Re: [rtcweb] Same location media

Roman Shpount <roman@telurix.com> Thu, 20 October 2011 17:58 UTC

In-Reply-To: <BLU152-W404F6E9A2510EBAC9F1C1F93EB0@phx.gbl>
References: <CAD5OKxuJi_VS9fRc4P6GN-StWzMhMHAQ2MyO8zJVsMfEeQRftg@mail.gmail.com> <BLU152-W274DC7DC92EF49307BC57D93EB0@phx.gbl> <CAD5OKxuooQzhmyHFi87XNPwiNqB7ohzhcbOWEsvCn-Zkshc9kQ@mail.gmail.com> <BLU152-W6591495353D395650050F293EB0@phx.gbl> <CAD5OKxtr=TGj4tCSCUsYxL=+Qturw-CKrTptDAkk=EQgQAVR2A@mail.gmail.com> <BLU152-W404F6E9A2510EBAC9F1C1F93EB0@phx.gbl>
Date: Thu, 20 Oct 2011 13:58:40 -0400
Message-ID: <CAD5OKxvgj=0gr1t-3TvEjNyz-L1FvYAgrnonbYn5FqFEhhYU7g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Same location media

On Thu, Oct 20, 2011 at 1:02 PM, Bernard Aboba <bernard_aboba@hotmail.com> wrote:

>  [BA] With respect to TURN with TCP/TLS we have found some firewalls that
> actually do deep packet inspection.  So if you're sending to TCP port 80 and
> aren't using HTTP, or are sending to port 443 and aren't using TLS (or are
> using TLS extensions the firewall doesn't understand), the firewall can
> block.   So yes, it is important to support TURN with TCP/TLS, but it should
> be recognized that even with that, there will still be a significant
> percentage of failures.
>

TURN over TLS is indistinguishable (unless I am missing something) from an
HTTPS connection. It uses the same TLS transport as HTTPS, and a firewall
cannot inspect the actual data transmitted. A firewall can probably do some
sort of heuristics based on packet sizes, but this will not be reliable
enough to distinguish TURN over TLS from HTTPS (or real-time media over
HTTPS). In any case, if people are persistent enough they will find a way
to block RTC connections regardless of the protocol used.
_____________
Roman Shpount
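The two positions above can be made concrete with a toy port-based classifier of the kind Bernard describes. This is an added example, not code from the thread or from any real firewall product: it models a hypothetical middlebox that admits only HTTP-looking traffic on port 80 and only a parseable TLS ClientHello on port 443, and that rejects a ClientHello carrying extension types outside its own (assumed, deliberately small) table. The STUN/TURN sample message and the ClientHello builder are constructed here for the test; the classifier only ever sees the handshake bytes, which is why a TURN-over-TLS ClientHello passes exactly like an HTTPS one (Roman's point) while an unfamiliar extension type gets blocked (Bernard's point).

```python
"""Toy DPI classifier illustrating the port 80 / port 443 behaviour discussed above.

Hypothetical model for illustration, not any vendor's actual logic.
"""
import struct

STUN_MAGIC_COOKIE = 0x2112A442  # RFC 5389 magic cookie, bytes 4..8 of every STUN/TURN message
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
# Extension types this hypothetical middlebox understands (a subset of IANA TLS ExtensionType
# values: server_name, supported_groups, ec_point_formats, signature_algorithms, ALPN,
# extended_master_secret, session_ticket, supported_versions, key_share). Assumed for the example.
KNOWN_EXTENSIONS = {0, 10, 11, 13, 16, 23, 35, 43, 51}


def looks_like_http(payload: bytes) -> bool:
    """Crude request-line check: does the stream open with an HTTP method token?"""
    return payload.startswith(HTTP_METHODS)


def looks_like_stun(payload: bytes) -> bool:
    """STUN/TURN header: top two bits zero, length a multiple of 4, magic cookie present."""
    if len(payload) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    return msg_type >> 14 == 0 and length % 4 == 0 and cookie == STUN_MAGIC_COOKIE


def parse_client_hello_extensions(payload: bytes):
    """Return the list of extension types in a TLS ClientHello, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[1] != 0x03:  # handshake record, TLS 1.x
            return None
        record_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + record_len]
        if hs[0] != 0x01:  # HandshakeType client_hello
            return None
        pos = 4 + 2 + 32                      # handshake header, client_version, random
        pos += 1 + hs[pos]                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                    # compression_methods
        if pos + 2 > len(hs):
            return []                         # ClientHello without an extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        types = []
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            types.append(etype)
            pos += 4 + elen
        return types
    except (IndexError, struct.error):
        return None


def classify(port: int, payload: bytes):
    """Decide what the hypothetical middlebox does with the first bytes of a TCP stream."""
    if port == 80:
        if looks_like_http(payload):
            return ("allow", "http")
        kind = "STUN/TURN" if looks_like_stun(payload) else "non-HTTP"
        return ("block", f"{kind} on port 80")
    if port == 443:
        exts = parse_client_hello_extensions(payload)
        if exts is None:
            return ("block", "non-TLS on port 443")
        unknown = sorted(set(exts) - KNOWN_EXTENSIONS)
        if unknown:
            return ("block", f"unknown TLS extensions {unknown}")
        return ("allow", "tls")  # TURN-over-TLS and HTTPS land here identically
    return ("allow", "port not inspected")


def build_client_hello(extension_types) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, empty extension bodies) for the test."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in extension_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed TURN Allocate request (type 0x0003, no attributes, zero transaction id).
SAMPLE_STUN = struct.pack("!HHI", 0x0003, 0, STUN_MAGIC_COOKIE) + bytes(12)

if __name__ == "__main__":
    for port, payload in ((80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
                          (80, SAMPLE_STUN),
                          (443, build_client_hello([0, 16, 43])),
                          (443, build_client_hello([0, 0x1234])),
                          (443, SAMPLE_STUN)):
        print(port, classify(port, payload))
```

The last three cases are the ones the thread argues about: plain TURN over TCP on 443 is blocked on sight, a TURN-over-TLS ClientHello with familiar extensions is admitted exactly as an HTTPS one would be, and the same ClientHello carrying an extension type the middlebox has never seen is blocked even though it is perfectly valid TLS.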