RFC 5766, "Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)", April 2010Source of RFC: behave (tsv)
Errata ID: 4933
Publication Format(s) : TEXT
Reported By: shakeeb
Date Reported: 2017-02-15
Rejected by: Magnus Westerlund
Date Rejected: 2020-02-17
Section 17.3.3 says:
An attacker might attempt to disrupt service to other users of the TURN server by sending Refresh requests or CreatePermission requests that (through source address spoofing) appear to be coming from another user of the TURN server. TURN prevents this by requiring that the credentials used in CreatePermission, Refresh, and ChannelBind messages match those used to create the initial allocation. Thus, the fake requests from the attacker will be rejected.
When using short-term, credentials expire after a specific amount of time (such as 5
minutes) and clients get new credentials. The restriction imposed at section 17.3.3
prevents from refreshing allocation or permission using the new credentials.
This RFC approves RFC 5389. So one can use short-term credentials. But short-term credentials are useless if it can not be used to refresh allocation or permission.
The goal of 17.3.3 can be achieved by sending 438 with the new nonce.
So TURN does not actually specify the usage of short-term credentials. It mandates support of long-term credentials as authentication mechanism. Also RFC 7635 (STUN for Third party Authorization) specifies how to handle expire of the access token. This is clearer in the replacement of RFC 5766 that will soon be published that specifies the following in Section 7.2:
the request is authenticated, the authentication MUST be done
either using the long-term credential mechanism of
[I-D.ietf-tram-stunbis] or the STUN Extension for Third-Party
Authorization [RFC7635] unless the client and server agree to
use another mechanism through some procedure outside the scope
of this document.