STUN CHANGE REQUEST


Joe

Aug 9, 2014, 12:34:17 AM
to turn-server-project...@googlegroups.com
Hi,

I'm trying to set up a STUN/TURN server with AWS EC2. In order to support the STUN CHANGE REQUEST feature I've attached 2 Elastic IPs to the instance and validated the setup using "turnutils_uclient" and this STUN client - http://www.codeproject.com/Articles/18492/STUN-Client . But when this client was used it displayed that the Primary Elastic IP attached is behind a symmetric NAT and the other IP, i.e. the Secondary Elastic IP, is behind RestrictedCone NAT. But as STUN won't work with servers behind Symmetric NAT, in this case will the server support STUN CHANGE REQUEST if the secondary IP is assigned as STUN server in the application?

~Thanks
Joe

Oleg Moskalenko

Aug 9, 2014, 12:58:34 AM
to Joe, turn-server-project...@googlegroups.com
An AWS EC2 setup cannot support STUN change request because it must be used with a single IP address and because of the nature of the NAT system in AWS. If you do need the STUN change request functionality then you must use a real public system without any NAT involved.


Joseph V J

Aug 9, 2014, 1:57:20 AM
to Oleg Moskalenko, turn-server-project...@googlegroups.com
Thank you for the update Oleg.

~Regards
Joe

Mathieu H.

Aug 12, 2014, 8:13:13 PM
to turn-server-project...@googlegroups.com, josephv...@gmail.com
I'm not sure I understand the reason.
If the EC2 instance is set up with 2 interfaces each mapped to their own Elastic IP and the TURN server is using 2 "external-ip" configuration in the form "public-ip/private-ip", wouldn't the server be able to correctly use the 2 NATed interfaces for Change Request?
The turnserver help page mentions this use case:
In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "-X <public-ip/private-ip>", to map all involved addresses. CHANGE_REQUEST NAT discovery STUN functionality will work correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT.


Mathieu H.

Aug 12, 2014, 8:26:03 PM
to turn-server-project...@googlegroups.com, josephv...@gmail.com
Actually you should be able to do this with a single interface, as EC2 supports multiple private IPs per interface. Would avoid the headache of source routing traffic of the 2nd interface on the instance.

Oleg Moskalenko

Aug 12, 2014, 8:29:13 PM
to Mathieu H., turn-server-project...@googlegroups.com, Joseph V J
On Tue, Aug 12, 2014 at 5:13 PM, Mathieu H. <mathieu.ho...@gmail.com> wrote:
I'm not sure I understand the reason.
If the EC2 instance is set up with 2 interfaces each mapped to their own Elastic IP and the TURN server is using 2 "external-ip" configuration in the form "public-ip/private-ip", wouldn't the server be able to correctly use the 2 NATed interfaces for Change Request?


No.

The turnserver help page mentions this use case:
In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "-X <public-ip/private-ip>", to map all involved addresses. CHANGE_REQUEST NAT discovery STUN functionality will work correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT.


Oleg Moskalenko

Aug 12, 2014, 8:32:39 PM
to Mathieu H., turn-server-project...@googlegroups.com, Joseph V J
The "external interface" workaround was designed for TURN, not for STUN.

If you do need multiple interfaces, then you have an enterprise-class setup. And if you have serious enterprise-level requirements, you have to use a separate standalone system (or a cluster of systems) in the public network, anyway. The "external interface" functionality is for small-to-middle business when you are fine with just one interface.

Oleg




Oleg Moskalenko

Aug 12, 2014, 8:42:25 PM
to turn-server-project...@googlegroups.com, mathieu.ho...@gmail.com, josephv...@gmail.com
We do support multiple external interfaces if you do need it with TURN (with -X ip/ip syntax) but we do not support them with STUN.

That may be an improvement for the future.

Oleg




Mathieu H.

Aug 12, 2014, 9:22:25 PM
to turn-server-project...@googlegroups.com, mathieu.ho...@gmail.com, josephv...@gmail.com
Thanks for the clarification. I was just interested in the reason for why multiple external interfaces wouldn't work for STUN.

As far as I understand Change Request is mainly useful for detecting a restricted cone NAT or symmetric NAT during a simple STUN discovery.
If ICE is used (like in the case of WebRTC) the reflexive candidates for a restricted NAT will be punched through during the ICE handshake between clients. And if both the clients are behind a symmetric NAT, well, it will fail over to TURN candidates anyway.
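
The NAT-type detection this thread keeps referring to, as an added example that is not part of the original posts or of the TURN server project: it builds a Binding Request carrying CHANGE-REQUEST, parses MAPPED-ADDRESS and CHANGED-ADDRESS from a response, and applies the RFC 3489 decision tree. Attribute codes and flag bits follow RFC 3489 / RFC 5780; the function and parameter names are hypothetical, and the sample response is constructed with documentation addresses.

```python
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE, MAGIC_COOKIE = 0x0001, 0x0101, 0x2112A442
MAPPED_ADDRESS, CHANGE_REQUEST, CHANGED_ADDRESS = 0x0001, 0x0003, 0x0005
CHANGE_IP, CHANGE_PORT = 0x04, 0x02  # flag bits in the CHANGE-REQUEST value

def build_binding_request(txid, change_ip=False, change_port=False):
    """Binding Request; CHANGE-REQUEST asks for a reply from the server's other IP/port."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", CHANGE_REQUEST, 4, flags) if flags else b""
    return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC_COOKIE) + txid + attrs

def parse_addresses(msg):
    """Return {attribute type: (ip, port)} for IPv4 address attributes of a Binding Response."""
    if len(msg) < 20:
        raise ValueError("shorter than a STUN header")
    mtype, length = struct.unpack("!HH", msg[:4])
    if mtype != BINDING_RESPONSE or length != len(msg) - 20:
        raise ValueError("not a well-formed Binding Response")
    found, pos = {}, 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype in (MAPPED_ADDRESS, CHANGED_ADDRESS) and alen == len(value) == 8 and value[1] == 1:
            found[atype] = (socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0])
        pos += 4 + alen + (-alen % 4)  # attributes are padded to 32-bit boundaries
    return found

def classify(local, test1, test2_ok, test1_alt, test3_ok):
    """RFC 3489 decision tree. test1, test1_alt: mapped (ip, port) or None; test2/3: reply seen?"""
    if test1 is None:
        return "UDP blocked"
    if test1 == local:
        return "open internet" if test2_ok else "symmetric UDP firewall"
    if test2_ok:  # reply arrived from the server's other IP and port
        return "full cone NAT"
    if test1_alt != test1:  # mapping changed when the destination changed
        return "symmetric NAT"
    return "restricted cone NAT" if test3_ok else "port restricted cone NAT"

def addr_attr(atype, ip, port):
    return struct.pack("!HHBBH", atype, 8, 0, 1, port) + socket.inet_aton(ip)

# Constructed sample response using documentation addresses, not captured traffic.
SAMPLE = (struct.pack("!HHI", BINDING_RESPONSE, 24, MAGIC_COOKIE) + bytes(12)
          + addr_attr(MAPPED_ADDRESS, "203.0.113.7", 54321)
          + addr_attr(CHANGED_ADDRESS, "198.51.100.2", 3479))
```

When a server never answers from its alternate address, `test2_ok` and `test3_ok` are always false, so a NATed client can only be classified as port restricted cone or symmetric. A missing reply from the alternate address (`test1_alt` is `None`) also lands in the symmetric branch.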

Oleg Moskalenko

Aug 13, 2014, 1:25:29 AM
to turn-server-project...@googlegroups.com, mathieu.ho...@gmail.com, josephv...@gmail.com
While CHANGE REQUEST is not a complex functionality, combining its implementation with a TURN server has its own challenges. This project is about the TURN server, and that is historically the main goal. The STUN part was added later and while it's working just fine, the architecture of the project is more geared toward TURN, and STUN does not have the priority. So we decided NOT to support STUN CHANGE REQUEST together with the external-ip option, because it would lead to unnatural complications, and it simply is not worth it. Maybe later we will figure out how to support that combination without major complications.