ATTENTION: This release introduces important changes to how TURN authentication and permissions are handled. These changes make the system more secure. This release maintains backwards compatibility. However, backwards compatibility will be removed in the next release. So, please plan accordingly.

TURN permission handling changes

By default, TURN will not relay traffic to private IPs. If you need to relay traffic to private IPs, please use allow_restricted_peer_cidrs which is explained in config-sample.yaml and replicated below.

#   # list of restricted peer CIDRs (loopback, link-local (unicast, multicast), multicast, private, unspecified) to allow access to.
#   # By default (i. e. empty list), all restricted peer CIDRs are denied access.
#   # When not empty, only the specified CIDRs are allowed access.
#   # Note that this check is applied to restricted peer CIDRs only.
#   allow_restricted_peer_cidrs:
#     - 10.0.0.0/8
#     - 192.168.0.0/16

That list can be paired with a deny list which takes precedence if there is an overlap.

#   # list of peer CIDRs to deny access to.
#   # This applies to all peer CIDRs, including restricted ones.
#   # Deny list takes precedence over allow list.
#   deny_peer_cidrs:
#     - 10.0.0.0/8
#     - 192.168.0.0/16

Relevant PRs: #4505

TURN authentication handling changes

TURN credentials now have a TTL (Time-To-Live) beyond which they are not valid to join a room. We recommend rotating your TURN authentication secrets to ensure older credentials are rendered stale and not usable.

#   # TTL of the TURN credentials in seconds - defaults to 300
#   ttl_seconds: 300

Please note that the TTL is always used in constructing the credentials. So, a value of 0 will create credentials that expire immediately.

Relevant PRs: #4505, #4515, #4524, #4526

Added

• add support for client capabilities (#4461)
• Additional data tracks logging (#4489)
• Add CloseWithReason to agent SignalConn interface (#4492)
• add agent environment (#4498)
• add duration seconds reporting (#4500)
• add helper to check for agent worker endpoint (#4503)
• test: verify upstream and downstream connection stats end-to-end (#4508)
• Add TURN permission handler. (#4505)
• allow setting agent job assignment url (#4512)
• Add expiry to TURN password. (#4505, #4515)
• add AssignmentHook to AssignJob; propagate websocket write errors (#4516)
• Apply room tags from JWT grant room configuration (#4518)
• feat: auto create rooms for tokens with the RoomCreate grant (#4320)
• Add integration test for TURN auth failures (#4524)
• Support SIP auth realm for inbound. (#4522)
• Apply ttl check only when authenticate allocation creating (#4526)

Changed

• feat(pion/ice): replace deprecated NAT1To1 with SetAddressRewriteRules (#4466)
• do not log data track stats if not started (#4468)
• Consolidate RTCP packets and do RTCP callback outside lock. (#4469)
• Keep a shadow copy of tracks for use by different stream allocator state (#4470)
• Avoid stream allocator event data cast to interface and back. (#4471)
• Convert sort.Slice -> slices.SortFunc (#4472)
• Turn off transceiver re-use on Safari. (#4474)
• reduce some heap use in packet path by (#4478)
• Close peer connection unconditionally to unblock set local/remote (#4485)
• Misc optimisations. (#4490)
• report all simulcast layers (#4491)
• Use mediatransportutil/codec package, no functional change (#4497)
• rename agent environment to deployment (#4506)
• Update protocol to support SIP media config. (#4509)
• update protocol for protojson (#4510)
• Populate data track loggers with context (#4514)
• Log large packets receive/send. (#4521)
• Log details of RTCP packets. (#4525)
• Create NACK tracker only once. (#4527)

Fixed

• fix: wrap IPv6 addresses in brackets in UDP TURN URLs (RFC 3986) (#4476)
• Legacy TrackInfo.Simulcast flag. (#4493)
• Fix publish-only limitations being incorrectly applied to receivers (#4495)
• Include reception reoprts in receiver report callback. (#4496)
• Fix sense check in DeltaInfo gathering (#4507)
• Fix SIP media config upgrade. (#4511)