
SELECTING TURN FOR PRIVACY WITHOUT USER INTERVENTION

IP.com Disclosure Number: IPCOM000237639D
Publication Date: 2014-Jun-30
Document File: 5 page(s) / 145K

Publishing Venue

The IP.com Prior Art Database

Related People

Tirumaleswar Reddy: AUTHOR [+4]

Abstract

Techniques are presented herein for improved network security. Traversal Using Relays around Network Address Translation (NAT) (TURN) can be used to solve the privacy problem by not exposing the host/server-reflexive candidate addresses to the remote peer. Relayed candidates are advertised, and host/server-reflexive candidates are removed from the offer/answer by the network when there could be a privacy leakage problem. This gives the user an option to select privacy, which internally translates to advertising relayed candidates. The TURN server will rotate the relayed addresses frequently among the clients. If the TURN server is IPv6-aware, then it will use IPv6 privacy addresses for relayed addresses so that these addresses are frequently changed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 44% of the total text.

Page 01 of 5

SELECTING TURN FOR PRIVACY WITHOUT USER INTERVENTION

AUTHORS:

Tirumaleswar Reddy
Prashanth Patil
Dan Wing
Pal Martinsen

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    For most users, privacy over the Internet is fast becoming a desired requirement. For real-time communications, Traversal Using Relays around Network Address Translation (NAT) (TURN) can be used to solve the privacy problem by not exposing the host/server-reflexive candidate addresses to the remote peer. TURN is mandatory to implement for browsers (http://tools.ietf.org/html/draft-ietf-rtcweb-use-cases-and-requirements-06), and TURN messages can be exchanged over DTLS (http://tools.ietf.org/html/draft-petithuguenin-tram-turn-dtls-00) or TLS.

This idea solves the problem of prioritizing relayed candidates for privacy.

Copyright 2014 Cisco Systems, Inc.


    In Figure 1 above, an attacker (1, 2) could be doing pervasive monitoring. Unencrypted TURN message exchanges can expose metadata such as the username and the remote peer's IP address (sent in a CreatePermission request), resulting in privacy problems. Some of these privacy problems with TURN are discussed in (http://tools.ietf.org/html/draft-reddy-behave-turn-auth-04). One potential solution to this problem is to use Datagram Transport Layer Security/Transport Layer Security (DTLS/TLS) as the transport protocol between the TURN client and the TURN server.

    An enterprise network could leverage the services of a TURN server deployed in the cloud.

    This proposal solves the problem of prioritizing relayed candidates without user intervention to ensure privacy.

The process is as follows.

    1. A Software Defined Networking (SDN) controller deployed in the enterprise network would be aware of the network topology, endpoint IP addresses/location/identity details, etc. When a user initiates a call using a Session Initiation Protocol/Web Real-Time Communication (SIP/WebRTC) server, it would communicate with the SDN controller to find the endpoints' location. If both endpoints are in secure networks, then the SIP/WebRTC server will not change the priority of relayed candidates. A secure n...
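As an added worked example (not code from the disclosure, nor Cisco's implementation), the following Python sketches the policy point described in step 1: given the SDN controller's answer on whether both endpoints sit in secure networks, the SIP/WebRTC server either forwards the SDP offer unchanged or rewrites its ICE candidate lines so that relayed candidates carry the highest priority and host/server-reflexive candidates are dropped (or, optionally, demoted). The candidate syntax and the priority formula are those of RFC 8445; the function names, the constructed sample offer (RFC 5737 documentation addresses) and the use of 0.0.0.0 port 9 to mask the relay candidate's related address are this example's own assumptions, not something the disclosure specifies.

```python
"""Added example (not from the disclosure): rewrite ICE candidates in an SDP
offer so relayed (TURN) candidates are preferred, or are the only candidates
advertised, unless both endpoints are on networks the policy trusts."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# RFC 8445 sec. 5.1.2.1: priority = 2^24*type_pref + 2^8*local_pref + (256 - component_id)
# Recommended type preferences from RFC 8445 sec. 5.1.2.2.
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}
HIGHEST_TYPE_PREF = 126

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ "
    r"(?P<ctype>host|srflx|prflx|relay)(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
    r"(?P<ext>.*)$"
)


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    ctype: str
    raddr: Optional[str]
    rport: Optional[int]
    ext: str

    def to_sdp(self) -> str:
        related = f" raddr {self.raddr} rport {self.rport}" if self.raddr else ""
        return (f"a=candidate:{self.foundation} {self.component} {self.transport} "
                f"{self.priority} {self.address} {self.port} typ {self.ctype}{related}{self.ext}")


def ice_priority(type_pref: int, component: int, local_pref: int = 65535) -> int:
    """RFC 8445 candidate priority for a given type preference."""
    return (type_pref << 24) + (local_pref << 8) + (256 - component)


def parse_candidate(line: str) -> Optional[Candidate]:
    """Parse one a=candidate line; return None for any other SDP line."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    return Candidate(
        m["foundation"], int(m["component"]), m["transport"], int(m["priority"]),
        m["address"], int(m["port"]), m["ctype"], m["raddr"],
        int(m["rport"]) if m["rport"] else None, m["ext"],
    )


def apply_privacy_policy(sdp: str, both_endpoints_secure: bool, strip_direct: bool = True) -> str:
    """Return the SDP that the SIP/WebRTC server forwards to the remote peer.

    If both endpoints are in secure networks the offer is left untouched, as the
    disclosure describes. Otherwise relayed candidates are raised to the highest
    type preference so ICE tries them first, and host/server-reflexive candidates
    are removed (strip_direct=True) or demoted below the relays (strip_direct=False).
    """
    if both_endpoints_secure:
        return sdp
    out = []
    for line in sdp.splitlines():
        cand = parse_candidate(line)
        if cand is None:
            out.append(line)
            continue
        if cand.ctype == "relay":
            # The relay candidate's raddr is the client's server-reflexive address,
            # so it must be masked too or dropping the srflx line leaks it anyway.
            # 0.0.0.0 / port 9 is this example's placeholder for a masked related address.
            cand = replace(cand, priority=ice_priority(HIGHEST_TYPE_PREF, cand.component),
                           raddr="0.0.0.0", rport=9)
            out.append(cand.to_sdp())
        elif strip_direct:
            continue  # host / srflx / prflx reveal the endpoint's own addresses
        else:
            out.append(replace(cand, priority=ice_priority(0, cand.component)).to_sdp())
    return "\n".join(out)


def candidate_lines(sdp: str) -> List[Candidate]:
    """All candidates in an SDP blob, in the order they appear."""
    return [c for c in (parse_candidate(l) for l in sdp.splitlines()) if c]


# Constructed sample offer fragment; 10.0.1.5 is the host, 203.0.113.10 the
# server-reflexive address and 198.51.100.7 the TURN relay (all documentation ranges).
SAMPLE_SDP = "\n".join([
    "m=audio 50000 UDP/TLS/RTP/SAVPF 111",
    "a=candidate:1 1 UDP 2130706431 10.0.1.5 50000 typ host",
    "a=candidate:2 1 UDP 1694498815 203.0.113.10 50000 typ srflx raddr 10.0.1.5 rport 50000",
    "a=candidate:3 1 UDP 16777215 198.51.100.7 60000 typ relay raddr 203.0.113.10 rport 50000",
])

if __name__ == "__main__":
    print(apply_privacy_policy(SAMPLE_SDP, both_endpoints_secure=False))
```

The point worth checking in any such rewrite is the relay candidate's own `raddr`/`rport` fields: under RFC 8445 they carry the client's server-reflexive address, so filtering out the host and srflx lines while forwarding the relay line untouched still exposes the address the policy set out to hide.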