Re: [pntaw] TURN over websockets or just TURN.

Oleg Moskalenko <mom040267@gmail.com> Wed, 25 September 2013 18:40 UTC

Return-Path: <mom040267@gmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5031921F83EF for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 11:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.501
X-Spam-Level:
X-Spam-Status: No, score=-2.501 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3c8chgaP0Zp for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 11:40:16 -0700 (PDT)
Received: from mail-pb0-x234.google.com (mail-pb0-x234.google.com [IPv6:2607:f8b0:400e:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 4110321F9D19 for <pntaw@ietf.org>; Wed, 25 Sep 2013 11:40:06 -0700 (PDT)
Received: by mail-pb0-f52.google.com with SMTP id wz12so55989pbc.11 for <pntaw@ietf.org>; Wed, 25 Sep 2013 11:40:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=e6nWpq1S5am1Ud38H+E9peFtc5RWW1ZbLlYHO+9yKko=; b=PjFlQT4ZWYEATUKh3j2S0gfVgBmzrA7JxM7RLDiZUfIPYWOE7GPege5Hks9pPYnzZ0 zoxDli2vIKVzh5N3qjNWT3nmOXFas+PdU/5eJmPTi82kM0WsItBgG0AkcIWi6D69vPdn PLK7TFHlWIlJyeEiMAoLaCBPReNzCrxfykdGwW4hOhwx4TwblVCcfMbIuxGLub7ED8ej istnAwJWLSAdbLsnfoJTyj4npbNESKQ0sB5lAWuxZcIX+zUMix98nHtEhn3Ou3DMMNuZ 9OxfZ724X2QNM0BoCOnfAhTeSd1rD+5vz1OtzxBqE3Bs4RDg3BPz2vukVREA0gNkvtZv EOyQ==
MIME-Version: 1.0
X-Received: by 10.66.234.131 with SMTP id ue3mr679078pac.35.1380134400984; Wed, 25 Sep 2013 11:40:00 -0700 (PDT)
Received: by 10.68.91.163 with HTTP; Wed, 25 Sep 2013 11:40:00 -0700 (PDT)
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF17BD53FD@MCHP04MSX.global-ad.net>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BD44F6@MCHP04MSX.global-ad.net> <CALDtMrK9K-zSUd6-cLeRkkb0zixE=CDKKmOkfRCHNP-CZcriXg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD53FD@MCHP04MSX.global-ad.net>
Date: Wed, 25 Sep 2013 11:40:00 -0700
Message-ID: <CALDtMrLfg3AJFOr=DYSGkhxrwuTA=LY3F6k9AJN7NCKCY+B0ZQ@mail.gmail.com>
From: Oleg Moskalenko <mom040267@gmail.com>
To: "Hutton, Andrew" <andrew.hutton@siemens-enterprise.com>
Content-Type: multipart/alternative; boundary=047d7b15a2b1b6932e04e7399445
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] TURN over websockets or just TURN.
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 18:40:17 -0000

Andy, you are not mentioning the case when no explicit web proxy is
configured. See below:

On Wed, Sep 25, 2013 at 11:19 AM, Hutton, Andrew <
andrew.hutton@siemens-enterprise.com> wrote:

>
> >
> > That overhead is relatively minor.
>
> [AndyH] But it is still something that we would be better without unless
> it serves a good purpose.
>

it provides benefits when no explicit web proxy is configured in the
enterprise network.


>
> >
> >
> > The purpose of the extra HTTP handshake to upgrade to HTTP to a
> > websockets connection is to allow an HTTP Server to use the same port
> > for both HTTP and the websockets protocol.
> >
> > No, in this particular case the purpose is to use HTTP protocol as a
> > tunnel for TURN protocol.
> >
>
> [AndyH] Not really the proposal is to encapsulate TURN within a websockets
> connection not HTTP.
>

I meant just that. From the firewall perspective it will be HTTP.


>
>
> >
> >  However I don't think this is necessary for WebRTC media connections
> > as it is very unlikely that a web server will want to handle WebRTC
> > media/TURN at all never mind on the HTTP port as the media.
> >
> > I do not understand how a web server jumped into the picture. The
> > proposal has nothing to do with the web servers.
> >
>
> [AndyH] Exactly the media handling has nothing to do with the web server
> but websockets uses HTTP upgrade mechanism because it was designed to allow
> the web server to use the same port for HTTP and websockets (See
> http://tools.ietf.org/html/rfc6455#section-1.3). This mechanism is not
> needed in WebRTC because the web server and TURN server are not the same
> server.
>

Web servers and TURN servers are not the same - a good observation. They
use different IP addresses. And both are allowed to use port 80, 443 or
8080 or whatever.

The analogy is media over TCP. TCP was not designed as a suitable for media
protocol. It is inferior to UDP and any media channel over TCP is
artificial and totally against the TCP original intentions and TCP design.

According to your logic, TCP has unnecessary (for media) overhead over UDP
So, if we are all technological purists here, we must immediately ban any
media over TCP and remove that from WebRTC specs. But we discovered that in
some cases TCP is necessary because there is no other way to deliver the
data. This is a compromise.

This is totally the same with websockets. It was designed for a different
purpose. But while technology progresses, it uses the available tools and
gadgets to move ahead. We found that websockets is helpful in extending
WebRTC connectivity. Pretty much the same as earlier it was found that
media over TCP is sometimes required (and accepted).

So, if we do not accept TURN inside Websockets then we must start an
immediate campaign against media inside TURN TCP connections and through it
out of WebRTC specs. These things are totally symmetrical in all senses,
and they serve the same purpose - the connectivity purpose, and they have
the same problems.


> >
> > So does encapsulating the TURN data in websocket frames provide any
> > benefit.
> >
> > It provides a benefit of encapsulating TURN protocol into HTTP protocol
> > that is usually easily understandable and "parseable" by the firewalls.
> > The firewall can examine the subprotocol header and make a decision.
> >
>
> [AndyH] The subprotocol is nice but I assume the firewall only sees this
> if the websockets connection is not encrypted it seems to me that it might
> be better to have something like the subprotocol indicating TURN in the
> HTTP CONNECT making it clear to the proxy the purpose of the connection
> encrypted or not.
>

Again, sometimes we have to HTTP CONNECT when explicit proxy is not present.


>
> > I can imagine that there might be some scenarios in which using a
> > websockets connection might work when TURN might not simply because the
> > media is buried in further layers of encapsulation. However I don't
> > know if this is really the case and also we are of course not trying to
> > hide the fact that this is media.
> >
> > There are scenarios when difference between HTTP and TURN is as simple
> > as "connectivity" vs "no connectivity". That's rather important.
> >
>
> [AndyH] Can you explain in what scenarios TURN over Websockets would work
> and TURN/TCP with HTTP Connect would not?
>

When explicit proxy is not configured.


>
>
> >
> > The extra websockets overhead for all the media packets is surely a
> > drawback of this approach.
> >
> > When no packets can be passed through, then the network overhead is
> > exactly 0 (zero) but we do not consider it as a great scenario.
> >
>
> [AndyH] I am not sure I understand your point here. If there are no
> significant advantage to using the websockets encapsulation and I have not
> heard one yet, then the overhead is again something we could do without.
>
>
when explicit proxy is not configured


>
> >
> > Not encapsulating the TURN in websockets would also probably provide
> > better control for those wanting to assert policies on the handling of
> > media.
> >
> > DPI of the TURN packets is a hard task, especially considering that the
> > IP addresses in the TURN packets are obfuscated. On the other hand, we
> > may require some headers in the websocket connection to contain
> > information about the protocol, so it may be more firewall-friendly and
> > "examinable", without serious investment into new DPI algorithms.
> >
>
> [AndyH] I don't think we should discuss DPI it should simply be out of
> scope.
>
>
OK


> >
> > Therefore as you can see I don't see the benefit of encapsulating TURN
> > in websockets but I look forward to hearing other opinions and maybe I
> > have missed something important.
> >
> >
> > I hope I provide an opinion.
>
> [AndyH] You have but I am not yet convinced of the benefit I think we need
> concrete examples of why a websockets approach would be more successful
> than just TURN/TCP using HTTP CONNECT.
>
>
See above

Regards,
Oleg