Re: [pntaw] TURN over websockets or just TURN.
"Hutton, Andrew" <andrew.hutton@siemens-enterprise.com> Wed, 25 September 2013 19:03 UTC
Return-Path: <andrew.hutton@siemens-enterprise.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D978221F9C6A for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 12:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Level:
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oD7yipN5epi for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 12:03:54 -0700 (PDT)
Received: from senmx12-mx.siemens-enterprise.com (senmx12-mx.siemens-enterprise.com [62.134.46.10]) by ietfa.amsl.com (Postfix) with ESMTP id 270C221F89FF for <pntaw@ietf.org>; Wed, 25 Sep 2013 12:03:50 -0700 (PDT)
Received: from MCHP01HTC.global-ad.net (unknown [172.29.42.234]) by senmx12-mx.siemens-enterprise.com (Server) with ESMTP id CFBCD23F0672; Wed, 25 Sep 2013 21:03:49 +0200 (CEST)
Received: from MCHP04MSX.global-ad.net ([169.254.1.31]) by MCHP01HTC.global-ad.net ([172.29.42.234]) with mapi id 14.03.0123.003; Wed, 25 Sep 2013 21:03:30 +0200
From: "Hutton, Andrew" <andrew.hutton@siemens-enterprise.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Thread-Topic: [pntaw] TURN over websockets or just TURN.
Thread-Index: Ac651aqKgci54WbeToGdcCETWYgQigAH+EEAAAiWMGD//+v3AP//26Hg
Date: Wed, 25 Sep 2013 19:03:28 +0000
Message-ID: <9F33F40F6F2CD847824537F3C4E37DDF17BD5567@MCHP04MSX.global-ad.net>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BD44F6@MCHP04MSX.global-ad.net> <CALDtMrK9K-zSUd6-cLeRkkb0zixE=CDKKmOkfRCHNP-CZcriXg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD53FD@MCHP04MSX.global-ad.net> <CALDtMrLfg3AJFOr=DYSGkhxrwuTA=LY3F6k9AJN7NCKCY+B0ZQ@mail.gmail.com>
In-Reply-To: <CALDtMrLfg3AJFOr=DYSGkhxrwuTA=LY3F6k9AJN7NCKCY+B0ZQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.29.42.225]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] TURN over websockets or just TURN.
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 19:03:59 -0000
Below. > -----Original Message----- > From: Oleg Moskalenko [mailto:mom040267@gmail.com] > Sent: 25 September 2013 19:40 > To: Hutton, Andrew > Cc: pntaw@ietf.org > Subject: Re: [pntaw] TURN over websockets or just TURN. > > Andy, you are not mentioning the case when no explicit web proxy is > configured. See below: [AndyH] True I was considering that as the simple case and of course there is no HTTP CONNECT in that scenario. So are you saying that when there is no proxy then a websockets connection is more likely to work than a TURN/TCP or TURN/TLS connection. I would be interested in whether there is evidence of that I am not sure whether it is true or not certainly in the encrypted case I don't see how this can be but I am not an expert on this. > > On Wed, Sep 25, 2013 at 11:19 AM, Hutton, Andrew > <andrew.hutton@siemens-enterprise.com> wrote: > > > > > That overhead is relatively minor. > [AndyH] But it is still something that we would be better without > unless it serves a good purpose. > > it provides benefits when no explicit web proxy is configured in the > enterprise network. > > > > > > > > The purpose of the extra HTTP handshake to upgrade to HTTP to a > > websockets connection is to allow an HTTP Server to use the same port > > for both HTTP and the websockets protocol. > > > > No, in this particular case the purpose is to use HTTP protocol as a > > tunnel for TURN protocol. > > > [AndyH] Not really the proposal is to encapsulate TURN within a > websockets connection not HTTP. > > I meant just that. From the firewall perspective it will be HTTP. > > > > > > > However I don't think this is necessary for WebRTC media connections > > as it is very unlikely that a web server will want to handle WebRTC > > media/TURN at all never mind on the HTTP port as the media. > > > > I do not understand how a web server jumped into the picture. The > > proposal has nothing to do with the web servers. > > > [AndyH] Exactly the media handling has nothing to do with the web > server but websockets uses HTTP upgrade mechanism because it was > designed to allow the web server to use the same port for HTTP and > websockets (See http://tools.ietf.org/html/rfc6455#section-1.3). This > mechanism is not needed in WebRTC because the web server and TURN > server are not the same server. > > Web servers and TURN servers are not the same - a good observation. > They use different IP addresses. And both are allowed to use port 80, > 443 or 8080 or whatever. > The analogy is media over TCP. TCP was not designed as a suitable for > media protocol. It is inferior to UDP and any media channel over TCP is > artificial and totally against the TCP original intentions and TCP > design. > > According to your logic, TCP has unnecessary (for media) overhead over > UDP So, if we are all technological purists here, we must immediately > ban any media over TCP and remove that from WebRTC specs. But we > discovered that in some cases TCP is necessary because there is no > other way to deliver the data. This is a compromise. > This is totally the same with websockets. It was designed for a > different purpose. But while technology progresses, it uses the > available tools and gadgets to move ahead. We found that websockets is > helpful in extending WebRTC connectivity. Pretty much the same as > earlier it was found that media over TCP is sometimes required (and > accepted). > > So, if we do not accept TURN inside Websockets then we must start an > immediate campaign against media inside TURN TCP connections and > through it out of WebRTC specs. These things are totally symmetrical in > all senses, and they serve the same purpose - the connectivity purpose, > and they have the same problems. > [AndyH] Sorry I don't get this argument at all the question is simply whether the websockets overhead is worthwhile or not. > > > > > So does encapsulating the TURN data in websocket frames provide any > > benefit. > > > > It provides a benefit of encapsulating TURN protocol into HTTP > protocol > > that is usually easily understandable and "parseable" by the > firewalls. > > The firewall can examine the subprotocol header and make a decision. > > > [AndyH] The subprotocol is nice but I assume the firewall only sees > this if the websockets connection is not encrypted it seems to me that > it might be better to have something like the subprotocol indicating > TURN in the HTTP CONNECT making it clear to the proxy the purpose of > the connection encrypted or not. > > Again, sometimes we have to HTTP CONNECT when explicit proxy is not > present. > > > > I can imagine that there might be some scenarios in which using a > > websockets connection might work when TURN might not simply because > the > > media is buried in further layers of encapsulation. However I don't > > know if this is really the case and also we are of course not trying > to > > hide the fact that this is media. > > > > There are scenarios when difference between HTTP and TURN is as > simple > > as "connectivity" vs "no connectivity". That's rather important. > > > [AndyH] Can you explain in what scenarios TURN over Websockets would > work and TURN/TCP with HTTP Connect would not? > > When explicit proxy is not configured. > > > > > > > The extra websockets overhead for all the media packets is surely a > > drawback of this approach. > > > > When no packets can be passed through, then the network overhead is > > exactly 0 (zero) but we do not consider it as a great scenario. > > > [AndyH] I am not sure I understand your point here. If there are no > significant advantage to using the websockets encapsulation and I have > not heard one yet, then the overhead is again something we could do > without. > > > when explicit proxy is not configured > > > > > > Not encapsulating the TURN in websockets would also probably provide > > better control for those wanting to assert policies on the handling > of > > media. > > > > DPI of the TURN packets is a hard task, especially considering that > the > > IP addresses in the TURN packets are obfuscated. On the other hand, > we > > may require some headers in the websocket connection to contain > > information about the protocol, so it may be more firewall-friendly > and > > "examinable", without serious investment into new DPI algorithms. > > > [AndyH] I don't think we should discuss DPI it should simply be out of > scope. > > > OK > > > > > Therefore as you can see I don't see the benefit of encapsulating > TURN > > in websockets but I look forward to hearing other opinions and maybe > I > > have missed something important. > > > > > > I hope I provide an opinion. > [AndyH] You have but I am not yet convinced of the benefit I think we > need concrete examples of why a websockets approach would be more > successful than just TURN/TCP using HTTP CONNECT. > > See above > > Regards, > Oleg
- Re: [pntaw] TURN over websockets or just TURN. Sergio Garcia Murillo
- [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Markus.Isomaki
- Re: [pntaw] TURN over websockets or just TURN. Markus.Isomaki
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Sergio Garcia Murillo
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Hutton, Andrew
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Sergio Garcia Murillo
- Re: [pntaw] TURN over websockets or just TURN. Tirumaleswar Reddy (tireddy)
- Re: [pntaw] TURN over websockets or just TURN. Oleg Moskalenko
- Re: [pntaw] TURN over websockets or just TURN. Tirumaleswar Reddy (tireddy)