IETF Logo Mail Archive

Re: [pntaw] TURN over websockets

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Fri, 30 August 2013 13:04 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45FB121E80A3 for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 06:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jE0p+mXW9eYc for <pntaw@ietfa.amsl.com>; Fri, 30 Aug 2013 06:04:48 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 69C3921E808A for <pntaw@ietf.org>; Fri, 30 Aug 2013 06:04:47 -0700 (PDT)
Received: by mail-wi0-f170.google.com with SMTP id hi5so520074wib.5 for <pntaw@ietf.org>; Fri, 30 Aug 2013 06:04:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=6R1BdHIgGER0+tE6IcrwYiElfneopJTTTQv3Oowsofs=; b=cZ2uWJs4TUm/m8yK5I1Q9O8kC6LNw8dZUaAMcqFUMVhKVdJMi9U5sQrD/hiDzKGc6b tF5l+uk/xsAocbfGRkej409yj0IOHGVXVHxxJ+GmLMXgOxkn9N7IHWzw1zA+577kkIjC N/EHCydN6gVfieFiRHcZ6us7yJNmHoDMy9eh63o04Pk7EYuIFk8Ibz+WG7/mI4Ss+RRO 8kQh2mLkaIuH8X27tQ6UiFMVDuH9WfHvbC/uCUCplLux4y6kJ838W3kY5Rbeixr3bIS2 0Q6iB9LHmhHWJX3H4udAcBTN8yyyx1mt+2hcmZIaoebPxqOJ7sV9acV23WreUh9K/mi6 VZsA==
X-Received: by 10.180.160.240 with SMTP id xn16mr2360268wib.62.1377867885406; Fri, 30 Aug 2013 06:04:45 -0700 (PDT)
Received: from [192.168.1.45] (141.Red-83-50-134.dynamicIP.rima-tde.net. [83.50.134.141]) by mx.google.com with ESMTPSA id q5sm1058140wix.8.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 30 Aug 2013 06:04:44 -0700 (PDT)
Message-ID: <5220986A.1080702@gmail.com>
Date: Fri, 30 Aug 2013 15:04:42 +0200
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Markus.Isomaki@nokia.com
References: <52205AE1.9010807@gmail.com> <F81CEE99482EFE438DAE2A652361EE12179BF94B@MCHP04MSX.global-ad.net> <E44893DD4E290745BB608EB23FDDB7620A092563@008-AM1MPN1-041.mgdnok.nokia.com>
In-Reply-To: <E44893DD4E290745BB608EB23FDDB7620A092563@008-AM1MPN1-041.mgdnok.nokia.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: pntaw@ietf.org, thomas.stach@siemens-enterprise.com
Subject: Re: [pntaw] TURN over websockets
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 13:04:49 -0000

Hi Markus,

I see some benefits for websockets over HTTP connect, but may be due to 
my own deployment choices, but I would be ok with it also.

One point that I see against http connect is that it is meant to be used 
as a fallback scenario, while with websockets you could use it always, 
regardless if there is any http proxy in place or not.

Best regards
Sergio

El 30/08/2013 14:52, Markus.Isomaki@nokia.com escribió:
> Hi Sergio, Thomas,
>
> I also assume that we should run TURN over TLS directly, or by establishing that connection via a proxy using HTTP CONNECT. The first method would work in networks that allow outbound TLS/TCP connections, while the other would work even in networks that only allow outbound communication via a proxy.
>
> As Thomas says, the benefit of TURN/TLS instead of TURN/WS/TLS is that no changes would need to be applied to existing TURN servers. Only the client side establishment (by the browser) would need to include the use of HTTP CONNECT.
>
> But is there some advantage why Websockets should be used? WS does have the explicit HTTP based handshake, which is supposed to make it somehow middlebox "friendlier". But I don't know how that is better than HTTP CONNECT in that sense.
>
> Regards,
> 	Markus
>
>
>> -----Original Message-----
>> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf
>> Of ext Stach, Thomas
>> Sent: 30 August, 2013 15:35
>> To: Sergio Garcia Murillo; pntaw@ietf.org
>> Subject: Re: [pntaw] TURN over websockets
>>
>> Sergio,
>>
>> Some comments inline
>>
>>> -----Original Message-----
>>> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On
>> Behalf
>>> Of Sergio Garcia Murillo
>>> Sent: Freitag, 30. August 2013 10:42
>>> To: pntaw@ietf.org
>>> Subject: [pntaw] TURN over websockets
>>>
>>> Hi all,
>>>
>>> I will shoot first.
>>>
>>> It is great to finally see some real interest in what I consider to be
>>> the blocking point for webrtc in order to run business on top of it,
>>> which is the ability to be able to connect through corporate firewalls.
>>>
>>> I have seen some people arguing that with just TURN over TCP on port
>>> 443
>>> the problem will be solved, but I seriously doubt it. Neither TURN
>>> over SSL would do, as most web filters do DPI and will not enable the
>>> connection. Also, I have heard lots of voices that says we are trying
>>> to override network admin policies with dirty tricks. With whom, I
>>> could agree.
>> [TS] I'm not sure if you are referencing draft-hutton-rtcweb-nat-firewall-
>> considerations here.
>> Nevertheless the draft mentions TURN over TCP to port 443.
>> The goal behind this is certainly not to sneak WEBRTC media streams through
>> heavily fortified networks that have DPI deployed.
>> The goal rather to address a scenario e.g. at a small hotel with a not-so-skilled
>> network admin, that opened his firewall on TCP port 80/443 to allow its
>> guests to do some web browsing, but is afraid of opening its firewall for UDP
>> traffic.
>> If we want to deploy WEBRTC in such an environment TURN over TLS to port
>> 443 would do the job.
>>
>>> So, the only way I see to move forward and overcome this issues is by
>>> playing according to the WEB rules, and use HTTP standards to enable
>>> media connectivity in WebRTC that would play nicely with current
>>> corporate HTTP proxies and web filters.
>> [TS] Playing nicely with HTTP proxies is also a use case draft-hutton-rtcweb-
>> nat-firewall-considerations.
>> Usage of the HTTP CONNECT method is proposed here. The request URI
>> would include the TURN server (preferably even to the well-known STUN
>> port). If the network admin put the TURN server into its whitelist, that could
>> hardly be considered as sneaking unwanted traffic through.
>>> And,  for me the most viable solution would be to enable TURN over
>>> websockets.
>> [TS] This would require updates to the TURN protocol and the TURN
>> software, whereas the proposals in draft-hutton-rtcweb-nat-firewall-
>> considerations use the original transports.
>> As most WebRTC services relay on websockets in one way or
>>> another for signaling, we could assume that media would work on 100%
>>> of the cases where signaling is working today.
>>> Also, as it is an http based solution, network administrators could
>>> apply corporate policies and block connections to not-trusted TURN
>>> servers.
>> [TS] which could also be done by white-listing the TURN server address via
>> TCP without any further intermediate HTTP/Websocket layers.
>>
>> Regards
>> Thomas
>>
>>> Best regards
>>> Sergio
>>> _______________________________________________
>>> pntaw mailing list
>>> pntaw@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pntaw
>> _______________________________________________
>> pntaw mailing list
>> pntaw@ietf.org
>> https://www.ietf.org/mailman/listinfo/pntaw

v2.23.0 | Report a Bug | By Email