IETF Logo Mail Archive

Re: [pntaw] TURN over websockets

"Stach, Thomas" <thomas.stach@siemens-enterprise.com> Fri, 30 August 2013 12:40 UTC

Return-Path: <thomas.stach@siemens-enterprise.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF4F521F909A for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 05:40:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 224YsfYV+YDi for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 05:40:18 -0700 (PDT)
Received: from senmx11-mx.siemens-enterprise.com (senmx11-mx.siemens-enterprise.com [62.134.46.9]) by ietfa.amsl.com (Postfix) with ESMTP id 63F2C21F88A9 for <pntaw@ietf.org>; Fri, 30 Aug 2013 05:35:04 -0700 (PDT)
Received: from MCHP02HTC.global-ad.net (unknown [172.29.42.235]) by senmx11-mx.siemens-enterprise.com (Server) with ESMTP id 64ECE1EB8597; Fri, 30 Aug 2013 14:34:57 +0200 (CEST)
Received: from MCHP04MSX.global-ad.net ([169.254.1.174]) by MCHP02HTC.global-ad.net ([172.29.42.235]) with mapi id 14.03.0123.003; Fri, 30 Aug 2013 14:34:57 +0200
From: "Stach, Thomas" <thomas.stach@siemens-enterprise.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, "pntaw@ietf.org" <pntaw@ietf.org>
Thread-Topic: [pntaw] TURN over websockets
Thread-Index: AQHOpVzeSFPe8Kl+LUCjnsamYIV4h5mtqQnw
Date: Fri, 30 Aug 2013 12:34:56 +0000
Message-ID: <F81CEE99482EFE438DAE2A652361EE12179BF94B@MCHP04MSX.global-ad.net>
References: <52205AE1.9010807@gmail.com>
In-Reply-To: <52205AE1.9010807@gmail.com>
Accept-Language: de-AT, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.29.42.225]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pntaw] TURN over websockets
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 12:40:23 -0000

Sergio,

Some comments inline

> -----Original Message-----
> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf
> Of Sergio Garcia Murillo
> Sent: Freitag, 30. August 2013 10:42
> To: pntaw@ietf.org
> Subject: [pntaw] TURN over websockets
> 
> Hi all,
> 
> I will shoot first.
> 
> It is great to finally see some real interest in what I consider to be
> the blocking point for webrtc in order to run business on top of it,
> which is the ability to be able to connect through corporate firewalls.
> 
> I have seen some people arguing that with just TURN over TCP on port
> 443
> the problem will be solved, but I seriously doubt it. Neither TURN over
> SSL would do, as most web filters do DPI and will not enable the
> connection. Also, I have heard lots of voices that says we are trying
> to
> override network admin policies with dirty tricks. With whom, I could
> agree.
[TS] I'm not sure if you are referencing draft-hutton-rtcweb-nat-firewall-considerations here.
Nevertheless the draft mentions TURN over TCP to port 443. 
The goal behind this is certainly not to sneak WEBRTC media streams through heavily fortified networks that have DPI deployed.
The goal rather to address a scenario e.g. at a small hotel with a not-so-skilled network admin, that opened his firewall on TCP port 80/443 to allow its guests to do some web browsing, but is afraid of opening its firewall for UDP traffic.
If we want to deploy WEBRTC in such an environment TURN over TLS to port 443 would do the job. 

> 
> So, the only way I see to move forward and overcome this issues is by
> playing according to the WEB rules, and use HTTP standards to enable
> media connectivity in WebRTC that would play nicely with current
> corporate HTTP proxies and web filters.
[TS] Playing nicely with HTTP proxies is also a use case draft-hutton-rtcweb-nat-firewall-considerations.
Usage of the HTTP CONNECT method is proposed here. The request URI would include the TURN server (preferably even to the well-known STUN port). If the network admin put the TURN server into its whitelist, that could hardly be considered as sneaking unwanted traffic through.
> 
> And,  for me the most viable solution would be to enable TURN over
> websockets. 
[TS] This would require updates to the TURN protocol and the TURN software, whereas the proposals in draft-hutton-rtcweb-nat-firewall-considerations use the original transports.
As most WebRTC services relay on websockets in one way or
> another for signaling, we could assume that media would work on 100% of
> the cases where signaling is working today.
> Also, as it is an http based solution, network administrators could
> apply corporate policies and block connections to not-trusted TURN
> servers.
[TS] which could also be done by white-listing the TURN server address via TCP without any further intermediate HTTP/Websocket layers.

Regards 
Thomas

> 
> Best regards
> Sergio
> _______________________________________________
> pntaw mailing list
> pntaw@ietf.org
> https://www.ietf.org/mailman/listinfo/pntaw

v2.23.0 | Report a Bug | By Email