Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations

Bernard Aboba <bernard_aboba@hotmail.com> Sat, 21 September 2013 00:58 UTC

From: Bernard Aboba <bernard_aboba@hotmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Fri, 20 Sep 2013 17:58:04 -0700
Cc: "pntaw@ietf.org" <pntaw@ietf.org>

Sergio said:
"Also, if TURN over TLS on port 443 works (i.e. no DPI in place), secure websockets works."
[BA] I have seen DPI boxes that look at the TLS to make sure it is *really* TLS, but if it passes muster (which it might not if you're using extensions or something new like TLS 1.2) then they'll let you through.  So I wouldn't assume that DPI == no TLS.  And yes, if they do let TLS through, then you can do TURN over TLS or secure websockets just as well. 
"So in 100% cases that TURN over TLS works, TURN over (secure) websockets works too."
[BA] Agree they would both traverse that firewall equally well, but TURN over (secure) websockets only works if the TURN server supports it, which most won't.   This makes mandating TURN over WebSockets support in the browser a hard sell.
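As an added illustration of the "is it really TLS" check Bernard describes (example code written for this archive page, not code from the thread or from any DPI product), the classifier below looks at the first bytes of a TCP stream on 443 and tells a TLS ClientHello (with its announced version and whether it carries extensions) apart from plain STUN/TURN. The sample payloads are constructed, not captured traffic.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442                      # RFC 5389 fixed value in every STUN header
TLS_VERSIONS = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2"}

def client_hello(version, extensions=b""):
    """Build a minimal TLS ClientHello record (constructed test input, not a capture)."""
    body = struct.pack("!H", version) + b"\x00" * 32   # client_version + 32-byte random
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
    body += b"\x01\x00"                                # compression methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType=client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: ContentType=handshake, legacy 3.1

def classify(payload):
    """Verdict for the first bytes of a stream: 'stun', 'not-tls', 'tls-no-clienthello',
    'malformed', or 'tls-<version>' with '+ext' appended when extensions are present."""
    if (len(payload) >= 20 and payload[0] & 0xC0 == 0
            and struct.unpack("!I", payload[4:8])[0] == STUN_MAGIC_COOKIE):
        return "stun"                                  # TURN/STUN sent in the clear, not TLS
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03:
        return "not-tls"                               # no TLS handshake record header
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return "tls-no-clienthello"
    try:
        version = struct.unpack("!H", hs[4:6])[0]
        pos = 6 + 32                                   # skip client_version + random
        pos += 1 + hs[pos]                             # skip session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + hs[pos]                             # skip compression_methods
    except (IndexError, struct.error):
        return "malformed"
    name = TLS_VERSIONS.get(version, "0x%04x" % version)
    return "tls-" + name + ("+ext" if pos < len(hs) else "")

if __name__ == "__main__":
    # Constructed samples: plain TURN Allocate request, bare TLS 1.0 hello, TLS 1.2 hello with an extension.
    turn_allocate = b"\x00\x03\x00\x00" + struct.pack("!I", STUN_MAGIC_COOKIE) + b"\x00" * 12
    for label, pkt in [("turn-tcp", turn_allocate),
                       ("tls10", client_hello(0x0301)),
                       ("tls12+ext", client_hello(0x0303, b"\xff\x01\x00\x01\x00"))]:
        print(label, "->", classify(pkt))
```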