[pntaw] Indicating that the TLS connection is for PeerConnection? (RE: New version of draft-hutton-rtcweb-nat-firewall-considerations)
<Markus.Isomaki@nokia.com> Mon, 23 September 2013 12:27 UTC
Return-Path: <Markus.Isomaki@nokia.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id AA7C621F9B60 for <pntaw@ietfa.amsl.com>;
Mon, 23 Sep 2013 05:27:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.373
X-Spam-Level:
X-Spam-Status: No, score=-6.373 tagged_above=-999 required=5 tests=[AWL=0.070,
BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iPCBCMur6nxX for
<pntaw@ietfa.amsl.com>; Mon, 23 Sep 2013 05:27:02 -0700 (PDT)
Received: from mgw-sa01.nokia.com (smtp.nokia.com [147.243.1.47]) by
ietfa.amsl.com (Postfix) with ESMTP id A7CA121F9AD5 for <pntaw@ietf.org>;
Mon, 23 Sep 2013 05:26:57 -0700 (PDT)
Received: from smtp.mgd.nokia.com ([65.54.30.26]) by mgw-sa01.nokia.com
(Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id r8NCFLR4013853
(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=OK);
Mon, 23 Sep 2013 15:15:21 +0300
Received: from 008-AM1MPN1-043.mgdnok.nokia.com ([169.254.3.213]) by
008-AM1MMR1-010.mgdnok.nokia.com ([65.54.30.26]) with mapi id 14.03.0136.001;
Mon, 23 Sep 2013 12:15:21 +0000
From: <Markus.Isomaki@nokia.com>
To: <andrew.hutton@siemens-enterprise.com>, <melinda.shore@gmail.com>,
<mom040267@gmail.com>
Thread-Topic: Indicating that the TLS connection is for PeerConnection? (RE:
[pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations)
Thread-Index: Ac64T2SC1UaZK8OfTdWgv61uZV8UhQ==
Date: Mon, 23 Sep 2013 12:15:20 +0000
Message-ID: <E44893DD4E290745BB608EB23FDDB7620A0C0ACE@008-AM1MPN1-043.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tituslabs-classifications-30: TLPropertyRoot=Nokia;
Confidentiality=Nokia Internal Use Only; Project=None;
x-titus-version: 3.5.9.3
x-headerinfofordlp: None
x-tituslabs-classificationhash-30: YifyyqlCDo9l8ySQLTGzHciosnhn8CXdx5K4PSclBMVmFMZu7Icxnd48gHtwvvveTKBdFGCM2PDCSe3jAjcaDZ5+fAeCWEaBLM0atL5TxnzGsXpapygZejbFlCoeAS0trPCILD82vfqgSAe1bbRiGr50/QHRaTqtlEsqm66H4ioHoOvwmP8RVnQQCAQF5GQboU474k+gZl0OFt43cPOFBNRcDlEitEeKnXRjjQjSOzHjd/W1mQMR7bZP9LanrSsy8cfNyDLoVwLgSEvyj/BPqmv54QuijSySYphEsfc1YCsDYO4NpbrLGptARhIVSnULt7KYAQxsj3NKPmGNxyge1kBNQf6srs22stS2i/YCPKiTjz3dTupijBL9jvuwdYqv
x-originating-ip: [172.21.80.69]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Nokia-AV: Clean
Cc: pntaw@ietf.org
Subject: [pntaw] Indicating that the TLS connection is for PeerConnection?
(RE: New version of draft-hutton-rtcweb-nat-firewall-considerations)
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN,
and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>,
<mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>,
<mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 12:27:35 -0000
Hi Andy, Hutton, Andrew [mailto:andrew.hutton@siemens-enterprise.com] wrote: > > On: 23 September 2013 10:35 Markus.Isomaki Wrote: > > > > There will be networks and administrators that explicitly want to > > restrict WebRTC. I think one part of the WebRTC firewall traversal > > "solution" needs to be an explanation HOW they can do it. > > > > I agree with this it is something we need to discuss and elaborate on in the > draft. > > The motivation behind the draft is to standardize the browser behavior in a > way that there is a good chance of WebRTC media traversing firewalls by > default but also to make it clear how browsers behave so that policy can be > enforced when needed. > Standardizing the browser behavior already helps. But rather than leaving it as an exercise to the reader, I think it would be better also to explain how an enlightened network admin can either let the WebRTC traffic flow better (e.g. using UDP rather than TCP), or explicitly restrict it. Traffic identification is clearly a crucial component here. For instance, when the browser does TURN allocation with HTTP CONNECT, could it include an indication that this is for the purposes of RTCPeerConnection to distinguish that from anything else. Like: CONNECT turn.example.com HTTP/1.1 Connection-Originator: RTCPeerConnection This may sound like a naïve proposal ("the HTTP evil bit header" ;-), but if we assumed that browser as trusted and standards compliant (huh...), it would not allow Javascript to establish such connections without that indicator. So at least that would be something. There are those who believe that rather than making traffic more identifiable, we should actually obfuscate it more to make things like mass-surveillance harder. So it's going to hard to find a win-win position. Markus
- [pntaw] Indicating that the TLS connection is for… Markus.Isomaki
- Re: [pntaw] Indicating that the TLS connection is… Sergio Garcia Murillo
- Re: [pntaw] Indicating that the TLS connection is… Markus.Isomaki
- Re: [pntaw] Indicating that the TLS connection is… Hutton, Andrew