Re: [Ice] TLS Candidates

Peter Thatcher <pthatcher@google.com> Tue, 24 January 2017 21:22 UTC

From: Peter Thatcher <pthatcher@google.com>
Date: Tue, 24 Jan 2017 21:21:53 +0000
To: "Pal Martinsen (palmarti)" <palmarti@cisco.com>, Simon Perreault <sperreault@jive.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ice/8z0KJlvT5THv5y_r4mqo93LxXaM>
Cc: Roman Shpount <roman@telurix.com>, "ice@ietf.org" <ice@ietf.org>
Subject: Re: [Ice] TLS Candidates

Our implementation of ICE has a type of candidate called "SSLTCP" which
does a fake TLS handshake to get through firewalls that only allow TLS
connections.  We've been using it for years.  And I'm guessing some of our
web products would appreciate that being in other browsers as well, so we
may be interested in seeing it as part of the standard (or a less fake
version of it).  But I don't have any stats about how often those work but
normal TCP candidates don't, so I can't say for sure how useful it really
is.

On Tue, Jan 24, 2017 at 3:57 AM Pal Martinsen (palmarti) <palmarti@cisco.com>
wrote:


> On 23 Jan 2017, at 21:12, Simon Perreault <sperreault@jive.com> wrote:
>
> On 2017-01-23 at 14:44, Roman Shpount wrote:
>> This is something we are interested in as well. We had looked at TLS ICE
>> candidates to help traverse some of the more restrictive firewalls.
>
> Interesting!
>
> Pål-Erik, is your use case also about firewall traversal?

Yes.

Main use-case is where we terminate media at an ICE-lite node and do not
want to use a TURN relay.
(In this case we do not want the extra complexity running a set of TURN
servers gives us)

A lot of enterprises seem to lock down to TLS 443 and even an HTTP proxy.
(Proxies are briefly mentioned in the draft)

.-.
Pål-Erik

>
> --
> Simon Perreault
> Director of Engineering, Platform | Jive Communications, Inc.
> https://jive.com | +1 418 478 0989 ext. 1241 | sperreault@jive.com

_______________________________________________
Ice mailing list
Ice@ietf.org
https://www.ietf.org/mailman/listinfo/ice