuration file. By default Restund expects to find a
configuration file at /etc/restund.conf. An alternative
configuration file can be specified using this command line
option.
2.2. Configuration File
Most of the configuration options is provided through a configuration
file. The server core is responsible for loading the configuration
file and providing access to all configuration options for the
modules. Some configuration options is used by the server core
itself. This section provides a description of all the available
configuration options recognized by the server core:
daemon <yes|no>
This parameter control if the server should auto background into
a daemon when started. The -n command line option overrides this
setting. Default value is yes.
debug <yes|no>
This option controls the default debug setting. The -d command
line option overrides this setting. Default value is no.
realm <realm-value>
This option set the realm used for authentication.
syncinterval <n>
The syncinterval option sets the database sync interval (in
seconds). Every n seconds the core database will issue a database
query in order to synchronize its local database against the
master database.
udp_listen <IP-address>:<port>
This parameter defines the listen address for the local UDP socket.
The default port is 3478, which is the "well known" STUN port as
defined in [RFC5389]. Multiple directives can be specified,
and Restund will create one UDP socket for each directive.
udp_sockbuf_size <n>
This option controls the transmit and receive kernel buffer size
for the UDP socket.
tcp_listen <IP-address>:<port>
This parameter defines the listen address for the local TCP socket.
The default port is 3478, which is the "well known" STUN port as
defined in [RFC5389]. Multiple directives can be specified,
and Restund will create one UDP socket for each directive.
module_path <path>
This option is used to specify the path to the modules.
module <filename>
This option is used to load a dynamically linked module, and the
argument specifies its filename. The core accepts multiple module
parameters.
2.3. Database Interface
In order to provide user authentication and to log relay traffic the
Restund server needs to access a database back-end.
The server core implements a generic database interface. This
interface provides a layer of abstraction between modules processing
database data (e.g., get password) and modules implementing a
specific database back-end (e.g., mysql_ser). This layer makes it
possible to change the database back-end without impacting modules
that needs to access database data.
Since Restund handles all packets using one server process and deals
with relaying of real time media packets (e.g., TURN
[RFC5766]), it is important that database calls does not
block the relaying operation. In order to achieve fast database
access, the database interface stores a copy of the entire user
database in a local hash table. A stand-alone database thread is
responsible for keeping this local authentication database up to date
by periodically querying the master database using a database module.
To avoid write blocking, relay traffic records are written to a FIFO,
and the database thread is taking care of writing relay records from
the FIFO to the master database through a back-end module.
The database layer also provide redundancy against master database
outage. As a local copy of the authentication data is kept in
memory, the server will be fully functional even when the database
is down. When the master database is unaccessible, the log FIFO will
enqueue relay records. These records will be written to the database
as soon as the database becomes available again.
2.4. Log Interface
A generic log interface is implemented in the server core. All log
messages are issued through this interface. This interface provides
a layer of abstraction between modules sending log messages and
modules implementing a specific log back-end (e.g., syslog). This
layer makes it possible to change the log back-end without impacting
code that issue log messages. Multiple log back-end modules can
subscribe to log messages by registering a log handler.
2.5. Status Interface
The server core implements a generic server status interface. This
interface provides a layer of abstraction between modules producing
status information (e.g. the TURN [RFC5766] module) and modules
implementing presentation of server status (e.g., through HTTP).
2.6. STUN Interface
STUN [RFC5389] messages are initially processed by a basic STUN
interface in the server core. This interface is responsible for
allocating UDP and TCP sockets and parsing incoming STUN messages.
The actual message processing is handled in server modules. Using
this interface, a module can subscribe to incoming STUN messages
by registering a message handler.
3. Modules
In order to extend the servers feature set in a structured way, the
Restund server supports dynamic module loading at runtime. Modules
are loaded through the module option in the configuration file
(section 2.2). This section gives an overview of the functionality
provided by the various server modules. It describes how the modules
are configured and the functionality they provide.
3.1. Binding
The binding module implements the basic STUN feature set as defined
in [RFC5389]. The module accepts BINDING requests and issues
BINDING responses. The BINDING method can be used to determine the
particular "binding" a NAT has allocated to a STUN client.
When used in either request/response or in indication transactions,
the BINDING method can also be used to keep these "bindings" alive.
This module also implements NAT behavior discovery using STUN as defined in
[RFC5780]. This specification defines an experimental usage of the STUN
protocol that discovers the presence and current behavior of NATs and
firewalls between the STUN client and the STUN server. This module requires
two different IP-addresses available on the host running the STUN
server. A secondary address is needed by the NAT discovery
mechanism, and requires at least three udp_listen or tcp_listen
directives.
3.2. MySQL SER
The mysql_ser module implements the database interface specified in
section 2.3 for queries against a MySQL database server. Functions
are provided for fetching user account data. The following
configuration options is recognized by the mysql_ser module:
mysql_host <hostname>
Name or IP-address of the host running the MySQL database server.
mysql_user <user-name>
Login user-name for the MySQL database client.
mysql_pass <password>
Login password for the MySQL database client.
mysql_db <database-name>
Name of the database instance in which user account data are
stored.
3.3. Stat
The stat module collects statistics about received STUN messages.
A separate counter is kept for each STUN message type. The
statistics data is made available through the status interface
described in section 2.5.
3.4. Status
The status module uses the status interface defined in section 2.5
to convey server status information over plain UDP or over HTTP.
When requesting server status over UDP (e.g., using netcat) or over
HTTP (using a web browser) a list of keywords (with description)
identifying various subsystems is provided. To obtain status about
a specific subsystem, the keyword is entered into netcat or appended
to the URL in the web browser. Automatic update every N seconds is
available using HTTP by appending '?r=N' to the status URL. The
example below requests status for the TURN subsystem every fifth
second:
http://<server-host>:<status-port>/turn?r=5
Additionally, information about server version, build date and uptime
are available when using HTTP. The following configuration options
is recognized by the status module:
status_udp_addr <IP-address>
This option specifies the the local UDP listen address (interface)
on which status requests are accepted. Default value is
127.0.0.1.
status_udp_port <n>
This option specifies the the local UDP listen port on which
status requests are accepted. Default value is 33000.
status_http_addr <IP-address>
This option specifies the the local TCP listen address (interface)
on which status HTTP requests are accepted. Default value is
127.0.0.1.
status_http_port <n>
This option specifies the the local TCP listen port on which
status HTTP requests are accepted. Default value is 8080.
3.5. Syslog
The syslog module implements standard unix syslog using the log
interface described in section 2.4. When this module is loaded all
server events will be logged using unix syslog. The following
configuration options is recognized by the syslog module:
syslog_facility <n>
This option specifies the default syslog facility to be assigned
to all messages. Default value is 24 (LOG_DAEMON).
3.6. Turn
The turn module implements Traversal Using Relays around NAT (TURN)
as defined in [RFC5766]. The protocol, which is a relay
extension to STUN, allows hosts to control the operation of the relay
and to exchange packets with its peers using the relay. In addition
to Allocate, Refresh, CreatePermission and ChannelBind requests the
module handles Send and Data indications and channel data.
The turn module supports the long term authentication mechanism
as defined in [RFC5389].
User account data is provided through the database interface
described in section 2.3. The following configuration options is
recognized by the turn module:
turn_max_allocations <n>
This option specifies the maximum number of simultaneous turn
allocations on the server. Default value is 512.
turn_max_lifetime <n>
This option specifies the maximum lifetime (in seconds) allowed
for TURN allocations. Default value is 600.
turn_relay_addr <IP-address>
This option specifies the IP-address (interface) on which data
should be relayed.
turn_relay_addr6 <IPv6-address>
This option specifies the IPv6-address (interface) on which data
should be relayed.
3.7. Filedb
The filedb module implements the database interface specified in
section 2.3 for loading user credentials from a file. Traffic logging
is not supported by this module. The following configuration options
is recognized by the filedb module:
filedb_path <filename>
Absolute path to file containing user credentials. The default
filename is /etc/restund.auth
3.8. Restauth
The restauth module implements the REST-based authentication as defined
in draft-uberti-behave-turn-rest-00 [REST]. Multiple shared secrets can be
configured, and stored in one of the Database backends.
The script util/genrest.sh can be used to generated REST username
and password.
Example with filedb.so backend:
user = test
realm = myrealm
pass = secret
$ echo -n "test:myrealm:secret" | md5
8bee32d57ceffaa4cad79064e1264a17
add this entry to /etc/restund.auth:
test:8bee32d57ceffaa4cad79064e1264a17
$ ./util/genrest.sh myrealm test 3600 secret
username = 1415180577:test
password = u8E4rTThLqLYFDi/uRTYU4wtTaM=
(your output will be different as the time is different)
This username/password is valid for 1 hour and can then be passed
to the TURN Client.
4. References
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389,
October 2008.
[RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766, April 2010.
[RFC5780] NAT Behavior Discovery Using Session Traversal Utilities for NAT
(STUN). D. MacDonald, B. Lowekamp. May 2010.
[REST] A REST API For Access To TURN Services
draft-uberti-behave-turn-rest-00