TURN for webRTC
Dr. Alex Gouaillard, CTO, Temasys Communications, Singapore | Mountain View
(presentation transcript)
webRTC – default
For connection, NAT and firewall traversal, webRTC supports ICE/STUN/TURN, BUT webRTC does NOT include the server code.
Statistics show that around 15% of calls need to be relayed in the general case, and more in enterprise environments.
apprtc – the reference implementation by Google
Apprtc lets you pass a TURN server address and password in the URL, with the ts and tp parameters respectively.
Note: the username needs to be included in ts; the password goes in tp (e.g. &tp=mypassword).
It is passed as a configuration to the PeerConnection API, and webrtc handles communication with the TURN server.
How to make it better
Dynamic credentials – credentials are created on demand by the webserver and provided to the webapp.
Time-limited credentials – a credential can only be used to connect for a certain amount of time.
This is done using a shared secret between the webserver and the TURN server, and by inserting a timestamp in the TURN username.
How to make it better: use a shared secret so that no plain-text password is provided
(Diagram: WS = webserver, TS = TURN server, App = webapp)
0. Both webserver and TURN server are configured with a static shared secret. The TURN server is configured with a time limit.
1. User connects to a webpage.
2. Webserver computes a temp username: _ and the password base64(hmac-sha1(shared_secret, username)).
3. Webserver serves a page to the user which includes the TURN credentials.
4. Webrtc takes care of the connection with TURN.
5. The TURN server extracts the timestamp and checks that the credential has not expired. It computes a password using the shared secret and checks it against the password provided by the user.
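Both halves of the flow above (step 2 on the webserver, step 5 on the TURN server), as an added Python example that is not part of the presentation. It assumes a username of the form "<expiry-timestamp>:<user-id>" (the slide only says a timestamp is inserted into the username) and a constructed shared secret.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for this example; a real deployment keeps the secret in
# configuration shared only by the webserver and the TURN server (step 0).
SHARED_SECRET = b"example-shared-secret-not-for-production"
CREDENTIAL_LIFETIME = 3600  # seconds a freshly issued credential stays valid


def turn_password(secret: bytes, username: str) -> str:
    """password = base64(hmac-sha1(shared_secret, username)), as on the slide."""
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_credentials(user_id: str, secret: bytes = SHARED_SECRET,
                     lifetime: int = CREDENTIAL_LIFETIME,
                     now: Optional[int] = None) -> dict:
    """Webserver side (step 2): time-limited username plus derived password.

    Assumed username layout "<expiry>:<user-id>"; the expiry is absolute so
    the TURN server needs no state beyond the shared secret.
    """
    now = int(time.time()) if now is None else now
    username = f"{now + lifetime}:{user_id}"
    return {"username": username, "credential": turn_password(secret, username)}


def verify_credentials(username: str, password: str,
                       secret: bytes = SHARED_SECRET,
                       now: Optional[int] = None) -> bool:
    """TURN server side (step 5): reject malformed, expired or forged credentials."""
    now = int(time.time()) if now is None else now
    expiry_str, sep, _user_id = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # username does not carry a timestamp
    if int(expiry_str) < now:
        return False  # credential expired: time limit enforced here
    expected = turn_password(secret, username)
    # Constant-time comparison so a forged password leaks nothing via timing.
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    creds = make_credentials("alice")
    print(creds)
    print(verify_credentials(creds["username"], creds["credential"]))
```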
Limitations
- Static shared secret (hacking target)
- Single TURN server with its address hardcoded in the webserver (hacking target, and no load balancing)
Static to dynamic shared secret
For higher security, shared secrets are stored in a DB and can be accessed by external apps. You can revoke shared secrets, add new shared secrets, and so on.
In our case, the webserver and the TURN server need to be synchronized when this happens.
Load balancing by CEOD
Pools of TURN servers depending on location. Each TURN server reports its load and shared secret. Each pool has an active TURN server accepting users.
On user request, the webserver fetches the active TURN server in the same area as the user, computes credentials and embeds them in the webpage served to the user.
How to make it better: CEOD load balancing
(Diagram: WS, App, TS pools for Asia, EU, USA, …, one active TS per pool; user in Asia)
1. TURN servers always report.
2. Choose pool depending on location, compute credentials.
3–5. (remaining arrows in the diagram)
How to make it better: CEOD load balancing, the apprtc way
(Diagram: apprtc WS, CEOD, App, TS pools for Asia, EU, USA, …, one active TS per pool; user in Asia)
1. TURN servers always report (http).
2. apprtc WS gives the CEOD URL (and key …).
4. Ajax.
5. Choose pool depending on location, compute credentials.
6. (final arrow in the diagram)