From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mail.toke.dk; spf=pass (mailfrom) smtp.mailfrom=irif.fr (client-ip=2001:660:3301:8000::1:2; helo=korolev.univ-paris7.fr; envelope-from=jch@irif.fr; receiver=<UNKNOWN>)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2])
	by mail.toke.dk (Postfix) with ESMTPS id A7E557C6901
	for <galene@lists.galene.org>; Thu,  7 Jan 2021 14:27:51 +0100 (CET)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253])
	by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 107DRls8002482;
	Thu, 7 Jan 2021 14:27:47 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1])
	by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 09F9BE0251;
	Thu,  7 Jan 2021 14:27:47 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1])
	by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023)
	with ESMTP id 0n0jJvSZtV7x; Thu,  7 Jan 2021 14:27:45 +0100 (CET)
Received: from pirx.irif.fr (unknown [78.194.40.74])
	(Authenticated sender: jch)
	by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 9F41DE024F;
	Thu,  7 Jan 2021 14:27:44 +0100 (CET)
Date: Thu, 07 Jan 2021 14:27:44 +0100
Message-ID: <87ble0dghb.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Michael =?ISO-8859-1?Q?Str=F6der?= <michael@stroeder.com>
In-Reply-To: <43734076-b64d-a4ad-bd44-2e3266aa8d07@stroeder.com>
References: <1082cfcde178ddb72b51bcd03ee6770a@kn1ght.org>
	<87zh1zt6ip.wl-jch@irif.fr>
	<87y2hjt5fx.wl-jch@irif.fr>
	<87y2hjxa64.fsf@toke.dk>
	<87r1nau8v0.wl-jch@irif.fr>
	<87sg7qyaj2.fsf@toke.dk>
	<87a6tx7olm.wl-jch@irif.fr>
	<8735zpya4m.fsf@toke.dk>
	<87r1n4uv0r.wl-jch@irif.fr>
	<43734076-b64d-a4ad-bd44-2e3266aa8d07@stroeder.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.1 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=ISO-8859-1
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Thu, 07 Jan 2021 14:27:47 +0100 (CET)
X-Miltered: at korolev with ID 5FF70C53.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5FF70C53.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5FF70C53.001 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: IAHT43C73MRNP3JHQMTP3OHIAGLNGXEL
X-Message-ID-Hash: IAHT43C73MRNP3JHQMTP3OHIAGLNGXEL
X-MailFrom: jch@irif.fr
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header
CC: galene@lists.galene.org
X-Mailman-Version: 3.3.2
Precedence: list
Subject: [Galene] Re: coturn config
List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?= <galene.lists.galene.org>
Archived-At: <https://lists.galene.org/galene/87ble0dghb.wl-jch@irif.fr/>
List-Archive: <https://lists.galene.org/galene/>
List-Help: <mailto:galene-request@lists.galene.org?subject=help>
List-Post: <mailto:galene@lists.galene.org>
List-Subscribe: <mailto:galene-join@lists.galene.org>
List-Unsubscribe: <mailto:galene-leave@lists.galene.org>

> I'm already using this (with git revision d2f7010) since 2+ days. No
> issues so far.

Excellent.

> How to ensure that it survived key rotation?

Keep Gal=E8ne running for more than 24h after the initial key is generate=
d
(which happens the first time a client joins).  If the group is still
accessible, then key rotation was successful.

I've got unit tests for key rotation, but not for key rotation.  See
ice/ice_test.go.

> Does key rotation affect existing TURN sessions?

No.  It doesn't even affect existing client sessions, you need to leave
the group and re-join in order to get a new key.  The protocol supports
rotating a joined client's keys, but doing that properly would require
maintaining key age for each client, so I didn't bother for now.

A new key is generated every 2 to 5 minutes, and it has a validity of 24h=
,
so you'll only run into the issue if you remain connected for (24h - 5min=
).

In case anyone wants to hack on it, here's what's needed:

  - maintain credential age somewhere in the client structure;
  - at the right time, launch a goroutine to send
    { type: "join", kind: "changed"} to all clients nearing expiration;
  - for extra credit, trigger an ICE restart for all streams to and from
    affected clients so that existing streams pick up the new TURN
    credentials; not sure if that's better done in the client or in the
    server (either side can trigger a restart).

> Maybe some logging would be good.

Yeah.

-- Juliusz