BRKCOL-2986
ICE / TURN / STUN Tutorial
Kristof Van Coillie, Technical Leader, Services Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOL-2986
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract
This session will provide technical background and insights on Traversal Using Relay NAT (TURN) and Interactive Connectivity Establishment (ICE) and cover how these are used in the Collaboration Portfolio. Participants will learn why TURN is needed and how ICE finds the optimal media path. Troubleshooting guidance will be discussed demonstrating the serviceability tools available together with best practices.
Agenda
• Why do we need TURN & ICE?
• TURN & ICE explained
• TURN & ICE in Cisco Collaboration
• Collaboration Solutions Analyzer

Why do we need TURN & ICE?

Media negotiation
[Diagram: endpoints 10.10.10.10 and 10.10.10.20 with a SIP Registrar between them; the SDP offer/answer carries the media addresses and ports]
INVITE (via the SIP Registrar)
Content-Type: application/sdp
c=IN IP4 10.10.10.10
m=audio 30000 RTP/SAVP …
200 OK (via the SIP Registrar)
Content-Type: application/sdp
c=IN IP4 10.10.10.20
m=audio 40000 RTP/SAVP …
Media: 10.10.10.10:30000 ← → 10.10.10.20:40000
Connectivity
[Diagram: endpoints 10.10.10.10 and 10.10.10.20 and the SIP Registrar; media flows directly between the two endpoints]
Connectivity
[Diagram: endpoint 10.10.10.10 registered to the SIP Registrar, remote endpoint 173.38.154.85 across the Internet; the media destination signalled is 10.10.10.10:30000]
Relaying the media
[Diagram: relay 72.163.4.161 on the Internet between endpoint 10.10.10.10 and remote endpoint 173.38.154.85; media from both sides goes to the relay; SIP Registrar]
Relaying the media
[Diagram: 10.10.10.10 = TURN Client, 72.163.4.161 = TURN Server, remote endpoint 173.38.154.85, SIP Registrar]
INVITE
Content-Type: application/sdp
c=IN IP4 72.163.4.161
m=audio 24000 RTP/SAVP …
200 OK
Content-Type: application/sdp
c=IN IP4 173.38.154.85
m=audio 40000 RTP/SAVP …
Media: 10.10.10.10 ← → 72.163.4.161:24000 (TURN Server) ← → 173.38.154.85:40000

Relaying the media, sometimes
[Diagram: 10.10.10.10 and 173.38.154.85 with TURN Server 72.163.4.161 on the Internet, and 10.10.10.20 on the local network; media can go via the relay or directly; SIP Registrar]
Finding the best, working media path = ICE
Candidates
[Diagram: 10.10.10.10 (TURN Client), TURN Server 72.163.4.161, SIP Registrar]
INVITE
Content-Type: application/sdp
c=IN IP4 10.10.10.10
m=audio 30000 RTP/SAVP …
a=candidate:1 1 UDP 2130706431 10.10.10.10 30000 typ host
a=candidate:1 2 UDP 2130706430 10.10.10.10 30001 typ host
a=candidate:3 1 UDP 352321535 72.163.4.161 24000 typ relay raddr 10.10.10.10 rport 30000
a=candidate:3 2 UDP 352321534 72.163.4.161 24001 typ relay raddr 10.10.10.10 rport 30001
What about STUN?
• STUN is the protocol used between TURN Client and TURN Server (for most messages)
• ICE leverages STUN protocol
What do the abbreviations mean?
• TURN
  • Traversal Using Relays around NAT
  • Media Relay
  • RFC 5766
• ICE
  • Interactive Connectivity Establishment
  • Finds the best, working media path
  • RFC 5245
• STUN
  • Session Traversal Utilities for NAT
  • Protocol used by TURN & ICE
  • RFC 5389
TURN & ICE explained

Setup used: O365 TURN (Microsoft interop call)
[Diagram: Endpoint – CUCM – Expr-C – Expr-E (= TURN Server) – Internet – Office 365; CMS (= TURN Client); media between CMS and Office 365]
Setup used: O365 TURN
[Diagram: TURN Client CMS 192.168.0.71; TURN Server Expr-E 192.168.0.200 (internal) / 173.38.154.85 (external); Internet; Office 365]
INVITE
Content-Type: application/sdp
c=IN IP4 192.168.0.71
m=audio 30000 RTP/SAVP …
a=candidate:1 1 UDP 2130706431 192.168.0.71 30000 typ host
a=candidate:1 2 UDP 2130706430 192.168.0.71 30001 typ host
a=candidate:3 1 UDP 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 30000
a=candidate:3 2 UDP 352321534 173.38.154.85 24001 typ relay raddr 192.168.0.71 rport 30001
Steps in TURN / ICE negotiation
• Step 1: Collecting candidates
• Step 2: Exchanging candidates
• Step 3: Connectivity checks
• Step 4: Deciding candidate pair to use
Step 1: Collecting candidates
[Diagram: TURN Client CMS 192.168.0.71; TURN Server Expr-E 192.168.0.200 / 173.38.154.85, port 3478]
STUN Allocate messages:
Allocate Request
Allocate Error Response: 401 Unauthorized, nonce, realm: ciscotac.net
Allocate Request: user: turnuser, realm: ciscotac.net, nonce: 9ae6…de7
Allocate Success Response: XOR-RELAYED-ADDRESS 173.38.154.85:24000, XOR-MAPPED-ADDRESS 192.168.0.71:58952 → relay candidate
Step 1: Collecting candidates
Allocations
[Diagram: TURN Client 192.168.0.71:58952 – STUN – TURN Server 192.168.0.200:3478 / 173.38.154.85:24000 – RTP]
• Relayed transport address: 173.38.154.85:24000
• 5-tuple:
  • Client’s IP address & port: 192.168.0.71:58952
  • Server IP address & port: 192.168.0.200:3478
  • Transport protocol: UDP
• Authentication: username, realm, password, nonce (turnuser, password, …)
• Time to expiry: how long the allocation is still valid (600 seconds)
• Permissions: initially empty (see later)
• Channel to peer bindings: initially empty (see later)
Step 1: Collecting candidates
Deeper look at allocation request
[Screenshot: the authenticated Allocate request; callout: Authentication]
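The authentication part of the allocation, as an added example (not code from the session or from any Cisco product): the second Allocate request of the exchange above, carrying USERNAME, REALM, NONCE and a MESSAGE-INTEGRITY computed with the long-term credential key, together with the check a TURN server performs on it. The user and realm are the ones from the trace; the password, nonce and transaction ID are constructed placeholders.

```python
"""Authenticated TURN Allocate request with long-term credentials.

Added example, not code from the session or from any Cisco product.
From the deck: user "turnuser", realm "ciscotac.net", lifetime 600 s.
The password, nonce and transaction ID are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003                    # message type, as in the deck
# STUN / TURN attribute types (RFC 5389, RFC 5766)
USERNAME, MESSAGE_INTEGRITY, LIFETIME = 0x0006, 0x0008, 0x000D
REALM, NONCE, REQUESTED_TRANSPORT = 0x0014, 0x0015, 0x0019
UDP = 17                                     # IANA protocol number


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute; the value is padded to a 4-byte boundary."""
    return struct.pack(">HH", attr_type, len(value)) + value + b"\0" * ((-len(value)) % 4)


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """Key of the long-term credential mechanism: MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def build_allocate(username, realm, nonce, password, transaction_id, lifetime=600):
    """The 2nd Allocate Request of the exchange in the deck: the 1st one, sent
    without credentials, was answered with 401 Unauthorized plus realm/nonce."""
    body = tlv(REQUESTED_TRANSPORT, bytes([UDP, 0, 0, 0]))
    body += tlv(LIFETIME, struct.pack(">I", lifetime))
    body += tlv(USERNAME, username.encode())
    body += tlv(REALM, realm.encode())
    body += tlv(NONCE, nonce.encode())
    # MESSAGE-INTEGRITY = HMAC-SHA1 over the header and every attribute before it,
    # with the header length field already counting the 24-byte attribute itself.
    header = struct.pack(">HHI12s", ALLOCATE_REQUEST, len(body) + 24,
                         MAGIC_COOKIE, transaction_id)
    mac = hmac.new(long_term_key(username, realm, password),
                   header + body, hashlib.sha1).digest()
    return header + body + tlv(MESSAGE_INTEGRITY, mac)


def parse_attributes(msg: bytes) -> list:
    """Return [(attr_type, offset, value), ...] in message order."""
    out, pos = [], 20
    while pos + 4 <= len(msg):
        a_type, a_len = struct.unpack(">HH", msg[pos:pos + 4])
        out.append((a_type, pos, msg[pos + 4:pos + 4 + a_len]))
        pos += 4 + a_len + (-a_len) % 4
    return out


def verify_allocate(msg: bytes, lookup_password) -> bool:
    """Server-side check: derive the key from USERNAME/REALM and the stored
    password (lookup_password(username)) and recompute the HMAC over
    everything that precedes MESSAGE-INTEGRITY."""
    if len(msg) < 20 or struct.unpack(">I", msg[4:8])[0] != MAGIC_COOKIE:
        return False
    attrs = {t: (off, val) for t, off, val in parse_attributes(msg)}
    if any(t not in attrs for t in (USERNAME, REALM, NONCE, MESSAGE_INTEGRITY)):
        return False                         # a real server answers 400 or 401 here
    mi_offset, received_mac = attrs[MESSAGE_INTEGRITY]
    username = attrs[USERNAME][1].decode()
    key = long_term_key(username, attrs[REALM][1].decode(), lookup_password(username))
    expected = hmac.new(key, msg[:mi_offset], hashlib.sha1).digest()
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    req = build_allocate("turnuser", "ciscotac.net", "constructed-nonce",
                         "constructed-password", os.urandom(12))
    print(len(req), "bytes, valid:", verify_allocate(req, lambda u: "constructed-password"))
```

A request whose MESSAGE-INTEGRITY does not verify (wrong password, or any byte changed in transit) is rejected before an allocation is created, which is why a trace of the first, unauthenticated request always shows the 401.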
Wireshark
[Screenshot: Wireshark capture of the allocation]
Collaboration Solutions Analyzer result
[Screenshot: CSA output; callouts: attributes of the allocation, purpose of the allocation]
Step 1: Collecting candidates
Some notes
• An allocation is needed per stream:
  • Audio RTP / RTCP
  • Video RTP / RTCP
  • Content
• TURN service discovery possible (SRV)
  • Depends on product support
• Messages between TURN client and TURN server can be UDP, TCP or TLS over TCP
  • Depends on product support
Different types of candidates
[Diagram: TURN Client 192.168.0.71 behind a PAT (NAT) with public address 173.38.154.83; TURN Server 173.38.154.85, port 3478]
Allocate Request sent from 192.168.0.71:50000, arriving at the server from 173.38.154.83:50000
Allocate Success Response: XOR-RELAYED-ADDRESS 173.38.154.85:24000, XOR-MAPPED-ADDRESS 173.38.154.83:50000
• Host candidate: 192.168.0.71:50000
• Server reflexive candidate: 173.38.154.83:50000 (the XOR-MAPPED-ADDRESS, i.e. the client as seen by the server after the PAT)
• Relay candidate: 173.38.154.85:24000 (the XOR-RELAYED-ADDRESS)
Step 2: Exchanging candidates
Sending offer after collecting candidates
[Diagram: TURN Client CMS 192.168.0.71; TURN Server 173.38.154.85]
INVITE
Content-Type: application/sdp
Default candidate:
c=IN IP4 192.168.0.71
m=audio 30000 RTP/SAVP …
Host candidates:
a=candidate:1 1 UDP 2130706431 192.168.0.71 58952 typ host
a=candidate:1 2 UDP 2130706430 192.168.0.71 58953 typ host
Relay candidates:
a=candidate:3 1 UDP 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 58952
a=candidate:3 2 UDP 352321534 173.38.154.85 24001 typ relay raddr 192.168.0.71 rport 58953
Step 2: Exchanging candidates
Receiving answer
[Diagram: TURN Client CMS 192.168.0.71; Internet; Office 365 TURN Server 52.112.132.17; remote endpoint 192.168.1.30 behind 178.119.234.102]
200 OK
Content-Type: application/sdp
Default candidate:
c=IN IP4 52.112.132.17
m=audio 59229 RTP/SAVP …
Host candidates:
a=candidate:1 1 UDP 2130706431 192.168.1.30 50012 typ host
a=candidate:1 2 UDP 2130705918 192.168.1.30 50013 typ host
Relay candidates:
a=candidate:4 1 UDP 184547839 52.112.132.17 59229 typ relay raddr 178.119.234.102 rport 50010
a=candidate:4 2 UDP 184547326 52.112.132.17 59365 typ relay raddr 178.119.234
Server reflexive candidates:
a=candidate:10 1 UDP 1694232063 178.119.234.102 50010 typ srflx raddr 192.168.1.30 rport 50010
a=candidate:10 2 UDP 1694231550 178.119.234.102 50011 typ srflx raddr 192.168.1.30 rport 50011
Step 2: Exchanging candidates
Some notes
• The agent that generated the offer which started ICE processing = CONTROLLING AGENT
• The other agent = CONTROLLED AGENT
• Controlling agent is responsible for the choice of the final candidate pair for communication
Step 2: Exchanging candidates
Troubleshooting tip
If no candidates are seen in the offer/answer, the allocations of that party failed.
Step 3: Connectivity checks
Building pairs
Local candidates: 192.168.0.71:58952 (host), 173.38.154.85:24000 (relay)
Remote candidates: 192.168.1.30:50012 (host), 52.112.132.17:59229 (relay), 178.119.234.102:50010 (srflx)
host 192.168.0.71:58952 ← → 192.168.1.30:50012 host
host 192.168.0.71:58952 ← → 52.112.132.17:59229 relay
host 192.168.0.71:58952 ← → 178.119.234.102:50010 srflx
relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host
relay 173.38.154.85:24000 ← → 52.112.132.17:59229 relay
relay 173.38.154.85:24000 ← → 178.119.234.102:50010 srflx
Step 3: Connectivity checks
Testing each pair
• A check is generated by sending a STUN Binding request from a local candidate to a remote candidate
• A check is considered successful if:
  • A success response is received
  • Src ip:src port of the response = dst ip:dst port of the request
  • Dst ip:dst port of the response = src ip:src port of the request
• First we need to understand how relaying packets works
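How the pairs of the previous slide are derived from the SDP, and the success test for a check, as an added example (not code from the session or any Cisco product). OFFER_SDP and ANSWER_SDP repeat the candidate lines from the offer and answer above; the answer's truncated RTCP relay line is left out.

```python
"""Parse the a=candidate lines of an ICE offer/answer, form the candidate
pairs that the connectivity checks will test, and apply the success
criteria from the 'Testing each pair' slide.  Added example, not code from
the session; OFFER_SDP/ANSWER_SDP repeat the candidates from the deck
(the truncated RTCP relay line of the answer is left out)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<ip>\S+) (?P<port>\d+) typ (?P<type>host|srflx|prflx|relay)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?")


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component: int          # 1 = RTP, 2 = RTCP
    transport: str
    priority: int
    ip: str
    port: int
    type: str               # host, srflx, prflx or relay
    raddr: Optional[str]    # related address: informational, not used by the checks
    rport: Optional[int]

    @property
    def addr(self) -> str:
        return f"{self.ip}:{self.port}"


def parse_candidates(sdp: str) -> List[Candidate]:
    """Collect the candidates of one SDP body; other lines (c=, m=, ...) are skipped."""
    found = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        found.append(Candidate(d["foundation"], int(d["component"]), d["transport"].upper(),
                               int(d["priority"]), d["ip"], int(d["port"]), d["type"],
                               d["raddr"], int(d["rport"]) if d["rport"] else None))
    return found


def form_pairs(local: List[Candidate], remote: List[Candidate],
               component: int = 1) -> List[Tuple[Candidate, Candidate]]:
    """Every local candidate with every remote candidate of the same component
    and transport, in SDP order, as on the 'Building pairs' slide."""
    return [(loc, rem) for loc in local for rem in remote
            if loc.component == component == rem.component and loc.transport == rem.transport]


def describe_pair(pair: Tuple[Candidate, Candidate]) -> str:
    loc, rem = pair
    return f"{loc.type} {loc.addr} <-> {rem.addr} {rem.type}"


def check_succeeded(req_src: str, req_dst: str, resp_src: str, resp_dst: str,
                    success_response: bool) -> bool:
    """A check passes only if a success response comes back from the address the
    request was sent to, and arrives at the address it was sent from.  A
    response from any other address does not validate the pair."""
    return success_response and resp_src == req_dst and resp_dst == req_src


OFFER_SDP = """c=IN IP4 192.168.0.71
a=candidate:1 1 UDP 2130706431 192.168.0.71 58952 typ host
a=candidate:1 2 UDP 2130706430 192.168.0.71 58953 typ host
a=candidate:3 1 UDP 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 58952
a=candidate:3 2 UDP 352321534 173.38.154.85 24001 typ relay raddr 192.168.0.71 rport 58953
"""
ANSWER_SDP = """c=IN IP4 52.112.132.17
a=candidate:1 1 UDP 2130706431 192.168.1.30 50012 typ host
a=candidate:1 2 UDP 2130705918 192.168.1.30 50013 typ host
a=candidate:4 1 UDP 184547839 52.112.132.17 59229 typ relay raddr 178.119.234.102 rport 50010
a=candidate:10 1 UDP 1694232063 178.119.234.102 50010 typ srflx raddr 192.168.1.30 rport 50010
a=candidate:10 2 UDP 1694231550 178.119.234.102 50011 typ srflx raddr 192.168.1.30 rport 50011
"""

if __name__ == "__main__":
    for pair in form_pairs(parse_candidates(OFFER_SDP), parse_candidates(ANSWER_SDP)):
        print(describe_pair(pair))
```

Running it prints the six RTP pairs of the slide in the same order; the srflx local candidates that a NATed client would add (see "Different types of candidates") simply produce extra rows.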
Relaying packets
[Diagram: TURN Client CMS 192.168.0.71:58952 – STUN – TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85:24000 – Data; allocation 5-tuple 192.168.0.71:58952 ↔ 192.168.0.200:3478 UDP, relayed transport address 173.38.154.85:24000]
Outgoing: data from the client must tell the server where to send the data to (dst ip:port); the server sends it from the relayed transport address :24000
Incoming: data arriving on the relayed transport address :24000 is forwarded to the client, together with where the data comes from
• What about security?
  • Can anyone send data and it will be relayed?
Creating permissions
[Diagram: the allocation above, now with a permission for 192.168.1.30]
CreatePermission Request (client → server): XOR-PEER-ADDRESS: 192.168.1.30:50012 (remote candidate)
CreatePermission Success Response
• Using this allocation, packets can now be sent to / received from 192.168.1.30
• This is one method to create permissions
Relaying packets, method 1: outgoing packets (Send Indication)
[Diagram: allocation with permission 192.168.1.30; peer 192.168.1.30:50012]
Send Indication (client → server): XOR-PEER-ADDRESS: 192.168.1.30:50012, DATA: application data
The server forwards the data from the relayed transport address :24000 to 192.168.1.30:50012
* Server checks: permission, relayed transport address
Relaying packets, method 1: incoming packets (Data Indication)
[Diagram: allocation with permission 192.168.1.30; peer 192.168.1.30:50012]
Data from 192.168.1.30:50012 arrives on the relayed transport address :24000
Data Indication (server → client): XOR-PEER-ADDRESS: 192.168.1.30:50012, DATA: application data
* Server checks: permission, 5-tuple
Relaying packets, method 1
• Drawback
  • Overhead (especially for small audio packets)
Send / Data Indication layout:
Msg Type (2 bytes) | Msg Length (2 bytes) | Msg Cookie (4 bytes)
Msg Transaction ID (12 bytes)
XOR-PEER-ADDRESS (12 bytes)
DATA (96 bytes) …
Relaying packets, method 2: channels
• Goal: less overhead
• Channel binding to be created by the TURN client:
  • Channel number (0x4000 – 0x7FFF)
  • Transport address (of the peer)
  • Time-to-expiry timer
Relaying packets, method 2: Channel Bind Request
[Diagram: allocation with permission 192.168.1.30 and channel binding 0x4000 → 192.168.1.30:50012 (time-to-expiry)]
Channel-Bind Request (client → server): XOR-PEER-ADDRESS: 192.168.1.30:50012, CHANNEL-NUMBER: 0x4000, …
Channel-Bind Success Response
• Channel-Bind Request creates a permission as well
  • This is the 2nd method to create permissions
• Multiple channel to peer bindings are possible per allocation (all peer candidates)
Relaying packets, method 2: outgoing packets (channel)
[Diagram: allocation with permission 192.168.1.30 and channel binding 0x4000 → 192.168.1.30:50012 (time-to-expiry)]
ChannelData (client → server): channel number: 0x4000, DATA: application data
The server forwards the data from the relayed transport address :24000 to 192.168.1.30:50012
* Server checks: channel binding, relayed transport address
Relaying packets, method 2: incoming packets (channel)
[Diagram: allocation with permission 192.168.1.30 and channel binding 0x4000 → 192.168.1.30:50012 (time-to-expiry)]
Data from 192.168.1.30:50012 arrives on the relayed transport address :24000
ChannelData (server → client): channel number: 0x4000, DATA: application data
* Server checks: permission, channel binding, 5-tuple
Relaying packets, method 2: ChannelData
• Less overhead (4 bytes vs 32 bytes)
• ChannelData message layout:
Channel Nr (2 bytes) | Msg Length (2 bytes)
DATA (96 bytes) …
Step 3: Connectivity checks
Host-Host
[Diagram: TURN Client CMS 192.168.0.71; TURN Server Expr-E 192.168.0.200 / 173.38.154.85; Internet; Office 365 TURN Server 52.112.132.17; remote endpoint 192.168.1.30 behind 178.119.234.102]
STUN Binding request: 192.168.0.71:58952 → 192.168.1.30:50012
host 192.168.0.71:58952 ← → 192.168.1.30:50012 host
[Screenshot: the STUN Binding request in Wireshark; callouts:]
• Used to correlate request/response
• Used to order connectivity checks and relative preference for candidate
• Controlling agent is responsible for choosing the final candidate pair used for communication
• Checks are authenticated using the short-term credential mechanism for STUN
Step 3: Connectivity checks
Relay-Host: method 1
[Diagram: TURN Client CMS 192.168.0.71:58952 – TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85:24000 – peer 192.168.1.30:50012]
Send Indication (client → server): XOR-PEER-ADDRESS: 192.168.1.30:50012, DATA: STUN Binding request; the server sends the STUN Binding request from :24000 to 192.168.1.30:50012
• Between client and server this is a Send Indication packet
• Wireshark shows this as Send Indication
• The data is a STUN Binding Request
relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host
Step 3: Connectivity checks
Relay-Host: method 2
[Diagram: TURN Client CMS 192.168.0.71:58952 – TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85:24000 – peer 192.168.1.30:50012]
ChannelData (client → server): channel number: 0x4000, DATA: STUN Binding request; the server sends the STUN Binding request from :24000 to 192.168.1.30:50012
• Between client and server this is a ChannelData packet
• Wireshark shows this as ChannelData
• The data is a STUN Binding Request
relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host
Step 3: Connectivity checks
Relay-Server Reflexive
[Diagram: TURN Client CMS 192.168.0.71:58952 – TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85:24000 – Office 365 endpoint 192.168.1.30 behind 178.119.234.102:50010]
ChannelData (client → server): channel number: 0x4004, DATA: STUN Binding request → STUN Binding request from :24000 to 178.119.234.102:50010
STUN Binding success response from 178.119.234.102:50010 to :24000 → ChannelData (server → client): channel number: 0x4004, DATA: STUN Binding success response
relay 173.38.154.85:24000 ← → 178.119.234.102:50010 srflx: working pair
Step 3: Connectivity checks
Recognize binding request in ChannelData (and Send/Data Indication)
[Screenshot: Wireshark decoding of a ChannelData packet that carries a STUN Binding request]
Collaboration Solutions Analyzer
[Screenshot: CSA output; callouts: incoming bind request, outgoing bind request]
[Screenshot: CSA output; callouts: encapsulated, use-candidate]
STUN message types
Message – Type
Allocate Request – 0x0003 (can be used to filter in Wireshark: stun.type == 0x0003)
Allocate Success Response – 0x0103
Allocate Error Response – 0x0113
Create Permission Request – 0x0008
Create Permission Success Response – 0x0108
Channel-Bind Error Response – 0x0119
Binding Request – 0x0001
Binding Success Response – 0x0101
Binding Error Response – 0x0111
ChannelData – 0x4004 (channel number used in this capture)
Send Indication – 0x0016
Data Indication – 0x0017
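A small decoder for the packets shown in the captures above, as an added example (not code from the session or any Cisco product): it separates ChannelData from STUN by the first two bits, names the STUN message type using the table above, unwraps the Binding request carried inside ChannelData or a Send/Data Indication (including the USE-CANDIDATE flag) and decodes XOR-MAPPED/RELAYED/PEER-ADDRESS. The sample packets at the bottom are constructed in the script; channel 0x4004 and the addresses are the ones from the trace.

```python
"""Demultiplex TURN/STUN packets the way the Wireshark slides do.
Added example, not code from the session; the sample packets at the
bottom are constructed here (channel and addresses as in the deck)."""
import struct

MAGIC_COOKIE = 0x2112A442
STUN_TYPES = {                               # message type table from the deck
    0x0001: "Binding Request", 0x0101: "Binding Success Response",
    0x0111: "Binding Error Response", 0x0003: "Allocate Request",
    0x0103: "Allocate Success Response", 0x0113: "Allocate Error Response",
    0x0008: "CreatePermission Request", 0x0108: "CreatePermission Success Response",
    0x0119: "ChannelBind Error Response", 0x0016: "Send Indication",
    0x0017: "Data Indication",
}
# attribute types (RFC 5389, RFC 5766, RFC 5245)
XOR_PEER_ADDRESS, DATA, XOR_RELAYED_ADDRESS = 0x0012, 0x0013, 0x0016
XOR_MAPPED_ADDRESS, PRIORITY, USE_CANDIDATE = 0x0020, 0x0024, 0x0025


def classify(pkt: bytes) -> str:
    """First two bits: 00 = STUN (magic cookie at offset 4), 01 = ChannelData
    (channel numbers 0x4000-0x7FFF), 10 = RTP/RTCP."""
    if len(pkt) < 4:
        return "other"
    top = pkt[0] >> 6
    if top == 0 and len(pkt) >= 20 and pkt[4:8] == struct.pack(">I", MAGIC_COOKIE):
        return "stun"
    return "channeldata" if top == 1 else "other"


def stun_attributes(msg: bytes) -> list:
    """[(type, value), ...]; every value is padded to a 4-byte boundary."""
    attrs, pos = [], 20
    end = 20 + struct.unpack(">H", msg[2:4])[0]
    while pos + 4 <= end:
        a_type, a_len = struct.unpack(">HH", msg[pos:pos + 4])
        attrs.append((a_type, msg[pos + 4:pos + 4 + a_len]))
        pos += 4 + a_len + (-a_len) % 4
    return attrs


def decode_xor_address(value: bytes) -> tuple:
    """XOR-MAPPED/RELAYED/PEER-ADDRESS (IPv4): the port is XORed with the top
    16 bits of the magic cookie, the address with the whole cookie."""
    family, xport = struct.unpack(">xBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 handled here (IPv6 also XORs the transaction ID)")
    raw = struct.unpack(">I", value[4:8])[0] ^ MAGIC_COOKIE
    return ".".join(str((raw >> s) & 0xFF) for s in (24, 16, 8, 0)), xport ^ (MAGIC_COOKIE >> 16)


def describe(pkt: bytes) -> dict:
    """Wireshark-style summary of one packet, following one level of encapsulation."""
    kind = classify(pkt)
    if kind == "channeldata":
        channel, length = struct.unpack(">HH", pkt[:4])
        return {"kind": "ChannelData", "channel": channel, "inner": describe(pkt[4:4 + length])}
    if kind != "stun":
        return {"kind": "other"}
    msg_type = struct.unpack(">H", pkt[:2])[0]
    attrs = dict(stun_attributes(pkt))
    out = {"kind": STUN_TYPES.get(msg_type, "0x%04x" % msg_type),
           "use_candidate": USE_CANDIDATE in attrs}
    for name, t in (("peer", XOR_PEER_ADDRESS), ("mapped", XOR_MAPPED_ADDRESS),
                    ("relayed", XOR_RELAYED_ADDRESS)):
        if t in attrs:
            out[name] = "%s:%d" % decode_xor_address(attrs[t])
    if DATA in attrs:                        # Send / Data Indication payload
        out["inner"] = describe(attrs[DATA])
    return out


# --- constructed sample packets (builders kept minimal) ----------------------
def _attr(t, v):
    return struct.pack(">HH", t, len(v)) + v + b"\0" * ((-len(v)) % 4)

def _stun(msg_type, tid, *attrs):
    body = b"".join(attrs)
    return struct.pack(">HHI12s", msg_type, len(body), MAGIC_COOKIE, tid) + body

def _xor_addr(ip, port):
    raw = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    return struct.pack(">xBHI", 1, port ^ (MAGIC_COOKIE >> 16), raw ^ MAGIC_COOKIE)

TID = b"\xab" * 12                           # constructed transaction ID
# Relay -> srflx check, nominating request: ChannelData on channel 0x4004
# carrying a Binding Request with PRIORITY (constructed value) and USE-CANDIDATE.
BINDING_REQUEST = _stun(0x0001, TID, _attr(PRIORITY, struct.pack(">I", 1)),
                        _attr(USE_CANDIDATE, b""))
CHANNELDATA_REQUEST = struct.pack(">HH", 0x4004, len(BINDING_REQUEST)) + BINDING_REQUEST
# The peer's answer relayed with method 1: Data Indication whose XOR-PEER-ADDRESS
# is the peer 178.119.234.102:50010 and whose DATA is a Binding Success Response
# with XOR-MAPPED-ADDRESS = our relayed transport address 173.38.154.85:24000.
BINDING_RESPONSE = _stun(0x0101, TID, _attr(XOR_MAPPED_ADDRESS, _xor_addr("173.38.154.85", 24000)))
DATA_INDICATION = _stun(0x0017, TID, _attr(XOR_PEER_ADDRESS, _xor_addr("178.119.234.102", 50010)),
                        _attr(DATA, BINDING_RESPONSE))
```

describe(CHANNELDATA_REQUEST) reports channel 0x4004 with an inner Binding Request carrying USE-CANDIDATE, which is exactly what the CSA "encapsulated" and "use-candidate" callouts flag.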
Step 3: Connectivity checks
Connectivity check result
host 192.168.0.71:58952 ← → 192.168.1.30:50012 host
host 192.168.0.71:58952 ← → 52.112.132.17:59229 relay
host 192.168.0.71:58952 ← → 178.119.234.102:50010 srflx
relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host
relay 173.38.154.85:24000 ← → 52.112.132.17:59229 relay Working pair
relay 173.38.154.85:24000 ← → 178.119.234.102:50010 srflx Working pair
Step 4: Deciding what candidate pair to use
• Controlling Agent nominates which (valid) candidate pair will be used
  • Normal nomination
  • Aggressive nomination
• Controlling Agent sends an updated offer if the selected candidates don’t match the default candidates

Normal nomination
• Controlling agent picks amongst the valid pairs
• Sends a 2nd Binding request, with the USE-CANDIDATE flag
• Both sides stop checks for this media stream
• Media is now sent over this pair
Step 4: Deciding what candidate pair to use
Normal nomination
[Diagram: TURN Client CMS 192.168.0.71:58952 – TURN Server 192.168.0.200:3478 / 173.38.154.85:24000 – Office 365 endpoint 192.168.1.30 behind 178.119.234.102:50010]
ChannelData (channel number: 0x4004) carrying a STUN Binding request → ChannelData carrying the STUN Binding success response
ChannelData STUN Binding request → ChannelData STUN Binding success response
ChannelData (channel number: 0x4004, DATA: STUN Binding request with USE-CANDIDATE) → ChannelData STUN Binding success response
Step 4: Deciding what candidate pair to use
Aggressive nomination
• Controlling-Agent sends USE-CANDIDATE flag in every STUN Request
• Once a check succeeds, ICE processing is complete for that media stream
• Selected pair will be the highest-priority valid pair whose check succeeded.
• + Faster
• - Less flexibility
Step 4: Deciding what candidate pair to use
Aggressive nomination
[Diagram: TURN Client CMS 192.168.0.71:58952 – TURN Server 192.168.0.200:3478 / 173.38.154.85:24000 – Office 365 endpoint 192.168.1.30 behind 178.119.234.102:50010]
STUN Binding request with USE-CANDIDATE: :58952 → 192.168.1.30:50012
STUN Binding request with USE-CANDIDATE: → 178.119.234.102:50010
ChannelData to 192.168.0.200:3478, channel number: 0x4004, DATA: STUN Binding request with USE-CANDIDATE
Step 4: Deciding what candidate pair to use
Sending updated offer
Initial INVITE (CMS 192.168.0.71):
Content-Type: application/sdp
c=IN IP4 192.168.0.71
m=audio 30000 RTP/SAVP …
200 OK:
Content-Type: application/sdp
c=IN IP4 52.112.132.17
m=audio 59229 RTP/SAVP …
ICE connectivity checks
Updated INVITE (selected pair):
Content-Type: application/sdp
c=IN IP4 173.38.154.85
m=audio 24000 RTP/SAVP …
200 OK:
Content-Type: application/sdp
c=IN IP4 178.119.234.102
m=audio 50010 RTP/SAVP …
Recap
[Diagram: TURN Client – STUN – TURN Server; TURN Client – SIP – SIP Proxy; peer candidates]
1. Allocating candidates
2. Exchanging candidates (SDP)
3a. Creating permissions, creating channel bindings
3b. Connectivity checks (towards the peer candidates)
4. Updating signaling with chosen candidates (mid-call invite)
TURN TCP Allocations
• Everything covered so far: UDP allocations (TURN client – STUN over UDP / TCP / TLS – TURN server – UDP – peer)
• Some applications require a TCP connection with the peer to send/receive data (TURN client – STUN over TCP / TLS – TURN server – TCP – peer)
• RFC 6062: TURN Extensions for TCP Allocations
• Example: content sharing with Microsoft
TURN TCP Allocations
Allocate request
[Screenshot: Allocate request for a TCP allocation]
Offer / Answer
[Diagram: TURN Client CMS 192.168.0.71; TURN Server 173.38.154.85]
INVITE
Content-Type: application/sdp
c=IN IP4 192.168.0.71
m=applicationsharing 40463 TCP/RTP/AVP 127
TCP candidates:
a=candidate:1 1 TCP-PASS 2130706431 192.168.0.71 40463 typ host
a=candidate:1 2 TCP-PASS 2130706431 192.168.0.71 40463 typ host
a=candidate:3 1 TCP-PASS 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 34434
a=candidate:3 2 TCP-PASS 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 34434
TURN TCP Allocations
Receiving a connection
[Diagram: TURN Client CMS 192.168.0.71; TURN Server 192.168.0.200:3478 / 173.38.154.85:24000; peer 178.119.249.244:50058]
Control connection (192.168.0.71:34434 → :3478): the connection which was used to allocate the relay address 173.38.154.85:24000
Peer 178.119.249.244:50058 opens a connection to the relayed address :24000
ConnectionAttempt Indication (server → client): XOR-PEER-ADDRESS 178.119.249.244:50058, CONNECTION-ID: 0x002a
New TCP connection (192.168.0.71:34087 → :3478): the client data connection, one per peer candidate
ConnectionBind Request (client → server): CONNECTION-ID: 0x002a
ConnectionBind Success Response: CONNECTION-ID: 0x002a; this connection is now the client data connection for the peer, carrying the data
TURN TCP Allocations
Receiving a connection
[Screenshot: capture of the ConnectionAttempt / ConnectionBind exchange between TURN Client 192.168.0.71 and TURN Server 192.168.0.200 / 173.38.154.85]
TURN TCP Allocations
Initiating a connection
[Diagram: TURN Client CMS 192.168.0.71; TURN Server 192.168.0.200:3478 / 173.38.154.85:24000; peer 178.119.249.244:50058]
Control connection (192.168.0.71:34434 → :3478): the connection which was used to allocate the relay address 173.38.154.85:24000
ConnectionRequest (client → server): XOR-PEER-ADDRESS 178.119.249.244:50058
Server initiates an outgoing TCP connection from :24000 to 178.119.249.244:50058
ConnectionRequest Success Response: CONNECTION-ID: 0x002a
New TCP connection (192.168.0.71:34087 → :3478): the client data connection, one per peer candidate
ConnectionBind Request (client → server): CONNECTION-ID: 0x002a
ConnectionBind Success Response: CONNECTION-ID: 0x002a; this connection is now the client data connection for the peer, carrying the data
This was only the tip of the ICEberg
What we did not cover
• Sorting candidates
• Frozen candidates
• Lite implementation
• Refresh
• Peer reflexive candidates
• …
• ICE RFC
TURN & ICE in Cisco Collaboration

Solutions that support TURN & ICE
• Microsoft Interop
• WebRTC
• Cisco Meeting Application
• MRA (coming soon)
• Expressway and Collaboration Endpoints
• Jabber Guest
Microsoft Business To Business Calls
[Diagram: Endpoint – CUCM – Expr-C – Expr-E – Internet – MS; SIP signaling, STUN between CMS and Expr-E, RTP]
• CMS: TURN Client
• Expr-E: TURN Server
WebRTC
[Diagram: WebRTC Client – Internet – Expr-E – Expr-C – CMS; HTTPS, STUN, RTP]
• CMS: TURN Client
• WebRTC Client: TURN Client
• Expr-E: TURN Server
WebRTC
NAT reflection required when using static NAT *
* Server reflexive candidates are not taken into account
[Diagram: CMS 192.168.0.71; Expr-E 192.168.0.200 / 192.168.1.200, static NAT to 173.38.154.85; Internet; WebRTC Client 10.10.10.10]
Candidates of CMS: 192.168.0.71:36000, 173.38.154.85:24000
Candidates of the WebRTC client: 10.10.10.10:40000, 173.38.154.85:24010
Candidate pairs:
192.168.0.71:36000 ← → 10.10.10.10:40000
192.168.0.71:36000 ← → 173.38.154.85:24010
173.38.154.85:24000 ← → 10.10.10.10:40000
173.38.154.85:24000 ← → 173.38.154.85:24010 Working pair
WebRTC
NAT reflection required when using static NAT
[Diagram: CMS 192.168.0.71 and WebRTC Client 10.10.10.10 each reach Expr-E (192.168.0.200 / 192.168.1.200 / 173.38.154.85) on :3478; STUN|RTP is sent to the remote candidate 173.38.154.85:24000 and between the two relayed addresses :24000 and :24010; RTP to the WebRTC client over the Internet]
Enhancement to keep media local: CSCve37570
Selected pair:
173.38.154.85:24000 ← → 173.38.154.85:24010
Cisco Meeting Application
[Diagram: CMA Client – Internet – CMS Edge – CMS Core; XMPP, STUN, RTP]
• CallBridge (CMS Core): TURN Client
• CMA Client: TURN Client
• CMS Edge: TURN Server
Mobile and Remote Access (MRA)
Current behavior
[Diagram: MRA device – Internet – Expr-E – Expr-C – CUCM; SIP, RTP]
• Media is hairpinned on Expr-C
Mobile and Remote Access (MRA)
New behavior
[Diagram: MRA device – Internet – Expr-E – Expr-C – CUCM; SIP, RTP]
• MRA device: TURN Client
• Expr-E: TURN Server
• RTP stream can go direct if there is connectivity
Expressway-E as TURN Server
[Screenshot: Expressway-E TURN relay status pages; callouts: relayed transport address, client information, time to expiry, permissions (for each peer candidate), channels created, details on created permissions, details on created channels, counters]
Collaboration Solutions Analyzer
https://cs.co/csa