IETF Logo Mail Archive

Re: [pntaw] TURN over websockets

"Stach, Thomas" <thomas.stach@siemens-enterprise.com> Fri, 30 August 2013 13:24 UTC

Return-Path: <thomas.stach@siemens-enterprise.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8ED011E810D for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 06:24:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NB4-QtRk+GwS for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 06:24:32 -0700 (PDT)
Received: from senmx11-mx.siemens-enterprise.com (senmx11-mx.siemens-enterprise.com [62.134.46.9]) by ietfa.amsl.com (Postfix) with ESMTP id 57A4B11E8111 for <pntaw@ietf.org>; Fri, 30 Aug 2013 06:24:32 -0700 (PDT)
Received: from MCHP01HTC.global-ad.net (unknown [172.29.42.234]) by senmx11-mx.siemens-enterprise.com (Server) with ESMTP id 8A0CA1EB847E; Fri, 30 Aug 2013 15:24:31 +0200 (CEST)
Received: from MCHP04MSX.global-ad.net ([169.254.1.174]) by MCHP01HTC.global-ad.net ([172.29.42.234]) with mapi id 14.03.0123.003; Fri, 30 Aug 2013 15:24:31 +0200
From: "Stach, Thomas" <thomas.stach@siemens-enterprise.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Thread-Topic: [pntaw] TURN over websockets
Thread-Index: AQHOpVzeSFPe8Kl+LUCjnsamYIV4h5mtqQnw///regCAACaXIA==
Date: Fri, 30 Aug 2013 13:24:30 +0000
Message-ID: <F81CEE99482EFE438DAE2A652361EE12179BF9D6@MCHP04MSX.global-ad.net>
References: <52205AE1.9010807@gmail.com> <F81CEE99482EFE438DAE2A652361EE12179BF94B@MCHP04MSX.global-ad.net> <5220968E.2050708@gmail.com>
In-Reply-To: <5220968E.2050708@gmail.com>
Accept-Language: de-AT, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.29.42.225]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] TURN over websockets
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 13:24:37 -0000

> -----Original Message-----
> From: Sergio Garcia Murillo [mailto:sergio.garcia.murillo@gmail.com]
> Sent: Freitag, 30. August 2013 14:57
> To: Stach, Thomas
> Cc: pntaw@ietf.org
> Subject: Re: [pntaw] TURN over websockets
> 
> Hi Thomas,
> 
> Inline.
> 
> El 30/08/2013 14:34, Stach, Thomas escribió:
> > Sergio,
> >
> > Some comments inline
> >
> >> -----Original Message-----
> >> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On
> Behalf
> >> Of Sergio Garcia Murillo
> >> Sent: Freitag, 30. August 2013 10:42
> >> To: pntaw@ietf.org
> >> Subject: [pntaw] TURN over websockets
> >>
> >> Hi all,
> >>
> >> I will shoot first.
> >>
> >> It is great to finally see some real interest in what I consider to
> be
> >> the blocking point for webrtc in order to run business on top of it,
> >> which is the ability to be able to connect through corporate
> firewalls.
> >>
> >> I have seen some people arguing that with just TURN over TCP on port
> >> 443
> >> the problem will be solved, but I seriously doubt it. Neither TURN
> over
> >> SSL would do, as most web filters do DPI and will not enable the
> >> connection. Also, I have heard lots of voices that says we are
> trying
> >> to
> >> override network admin policies with dirty tricks. With whom, I
> could
> >> agree.
> > [TS] I'm not sure if you are referencing draft-hutton-rtcweb-nat-
> firewall-considerations here.
> > Nevertheless the draft mentions TURN over TCP to port 443.
> And also does mention TURN over websockets, while it consider it to be
> not necessary.
> > The goal behind this is certainly not to sneak WEBRTC media streams
> through heavily fortified networks that have DPI deployed.
> > The goal rather to address a scenario e.g. at a small hotel with a
> not-so-skilled network admin, that opened his firewall on TCP port
> 80/443 to allow its guests to do some web browsing, but is afraid of
> opening its firewall for UDP traffic.
> > If we want to deploy WEBRTC in such an environment TURN over TLS to
> port 443 would do the job.
> 
> Maybe that is your scenario, definitively not mine. Try doing some
> serious business with banking, insurance or such kind of sector and you
> won't find no-so-skilled admin but a full flavor DPI web filter in
> place. Then try to go to their admin it department and ask them to do
> some funny configuration on their firewalls.
> 
> I really doubt that TURN over TLS would work in 100% of this scenarios.
[TS] Certainly not, but it would already increase the number of working scenarios considerably.
I'd prefer to go on step by step and start with specifying the browser should use TURN over TLS (including the HTTP proxy case). The more sophisticated stuff could follow.

> 
> 
> >> So, the only way I see to move forward and overcome this issues is
> by
> >> playing according to the WEB rules, and use HTTP standards to enable
> >> media connectivity in WebRTC that would play nicely with current
> >> corporate HTTP proxies and web filters.
> > [TS] Playing nicely with HTTP proxies is also a use case draft-
> hutton-rtcweb-nat-firewall-considerations.
> > Usage of the HTTP CONNECT method is proposed here. The request URI
> would include the TURN server (preferably even to the well-known STUN
> port). If the network admin put the TURN server into its whitelist,
> that could hardly be considered as sneaking unwanted traffic through.
> >> And,  for me the most viable solution would be to enable TURN over
> >> websockets.
> > [TS] This would require updates to the TURN protocol and the TURN
> software, whereas the proposals in draft-hutton-rtcweb-nat-firewall-
> considerations use the original transports.
> 
> Yes, it would require additions to the TURN protocol and new
> developments on TURN software.
> 
> > As most WebRTC services relay on websockets in one way or
> >> another for signaling, we could assume that media would work on 100%
> of
> >> the cases where signaling is working today.
> >> Also, as it is an http based solution, network administrators could
> >> apply corporate policies and block connections to not-trusted TURN
> >> servers.
> > [TS] which could also be done by white-listing the TURN server
> address via TCP without any further intermediate HTTP/Websocket layers.
> 
> Try to open a firewall in a corporate location, good luck! White
> listing
> in the web filter would be much more doable.
[TS] ... which is what I meant.

Regards
Thomas
> 
> Best regards
> Sergio

v2.8.7 | Report a Bug | By Email