RFC 8656 - Traversal Using Relays around NAT (TURN)
Relay protocol for NAT traversal when direct connection fails
What is TURN?
Traversal Using Relays around NAT (TURN) is a protocol that allows a host behind a NAT or firewall to receive incoming data over TCP or UDP connections. TURN provides a relay service when direct peer-to-peer connection is not possible due to restrictive NATs or firewalls.
Key Functions
Relay Allocation
Allocates a relay address on the TURN server for the client.
Permission Management
Controls which external peers can send data through the relay.
Channel Binding
Reduces per-packet relay overhead by addressing a peer through a short channel number instead of full Send/Data indication headers.
Data Relay
Forwards data between the client and external peers.
TURN Operation Flow
- Allocate Request: Client requests a relay address from TURN server
- Allocate Response: Server provides relay address and lifetime
- Create Permission: Client authorizes specific peers to send data
- Channel Bind: Optional optimization for frequent communication
- Data Relay: Server forwards data between client and peers
- Refresh: Client extends allocation lifetime as needed
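The Allocate step of the flow above, as an added Python example that is not part of RFC 8656 or of any TURN implementation: it builds an Allocate request carrying long-term credentials (USERNAME, REALM, NONCE, MESSAGE-INTEGRITY) and shows the server-side check that rejects a request whose HMAC does not match the stored password. The usernames, realm, nonce and passwords used with it are constructed values; OpaqueString preparation of the password is omitted.

```python
import hashlib, hmac, os, struct
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003        # method 0x003 (Allocate), class "request"
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008
ATTR_REALM, ATTR_NONCE, ATTR_REQUESTED_TRANSPORT = 0x0014, 0x0015, 0x0019
UDP = 17                         # protocol number carried in REQUESTED-TRANSPORT

def long_term_key(username, realm, password):
    # Long-term credential key MD5(username ":" realm ":" password); OpaqueString prep omitted
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def attr(atype, value):
    # STUN TLV: 16-bit type, 16-bit unpadded length, value padded to a 4-byte boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

def build_allocate(username, realm, nonce, password, txid=None):
    # Authenticated Allocate request for a UDP relay (the retry after the server's 401 challenge)
    txid = txid or os.urandom(12)
    body = (attr(ATTR_REQUESTED_TRANSPORT, bytes([UDP, 0, 0, 0]))
            + attr(ATTR_USERNAME, username.encode())
            + attr(ATTR_REALM, realm.encode())
            + attr(ATTR_NONCE, nonce.encode()))
    # The HMAC covers a header whose length field already counts the 24-byte MI attribute
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(long_term_key(username, realm, password), header + body, hashlib.sha1).digest()
    return header + body + attr(ATTR_MESSAGE_INTEGRITY, mac)

def parse_attrs(msg):
    # {attribute type: (offset of the attribute, unpadded value)} for everything after the header
    attrs, pos = {}, 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[atype] = (pos, msg[pos + 4:pos + 4 + alen])
        pos += 4 + alen + (-alen % 4)
    return attrs

def verify_allocate(msg, lookup_password):
    # Server-side check: recompute the HMAC over everything that precedes MESSAGE-INTEGRITY
    if len(msg) < 20 or struct.unpack("!I", msg[4:8])[0] != MAGIC_COOKIE:
        return False
    attrs = parse_attrs(msg)
    try:
        user, realm = attrs[ATTR_USERNAME][1].decode(), attrs[ATTR_REALM][1].decode()
        mi_pos, mac = attrs[ATTR_MESSAGE_INTEGRITY]
    except (KeyError, UnicodeDecodeError):
        return False                 # a real server answers 400 Bad Request or 401 Unauthorized
    password = lookup_password(user)
    if password is None or len(mac) != 20:
        return False
    hdr = msg[:2] + struct.pack("!H", mi_pos + 24 - 20) + msg[4:20]  # length as the client set it
    expected = hmac.new(long_term_key(user, realm, password), hdr + msg[20:mi_pos], hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)
```

build_allocate("alice", "example.org", "nonce123", "s3cret") yields a request that verify_allocate accepts only when the password looked up for "alice" is "s3cret"; any change to a covered byte or to the MAC itself is rejected.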
Supported Transports
UDP Relay
Most common - relays UDP packets between client and peers.
TCP Relay
Relays TCP connections for applications requiring reliable transport.
TLS Relay
The client connects to the TURN server over TLS so that the client-to-server leg of the relay is encrypted.
Security Features
- Authentication: Username/password or token-based authentication
- Authorization: Permission-based access control for peers
- Allocation Quotas: Limits on number and duration of allocations
- Bandwidth Limiting: Rate limiting to prevent abuse
- Secure Transport: TLS/DTLS for control channel encryption
When TURN is Needed
- Symmetric NATs: When ICE hole punching fails
- Corporate Firewalls: Restrictive enterprise network policies
- Mobile Networks: Carrier-grade NATs and firewalls
- WebRTC Fallback: Ensures connectivity when direct connection fails
- Gaming: Guaranteed connectivity for multiplayer games
- IoT Devices: Devices behind restrictive NATs