IETF Logo Mail Archive

Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations

Bernard Aboba <bernard_aboba@hotmail.com> Fri, 20 September 2013 22:48 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6402D21F9EB0 for <pntaw@ietfa.amsl.com>; Fri, 20 Sep 2013 15:48:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.403
X-Spam-Level:
X-Spam-Status: No, score=-102.403 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599, HTML_MESSAGE=0.001, SUBJECT_FUZZY_TION=0.156, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gX8XuUsydQ+G for <pntaw@ietfa.amsl.com>; Fri, 20 Sep 2013 15:48:31 -0700 (PDT)
Received: from blu0-omc1-s3.blu0.hotmail.com (blu0-omc1-s3.blu0.hotmail.com [65.55.116.14]) by ietfa.amsl.com (Postfix) with ESMTP id DEE2421F9EA2 for <pntaw@ietf.org>; Fri, 20 Sep 2013 15:48:30 -0700 (PDT)
Received: from BLU169-W136 ([65.55.116.8]) by blu0-omc1-s3.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 20 Sep 2013 15:48:30 -0700
X-TMN: [Y/aoLQUew1mhc9SvQyKCuZQmUw/syM2X5UyGCBSwL2Y=]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU169-W136A55AC013DA147313576D93220@phx.gbl>
Content-Type: multipart/alternative; boundary="_5f0056ef-e815-4445-ad4b-8bf88254f638_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, "pntaw@ietf.org" <pntaw@ietf.org>
Date: Fri, 20 Sep 2013 15:48:30 -0700
Importance: Normal
In-Reply-To: <523CCD06.3030902@gmail.com>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BCF3A5@MCHP04MSX.global-ad.net>, <523CCD06.3030902@gmail.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Sep 2013 22:48:30.0513 (UTC) FILETIME=[87147A10:01CEB653]
Subject: Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 22:48:39 -0000

Sergio said: 

      

      "Why are you leaving out of scope the case when the WebRTC service
      is not deployed by the corporate organization and/or the HTTP
      proxy has DPI validation? "
 
[BA ]  My reading of the document is that it is attempting to respect the restrictions set by the firewall administrator.   If UDP and TCP to ports other than 80/443 is denied, and in addition DPI is deployed, then you often will only have a subset of HTTP functionality available to speak to port 80 and maybe a subset of TLS which you can speak to port 443. 
 
This can significantly restrict the choices available.  In my experience, customers denying UDP in/out and only allowing TCP destined to selected ports (e.g. 80/443) as well as deploying DPI validation typically will not allow HTTP CONNECT (or even WebSockets).  
 
We are sometimes successful in making TURN allocation requests over TCP to port 80 or over TLS to port 443 in these scenarios, but TURN over TCP/TLS requests to other ports can fail.  Similarly, one should not expect TURN over WebSockets to work in these kind of installations; the DPI box probably hasn't been updated to handle WebSockets, or if it was, is configured to prevent WebSocket use.

v2.23.0 | Report a Bug | By Email