Re: [pntaw] draft-hutton-rtcweb-nat-firewall-considerations
"Hutton, Andrew" <andrew.hutton@siemens-enterprise.com> Wed, 04 September 2013 13:33 UTC
Return-Path: <andrew.hutton@siemens-enterprise.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DDEE21E80B8 for <pntaw@ietfa.amsl.com>; Wed, 4 Sep 2013 06:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[AWL=-0.144, BAYES_00=-2.599, SARE_MILLIONSOF=0.315, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvZYh5BCWDWk for <pntaw@ietfa.amsl.com>; Wed, 4 Sep 2013 06:33:49 -0700 (PDT)
Received: from senmx11-mx.siemens-enterprise.com (senmx11-mx.siemens-enterprise.com [62.134.46.9]) by ietfa.amsl.com (Postfix) with ESMTP id AA36E11E81B5 for <pntaw@ietf.org>; Wed, 4 Sep 2013 06:33:48 -0700 (PDT)
Received: from MCHP02HTC.global-ad.net (unknown [172.29.42.235]) by senmx11-mx.siemens-enterprise.com (Server) with ESMTP id 982B81EB859C; Wed, 4 Sep 2013 15:33:45 +0200 (CEST)
Received: from MCHP04MSX.global-ad.net ([169.254.1.174]) by MCHP02HTC.global-ad.net ([172.29.42.235]) with mapi id 14.03.0123.003; Wed, 4 Sep 2013 15:33:45 +0200
From: "Hutton, Andrew" <andrew.hutton@siemens-enterprise.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>, "pntaw@ietf.org" <pntaw@ietf.org>
Thread-Topic: [pntaw] draft-hutton-rtcweb-nat-firewall-considerations
Thread-Index: Ac6li3yHiavbr66zRBS13ndrj3kqWQBHbTyAALAYB9A=
Date: Wed, 04 Sep 2013 13:33:44 +0000
Message-ID: <9F33F40F6F2CD847824537F3C4E37DDF17BAB1BB@MCHP04MSX.global-ad.net>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BA590C@MCHP04MSX.global-ad.net> <BLU169-W550866EED2D3C94D56050B93370@phx.gbl>
In-Reply-To: <BLU169-W550866EED2D3C94D56050B93370@phx.gbl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.29.42.225]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pntaw] draft-hutton-rtcweb-nat-firewall-considerations
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2013 13:33:53 -0000
Hi Bernard, Thanks for the comments some responses below. Regards Andy > -----Original Message----- > From: Bernard Aboba [mailto:bernard_aboba@hotmail.com] > Sent: 01 September 2013 03:21 > To: Hutton, Andrew; pntaw@ietf.org > Subject: RE: [pntaw] draft-hutton-rtcweb-nat-firewall-considerations > > Here are some comments on the document. Overall, I like the approach > taken, which is to articulate use cases and the potential solutions to > them. However, I think it could be a bit clearer about the overall > recommendations and normative dependencies. > > Section 1 > > If an organization wants to support RTCWEB such a TURN server may be > located in the DMZ of the private network of that organization where > it is still under administrative control. > > In certain environments with very restrictive FW policies a TURN > server in the public internet may not be sufficient to establish > connectivity towards the RTCWEB peer for RTP-based media [RFC3550]. > Such policies can include blocking of all UDP based traffic and > allowing only HTTP(S) traffic to the TCP ports 80/443. In addition > access to the World Wide Web from inside an organization is often > only possible via a HTTP proxy. > > [BA] I think the above sentences miss an important distinction, which > is the difference between use of WebRTC internal to an organization and > use to communicate externally. In the internal scenario, employees of > an organization use WebRTC to communicate with each other, and the > corporate IT shop endeavors to configure the corporate NATs, Firewalls, > TURN servers, etc. to support that. In the external scenario, > organization employees use WebRTC to communicate with customers or > partners whose IT group may or may not be aware of WebRTC. It is in > this external scenario that many of the thorniest issues are likely to > arise. An example would be a company sales associate inviting a > potential customer to a screen sharing session to demonstrate a new > product. > [AndyH] I agree the draft currently concentrates on the external scenario which as you say covers an organizations employee using a 3rd party WebRTC service but it also might apply to other scenarios such as using a webrtc service from hotels, coffee shops etc. We do need more text on the internal case and will need to do more work on that. > > Section 2.2 > > > In the first case the browser needs to use ICE-TCP [RFC6544] and > provide active, passive and/or simultaneous-open TCP candidates. > Assuming the peer also provides TCP candidates, a connectivity check > for a TCP connection between the two peers should be successful. > > [BA] Not sure whether "should be successful" is trying to imply that > statistically this is expected to succeed in the majority of RTP over > TCP cases. That is not my experience - "simultaneous open" isn't > supported widely enough for that to be the case. [AndyH] - Agree and this was included for completeness my preference is for using TCP to the TURN server and possible we don't even need to use ICE-TCP. > > Note that the second case is not to be mixed up with TURN/TCP > [RFC6062], which deals with how to establish a TCP connection to the > peer. For this document we assume that the TURN server can reach > the > peer always via UDP, possibly via a second TURN server. > > [BA] In an external scenario, a "second TURN server" is not likely, > because the WebRTC application will only provide a single TURN server. > So it seems to me that TURN/TCP [RFC6062] might still be needed (and at > least in my experience, it ends up being used). [AndyH] - I am assuming that the two peers could be using different TURN servers which is why the draft refers to a second TURN server. I am not sure sure I understand your comment or why this means that TURN/TCP might be needed could you expand on that? > Section 2.3 > > In addition the RTCWEB > clients need to be configured to contact the TURN server over the > HTTP(S) ports and/or needs to be able to tell the browser > accordingly. > > [BA] At least in my experience, attempting to contact the TURN server > over the HTTP port tends to run afoul of DPI. So while I don't object > to this as a requirement, I've not found it particularly useful. [AndyH] - It could do and we don't want to try to get around this if DPI is deployed. However I believe that this provides a very significant increase to the chances of a successful webrtc connection. With regard to using the HTTP port then the port to be used is under the control of the webrtc application so any port could be used. > > Section 3.3.1 > > Afterwards, the RTCWEB client could upgrade the connection to use > TLS, forward STUN/TURN traffic via the HTTP proxy and use the TURN > server as media relay. Note that upgrading in this case is not to > be > misunderstood as usage of the HTTP UPGRADE method as specified in > [RFC2817] as this would require the TURN server to support HTTP. > > [BA] Can you clarify whether you are advocating support for this > native in the browser, or rather application implementation? I'm > assuming you mean browser native (so as to be able to take advantage of > this in ICE), but it also seems that an application might be able to > take advantage of this (possibly to do something malicous). > [AndyH] In the browser. I don't see how this opens up additional opportunities for the application to be malicious we are only talking about the transport for TURN allocations here. > > Section 4.3 > > However, the expected benefit in form of an increased success > rate for establishment of a media stream seems rather small, thus > HTTP fallback is left for further study. > > [BA] At least in my experience, the failure rate for ICE/ICE-TCP is not > so small in enterprise use cases (can be as high as 5 percent). Even > if it is 1 percent and you are talking about a service handling > hundreds of millions of users that kind of failure rate will generate a > very big support burden, particularly if the cost of service is small > or negligible. So I'd suggest that some testing of the recommendations > might be helpful to quantify what the risk is; even "small" failure > rates can be a big deal. [AndyH] Understood limited testing that we have done shows success with the HTTP Connect based mechanism but I would really like to hear from anybody with good stats. > > 9.1. Normative References > > > [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > Requirement Levels", BCP 14, RFC 2119, March 1997. > > [BA] Only one normative reference?? Based on the recommendations in > Section 5, I was expecting some of the following references to be > normative: > > [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment > (ICE): A Protocol for Network Address Translator (NAT) > Traversal for Offer/Answer Protocols", RFC 5245, April > 2010. > > [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal > Using > Relays around NAT (TURN): Relay Extensions to Session > Traversal Utilities for NAT (STUN)", RFC 5766, April > 2010. > > > [RFC6544] Rosenberg, J., Keranen, A., Lowekamp, B., and A. Roach, > "TCP Candidates with Interactive Connectivity > Establishment (ICE)", RFC 6544, March 2012. > > Also (although Section 5 doesn't recommend this), you might want to > consider: > > [RFC6062] Perreault, S. and J. Rosenberg, "Traversal Using Relays > around NAT (TURN) Extensions for TCP Allocations", RFC > 6062, November 2010. > > IMHO, if you're going to support RTP over TCP (not really sure that > this needs to be mandated for WebRTC), then you'll need RFC 6062 in > addition to RFC 6544. > > > > > > > > ________________________________________ > From: andrew.hutton@siemens-enterprise.com > To: pntaw@ietf.org > Date: Fri, 30 Aug 2013 14:16:15 +0000 > Subject: [pntaw] draft-hutton-rtcweb-nat-firewall-considerations > One of the reasons for establishing the pntaw mailing list was to > discuss http://tools.ietf.org/html/draft-hutton-rtcweb-nat-firewall- > considerations-01 > > This draft discusses the interaction between webrtc browsers and Web > Proxies, Firewalls and TURN servers and makes some proposals on what > needs to be implemented in webrtc browsers. We have already received a > few comments both on the rtcweb list and off list so we are working on > an update which we hope to submit within the next couple of weeks. > > As some people have recently stated on the rtcweb list this is an > important aspect of webrtc that needs to be tackled to enable webrtc > deployments in many restricted environments. > > The draft discusses the use of HTTP CONNECT in environments with web > proxies to enable a tunnel to be established to the TURN server but > this does not require any TURN enhancements which some people seem to > have thought to be the case. A small number of people have told me > that this might be controversial but the way I see it is that webrtc > brings new types of media to web applications we need to specify the > interaction between webrtc browsers and proxies in the same was as is > done for HTTP (See http://tools.ietf.org/html/draft-ietf-httpbis-p2- > semantics-23#section-4.3.6). > > Look forward to your comments. > > Regards > Andy > > > > _______________________________________________ pntaw mailing list > pntaw@ietf.org https://www.ietf.org/mailman/listinfo/pntaw
- [pntaw] draft-hutton-rtcweb-nat-firewall-consider… Hutton, Andrew
- Re: [pntaw] draft-hutton-rtcweb-nat-firewall-cons… Bernard Aboba
- Re: [pntaw] draft-hutton-rtcweb-nat-firewall-cons… Bernard Aboba
- Re: [pntaw] draft-hutton-rtcweb-nat-firewall-cons… Hutton, Andrew
- Re: [pntaw] draft-hutton-rtcweb-nat-firewall-cons… Hutton, Andrew
- Re: [pntaw] draft-hutton-rtcweb-nat-firewall-cons… Bernard Aboba