Re: [pntaw] TURN over websockets

[Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>]

Hi Thomas,

Inline.

El 30/08/2013 14:34, Stach, Thomas escribió:
> Sergio,
>
> Some comments inline
>
>> -----Original Message-----
>> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf
>> Of Sergio Garcia Murillo
>> Sent: Freitag, 30. August 2013 10:42
>> To: pntaw@ietf.org
>> Subject: [pntaw] TURN over websockets
>>
>> Hi all,
>>
>> I will shoot first.
>>
>> It is great to finally see some real interest in what I consider to be
>> the blocking point for webrtc in order to run business on top of it,
>> which is the ability to be able to connect through corporate firewalls.
>>
>> I have seen some people arguing that with just TURN over TCP on port
>> 443
>> the problem will be solved, but I seriously doubt it. Neither TURN over
>> SSL would do, as most web filters do DPI and will not enable the
>> connection. Also, I have heard lots of voices that says we are trying
>> to
>> override network admin policies with dirty tricks. With whom, I could
>> agree.
> [TS] I'm not sure if you are referencing draft-hutton-rtcweb-nat-firewall-considerations here.
> Nevertheless the draft mentions TURN over TCP to port 443.
And also does mention TURN over websockets, while it consider it to be 
not necessary.
> The goal behind this is certainly not to sneak WEBRTC media streams through heavily fortified networks that have DPI deployed.
> The goal rather to address a scenario e.g. at a small hotel with a not-so-skilled network admin, that opened his firewall on TCP port 80/443 to allow its guests to do some web browsing, but is afraid of opening its firewall for UDP traffic.
> If we want to deploy WEBRTC in such an environment TURN over TLS to port 443 would do the job.

Maybe that is your scenario, definitively not mine. Try doing some 
serious business with banking, insurance or such kind of sector and you 
won't find no-so-skilled admin but a full flavor DPI web filter in 
place. Then try to go to their admin it department and ask them to do 
some funny configuration on their firewalls.

I really doubt that TURN over TLS would work in 100% of this scenarios.


>> So, the only way I see to move forward and overcome this issues is by
>> playing according to the WEB rules, and use HTTP standards to enable
>> media connectivity in WebRTC that would play nicely with current
>> corporate HTTP proxies and web filters.
> [TS] Playing nicely with HTTP proxies is also a use case draft-hutton-rtcweb-nat-firewall-considerations.
> Usage of the HTTP CONNECT method is proposed here. The request URI would include the TURN server (preferably even to the well-known STUN port). If the network admin put the TURN server into its whitelist, that could hardly be considered as sneaking unwanted traffic through.
>> And,  for me the most viable solution would be to enable TURN over
>> websockets.
> [TS] This would require updates to the TURN protocol and the TURN software, whereas the proposals in draft-hutton-rtcweb-nat-firewall-considerations use the original transports.

Yes, it would require additions to the TURN protocol and new 
developments on TURN software.

> As most WebRTC services relay on websockets in one way or
>> another for signaling, we could assume that media would work on 100% of
>> the cases where signaling is working today.
>> Also, as it is an http based solution, network administrators could
>> apply corporate policies and block connections to not-trusted TURN
>> servers.
> [TS] which could also be done by white-listing the TURN server address via TCP without any further intermediate HTTP/Websocket layers.

Try to open a firewall in a corporate location, good luck! White listing 
in the web filter would be much more doable.

Best regards
Sergio