Re: [pntaw] Real-time media over TCP

"Ravindran, Parthasarathi (NSN - IN/Bangalore)" <> Sun, 10 November 2013 17:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7501511E8153 for <>; Sun, 10 Nov 2013 09:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id P8o4veP8ZrGR for <>; Sun, 10 Nov 2013 09:31:27 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 206A211E81CD for <>; Sun, 10 Nov 2013 09:31:25 -0800 (PST)
Received: from ([]) by ( with ESMTP id rAAHVMjv011906 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 10 Nov 2013 18:31:22 +0100
Received: from ([]) by ( with ESMTP id rAAHVHID018783 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 10 Nov 2013 18:31:20 +0100
Received: from ([]) by ([]) with mapi id 14.03.0123.003; Mon, 11 Nov 2013 01:31:18 +0800
From: "Ravindran, Parthasarathi (NSN - IN/Bangalore)" <>
To: ext Harald Alvestrand <>, "'Justin Uberti'" <>, "" <>
Thread-Topic: [pntaw] Real-time media over TCP
Date: Sun, 10 Nov 2013 17:31:18 +0000
Message-ID: <>
References: <> <> <004e01cec5df$cf8daaf0$6ea900d0$> <> <> <BLU402-EAS357ECBFC621A567B9D3A7B4931A0@phx.gbl> <> <00d401cec90e$d688d5a0$839a80e0$> <> <> <> <> <000801cecdae$f6713160$e3539420$> <CAOJ7v-3W7Kj_Bn7pTPs+ =-wPZRSvC1DzAHB9=2cnK8> <> <> <008801cedd31$e0031f00$a0095d00$> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_40AFDF4AF1909E4CB42B6D91CE6C419D19C62108SGSIMBX006nsnin_"
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R)
X-purgate: clean
X-purgate: This mail is considered clean (visit for further information)
X-purgate-size: 55708
X-purgate-ID: 151667::1384104682-00004A43-0FD1C64B/0-0/0-0
Cc: "" <>
Subject: Re: [pntaw] Real-time media over TCP
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 10 Nov 2013 17:31:31 -0000

Hi Harald,

Even though there is a note  in Sec  for ability to traverse very restrictive FWs, there is no additional requirement because of this usecase. I attached the exact note and relevant requirement in the mail for easy reference. Also, there is no additional requirement as part of Sec 3.4.1 (Telephony terminal) or Sec 3.4.2 (WebEx call) w.r.t to traverse very restrictive FW. I’m requesting for adding the explicit additional requirement in Sec or  Sec or Sec to provide the better clarity between ICE-TCP based solution and TURN based solution. The requirement shall be in the line of:

“The browser should be able to send streams and data to a peer in the presence of NATs and FWs that block UDP traffic and incoming TCP connection.”

I have mailed these requirement change as part of in IETF RTCWeb WG. The requirement difference in this mail and archive is that “should” is mentioned here whereas “must” was mentioned earlier. Also update the existing NAT/FW requirement is to state both browser behind firewall scenario as follows:

“The browser must be able to send streams and data to a peer in the presence of NATs and FWs that block UDP traffic and incoming TCP connection in both browser side as well as in the peer side” (TURN only works)


Note: Sec note -
   This use-case adds requirements on support for fast stream
   switches F7, on encryption of media and on ability to traverse very
   restrictive FWs.  There exist several solutions that enable the
   server to forward one high resolution and several low resolution
   video streams: a) each browser could send a high resolution, but
   scalable stream, and the server could send just the base layer for
   the low resolution streams, b) each browser could in a simulcast
   fashion send one high resolution and one low resolution stream, and
   the server just selects or c) each browser sends just a high
   resolution stream, the server transcodes into low resolution streams
   as required.<>.2>.  Additional Requirements



Browser requirement:
 F17     The browser must be able to mix several
           audio streams.

F7      The browser must support insertion of reference frames
           in outgoing media streams when requested by a peer.

From: [] On Behalf Of ext Harald Alvestrand
Sent: Sunday, November 10, 2013 3:52 AM
To: Parthasarathi R; 'Justin Uberti';
Subject: Re: [pntaw] Real-time media over TCP

On 11/09/2013 10:55 AM, Parthasarathi R wrote:
Hi Justin,  Markus & all,

It is good to know that conference server usecase as well for ICE-TCP usage. I think that it is better to request for adding conference/IVR Server/Gateway with firewall usecases explicitly in the RTCWeb usecase & requirement document in case there is no other objection in this mail thread.

Section 3.4.3 "Video conferencing system with central server" seems to already cover this case.

In particular (from -12):

   Note: This use-case adds requirements on ..... ability to traverse very
   restrictive FWs.


From:<> [] On Behalf Of Justin Uberti
Sent: Saturday, November 09, 2013 7:27 AM
Cc: Harald Tveit Alvestrand;<>; Parthasarathi R
Subject: Re: [pntaw] Real-time media over TCP

On Fri, Nov 8, 2013 at 3:58 PM, <<>> wrote:
Hi Justin,

It’s great to hear that at least one browser will be able to do ICE-TCP. It is an optimization, but definitely a useful one for certain central server and gateway situations. I have heard also from other service/gateway providers that they want to avoid the TURN-TCP “hop” for the same reasons you state. After listening to them, I’d say ICE-TCP ought to be rather a “SHOULD” instead of “MAY” in the RTCWeb NAT traversal framework.

Sounds good.

I suppose that when real-time media runs over TCP, it is in general best to avoid bundling, but to run the different medias over separate TCP connections. That way a single lost packet only affects the rate of one of the medias instead of the aggregate.

That is an interesting idea, but I think it is probably difficult to make work because the BUNDLE decision happens separately from ICE candidate pair selection.

I think what we really want is some sort of multi-TCP transport, where we can open several simultaneous TCP connections and rotate between them. Or maybe a Minion TCP-based approach. These would have their own issues, but be conceptually simpler.

I wonder if you already have a plan in Chrome if and how to deal with HTTP (and TLS) restricted firewalls. Are you OK with the idea of connecting to a TURN server with HTTP CONNECT, or do you see some issues with that?

We already use HTTP CONNECT with ICE-TCP, TURN-TCP, and TURN-TLS. It works.


From:<> [<>] On Behalf Of ext Justin Uberti
Sent: 09 November, 2013 01:33
To: Parthasarathi R
Cc: Harald Alvestrand;<>

Subject: Re: [pntaw] Real-time media over TCP

FWIW: we use ICE-TCP to connect to a conferencing server, instead of TURN-TCP, to avoid the extra TURN hop and the whole TURN credentials business. It's an optimization for sure, but a useful one.

I don't think ICE-TCP will be all that useful for P2P connectivity in the near future. The scenarios that require ICE-TCP are the exact ones where simultaneous open will probably be impossible.

On Sun, Oct 20, 2013 at 9:10 AM, Parthasarathi R <<>> wrote:
Hi Harald & all,

I agree that ICE-TCP qualifies for "MAY" requirement in case both browsers
are behind firewall. ICE-TCP is good for usecase wherein only one of the
browsers is behind firewall. Existing WebRTC usecase namely FedEx call is
good example for only one browser behind firewall wherein IVR is not going
to be behind UDP blocking firewall. In those usecases, ICE-TCP candidates
has merits over TURN relay candidates. IMO, ICE-TCP MUST be considered.

The current WebRTC FW usecase is (accidentially) inline with one of the
browser behind firewall scenario as mentioned in sec of

"The difference is that one of the users is behind a NAT that blocks UDP

> -----Original Message-----
> From:<> [<>] On Behalf
> Of Harald Alvestrand
> Sent: Wednesday, October 16, 2013 5:33 PM
> To:<>
> Subject: Re: [pntaw] Real-time media over TCP
> On 10/15/2013 06:15 PM, Dan Wing wrote:
> > On Oct 14, 2013, at 11:02 PM, Tirumaleswar Reddy (tireddy)
> <<>> wrote:
> >
> >>> -----Original Message-----
> >>> From:<> [<>] On
> Behalf Of Dan
> >>> Wing (dwing)
> >>> Sent: Tuesday, October 15, 2013 5:31 AM
> >>> To:<>
> >>> Cc:<>;<>
> >>> Subject: Re: [pntaw] Real-time media over TCP
> >>>
> >>>
> >>> On Oct 14, 2013, at 12:06 PM,<> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> In practice I doubt you find many situations where UDP is
> completely blocked
> >>> but incoming TCP connections from anywhere are allowed.
> >>>
> >>> Agreed.
> >>>
> >>> But if both ends are trying to communicate with each other, their
> >>> communications will appear as a TCP simultaneous-open.  That could
> (in fact,
> >>> "should") work across a firewall because the firewall will see an
> outbound SYN
> >>> to a host/port after which it will see an inbound SYN from that
> same
> >>> host/port.
> >> But firewall TCP inspection causes the inbound SYN from the same
> host/port to be dropped (Firewalls typically do not permit TCP
> simultaneous-open). Even with NAT as per the survey results in ICE TCP
> ( TCP simultaneous-open
> worked only in roughly 45% of the cases.
> > If avoiding TURN improves the user experience, and IT policy says TCP
> is allowed, I expect firewall vendors would make sure TCP simultaneous
> open works.
> >
> >
> If something improves the user experience if it is possible to do it,
> but the basic functionality works without it, and it's unclear whether
> the special circumstances under which it's going to improve the user
> experience in fact exist in the field, I think that's perfect for a MAY
> implement.
> _______________________________________________
> pntaw mailing list

pntaw mailing list<>


Surveillance is pervasive. Go Dark.