IETF Logo Mail Archive

Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations

"Chenxin (Xin)" <hangzhou.chenxin@huawei.com> Mon, 23 September 2013 10:40 UTC

Return-Path: <hangzhou.chenxin@huawei.com>
X-Original-To: pntaw@ietfa.amsl.com
Delivered-To: pntaw@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36C2521F9A4A for <pntaw@ietfa.amsl.com>; Mon, 23 Sep 2013 03:40:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.521
X-Spam-Level:
X-Spam-Status: No, score=-6.521 tagged_above=-999 required=5 tests=[AWL=-0.078, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pk9OkJ0eM44w for <pntaw@ietfa.amsl.com>; Mon, 23 Sep 2013 03:40:20 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 630FC21F99BD for <pntaw@ietf.org>; Mon, 23 Sep 2013 03:40:18 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id AYD62064; Mon, 23 Sep 2013 10:40:15 +0000 (GMT)
Received: from LHREML405-HUB.china.huawei.com (10.201.5.242) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.3.146.0; Mon, 23 Sep 2013 11:39:18 +0100
Received: from SZXEMA410-HUB.china.huawei.com (10.82.72.42) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.146.0; Mon, 23 Sep 2013 11:39:53 +0100
Received: from SZXEMA504-MBX.china.huawei.com ([169.254.7.96]) by SZXEMA410-HUB.china.huawei.com ([10.82.72.42]) with mapi id 14.03.0146.000; Mon, 23 Sep 2013 18:39:45 +0800
From: "Chenxin (Xin)" <hangzhou.chenxin@huawei.com>
To: "Markus.Isomaki@nokia.com" <Markus.Isomaki@nokia.com>, "melinda.shore@gmail.com" <melinda.shore@gmail.com>, "mom040267@gmail.com" <mom040267@gmail.com>
Thread-Topic: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations
Thread-Index: AQHOuECVB96cuMY1+kONkvod4Jbs+pnTGnuQ
Date: Mon, 23 Sep 2013 10:39:44 +0000
Message-ID: <9E34D50A21D1D1489134B4D770CE039768080325@SZXEMA504-MBX.china.huawei.com>
References: <9F33F40F6F2CD847824537F3C4E37DDF17BCF3A5@MCHP04MSX.global-ad.net> <523CCD06.3030902@gmail.com> <BLU169-W136A55AC013DA147313576D93220@phx.gbl> <523CD42E.8070102@gmail.com> <BLU169-W82036280852F26ED26283C93230@phx.gbl> <523D4F17.2040202@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD01A8@MCHP04MSX.global-ad.net> <CALDtMrL5pT3MfbQufCphEKq0-pXj+JcfwW__wzG3T6wZ=TuWhg@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17BD08EA@MCHP04MSX.global-ad.net> <CALDtMrLcUrxseyiaPc_0AWJw3HPdaBuAS+xpviT2q=y4zmdNgw@mail.gmail.com> <523FD5FD.8030601@gmail.com> <CALDtMrK=9D3qXXK6EeWF4RDk26GHPDgkYfQzdJpD33JNK_MeRw@mail.gmail.com> <523FE3E7.3060101@gmail.com> <E44893DD4E290745BB608EB23FDDB7620A0C0969@008-AM1MPN1-043.mgdnok.nokia.com>
In-Reply-To: <E44893DD4E290745BB608EB23FDDB7620A0C0969@008-AM1MPN1-043.mgdnok.nokia.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.166.41.132]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] New version of draft-hutton-rtcweb-nat-firewall-considerations
X-BeenThere: pntaw@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pntaw>, <mailto:pntaw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>
List-Post: <mailto:pntaw@ietf.org>
List-Help: <mailto:pntaw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pntaw>, <mailto:pntaw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 10:40:27 -0000

Hi, 

>Hi,
>
>Melinda Shore wrote:
>>
>> On 9/22/13 10:41 PM, Oleg Moskalenko wrote:
>> > Melinda, you are assuming that the policies are a precise accurate
>> > instrument that can be used to set the exact network access rules.
>> >
>
>I agree it is hard to determine what the policy is based on the actual firewall etc.
>rules. For instance if all UDP is blocked may not necessarily mean that the high
>level policy is that VoIP is not allowed. Or, on the other hand, if outbound HTTPS
>to port 443 is open, it does not necessarily mean that the policy is to allow
>whatever apps to tunnel whatever traffic that way.
[xin] yes, we should not focus on the firewall administrator policy, which is hard and should not be judged by us. If the IT admin wants, they always have methods to block webrtc data no matter by http connect or https or turn over websocket.
	Considering webrtc is a web application. A normal or fall-back media or data channel based on web should be considered, it is one benefit of *web*rtc. I think this is the key point we should discuss more. Websocket is a bidirection channel for web, which is wildly used as webrtc signaling channel. It is also really more convenient to carry webrtc data in it as a bidirection channel. I believe it will be better to consider more far for future. 
    About the change to turn server. It is better to add the function to turn server but add a websocket to tcp proxy(websockify) before turn server also work for existed deployment. We are working on this, and will give a simple prototype to validate it.
>
>> > They are not. The reality is that the modern state of network policies
>> > is rather behind the real-world requirements.
>>
>> My comfort level with telling people who run networks that their network
>> access management policies and technologies are behind the times and
>> because we know better then they do about these things it's fine if we
>> punch holes in their firewalls without asking is not very high, to be honest.
>>
>
>While I'm in general supportive to the proposals in draft-hutton-, I also agree we
>need to consider the network admin's perspective as well.
>
>There will be networks and administrators that explicitly want to restrict
>WebRTC. I think one part of the WebRTC firewall traversal "solution" needs to
>be an explanation HOW they can do it.
[xin] I think Markus pointed out an important things. We should discuss about it more to decide if these works is necessary. If media or data of VOIP through http or websocket channel is new thing for firewall, It is better to clarify it , because our target is give a web-fallback channel for a web application.

Regards,
  Xin
>
>Markus
>
>_______________________________________________
>pntaw mailing list
>pntaw@ietf.org
>https://www.ietf.org/mailman/listinfo/pntaw

v2.23.0 | Report a Bug | By Email