Feature request: allow restricting accessible IPs

[DavidSchinazi]

From Benjamin Schwartz on the list and also Peter Thatcher on the list:

TURN has a concept of "permissions" (see RFC 5576 Sections 2.3 and 8) which is kind of like a whitelist of remote IPs that are allowed to send through the proxy to the local client. This was designed to prevent a client from using a TURN server to acts as a server (the intention was to only use TURN as a mechanism for p2p connections). If the intention of draft-schinazi-connect-udp-listen-01 is to allow for a local client to act as a server and allow arbitrary remote clients to connect to it, then you don't need such a mechanism. But if that's not the intention, you'll need something like TURN permissions to prevent it.

[asingh-g]

I think it makes sense to allow all connections through by default, i.e. let it work as a server and expose the client to any targets when CONNECT-UDP is in listener mode.

Besides, if people deem that permissions need to be built, it could be done through a separate extension.

[marten-seemann]

If you want to address this in this draft, you could add a "whitelist" and "blacklist" to the request. These fields would be mutually exclusive, and would contain a list of IP addresses (and ports, maybe?).

That said, I don't have use case for either of them, so I'd be fine with punting it to a future extension.

[DavidSchinazi]

I agree, we don't have a use case for these permissions either. Since it would be straightforward to build this as a future extension, I'm inclined to not incorporate the feature.

[asingh-g]

Tommy's idea of adding the option to block uncompressed connections may be sufficient to do this, see my latest update to the PR