Re: [pntaw] TURN over websockets or just TURN.
Oleg Moskalenko <mom040267@gmail.com> Wed, 25 September 2013 18:40 UTC
Return-Path: <mom040267@gmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5031921F83EF for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 11:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.501
X-Spam-Level:
X-Spam-Status: No, score=-2.501 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3c8chgaP0Zp for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 11:40:16 -0700 (PDT)
Received: from mail-pb0-x234.google.com (mail-pb0-x234.google.com [IPv6:2607:f8b0:400e:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 4110321F9D19 for <pntaw@ietf.org>; Wed, 25 Sep 2013 11:40:06 -0700 (PDT)
Received: by mail-pb0-f52.google.com with SMTP id wz12so55989pbc.11 for <pntaw@ietf.org>; Wed, 25 Sep 2013 11:40:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=e6nWpq1S5am1Ud38H+E9peFtc5RWW1ZbLlYHO+9yKko=; b=PjFlQT4ZWYEATUKh3j2S0gfVgBmzrA7JxM7RLDiZUfIPYWOE7GPege5Hks9pPYnzZ0 zoxDli2vIKVzh5N3qjNWT3nmOXFas+PdU/5eJmPTi82kM0WsItBgG0AkcIWi6D69vPdn PLK7TFHlWIlJyeEiMAoLaCBPReNzCrxfykdGwW4hOhwx4TwblVCcfMbIuxGLub7ED8ej istnAwJWLSAdbLsnfoJTyj4npbNESKQ0sB5lAWuxZcIX+zUMix98nHtEhn3Ou3DMMNuZ 9OxfZ724X2QNM0BoCOnfAhTeSd1rD+5vz1OtzxBqE3Bs4RDg3BPz2vukVREA0gNkvtZv EOyQ==
MIME-Version: 1.0
X-Received: by 10.66.234.131 with SMTP id ue3mr679078pac.35.1380134400984; Wed, 25 Sep 2013 11:40:00 -0700 (PDT)
Received: by 10.68.91.163 with HTTP; Wed, 25 Sep 2013 11:40:00 -0700 (PDT)
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF17BD53FD@MCHP04MSX.global-ad.net>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BD44F6@MCHP04MSX.global-ad.net> <CALDtMrK9K-zSUd6-cLeRkkb0zixE=CDKKmOkfRCHNP-CZcriXg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD53FD@MCHP04MSX.global-ad.net>
Date: Wed, 25 Sep 2013 11:40:00 -0700
Message-ID: <CALDtMrLfg3AJFOr=DYSGkhxrwuTA=LY3F6k9AJN7NCKCY+B0ZQ@mail.gmail.com>
From: Oleg Moskalenko <mom040267@gmail.com>
To: "Hutton, Andrew" <andrew.hutton@siemens-enterprise.com>
Content-Type: multipart/alternative; boundary="047d7b15a2b1b6932e04e7399445"
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] TURN over websockets or just TURN.
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 18:40:17 -0000
Andy, you are not mentioning the case when no explicit web proxy is configured. See below: On Wed, Sep 25, 2013 at 11:19 AM, Hutton, Andrew < andrew.hutton@siemens-enterprise.com> wrote: > > > > > That overhead is relatively minor. > > [AndyH] But it is still something that we would be better without unless > it serves a good purpose. > it provides benefits when no explicit web proxy is configured in the enterprise network. > > > > > > > The purpose of the extra HTTP handshake to upgrade to HTTP to a > > websockets connection is to allow an HTTP Server to use the same port > > for both HTTP and the websockets protocol. > > > > No, in this particular case the purpose is to use HTTP protocol as a > > tunnel for TURN protocol. > > > > [AndyH] Not really the proposal is to encapsulate TURN within a websockets > connection not HTTP. > I meant just that. From the firewall perspective it will be HTTP. > > > > > > However I don't think this is necessary for WebRTC media connections > > as it is very unlikely that a web server will want to handle WebRTC > > media/TURN at all never mind on the HTTP port as the media. > > > > I do not understand how a web server jumped into the picture. The > > proposal has nothing to do with the web servers. > > > > [AndyH] Exactly the media handling has nothing to do with the web server > but websockets uses HTTP upgrade mechanism because it was designed to allow > the web server to use the same port for HTTP and websockets (See > http://tools.ietf.org/html/rfc6455#section-1.3). This mechanism is not > needed in WebRTC because the web server and TURN server are not the same > server. > Web servers and TURN servers are not the same - a good observation. They use different IP addresses. And both are allowed to use port 80, 443 or 8080 or whatever. The analogy is media over TCP. TCP was not designed as a suitable for media protocol. It is inferior to UDP and any media channel over TCP is artificial and totally against the TCP original intentions and TCP design. According to your logic, TCP has unnecessary (for media) overhead over UDP So, if we are all technological purists here, we must immediately ban any media over TCP and remove that from WebRTC specs. But we discovered that in some cases TCP is necessary because there is no other way to deliver the data. This is a compromise. This is totally the same with websockets. It was designed for a different purpose. But while technology progresses, it uses the available tools and gadgets to move ahead. We found that websockets is helpful in extending WebRTC connectivity. Pretty much the same as earlier it was found that media over TCP is sometimes required (and accepted). So, if we do not accept TURN inside Websockets then we must start an immediate campaign against media inside TURN TCP connections and through it out of WebRTC specs. These things are totally symmetrical in all senses, and they serve the same purpose - the connectivity purpose, and they have the same problems. > > > > So does encapsulating the TURN data in websocket frames provide any > > benefit. > > > > It provides a benefit of encapsulating TURN protocol into HTTP protocol > > that is usually easily understandable and "parseable" by the firewalls. > > The firewall can examine the subprotocol header and make a decision. > > > > [AndyH] The subprotocol is nice but I assume the firewall only sees this > if the websockets connection is not encrypted it seems to me that it might > be better to have something like the subprotocol indicating TURN in the > HTTP CONNECT making it clear to the proxy the purpose of the connection > encrypted or not. > Again, sometimes we have to HTTP CONNECT when explicit proxy is not present. > > > I can imagine that there might be some scenarios in which using a > > websockets connection might work when TURN might not simply because the > > media is buried in further layers of encapsulation. However I don't > > know if this is really the case and also we are of course not trying to > > hide the fact that this is media. > > > > There are scenarios when difference between HTTP and TURN is as simple > > as "connectivity" vs "no connectivity". That's rather important. > > > > [AndyH] Can you explain in what scenarios TURN over Websockets would work > and TURN/TCP with HTTP Connect would not? > When explicit proxy is not configured. > > > > > > The extra websockets overhead for all the media packets is surely a > > drawback of this approach. > > > > When no packets can be passed through, then the network overhead is > > exactly 0 (zero) but we do not consider it as a great scenario. > > > > [AndyH] I am not sure I understand your point here. If there are no > significant advantage to using the websockets encapsulation and I have not > heard one yet, then the overhead is again something we could do without. > > when explicit proxy is not configured > > > > > Not encapsulating the TURN in websockets would also probably provide > > better control for those wanting to assert policies on the handling of > > media. > > > > DPI of the TURN packets is a hard task, especially considering that the > > IP addresses in the TURN packets are obfuscated. On the other hand, we > > may require some headers in the websocket connection to contain > > information about the protocol, so it may be more firewall-friendly and > > "examinable", without serious investment into new DPI algorithms. > > > > [AndyH] I don't think we should discuss DPI it should simply be out of > scope. > > OK > > > > Therefore as you can see I don't see the benefit of encapsulating TURN > > in websockets but I look forward to hearing other opinions and maybe I > > have missed something important. > > > > > > I hope I provide an opinion. > > [AndyH] You have but I am not yet convinced of the benefit I think we need > concrete examples of why a websockets approach would be more successful > than just TURN/TCP using HTTP CONNECT. > > See above Regards, Oleg
- Re: [pntaw] TURN over websockets or just TURN. Sergio Garcia Murillo
- [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Markus.Isomaki
- Re: [pntaw] TURN over websockets or just TURN. Markus.Isomaki
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Sergio Garcia Murillo
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Sergio Garcia Murillo
- Re: [pntaw] TURN over websockets or just TURN. Tirumaleswar Reddy (tireddy)
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Tirumaleswar Reddy (tireddy)