IETF Logo Mail Archive

Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Fri, 20 September 2013 23:03 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A41F21F9ED2 for <pntaw@ietfa.amsl.com>; Fri, 20 Sep 2013 16:03:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.494
X-Spam-Level:
X-Spam-Status: No, score=-2.494 tagged_above=-999 required=5 tests=[AWL=-0.052, BAYES_00=-2.599, HTML_MESSAGE=0.001, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1RauUBUMLls for <pntaw@ietfa.amsl.com>; Fri, 20 Sep 2013 16:03:11 -0700 (PDT)
Received: from mail-we0-x230.google.com (mail-we0-x230.google.com [IPv6:2a00:1450:400c:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id 1B07121F9ECE for <pntaw@ietf.org>; Fri, 20 Sep 2013 16:03:10 -0700 (PDT)
Received: by mail-we0-f176.google.com with SMTP id u56so1094993wes.21 for <pntaw@ietf.org>; Fri, 20 Sep 2013 16:03:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=KHSK+VKMM875zOA3drRwS1ylt8l/ifhGmoLU0OpS3Ek=; b=NRqou4PK9BquGV+MQqH4Jg7DsgvqztLmup3tHKVr1lJkhgddoU9AKFOo+93isXLukA Wpl79hKBvJ3g9Xm45dOnilobOvURr7OD1f0qzOJDZWspi4hjICBAyIrIuSVVHbNqbw2e spLPAKWyyI3Yc7P0/fdEyplRIr1aZcW3N232gg4k6CLOHOcpztW/c9b26ImcBeQ+cHB0 5Xwkh2D/T72WSA1YVCfhkCd5QtIMu1uHo1QsC7VA4JOuG9noX4l+AVBL+tsLX+PfTV8d su+ua7+I5SLudy8ukjabu3+D1dtR++J5991U6kAzSJMl4NUGJLwyaQSDnISiSaz52QrR IYMQ==
X-Received: by 10.194.77.167 with SMTP id t7mr7851698wjw.27.1379718190200; Fri, 20 Sep 2013 16:03:10 -0700 (PDT)
Received: from [192.168.1.2] (171.pool85-51-25.dynamic.orange.es. [85.51.25.171]) by mx.google.com with ESMTPSA id li9sm8240556wic.4.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 20 Sep 2013 16:03:09 -0700 (PDT)
Message-ID: <523CD42E.8070102@gmail.com>
Date: Sat, 21 Sep 2013 01:03:10 +0200
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BCF3A5@MCHP04MSX.global-ad.net>, <523CCD06.3030902@gmail.com> <BLU169-W136A55AC013DA147313576D93220@phx.gbl>
In-Reply-To: <BLU169-W136A55AC013DA147313576D93220@phx.gbl>
Content-Type: multipart/alternative; boundary="------------010200080706070706050307"
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 23:03:12 -0000

El 21/09/2013 0:48, Bernard Aboba escribió:
> Sergio said:
>
> "Why are you leaving out of scope the case when the WebRTC service is 
> not deployed by the corporate organization and/or the HTTP proxy has 
> DPI validation? "
>
> [BA ]  My reading of the document is that it is attempting to respect 
> the restrictions set by the firewall administrator.   If UDP and TCP 
> to ports other than 80/443 is denied, and in addition DPI is deployed, 
> then you often will only have a subset of HTTP functionality available 
> to speak to port 80 and maybe a subset of TLS which you can speak 
> to port 443.

I am not against providing firewall administrators with tools for 
applying corporate policies to outbound connections, in fact I am all 
for it. But in my point of view, if the web part of my service is 
allowed by the company policies (either because it is no black listed, 
or it is whitelisted) then the webrtc part should work also.

>
> This can significantly restrict the choices available.  In my 
> experience, customers denying UDP in/out and only allowing TCP 
> destined to selected ports (e.g. 80/443) as well as deploying DPI 
> validation typically will not allow HTTP CONNECT (or even WebSockets).
>
> We are sometimes successful in making TURN allocation requests over 
> TCP to port 80 or over TLS to port 443 in these scenarios, but TURN 
> over TCP/TLS requests to other ports can fail. Similarly, one should 
> not expect TURN over WebSockets to work in these kind of 
> installations; the DPI box probably hasn't been updated to handle 
> WebSockets, or if it was, is configured to prevent WebSocket use.

Most of webrtc services I have seen so far are using websockets for 
signaling already, so if websockets are not supported by the firewall 
you have bigger problem.
Also, if TURN over TLS on port 443 works (i.e. no DPI in place), secure 
websockets works. So in 100% cases that TURN over TLS works, TURN over 
websocket works too. The other way round is not true.

Best regards
Sergio

v2.23.0 | Report a Bug | By Email