Re: [hybi] Working over existing firewalls and proxies
Mario Balibrera <mario.balibrera@gmail.com> Tue, 14 April 2009 17:17 UTC
Return-Path: <mario.balibrera@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E2B5E3A6E33 for <hybi@core3.amsl.com>; Tue, 14 Apr 2009 10:17:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.298
X-Spam-Level:
X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_22=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AP41sqRUGYFO for <hybi@core3.amsl.com>; Tue, 14 Apr 2009 10:17:16 -0700 (PDT)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.230]) by core3.amsl.com (Postfix) with ESMTP id 90C8B3A68B0 for <hybi@ietf.org>; Tue, 14 Apr 2009 10:17:16 -0700 (PDT)
Received: by rv-out-0506.google.com with SMTP id k40so2318636rvb.49 for <hybi@ietf.org>; Tue, 14 Apr 2009 10:18:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=zDoqcId754JiQi9eW7wQPT1S6m8+ZpwvXCTyZ94TsHY=; b=uyWTWXZ84f3gaEcaslQ02rfCLPaekkz946upoSMdrJVAt0XQegS+HG9FQXKxPhyZg4 jkLwT2R1OrIgUIuYuFhGQwnwatb0TzSCoa+lLG0FelERC3ixVNNUakhPvNRl+wcuxyux 7XbHIPukk8o+z2uUeIxGS6OWIKUXzx6XxcCfo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=m18WhZulHSZdPpSsJShPtqhNO2c00P7FLEQv3cH62uhYfWKrX7H3KyPi0g1Ao2AeSs uB8+phbMtp43+PhUrtz1qGF8ODj8EfggE0SWn4YdRPSIVqPhHQNZOlU90EBjEJTjINhP qalacqsinCMoteFg0EMaihQ0uuVle0AelRZOM=
MIME-Version: 1.0
Received: by 10.114.181.6 with SMTP id d6mr3793420waf.8.1239729505460; Tue, 14 Apr 2009 10:18:25 -0700 (PDT)
In-Reply-To: <20090414153243.GD26621@shareable.org>
References: <49E3D363.8030803@mozilla.com> <49E3D937.5020009@webtide.com> <20090414153243.GD26621@shareable.org>
Date: Tue, 14 Apr 2009 10:18:25 -0700
Message-ID: <79ea848f0904141018j59659f21n82944f3723409991@mail.gmail.com>
From: Mario Balibrera <mario.balibrera@gmail.com>
To: Jamie Lokier <jamie@shareable.org>
Content-Type: multipart/alternative; boundary="00163646d987ca62ae0467870499"
Cc: hybi@ietf.org
Subject: Re: [hybi] Working over existing firewalls and proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2009 17:17:18 -0000
- Can you make it tunnel over HTTP when needed? - How easily? - What are the problems and other issues when doing that? Currently, js.io works that way with WebSocket. If there is a native browser implementation available (none yet, obviousy), it uses that to connect directly to the targeted WS server. Otherwise, it speaks WebSocket protocol on top of a TCPConnection object (from Orbited, APE, or any other project imported into the global scope that implements the API), which connects to its own TCP proxy that in turn connects to the WebSocket server. Easy Peasy. It would be trivial to add a graceful fallback mechanism, so that it tries the native WebSocket (as soon as we get one...) and in case of timeout or immediate connection closure, falls back to HTTP tunneling. Mario Balibrera On Tue, Apr 14, 2009 at 8:32 AM, Jamie Lokier <jamie@shareable.org> wrote: > Greg Wilkins wrote: > > For example, XMPP has great market share - except when it comes to > > webchat - where there are now a plethora of alternative protocols > > for chat - all trying to work out there own way to tunnel through > > firewalls/gateways and get into the browser DOM. > > > > But fundamentally the issue we face is not *what* protocol to use, > > but how to get it through the internet and into the browser DOM. > > I foresee WebSocket in its current form will hit the same problem. > How to get past firewalls and transparent HTTP proxies. > > So will any other proposal, including rHTTP and mine for > bidirectional/async HTTP. > > "The problem of firewalls and transparent proxies in the existing > infrastructure" is an important topic to address and I think it > deserves analysis _independent_ of API and low-level protocol. > > Here are a few things to consider: > > Corporate firewalls sometimes block all TCP connections, > except for port 80 and 443. > > Some firewalls sniff HTTP URLs, HTTP headers and even the content > (e.g. checking for viruses), and block based on those. > > Transparent HTTP proxies and proxy-caches on port 80 are common > both in corporate settings and home internet connections. Maybe > not the majority of connections (I have no figures), but enough to > matter. > > Explicit HTTP proxies which pass HTTP CONNECT requests often > limit that to port 443. > > I would be surprised if any widely deployed HTTP proxies, explicit > or transparent, currently work with HTTP UPGRADE. > > The Bayeaux people seem to have decided that long-GET is more > reliable than slow-streaming-GET, because some HTTP proxies don't > forward any of the response until they have received the whole > response. (Is that right?) > > Any apparently-binary protocol which is opaque to intermediate > firewalls/proxies is likely to be blocked at many sites who are > currently able to use protocols which tunnel over HTTP. I suspect > blanket blocking is more likely when there's no distinguishing > metadata in the protocol for a firewall to match on. > > > But I think there will only be 1 opportunity this decade to make > > significant changes to the firewalls/gateways of the internet. > > If that is true, then is websocket the best change to make? > > I think there is 0 opportunity to change the whole internet quickly. > > We need to at least _talk about_ whether we care about a new protocol > interoperating with the existing firewalls/gateways, and if we want to > provide an upgrade path to help those work with new protocols better. > > Issues for specific protocols to consider which might be of concern: > > - Can you make it tunnel over HTTP when needed? > - How easily? > - What are the problems and other issues when doing that? > > It's always possible to tunnel over HTTP, because you can tunnel TCP > over HTTP, even without CONNECT or UPGRADE), but for some protocols > it's a poor fit (TCP!), and some fit tunnelling relatively well. Some > are even reasonable candidates for firewalls to filter selectively and > proxies to intercept and cache. > > -- Jamie > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi >
- [hybi] BEEP Rob Sayre
- Re: [hybi] BEEP Greg Wilkins
- Re: [hybi] BEEP Rob Sayre
- Re: [hybi] BEEP Ian Hickson
- Re: [hybi] BEEP Greg Wilkins
- Re: [hybi] BEEP Ian Hickson
- Re: [hybi] BEEP Mark Baker
- [hybi] Working over existing firewalls and proxies Jamie Lokier
- Re: [hybi] Working over existing firewalls and pr… Mario Balibrera
- Re: [hybi] Working over existing firewalls and pr… Greg Wilkins
- Re: [hybi] Working over existing firewalls and pr… Greg Wilkins
- Re: [hybi] Working over existing firewalls and pr… Maciej Stachowiak
- Re: [hybi] Working over existing firewalls and pr… Frank Salim