Hi, the danger of using the server-relay option is not entirely clear to me and I'm hoping someone can explain a bit more. In the README.turnserver file, it states:
-server-relay
Server relay. NON-STANDARD AND DANGEROUS OPTION.
Only for those applications when we want to run
server applications on the relay endpoints.
This option eliminates the IP permissions check
on the packets incoming to the relay endpoints.
See http://tools.ietf.org/search/rfc5766#section-17.2.3 .
Can anyone provide more clarity on the above explanation? My setup has coturn running on a cloud VM. A video streaming software service is also running on this cloud VM delivering video streams to internet users. I'm guessing the video streaming software service qualifies as a "server application", agree? ...In this case am I exposing myself (the clound VM, etc) to risk by enabling the -server-relay option?
The link given above states:
17.2.3. Running Servers on Well-Known Ports
A malicious client behind a firewall might try to
connect to a TURN server and obtain an allocation
which it then uses to run a server. For example,
a client might try to run a DNS server or FTP server.
This is not possible in TURN. A TURN server will
never accept traffic from a peer for which the client
has not installed a permission. Thus, peers cannot
just connect to the allocated port in order to obtain
the service.
So, it sounds as though enabling the -server-relay option *will* allow the TURN server to accept traffic from a peer which has not been given permission. Is that correct?
Any additional explanation would be much appreciated. Thank you.