IETF Logo Mail Archive

Re: [pntaw] TURN over websockets

<Markus.Isomaki@nokia.com> Fri, 30 August 2013 12:53 UTC

Return-Path: <Markus.Isomaki@nokia.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2C2E21F9EBE for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 05:53:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.454
X-Spam-Level:
X-Spam-Status: No, score=-6.454 tagged_above=-999 required=5 tests=[AWL=0.145, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKCX+sUt5Og4 for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 05:52:59 -0700 (PDT)
Received: from mgw-da01.nokia.com (smtp.nokia.com [147.243.128.24]) by ietfa.amsl.com (Postfix) with ESMTP id B0C0E21F9EDA for <pntaw@ietf.org>; Fri, 30 Aug 2013 05:52:58 -0700 (PDT)
Received: from smtp.mgd.nokia.com ([65.54.30.49]) by mgw-da01.nokia.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id r7UCqs5E032418 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK); Fri, 30 Aug 2013 15:52:55 +0300
Received: from 008-AM1MPN1-041.mgdnok.nokia.com ([169.254.1.88]) by 008-AM1MMR2-015.mgdnok.nokia.com ([65.54.30.49]) with mapi id 14.03.0136.001; Fri, 30 Aug 2013 12:52:53 +0000
From: Markus.Isomaki@nokia.com
To: thomas.stach@siemens-enterprise.com, sergio.garcia.murillo@gmail.com, pntaw@ietf.org
Thread-Topic: [pntaw] TURN over websockets
Thread-Index: AQHOpVzYQo/k4hTeV0+AGm8aLH5XBJmtr/AAgAACHhA=
Date: Fri, 30 Aug 2013 12:52:53 +0000
Message-ID: <E44893DD4E290745BB608EB23FDDB7620A092563@008-AM1MPN1-041.mgdnok.nokia.com>
References: <52205AE1.9010807@gmail.com> <F81CEE99482EFE438DAE2A652361EE12179BF94B@MCHP04MSX.global-ad.net>
In-Reply-To: <F81CEE99482EFE438DAE2A652361EE12179BF94B@MCHP04MSX.global-ad.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tituslabs-classifications-30: TLPropertyRoot=Nokia; Confidentiality=Nokia Internal Use Only; Project=None;
x-titus-version: 3.5.9.3
x-headerinfofordlp: None
x-tituslabs-classificationhash-30: VgNFIFU9Hx+/nZJb9Kg7IgC3RfpT360Wbh6Q8tif6x4XQRPwZRviPCUbwaw11cFKjbsScP07csiUIg9YWTUGorTrZaXDcR82/ckJ5rb+gt5KN9lpBV6pcDddCrfH8vucFLFBIJnhkWFrLXKKGAKakNRTDj7fp/mIdB8APRupHn+bMrFWHhyRKzr7qfMMbpA4sDhQPLbGqEGDe6zmGRE47HmA0bDQYJvKCD82mbvZXVlH9BTnoi1cc5TetWLF4AsJ
x-originating-ip: [172.21.80.83]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Nokia-AV: Clean
Subject: Re: [pntaw] TURN over websockets
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 12:53:04 -0000

Hi Sergio, Thomas,

I also assume that we should run TURN over TLS directly, or by establishing that connection via a proxy using HTTP CONNECT. The first method would work in networks that allow outbound TLS/TCP connections, while the other would work even in networks that only allow outbound communication via a proxy.

As Thomas says, the benefit of TURN/TLS instead of TURN/WS/TLS is that no changes would need to be applied to existing TURN servers. Only the client side establishment (by the browser) would need to include the use of HTTP CONNECT. 

But is there some advantage why Websockets should be used? WS does have the explicit HTTP based handshake, which is supposed to make it somehow middlebox "friendlier". But I don't know how that is better than HTTP CONNECT in that sense.

Regards,
	Markus


> -----Original Message-----
> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf
> Of ext Stach, Thomas
> Sent: 30 August, 2013 15:35
> To: Sergio Garcia Murillo; pntaw@ietf.org
> Subject: Re: [pntaw] TURN over websockets
> 
> Sergio,
> 
> Some comments inline
> 
> > -----Original Message-----
> > From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On
> Behalf
> > Of Sergio Garcia Murillo
> > Sent: Freitag, 30. August 2013 10:42
> > To: pntaw@ietf.org
> > Subject: [pntaw] TURN over websockets
> >
> > Hi all,
> >
> > I will shoot first.
> >
> > It is great to finally see some real interest in what I consider to be
> > the blocking point for webrtc in order to run business on top of it,
> > which is the ability to be able to connect through corporate firewalls.
> >
> > I have seen some people arguing that with just TURN over TCP on port
> > 443
> > the problem will be solved, but I seriously doubt it. Neither TURN
> > over SSL would do, as most web filters do DPI and will not enable the
> > connection. Also, I have heard lots of voices that says we are trying
> > to override network admin policies with dirty tricks. With whom, I
> > could agree.
> [TS] I'm not sure if you are referencing draft-hutton-rtcweb-nat-firewall-
> considerations here.
> Nevertheless the draft mentions TURN over TCP to port 443.
> The goal behind this is certainly not to sneak WEBRTC media streams through
> heavily fortified networks that have DPI deployed.
> The goal rather to address a scenario e.g. at a small hotel with a not-so-skilled
> network admin, that opened his firewall on TCP port 80/443 to allow its
> guests to do some web browsing, but is afraid of opening its firewall for UDP
> traffic.
> If we want to deploy WEBRTC in such an environment TURN over TLS to port
> 443 would do the job.
> 
> >
> > So, the only way I see to move forward and overcome this issues is by
> > playing according to the WEB rules, and use HTTP standards to enable
> > media connectivity in WebRTC that would play nicely with current
> > corporate HTTP proxies and web filters.
> [TS] Playing nicely with HTTP proxies is also a use case draft-hutton-rtcweb-
> nat-firewall-considerations.
> Usage of the HTTP CONNECT method is proposed here. The request URI
> would include the TURN server (preferably even to the well-known STUN
> port). If the network admin put the TURN server into its whitelist, that could
> hardly be considered as sneaking unwanted traffic through.
> >
> > And,  for me the most viable solution would be to enable TURN over
> > websockets.
> [TS] This would require updates to the TURN protocol and the TURN
> software, whereas the proposals in draft-hutton-rtcweb-nat-firewall-
> considerations use the original transports.
> As most WebRTC services relay on websockets in one way or
> > another for signaling, we could assume that media would work on 100%
> > of the cases where signaling is working today.
> > Also, as it is an http based solution, network administrators could
> > apply corporate policies and block connections to not-trusted TURN
> > servers.
> [TS] which could also be done by white-listing the TURN server address via
> TCP without any further intermediate HTTP/Websocket layers.
> 
> Regards
> Thomas
> 
> >
> > Best regards
> > Sergio
> > _______________________________________________
> > pntaw mailing list
> > pntaw@ietf.org
> > https://www.ietf.org/mailman/listinfo/pntaw
> _______________________________________________
> pntaw mailing list
> pntaw@ietf.org
> https://www.ietf.org/mailman/listinfo/pntaw

v2.23.0 | Report a Bug | By Email