Re: [pntaw] Indicating that the TLS connection is for PeerConnection? (RE: New version of draft-hutton-rtcweb-nat-firewall-considerations)
"Hutton, Andrew" <andrew.hutton@siemens-enterprise.com> Tue, 24 September 2013 17:39 UTC
Return-Path: <andrew.hutton@siemens-enterprise.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 1EC7A21F9CE9 for <pntaw@ietfa.amsl.com>;
Tue, 24 Sep 2013 10:39:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[AWL=-0.044,
BAYES_00=-2.599, HTML_MESSAGE=0.001, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpfF8PospW1t for
<pntaw@ietfa.amsl.com>; Tue, 24 Sep 2013 10:39:16 -0700 (PDT)
Received: from senmx12-mx.siemens-enterprise.com
(senmx12-mx.siemens-enterprise.com [62.134.46.10]) by ietfa.amsl.com
(Postfix) with ESMTP id 9A0B611E80E4 for <pntaw@ietf.org>;
Tue, 24 Sep 2013 10:39:14 -0700 (PDT)
Received: from MCHP02HTC.global-ad.net (unknown [172.29.42.235]) by
senmx12-mx.siemens-enterprise.com (Server) with ESMTP id 6361723F05FE;
Tue, 24 Sep 2013 19:39:11 +0200 (CEST)
Received: from MCHP04MSX.global-ad.net ([169.254.1.31]) by
MCHP02HTC.global-ad.net ([172.29.42.235]) with mapi id 14.03.0123.003;
Tue, 24 Sep 2013 19:38:53 +0200
From: "Hutton, Andrew" <andrew.hutton@siemens-enterprise.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>,
"pntaw@ietf.org" <pntaw@ietf.org>
Thread-Topic: [pntaw] Indicating that the TLS connection is for
PeerConnection? (RE: New version of
draft-hutton-rtcweb-nat-firewall-considerations)
Thread-Index: AQHOuUzvTWCui4B7jk+gNY3xPjOdrQ==
Date: Tue, 24 Sep 2013 17:38:51 +0000
Message-ID: <9F33F40F6F2CD847824537F3C4E37DDF17BD3316@MCHP04MSX.global-ad.net>
References: <E44893DD4E290745BB608EB23FDDB7620A0C0ACE@008-AM1MPN1-043.mgdnok.nokia.com>
<524035A8.4030003@gmail.com>
In-Reply-To: <524035A8.4030003@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.29.42.225]
Content-Type: multipart/alternative;
boundary="_000_9F33F40F6F2CD847824537F3C4E37DDF17BD3316MCHP04MSXglobal_"
MIME-Version: 1.0
Subject: Re: [pntaw] Indicating that the TLS connection is for PeerConnection?
(RE: New version of draft-hutton-rtcweb-nat-firewall-considerations)
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN,
and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>,
<mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>,
<mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 17:39:21 -0000
Also the WebRTC client I assume could make use of the "Referer" header to tell the proxy the URI of the WebRTC application that initiated the connection. This would apply both to the HTTP Connect and WS approach. Regards Andy From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf Of Sergio Garcia Murillo Sent: 23 September 2013 13:36 To: pntaw@ietf.org Subject: Re: [pntaw] Indicating that the TLS connection is for PeerConnection? (RE: New version of draft-hutton-rtcweb-nat-firewall-considerations) El 23/09/2013 14:15, Markus.Isomaki@nokia.com<mailto:Markus.Isomaki@nokia.com> escribió: Hi Andy, Hutton, Andrew [mailto:andrew.hutton@siemens-enterprise.com] wrote: On: 23 September 2013 10:35 Markus.Isomaki Wrote: There will be networks and administrators that explicitly want to restrict WebRTC. I think one part of the WebRTC firewall traversal "solution" needs to be an explanation HOW they can do it. I agree with this it is something we need to discuss and elaborate on in the draft. The motivation behind the draft is to standardize the browser behavior in a way that there is a good chance of WebRTC media traversing firewalls by default but also to make it clear how browsers behave so that policy can be enforced when needed. Standardizing the browser behavior already helps. But rather than leaving it as an exercise to the reader, I think it would be better also to explain how an enlightened network admin can either let the WebRTC traffic flow better (e.g. using UDP rather than TCP), or explicitly restrict it. Traffic identification is clearly a crucial component here. For instance, when the browser does TURN allocation with HTTP CONNECT, could it include an indication that this is for the purposes of RTCPeerConnection to distinguish that from anything else. Like: CONNECT turn.example.com HTTP/1.1 Connection-Originator: RTCPeerConnection This may sound like a naïve proposal ("the HTTP evil bit header" ;-), but if we assumed that browser as trusted and standards compliant (huh...), it would not allow Javascript to establish such connections without that indicator. So at least that would be something. There are those who believe that rather than making traffic more identifiable, we should actually obfuscate it more to make things like mass-surveillance harder. So it's going to hard to find a win-win position. Like.. GET / HTTP/1.1 Host: TURN-ws.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://www.example.com Sec-WebSocket-Protocol: turn Sec-WebSocket-Version: 13 ;) Best regards Sergio
- [pntaw] Indicating that the TLS connection is for… Markus.Isomaki
- Re: [pntaw] Indicating that the TLS connection is… Sergio Garcia Murillo
- Re: [pntaw] Indicating that the TLS connection is… Markus.Isomaki
- Re: [pntaw] Indicating that the TLS connection is… Hutton, Andrew