Re: [pntaw] TURN over websockets or just TURN.

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 26 September 2013 03:26 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A76521F9967 for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 20:26:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.283
X-Spam-Level:
X-Spam-Status: No, score=-10.283 tagged_above=-999 required=5 tests=[AWL=0.315, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWaLYN9N+GaY for <pntaw@ietfa.amsl.com>; Wed, 25 Sep 2013 20:26:48 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id ECADA11E80F4 for <pntaw@ietf.org>; Wed, 25 Sep 2013 20:26:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9047; q=dns/txt; s=iport; t=1380166007; x=1381375607; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=TC3M33TKbDuUXl34LMJXQBV9zgzV4MZobiQxabAbNXM=; b=PNw8XCP534fI21th7FQwEUdPhHN7zNz0w15UcalwD+xp5913UuzLRlFY X0EFsL+ghzKcGg9Wdcd9EDAI6nkwMH2MDreVVVNDEZP8NV8HDFkVkODJ7 I4Hfxk0c3r68yPTjhrkiWgoHLDfSRZH4dAH5qwT+qIiCpE1DzmxfRtKFh o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgUFAKSoQ1KtJV2d/2dsb2JhbABbgkNEOFLAXYEhFnSCJQEBAQQtPh4CAQgRBAEBCx0HMhQJCAIEARIIE4drDLxVjyA3AYMdgQEDiQCgc4Mkgio
X-IronPort-AV: E=Sophos; i="4.90,982,1371081600"; d="scan'208,217"; a="264592515"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-6.cisco.com with ESMTP; 26 Sep 2013 03:26:44 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id r8Q3QihX003711 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 26 Sep 2013 03:26:44 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.33]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.02.0318.004; Wed, 25 Sep 2013 22:26:44 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, "pntaw@ietf.org" <pntaw@ietf.org>
Thread-Topic: [pntaw] TURN over websockets or just TURN.
Thread-Index: Ac651aqKgci54WbeToGdcCETWYgQigAWo1kAAAViDwAAALMdAAAA0c8AAACDlIAAAtpOAAADozFA
Date: Thu, 26 Sep 2013 03:26:43 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A1907F780@xmb-rcd-x10.cisco.com>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BD44F6@MCHP04MSX.global-ad.net> <CALDtMrK9K-zSUd6-cLeRkkb0zixE=CDKKmOkfRCHNP-CZcriXg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD53FD@MCHP04MSX.global-ad.net> <CALDtMrLfg3AJFOr=DYSGkhxrwuTA=LY3F6k9AJN7NCKCY+B0ZQ@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD5567@MCHP04MSX.global-ad.net> <CALDtMrL=CA8Y8urr+p2=AOFEWA-2Wn0BcoSc37foM1KOFinAmQ@mail.gmail.com> <52434A18.3080707@gmail.com>
In-Reply-To: <52434A18.3080707@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.74.247]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A1907F780xmbrcdx10ciscoc_"
MIME-Version: 1.0
Subject: Re: [pntaw] TURN over websockets or just TURN.
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2013 03:26:53 -0000

Hi Oleg,

Please see inline [TR]

From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf Of Sergio Garcia Murillo
Sent: Thursday, September 26, 2013 2:10 AM
To: pntaw@ietf.org
Subject: Re: [pntaw] TURN over websockets or just TURN.

El 25/09/2013 21:18, Oleg Moskalenko escribió:
Andy, see below:

On Wed, Sep 25, 2013 at 12:03 PM, Hutton, Andrew <andrew.hutton@siemens-enterprise.com<mailto:andrew.hutton@siemens-enterprise.com>> wrote:

[AndyH] True I was considering that as the simple case and of course there is no HTTP CONNECT in that scenario. So are you saying that when there is no proxy then a websockets connection is more likely to work than a TURN/TCP or TURN/TLS connection. I would be interested in whether there is evidence of that I am not sure whether it is true or not certainly in the encrypted case I don't see how this can be but I am not an expert on this.

I cannot say that I am exactly an expert in IT firewall world, too. But I personally observed a rather strict corporate environments where a strict firewall is used without explicit HTTP proxy. Also, I heard from our TURN server users the stories about similar cases. The usual story was that the firewall blocks the outgoing TURN TCP connection unless it is destined to 80/443 port and it has an HTTP handshake.

Exactly the same case here. I have (had) a "potential" customer that is using a cloud based network filtering solution, and SIP over secure websockets works but TURN over TLS on port 443 doesn't. I yet have to double check my TURN TLS settings to see if everything is correctly configured and working correctly with chrome.

[TR] Various Enterprises in addition to firewalls are also using cloud connector which re-directs HTTP/HTTPS traffic to cloud based "Security As A Service" (SecaaS) for DPI, reputation based filtering etc http://www.gartner.com/technology/reprints.do?id=1-1FVA8PB&ct=130603&st=sbmp;st=sb. SecaaS can also do HTTPS inspection by acting as HTTPS proxy.

-Tiru.

Best regards
Sergio