IETF Logo Mail Archive

Re: [rtcweb] WGLC of draft-ietf-rtcweb-use-cases-and-requirements-11

"Karl Stahl" <karl.stahl@intertex.se> Fri, 20 September 2013 22:11 UTC

Return-Path: <karl.stahl@intertex.se>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F3CB21F9E6C for <rtcweb@ietfa.amsl.com>; Fri, 20 Sep 2013 15:11:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.406
X-Spam-Level:
X-Spam-Status: No, score=-1.406 tagged_above=-999 required=5 tests=[AWL=0.744, BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WX+97XezgEtp for <rtcweb@ietfa.amsl.com>; Fri, 20 Sep 2013 15:11:35 -0700 (PDT)
Received: from smtp.it-norr.com (smtp.it-norr.com [80.244.64.161]) by ietfa.amsl.com (Postfix) with ESMTP id E02E621F9E51 for <rtcweb@ietf.org>; Fri, 20 Sep 2013 15:11:34 -0700 (PDT)
Received: from ([90.229.134.75]) by smtp.it-norr.com (Telecom3 SMTP service) with ASMTP id 201309210011316490; Sat, 21 Sep 2013 00:11:31 +0200
From: Karl Stahl <karl.stahl@intertex.se>
To: "'Hutton, Andrew'" <andrew.hutton@siemens-enterprise.com>, 'Magnus Westerlund' <magnus.westerlund@ericsson.com>, "'Cullen Jennings (fluffy)'" <fluffy@cisco.com>, rtcweb@ietf.org, draft-ietf-rtcweb-use-cases-and-requirements@tools.ietf.org
References: <C5E08FE080ACFD4DAE31E4BDBF944EB11667BBA0@xmb-aln-x02.cisco.com> <5238446D.8050700@ericsson.com> <9F33F40F6F2CD847824537F3C4E37DDF17BCF581@MCHP04MSX.global-ad.net>
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF17BCF581@MCHP04MSX.global-ad.net>
Date: Sat, 21 Sep 2013 00:11:30 +0200
Message-ID: <07a601ceb64e$5caaba00$16002e00$@stahl>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AQHOs51tjte/V8mikk+NN5idi26Ro5nO5Y8ggABAlmA=
Content-Language: sv
Subject: Re: [rtcweb] WGLC of draft-ietf-rtcweb-use-cases-and-requirements-11
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 22:11:40 -0000

I want to point out that all methods suggested for RTP media through
firewalls that do not allow UDP traffic, by using "always open" https port
443 (or http port 80) result in tunneling RTP media over TCP. That gives
with severe quality problems from TCP retransmissions of dropped media
packet packets. Do we really want that for WebRTC?

A quality wise better solution is already pointed out in use case 3.2.5.1
mentioned below:
"An enterprise that uses a RTCWEB based web application for communication
desires to audit all RTCWEB based application session used from inside the
company towards any external peer. To be able to do this they deploy a TURN
server that straddle the boundary
between the internal network and the external"
 
I suggest the following is added to that use case:
"Such TURN server allows a media path, separated from the usually data
crowded enterprise Internet access, offering superior quality. This is a
better way to enable WebRTC on a network behind a restrictive firewall not
allowing UDP traffic, instead of tunneling RTP through always open http or
https ports resulting in RTP media over TCP – with severe quality problems
from TCP retransmissions of dropped packets. 

Such network administrator provided auditing TURN server would also put the
right party in control – The network administrator decides what is allowed
on his network."

Why should a network administrator that wants to block webrtc media, have to
do more than just closing his firewall for UDP, like below suggested
"configuring the browser not to do webrtc, normal HTTP black/white lists,
and solutions based on putting something in the HTTP Connect sent to the
proxy so the proxy can block it"?

Another thing in the second half of the same use case 3.2.5.1: 
Are NAT/firewalls inside the enterprise network assumed? If not, I think the
second half can be deleted.

" In cases where employees are using RTCWEB applications provided by an
   external service provider they still want to have the traffic to stay
   inside their internal network and in addition not load the straddling
   TURN server, "

ICE establishes a direct connection in this case, not using any TURN server
at all, doesn’t it? This is then not a problem.

/Karl

-----Ursprungligt meddelande-----
Från: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] För Hutton,
Andrew
Skickat: den 20 september 2013 19:58
Till: Magnus Westerlund; Cullen Jennings (fluffy); rtcweb@ietf.org;
draft-ietf-rtcweb-use-cases-and-requirements@tools.ietf.org
Ämne: Re: [rtcweb] WGLC of draft-ietf-rtcweb-use-cases-and-requirements-11

On: 17 September 2013 13:01 Magnus Westerlund Wrote:
> 3.2.3.1.  Description
> 
>    This use-case is almost identical to the Simple Video Communication
>    Service use-case (Section 3.2.1).  The difference is that one of the
>    users is behind a FW that only allows http traffic.
> 
> If a firewall only allows HTTP traffic, then can we really assume that 
> the firewall administrator per default will accept WebRTC Media and 
> Data traffic?
> 
> I am far from certain of this, and think on a requirement level needs 
> to express a situation where the firewall administrator allows WebRTC 
> across its FW, or at least can easily configure a rule to block it.
> Thus
> resulting in that any solution for this needs to be easily 
> identifiable and possible to block.
> 

Stefan already stated that this use case will be changed to take account of
my comments in
http://www.ietf.org/mail-archive/web/rtcweb/current/msg08264.html. So the
"only allows HTTP traffic" is going to be removed and changed to describe
the use case when the firewall requires traffic to flow via a HTTP Proxy. 

We also have a use case when a network specific TURN server is deployed
(3.2.5.1).

In both cases I agree that a network administrator must have a way to block
webrtc but there are various ways of achieving this including just
configuring the browser not to do webrtc, normal HTTP black/white lists, and
also I can imagine solutions based on putting something in the HTTP Connect
sent to the proxy so the proxy can block it. 

So I agree that it must be possible to block webrtc traffic but we need to
careful not to specify the solution in the use case.  

Andy


_______________________________________________
rtcweb mailing list
rtcweb@ietf.org
https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email