IETF Logo Mail Archive

Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Mon, 23 September 2013 08:57 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AA3121F9E45 for <pntaw@ietfa.amsl.com>; Mon, 23 Sep 2013 01:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.443
X-Spam-Level:
X-Spam-Status: No, score=-2.443 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v4FokP4JJpj6 for <pntaw@ietfa.amsl.com>; Mon, 23 Sep 2013 01:57:04 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 820BF21F8201 for <pntaw@ietf.org>; Mon, 23 Sep 2013 01:57:04 -0700 (PDT)
Received: by mail-wg0-f47.google.com with SMTP id f12so2867979wgh.14 for <pntaw@ietf.org>; Mon, 23 Sep 2013 01:57:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=ykYzf7yAL3ZEmVv30WjPCLlfsGtw1Glb5cH3/rUGTRY=; b=ToC+9ptdNXcbSZXuuw5gkLsODMwxVJoKF6zfBZoHtKlCRi1UB1zOtpcwcMOClWyhjZ RR493wwBkO81G62hPWED/rvfnYhZKvX2VQmGZqLhaVky1DoxZdVxR4jnGTiV4qccx5ia vprPNcg7tR1bryadUYy0uFke7+Q27EXbNAAT07m4innIPKIKVdPCyZhNSH0vMMe0cEWC /oKWODb0zIAlNvhNUppJ/WKvNBqJ/wBbOSzRfkB0Pqk4xG+h6f6gmAEC7d/tnEifAl0N IUtZPifogzhEH5h+mXJ76JkxVLXtgshsTjVQLZxMyhOag5vX92R+K1c+UJ5UUrVlyObr EIcQ==
X-Received: by 10.194.75.165 with SMTP id d5mr16259319wjw.18.1379926623704; Mon, 23 Sep 2013 01:57:03 -0700 (PDT)
Received: from [192.168.1.45] (54.Red-83-61-124.dynamicIP.rima-tde.net. [83.61.124.54]) by mx.google.com with ESMTPSA id ev4sm23603906wib.7.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Sep 2013 01:57:02 -0700 (PDT)
Message-ID: <5240025C.6080807@gmail.com>
Date: Mon, 23 Sep 2013 10:57:00 +0200
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: pntaw@ietf.org
References: <9F33F40F6F2CD847824537F3C4E37DDF17BCF3A5@MCHP04MSX.global-ad.net> <523CCD06.3030902@gmail.com> <BLU169-W136A55AC013DA147313576D93220@phx.gbl> <523CD42E.8070102@gmail.com> <BLU169-W82036280852F26ED26283C93230@phx.gbl> <523D4F17.2040202@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD01A8@MCHP04MSX.global-ad.net> <CALDtMrL5pT3MfbQufCphEKq0-pXj+JcfwW__wzG3T6wZ=TuWhg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD08EA@MCHP04MSX.global-ad.net> <CALDtMrLcUrxseyiaPc_0AWJw3HPdaBuAS+xpviT2q=y4zmdNgw@mail.gmail.com> <523FD5FD.8030601@gmail.com>
In-Reply-To: <523FD5FD.8030601@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 08:57:05 -0000

El 23/09/2013 7:47, Melinda Shore escribió:
> On 9/22/13 9:36 PM, Oleg Moskalenko wrote:
>> Each large enterprise IT has a complex history and complex web of
>> policies. If a new standard provides new capabilities and useful
>> possible scenarios, without imposing strict rules on IT departments,
>> then I guess that would be a right thing.
> I think this is actually a pretty serious problem, but Elvis,
> as they say, has left the building.  The IETF RAI area has
> standardized protocols for avoiding the enforcement of local
> access policies.  The earlier work on STUN and TURN was to
> allow operation across NAT, which is (arguably) not a policy
> mechanism, but you all seem to want to extend it to allow
> operation across firewalls *which by policy do not permit
> the traffic in question*.  It's probably too late to do much
> about it but I hope that you're having lots of conversations
> with lots of enterprises whose firewalls you're planning on
> forcing your way through, to make sure that they're on board
> with this.
>

Hi Melinda,

The fact is that there is already an agreed requirement in WebRTC that 
supports it:

    F37     The browser must be able to send streams and
            data to a peer in the presence of FWs that only
            allows http(s) traffic.


And while we could discuss about it, this would not be the correct 
mailing list to do it.

Given said that, I agree with your view that WebRTC should not force its 
way through
corporate firewalls, punching  open holes and sneaking TURN inside TLS 
to bypass the
enterprise policies.

The TURN over websocket proposal tries to address that issue by playing 
"nice" with
corporate firewalls, by encapsulating the WebRTC media into  legit and 
valid HTTP
traffic.

This will allow IT administrator to allow/block and apply same corporate 
policies to
WebRTC media as they would do with any web content. Without having to 
deploy
any new infrastructure and with the same administrative interfaces as 
they have
today.

Regarding the security section that you mention in a later email, I 
agree with you again
and it is a chapter we would have to address in next versions of the 
draft. Would you
be willing to collaborate in writing it by listing which kind of issues 
would you like to be
covered in there?

Best regards
Sergio

v2.23.0 | Report a Bug | By Email