Re: [Ice] TLS Candidates

Roman Shpount <roman@telurix.com> Tue, 24 January 2017 21:56 UTC

From: Roman Shpount <roman@telurix.com>
Date: Tue, 24 Jan 2017 16:55:51 -0500
To: Peter Thatcher <pthatcher@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ice/YPUSskwAJ8FMM9FbMGBh_Eimzgs>
Cc: Simon Perreault <sperreault@jive.com>, "Pal Martinsen (palmarti)" <palmarti@cisco.com>, "ice@ietf.org" <ice@ietf.org>

We have encountered a few large corporate installations that only allowed
TLS connections to port 443. Running a TURNS server on port 443 or
nonstandard TLS ICE candidates was the only way to connect calls from these
deployments to the outside world. These installations were a few thousand
seats each and belonged to a Fortune 100 company. At least for us it was
enough of an incentive to find a solution.

Regards,

_____________
Roman Shpount

On Tue, Jan 24, 2017 at 4:21 PM, Peter Thatcher <pthatcher@google.com>
wrote:

> Our implementation of ICE has a type of candidate called "SSLTCP" which
> does a fake TLS handshake to get through firewalls that only allow TLS
> connections.  We've been using it for years.  And I'm guessing some of our
> web products would appreciate that being in other browsers as well, so we
> may be interested in seeing it as part of the standard (or a less fake
> version of it).  But I don't have any stats about how often those work but
> normal TCP candidates don't, so I can't say for sure how useful it really
> is.
>
> On Tue, Jan 24, 2017 at 3:57 AM Pal Martinsen (palmarti) <
> palmarti@cisco.com> wrote:
>
>
> > On 23 Jan 2017, at 21:12, Simon Perreault <sperreault@jive.com> wrote:
> >
> > Le 2017-01-23 à 14:44, Roman Shpount a écrit :
> >> This is something we are interested in as well. We had looked at TLS ICE
> >> candidates to help traverse some of the more restrictive firewalls.
> >
> > Interesting!
> >
> > Pål-Erik, is your use case also about firewall traversal?
>
> Yes.
>
> Main use-case is where we terminate media at an ICE-lite node and do not
> want to use a TURN relay.
> (In this case we do not want the extra complexity running a set of TURN
> servers gives us)
>
> A lot of enterprises seem to lock down to TLS 443 and even an HTTP proxy.
> (Proxies are briefly mentioned in the draft)
>
> .-.
> Pål-Erik
>
> >
> > --
> > Simon Perreault
> > Director of Engineering, Platform | Jive Communications, Inc.
> > https://jive.com | +1 418 478 0989 ext. 1241 | sperreault@jive.com
>