[hybi] Working over existing firewalls and proxies
Jamie Lokier <jamie@shareable.org> Tue, 14 April 2009 15:31 UTC
Return-Path: <jamie@shareable.org>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE2A33A6DCC for <hybi@core3.amsl.com>; Tue, 14 Apr 2009 08:31:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.028
X-Spam-Level:
X-Spam-Status: No, score=-4.028 tagged_above=-999 required=5 tests=[AWL=-1.429, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MnVE92FRKFWW for <hybi@core3.amsl.com>; Tue, 14 Apr 2009 08:31:35 -0700 (PDT)
Received: from mail2.shareable.org (mail2.shareable.org [80.68.89.115]) by core3.amsl.com (Postfix) with ESMTP id F0DF23A6E28 for <hybi@ietf.org>; Tue, 14 Apr 2009 08:31:34 -0700 (PDT)
Received: from jamie by mail2.shareable.org with local (Exim 4.63) (envelope-from <jamie@shareable.org>) id 1Ltkct-0007of-Nm; Tue, 14 Apr 2009 16:32:43 +0100
Date: Tue, 14 Apr 2009 16:32:43 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Greg Wilkins <gregw@webtide.com>
Message-ID: <20090414153243.GD26621@shareable.org>
References: <49E3D363.8030803@mozilla.com> <49E3D937.5020009@webtide.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <49E3D937.5020009@webtide.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: hybi@ietf.org
Subject: [hybi] Working over existing firewalls and proxies
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2009 15:31:36 -0000
Greg Wilkins wrote:
> For example, XMPP has great market share - except when it comes to
> webchat - where there are now a plethora of alternative protocols
> for chat - all trying to work out there own way to tunnel through
> firewalls/gateways and get into the browser DOM.
>
> But fundamentally the issue we face is not *what* protocol to use,
> but how to get it through the internet and into the browser DOM.
I foresee WebSocket in its current form will hit the same problem.
How to get past firewalls and transparent HTTP proxies.
So will any other proposal, including rHTTP and mine for
bidirectional/async HTTP.
"The problem of firewalls and transparent proxies in the existing
infrastructure" is an important topic to address and I think it
deserves analysis _independent_ of API and low-level protocol.
Here are a few things to consider:
Corporate firewalls sometimes block all TCP connections,
except for port 80 and 443.
Some firewalls sniff HTTP URLs, HTTP headers and even the content
(e.g. checking for viruses), and block based on those.
Transparent HTTP proxies and proxy-caches on port 80 are common
both in corporate settings and home internet connections. Maybe
not the majority of connections (I have no figures), but enough to
matter.
Explicit HTTP proxies which pass HTTP CONNECT requests often
limit that to port 443.
I would be surprised if any widely deployed HTTP proxies, explicit
or transparent, currently work with HTTP UPGRADE.
The Bayeaux people seem to have decided that long-GET is more
reliable than slow-streaming-GET, because some HTTP proxies don't
forward any of the response until they have received the whole
response. (Is that right?)
Any apparently-binary protocol which is opaque to intermediate
firewalls/proxies is likely to be blocked at many sites who are
currently able to use protocols which tunnel over HTTP. I suspect
blanket blocking is more likely when there's no distinguishing
metadata in the protocol for a firewall to match on.
> But I think there will only be 1 opportunity this decade to make
> significant changes to the firewalls/gateways of the internet.
> If that is true, then is websocket the best change to make?
I think there is 0 opportunity to change the whole internet quickly.
We need to at least _talk about_ whether we care about a new protocol
interoperating with the existing firewalls/gateways, and if we want to
provide an upgrade path to help those work with new protocols better.
Issues for specific protocols to consider which might be of concern:
- Can you make it tunnel over HTTP when needed?
- How easily?
- What are the problems and other issues when doing that?
It's always possible to tunnel over HTTP, because you can tunnel TCP
over HTTP, even without CONNECT or UPGRADE), but for some protocols
it's a poor fit (TCP!), and some fit tunnelling relatively well. Some
are even reasonable candidates for firewalls to filter selectively and
proxies to intercept and cache.
-- Jamie
- [hybi] BEEP Rob Sayre
- Re: [hybi] BEEP Greg Wilkins
- Re: [hybi] BEEP Rob Sayre
- Re: [hybi] BEEP Ian Hickson
- Re: [hybi] BEEP Greg Wilkins
- Re: [hybi] BEEP Ian Hickson
- Re: [hybi] BEEP Mark Baker
- [hybi] Working over existing firewalls and proxies Jamie Lokier
- Re: [hybi] Working over existing firewalls and pr… Mario Balibrera
- Re: [hybi] Working over existing firewalls and pr… Greg Wilkins
- Re: [hybi] Working over existing firewalls and pr… Greg Wilkins
- Re: [hybi] Working over existing firewalls and pr… Maciej Stachowiak
- Re: [hybi] Working over existing firewalls and pr… Frank Salim