Re: [pntaw] TURN over websockets or just TURN.

"Hutton, Andrew" <> Wed, 25 September 2013 18:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E474D11E812B for <>; Wed, 25 Sep 2013 11:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.565
X-Spam-Status: No, score=-2.565 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XRCrPfkDjxXr for <>; Wed, 25 Sep 2013 11:20:55 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 82ED711E8136 for <>; Wed, 25 Sep 2013 11:20:27 -0700 (PDT)
Received: from (unknown []) by (Server) with ESMTP id B63BD1EB86A2; Wed, 25 Sep 2013 20:20:18 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0123.003; Wed, 25 Sep 2013 20:19:58 +0200
From: "Hutton, Andrew" <>
To: Oleg Moskalenko <>, "" <>
Thread-Topic: [pntaw] TURN over websockets or just TURN.
Thread-Index: Ac651aqKgci54WbeToGdcCETWYgQigAH+EEAAAiWMGA=
Date: Wed, 25 Sep 2013 18:19:58 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pntaw] TURN over websockets or just TURN.
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Sep 2013 18:21:00 -0000

See below.


> -----Original Message-----
> From: Oleg Moskalenko []
> Sent: 25 September 2013 16:46
> To: Hutton, Andrew
> Cc:
> Subject: Re: [pntaw] TURN over websockets or just TURN.
> Hi Andy
> please see below in the text:
> On Wed, Sep 25, 2013 at 2:59 AM, Hutton, Andrew <andrew.hutton@siemens-
>> wrote:
> In the presence of an explicit proxy the websockets approach is to use
> HTTP CONNECT to traverse the proxy (RFC 6455) so the question is
> whether there are any advantages or disadvantages to wrapping TURN with
> the websockets layer as this cannot be about the use of HTTP CONNECT
> which is used by in both solutions.
> HTTP CONNECT is used only when an explicit proxy is present. Websockets
> can provide improved connectivity when NO explicit proxy is present
> Websockets adds some overhead as there is an extra handshake that takes
> place with the server and there is some extra overhead in the data
> encapsulation.
> That overhead is relatively minor.

[AndyH] But it is still something that we would be better without unless it serves a good purpose.

> The purpose of the extra HTTP handshake to upgrade to HTTP to a
> websockets connection is to allow an HTTP Server to use the same port
> for both HTTP and the websockets protocol.
> No, in this particular case the purpose is to use HTTP protocol as a
> tunnel for TURN protocol.

[AndyH] Not really the proposal is to encapsulate TURN within a websockets connection not HTTP. 

>  However I don't think this is necessary for WebRTC media connections
> as it is very unlikely that a web server will want to handle WebRTC
> media/TURN at all never mind on the HTTP port as the media.
> I do not understand how a web server jumped into the picture. The
> proposal has nothing to do with the web servers.

[AndyH] Exactly the media handling has nothing to do with the web server but websockets uses HTTP upgrade mechanism because it was designed to allow the web server to use the same port for HTTP and websockets (See This mechanism is not needed in WebRTC because the web server and TURN server are not the same server.

> So does encapsulating the TURN data in websocket frames provide any
> benefit.
> It provides a benefit of encapsulating TURN protocol into HTTP protocol
> that is usually easily understandable and "parseable" by the firewalls.
> The firewall can examine the subprotocol header and make a decision.

[AndyH] The subprotocol is nice but I assume the firewall only sees this if the websockets connection is not encrypted it seems to me that it might be better to have something like the subprotocol indicating TURN in the HTTP CONNECT making it clear to the proxy the purpose of the connection encrypted or not.

> I can imagine that there might be some scenarios in which using a
> websockets connection might work when TURN might not simply because the
> media is buried in further layers of encapsulation. However I don't
> know if this is really the case and also we are of course not trying to
> hide the fact that this is media.
> There are scenarios when difference between HTTP and TURN is as simple
> as "connectivity" vs "no connectivity". That's rather important.

[AndyH] Can you explain in what scenarios TURN over Websockets would work and TURN/TCP with HTTP Connect would not?

> The extra websockets overhead for all the media packets is surely a
> drawback of this approach.
> When no packets can be passed through, then the network overhead is
> exactly 0 (zero) but we do not consider it as a great scenario.

[AndyH] I am not sure I understand your point here. If there are no significant advantage to using the websockets encapsulation and I have not heard one yet, then the overhead is again something we could do without.

> Not encapsulating the TURN in websockets would also probably provide
> better control for those wanting to assert policies on the handling of
> media.
> DPI of the TURN packets is a hard task, especially considering that the
> IP addresses in the TURN packets are obfuscated. On the other hand, we
> may require some headers in the websocket connection to contain
> information about the protocol, so it may be more firewall-friendly and
> "examinable", without serious investment into new DPI algorithms.

[AndyH] I don't think we should discuss DPI it should simply be out of scope.

> Therefore as you can see I don't see the benefit of encapsulating TURN
> in websockets but I look forward to hearing other opinions and maybe I
> have missed something important.
> I hope I provide an opinion.

[AndyH] You have but I am not yet convinced of the benefit I think we need concrete examples of why a websockets approach would be more successful than just TURN/TCP using HTTP CONNECT.

> Thanks
> Oleg