What is 'realm' in TURN server?
I want to host a TURN server for my WebRTC project, but I don't know what the 'realm' attribute does. I've looked at coturn and pion and they both seem to require me to enter this. Can someone explain what it is?

Rufous answered 20/5, 2019 at 19:50 Comment(0)

It is a "key" to access a group of addresses that have a common "owner". It is an isolating measure: a TURN server can have one "default realm" or more "named realms" in its database. Any realm has its own users, and each of them has a proper login/password pair to identify access and working sessions. Of course, computers which made a login into a "named realm" are virtually "invisible" to others which belong to another realm. If you simply log in to the "default realm", where all users use the same login/password (typically with "public" TURN servers), your machine can be reached by all computers in an easy way, also from unknown machines; for this reason the "realm" was a useful thing to have.

... and that is all .. :)

Precincts answered 3/6, 2019 at 15:2 Comment(3)
When I tested, the realm entered in the TURN server config file did not prevent the TURN server from being used by another website that is not mentioned in the realm; is that normal? Is there no way to improve the security of the TURN server so it can only be used with WebRTC from a specific domain name? Update: the best solution I have found so far is to use temporary TURN credentials with HMAC (#35766882), but it would be great if we could filter the origin in case a temporary credential is used on another website. – Nicholasnichole
I still don't understand what a realm is. In the configuration file, it states that the realm name has no effect on functionality. What is the address exactly? Who is allowed to make requests? Is it just for logging? – Tavarez
I am no expert, but this part of the coturn turnserver.conf file:
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=0.0.0.0
 #listening-ip=10.207.21.238
 #listening-ip=2607:f0d0:1002:51::4
seems to indicate to me that you can set it up to only listen on specific IP addresses. That should help you increase your security; please let me know if I'm wrong. – Douglass

The Realm attribute is specified in [Traversal Using Relay NAT (TURN) draft-rosenberg-midcom-turn-08] section 9.2.9. The value of the Realm attribute SHOULD be the domain name of the provider of the TURN server. This protocol uses the attribute in the digest challenge extension specified in section 3.1.12. If the protocol client includes this attribute, the TURN server SHOULD use the specified Realm value in the digest challenge extension. If the protocol client does not include this attribute in the request message, the TURN server uses a default Realm value. The TURN server MUST include this attribute in the associated response, and the Realm value MUST be the value that the TURN server used in the digest challenge extension.

9.2.9 REALM
 The REALM attribute is present in Shared Secret Requests and Shared
 Secret Responses. It contains text which meets the grammar for
 "realm" as described in RFC 3261, and will thus contain a quoted
 string (including the quotes).

Reference: RFC3261

Searles answered 17/9, 2020 at 2:31 Comment(0)
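Worked example, added here and not taken from any answer or comment in the thread, showing the two places the realm and the HMAC credentials from the comments actually matter on the wire. It follows the long-term credential mechanism of RFC 5389 (the successor of the draft quoted above): the key is MD5(username ":" realm ":" password), and MESSAGE-INTEGRITY is HMAC-SHA1 with that key over the STUN message. It also derives the time-limited credentials mentioned in the first answer's comments (the "expiry:user" / base64(HMAC-SHA1(secret, username)) format of the TURN REST API draft, which coturn implements behind use-auth-secret / static-auth-secret). The realm, shared secret, nonce and transaction id are constructed values; a real client gets REALM and NONCE from the server's 401 response.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed sample values (not from the original thread).
REALM = "turn.example.org"
SHARED_SECRET = b"constructed-shared-secret"  # stands in for coturn's static-auth-secret

STUN_MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY, ATTR_REALM, ATTR_NONCE = 0x0006, 0x0008, 0x0014, 0x0015


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """RFC 5389 section 15.4: key = MD5(username ":" realm ":" password).
    The realm is mixed into the key, so the same username/password presented
    to a server in another realm yields a different key and fails MESSAGE-INTEGRITY."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def issue_ephemeral_credential(user_id: str, secret: bytes, ttl_seconds: int, now=None):
    """TURN REST API style credential: username = "<expiry unix time>:<user id>",
    password = base64(HMAC-SHA1(secret, username)). Only the issuing service and
    the TURN server know `secret`; the client never does."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl_seconds}:{user_id}"
    password = base64.b64encode(hmac.new(secret, username.encode(), hashlib.sha1).digest()).decode()
    return username, password


def verify_ephemeral_credential(username: str, password: str, secret: bytes, now=None) -> bool:
    """Server-side check: reject expired usernames, then recompute the HMAC from the
    server's own secret and compare in constant time."""
    now = int(time.time()) if now is None else now
    expiry, _, _ = username.partition(":")
    if not expiry.isdigit() or int(expiry) < now:
        return False
    expected = base64.b64encode(hmac.new(secret, username.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, password)


def _attr(attr_type: int, value: bytes) -> bytes:
    # STUN attributes are TLV, with the value padded to a 4-byte boundary.
    pad = (-len(value)) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def build_allocate_request(username: str, realm: str, nonce: bytes, key: bytes, transaction_id: bytes) -> bytes:
    """Allocate request carrying USERNAME, REALM, NONCE and MESSAGE-INTEGRITY.
    Per RFC 5389 the header length already counts the 24-byte MESSAGE-INTEGRITY
    attribute when the HMAC is computed over everything that precedes it."""
    body = _attr(ATTR_USERNAME, username.encode()) + _attr(ATTR_REALM, realm.encode()) + _attr(ATTR_NONCE, nonce)
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(body) + 24, STUN_MAGIC_COOKIE) + transaction_id
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def check_message_integrity(msg: bytes, key: bytes) -> bool:
    """What the TURN server does with the key it derived for its own realm:
    recompute HMAC-SHA1 over the bytes before MESSAGE-INTEGRITY and compare."""
    covered, mi = msg[:-24], msg[-24:]  # MESSAGE-INTEGRITY is the last attribute here
    attr_type, attr_len = struct.unpack("!HH", mi[:4])
    if attr_type != ATTR_MESSAGE_INTEGRITY or attr_len != 20:
        return False
    return hmac.compare_digest(hmac.new(key, covered, hashlib.sha1).digest(), mi[4:])


def demo():
    """Issue a 1-hour credential, sign an Allocate with the realm-scoped key, and show
    that a server in a different realm derives a different key and rejects it."""
    username, password = issue_ephemeral_credential("alice", SHARED_SECRET, 3600, now=1_700_000_000)
    key = long_term_key(username, REALM, password)
    request = build_allocate_request(username, REALM, os.urandom(16), key, os.urandom(12))
    other_realm_key = long_term_key(username, "other.example.net", password)
    return check_message_integrity(request, key), check_message_integrity(request, other_realm_key)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second `False` is the concrete answer to "what does the realm do": it is an input to the credential key, so a server only accepts messages signed with the key for its own realm. It is not an origin filter, which is why the comment above observed that another website could still use the server with valid credentials; the expiry check in `verify_ephemeral_credential` is what limits that exposure in time.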

© 2022 - 2024 — McMap. All rights reserved.