TURN-BPF is a personal development effort aiming to assess the feasibility
of using XDP programs to keep TURN channel traffic out of userspace, without
the need to modify the code of the TURN implementation itself. The programs
perform NAT (client <> TURN | relay <> peer), strip or add the TURN channel
tag, update the checksums, rewrite the MAC addresses and send the resulting
packets onto the wire via the egress interface selected by a FIB lookup.
The tool requires no configuration from the user except for the interface
name(s); it is meant to learn relay allocations and channel bindings by
capturing the corresponding control handshakes at the XDP/TC hooks on the
main network interface. To keep the channels alive in the userspace TURN
server, the tool uses a 'heartbeat' approach, letting a small fraction of
the data packets through to the network stack so that the server sees them.
The tool does not support IPv6, fragmentation, TCP and encrypted operation.
The use of VLAN tags, tunnels, as well as IPv4 options is also unsupported.
Although it aims to be aware of concurrency issues, this implementation may
still be lacking in many ways and is therefore knowingly considered unreliable.
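As an added example (not turn-bpf's own code, which this page does not show), the following plain C program demonstrates the ChannelData framing of RFC 8656 and the checksum work that stripping the 4-byte tag entails: it validates the channel number and length against the bytes actually present, removes the header, and updates the UDP checksum incrementally per RFC 1624 instead of re-summing the payload, which is also how an XDP program would do it via bpf_csum_diff(). It goes a little beyond the text above in tolerating the optional UDP padding and odd payload lengths. The addresses, ports and payload are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 8656 s.12.4 ChannelData: 2-byte channel number (0x4000..0x7FFF), 2-byte
 * length, then data. STUN messages start with 0x00/0x01, so byte 0 tells them apart. */
#define CHAN_HDR_LEN 4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Validate ChannelData carried over UDP. Returns the channel number (payload
 * starts at buf + 4, its length is stored in *dlen if non-NULL) or -1 if the
 * message is malformed, which a fast path must drop rather than relay. Over UDP
 * the padding to 4 bytes is optional, so up to 3 trailing bytes are tolerated. */
static int chan_data_parse(const uint8_t *buf, size_t len, size_t *dlen)
{
    if (len < CHAN_HDR_LEN) return -1;
    uint16_t c = rd16(buf), l = rd16(buf + 2);
    if (c < 0x4000 || c > 0x7FFF) return -1;
    if ((size_t)l > len - CHAN_HDR_LEN) return -1;      /* length overruns datagram */
    if (len - CHAN_HDR_LEN - l > 3) return -1;          /* more than padding left */
    if (dlen) *dlen = l;
    return c;
}

/* Ones'-complement sum helpers (same arithmetic as the kernel's csum_* family). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    for (; n > 1; p += 2, n -= 2) sum += rd16(p);
    return n ? sum + ((uint32_t)p[0] << 8) : sum;       /* odd trailing byte */
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Full UDP/IPv4 checksum over pseudo-header + UDP header (checksum field taken
 * as 0) + payload. A computed 0 is transmitted as 0xffff (RFC 768). */
static uint16_t udp_csum_full(uint32_t saddr, uint32_t daddr, const uint8_t *udp, size_t udplen)
{
    uint8_t ph[12] = { 0 };
    wr32(ph, saddr); wr32(ph + 4, daddr); ph[9] = 17; wr16(ph + 10, (uint16_t)udplen);
    uint32_t sum = csum_add(csum_add(0, ph, 12), udp, 6);  /* pseudo-header, ports, length */
    uint16_t c = csum_fold(csum_add(sum, udp + 8, udplen - 8));
    return c ? c : 0xffff;
}

/* Incremental update (RFC 1624: HC' = ~(~HC + ~m + m')) for removing the tag:
 * its two 16-bit words leave the sum, and the UDP length, summed twice (pseudo-
 * header and UDP header), shrinks by 4. XDP code does this with bpf_csum_diff(). */
static uint16_t udp_csum_strip_hdr(uint16_t old_csum, const uint8_t *hdr, uint16_t old_len)
{
    uint32_t sum = (uint16_t)~old_csum;
    sum += (uint16_t)~rd16(hdr) + (uint16_t)~rd16(hdr + 2);       /* removed words */
    sum += 2u * (uint16_t)~old_len + 2u * (uint16_t)(old_len - CHAN_HDR_LEN);
    uint16_t c = csum_fold(sum);
    return c ? c : 0xffff;
}

/* Strip the tag in place: payload moves down 4 bytes, UDP length and checksum
 * are updated. Returns the new UDP length, or 0 if this is not ChannelData. */
static size_t strip_in_place(uint8_t *udp, size_t len)
{
    if (len < 8 + CHAN_HDR_LEN || len != rd16(udp + 4)) return 0;
    if (chan_data_parse(udp + 8, len - 8, NULL) < 0) return 0;
    uint16_t old_csum = rd16(udp + 6);                   /* 0 means "no checksum": keep 0 */
    wr16(udp + 6, old_csum ? udp_csum_strip_hdr(old_csum, udp + 8, (uint16_t)len) : 0);
    memmove(udp + 8, udp + 8 + CHAN_HDR_LEN, len - 8 - CHAN_HDR_LEN);
    wr16(udp + 4, (uint16_t)(len - CHAN_HDR_LEN));
    return len - CHAN_HDR_LEN;
}

/* Constructed sample: client 192.0.2.1:49152 -> TURN 198.51.100.1:3478, channel
 * 0x4001 carrying the 5-byte payload "hello" (odd length, no padding). */
static const uint32_t SRC_IP = 0xC0000201u, DST_IP = 0xC6336401u;

static size_t build_sample(uint8_t *out)
{
    const size_t udplen = 8 + CHAN_HDR_LEN + 5;
    wr16(out, 49152); wr16(out + 2, 3478); wr16(out + 4, (uint16_t)udplen);
    wr16(out + 8, 0x4001); wr16(out + 10, 5); memcpy(out + 12, "hello", 5);
    wr16(out + 6, udp_csum_full(SRC_IP, DST_IP, out, udplen));
    return udplen;
}

/* Strip the sample, then check that the incremental checksum equals a full
 * recomputation over the stripped datagram. Returns 1 on agreement. */
static int demo_strip(void)
{
    uint8_t pkt[64]; size_t len = build_sample(pkt), nlen = strip_in_place(pkt, len);
    if (nlen != len - CHAN_HDR_LEN || rd16(pkt + 4) != nlen) return 0;
    if (memcmp(pkt + 8, "hello", 5) != 0) return 0;
    return rd16(pkt + 6) == udp_csum_full(SRC_IP, DST_IP, pkt, nlen);
}
```

Call demo_strip() from a main() to run it; a return of 1 means the incremental and full checksums agree. In the kernel the 4-byte shrink itself is done by moving the L2-L4 headers forward and calling bpf_xdp_adjust_head(), and the IPv4 header checksum needs the same kind of delta for its total-length field.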
This software was written independently as an educational proof-of-concept
during non-working hours in the author's home using only personal hardware.
It relies exclusively on publicly available technologies, seeks no financial
gain for the author and does not serve a commercial purpose.
It is provided 'as-is', without any express or implied warranty of fitness
for any particular purpose or operability in production-grade environments.
The idea of accelerating TURN (RFC 8656 [1]) using eBPF has been doing the
rounds for quite a while. For example, there has been a feature request in
the issue tracker of the 'coturn' project ([2]), and a research paper ([3])
describes efforts to accelerate TURN services along the same lines. To the
author's best knowledge, such efforts have relied on augmenting the userspace
code of the server with explicit snippets that manage the BPF maps.
A less invasive approach would be to attach uprobe/uretprobe programs to the
userspace functions that commit/retire channel bindings, but these functions
are typically inlined, leaving no symbol to attach to and making this flaky.
Hence this humble self-development project. It seeks to snoop on exchanges
like relay port allocation and channel binding in the unencrypted IPv4 UDP
mode in order to populate the fast-path maps and perform the XDP offload.
[1] https://datatracker.ietf.org/doc/html/rfc8656#name-detailed-example
[2] coturn/coturn#759 (comment)
[3] https://dl.acm.org/doi/10.1145/3609021.3609296
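To make the snooping step concrete, here is an added example in plain C (not turn-bpf's own code; how the project keys its maps is not shown on this page) of what a snooper has to extract from a ChannelBind request before it can install a fast-path entry: it walks the STUN attribute list (RFC 8489 format), checks every length against the bytes remaining, decodes CHANNEL-NUMBER and the IPv4 XOR-PEER-ADDRESS, and rejects truncated or tampered messages. The request, its transaction ID and the peer address are constructed for the demo; a real snooper would also act only once the server's success response for the same transaction has been seen, which this example omits.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define STUN_MAGIC            0x2112A442u
#define STUN_HDR_LEN          20
#define STUN_CHANNELBIND_REQ  0x0009   /* method 0x009, request class (RFC 8656 s.18.1) */
#define ATTR_CHANNEL_NUMBER   0x000C   /* RFC 8656 s.18.3 */
#define ATTR_XOR_PEER_ADDRESS 0x0012   /* RFC 8656 s.18.3 */

/* What a fast-path map entry for one channel needs to know (peer_ip in host order). */
struct chan_bind { uint16_t chan; uint32_t peer_ip; uint16_t peer_port; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse a ChannelBind request into *out. Returns 0 only when the header is sane
 * and both CHANNEL-NUMBER and an IPv4 XOR-PEER-ADDRESS are present and well-
 * formed, -1 otherwise. Every length is checked against the bytes that remain,
 * which is exactly what the verifier would force an XDP/TC version to do. */
static int parse_channel_bind(const uint8_t *buf, size_t len, struct chan_bind *out)
{
    if (len < STUN_HDR_LEN || rd16(buf) != STUN_CHANNELBIND_REQ) return -1;
    if (rd32(buf + 4) != STUN_MAGIC) return -1;
    size_t mlen = rd16(buf + 2);
    if (mlen % 4 || mlen > len - STUN_HDR_LEN) return -1;   /* RFC 8489: multiple of 4, fits */
    int have_chan = 0, have_peer = 0;
    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + mlen;
    while (off + 4 <= end) {
        uint16_t type = rd16(buf + off), alen = rd16(buf + off + 2);
        size_t padded = ((size_t)alen + 3) & ~(size_t)3;    /* values are padded to 4 */
        const uint8_t *v = buf + off + 4;
        if (padded > end - (off + 4)) return -1;            /* attribute overruns message */
        if (type == ATTR_CHANNEL_NUMBER && alen == 4) {
            uint16_t c = rd16(v);                            /* followed by 2 RFFU bytes */
            if (c < 0x4000 || c > 0x7FFF) return -1;
            out->chan = c; have_chan = 1;
        } else if (type == ATTR_XOR_PEER_ADDRESS && alen == 8 && v[1] == 0x01) {
            out->peer_port = rd16(v + 2) ^ (uint16_t)(STUN_MAGIC >> 16);  /* X-Port */
            out->peer_ip = rd32(v + 4) ^ STUN_MAGIC;                       /* X-Address */
            have_peer = 1;
        }
        /* anything else (e.g. MESSAGE-INTEGRITY, IPv6 peers) is skipped */
        off += 4 + padded;
    }
    return have_chan && have_peer ? 0 : -1;
}

/* Build a ChannelBind request (constructed for this demo: arbitrary transaction
 * ID, no MESSAGE-INTEGRITY). Returns the message length in bytes. */
static size_t build_channel_bind(uint8_t *out, uint16_t chan, uint32_t ip, uint16_t port)
{
    const uint8_t txid[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    uint8_t *a = out + STUN_HDR_LEN;
    wr16(out, STUN_CHANNELBIND_REQ); wr16(out + 2, 20); wr32(out + 4, STUN_MAGIC);
    memcpy(out + 8, txid, 12);
    wr16(a, ATTR_CHANNEL_NUMBER); wr16(a + 2, 4); wr16(a + 4, chan); wr16(a + 6, 0);
    a += 8;
    wr16(a, ATTR_XOR_PEER_ADDRESS); wr16(a + 2, 8); a[4] = 0; a[5] = 0x01;
    wr16(a + 6, port ^ (uint16_t)(STUN_MAGIC >> 16)); wr32(a + 8, ip ^ STUN_MAGIC);
    return STUN_HDR_LEN + 20;
}

/* Constructed exchange: the client binds channel 0x4001 to peer 192.0.2.2:5004. */
static int demo_snoop(struct chan_bind *out)
{
    uint8_t req[64];
    size_t n = build_channel_bind(req, 0x4001, 0xC0000202u, 5004);
    return parse_channel_bind(req, n, out);
}

/* Failure modes a snooper must survive: a truncated datagram and an attribute
 * length pointing past the end of the message. Returns 1 if both are rejected. */
static int demo_reject_malformed(void)
{
    uint8_t req[64]; struct chan_bind cb;
    size_t n = build_channel_bind(req, 0x4001, 0xC0000202u, 5004);
    int truncated = parse_channel_bind(req, n - 4, &cb);
    wr16(req + STUN_HDR_LEN + 2, 0x00ff);               /* tamper with CHANNEL-NUMBER length */
    int overrun = parse_channel_bind(req, n, &cb);
    return truncated == -1 && overrun == -1;
}
```

The same walk, minus the IPv4-only shortcut, applies to the Allocate success response (XOR-RELAYED-ADDRESS, attribute 0x0016) that tells the snooper which relay port belongs to which client 5-tuple; the project's TC hook would run this on packets leaving the server.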
# (lightly tested on Debian 13.2.0 Xfce LIVE)
sudo apt update
sudo apt install --no-install-recommends --yes cargo clang git libelf-dev pkg-config
git clone https://github.com/ivanmtech/turn-bpf
cd turn-bpf
cargo build
sudo ./target/debug/turn-bpf enp2s0f0
LinkedIn: https://am.linkedin.com/in/ivanmtech
Website: https://ivanmtech.com/
E-mail: ivanmtech@outlook.com