Presentation on theme: "TURN for webRTC Dr. Alex Gouaillard CTO, temasys Communications Singapore | Mountain view."— Presentation transcript:
1TURN for webRTCDr. Alex Gouaillard CTO, temasys Communications Singapore | Mountain view
2webRTC – defaultFor connection, NAT and firewall traversal, webRTC supports ICE/STUN/TURNBUT webRTC does NOT include the server/codeStatistics show that around 15% of the call need to be relayed in general case, and more in enterprise environement
3apprtc - the reference implementation by google Apprtc let you pass a turn server address and password by URL with ts and tp respectivelyNote: the username needs to be included in tsIt is passed as a configuration ot the PeerConnection API and webrtc handles communication with the turn server
5How to make it better Dynamic credential Time limited credentials Credential are created on demand by the webserver and provided to the webappTime limited credentialsCredential can only be used to connect a certain amount of timeThis is done using a shared secret between the webserver and the turn server, and by inserting a timestamp in the turn username
6How to make it better use shared secret to not provide plain text password 2. WebServer computes a temp username: <user>_<timestamp> and the password base64(hmac-sha1(shared_secret, username)WS3. Webserver serves a page to the user which includes the TURN credentials5. The TURN server extract the timestamps and checks that the credential did not expire. It computes a password using the shared secret, and check against the password provided by the user.1. User connects to a webpage4. Webrtc takes care of the connection with TURNAppTS0. Both webserver and Turn Server are configured with a static shared secret. Turn server is configured with a time limit.
7limitations Static shared secret (hacking target) Single TURN server with address hardcoded in the web server (hacking target and no load balancing)
8Static to Dynamic Shared secret For higher security, shared secrets are stored in a DB, and can be accessed by external apps.You can revoke shared secrets, add new shared secrets and so onIn our case, webserver and turn server need to be synchronized when this happen.
9Load balancing by CEOD Pools of turn servers depending on location Each turn server report load and shared secretEach pool as an active turn server accepting usersOn user request, the webserver fetch the active turn server in the same area as the user, compute credential and embed it in the webpage served to the user.
10How to make it better COED load balancing 2. Choose pool depending on location, Compute credentialsAsiaTS5WSAlways reportActive4EU3TS1ActiveAppUSATSTS…In asiaActive
11How to make it better CEOD load balancing, the apprtc way 5. Choose pool depending on location, Compute credentialsAsiaTS52. Gives CEOD URL (and key …)WS COEDAlways reportActiveWS apprtc7EU4. Ajax6TS31 httpActiveAppUSATSTS…In asiaActive