Re: [rtcweb] Same location media

Salvatore Loreto <salvatore.loreto@ericsson.com> Fri, 21 October 2011 09:58 UTC

Return-Path: <salvatore.loreto@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C336821F8C0B for <rtcweb@ietfa.amsl.com>; Fri, 21 Oct 2011 02:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TI07-rip6PCl for <rtcweb@ietfa.amsl.com>; Fri, 21 Oct 2011 02:58:47 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by ietfa.amsl.com (Postfix) with ESMTP id BDF5021F8BA8 for <rtcweb@ietf.org>; Fri, 21 Oct 2011 02:58:46 -0700 (PDT)
X-AuditID: c1b4fb3d-b7c26ae0000035b9-e2-4ea142553886
Received: from esessmw0184.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 15.24.13753.55241AE4; Fri, 21 Oct 2011 11:58:46 +0200 (CEST)
Received: from mail.lmf.ericsson.se (153.88.115.8) by esessmw0184.eemea.ericsson.se (153.88.115.82) with Microsoft SMTP Server id 8.3.137.0; Fri, 21 Oct 2011 11:58:45 +0200
Received: from nomadiclab.lmf.ericsson.se (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 5BB362321 for <rtcweb@ietf.org>; Fri, 21 Oct 2011 12:58:45 +0300 (EEST)
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 2253E517DB for <rtcweb@ietf.org>; Fri, 21 Oct 2011 12:58:45 +0300 (EEST)
Received: from n211.nomadiclab.com (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id C328D51236 for <rtcweb@ietf.org>; Fri, 21 Oct 2011 12:58:44 +0300 (EEST)
Message-ID: <4EA14254.9030005@ericsson.com>
Date: Fri, 21 Oct 2011 12:58:44 +0300
From: Salvatore Loreto <salvatore.loreto@ericsson.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CAD5OKxuJi_VS9fRc4P6GN-StWzMhMHAQ2MyO8zJVsMfEeQRftg@mail.gmail.com>, <BLU152-W274DC7DC92EF49307BC57D93EB0@phx.gbl>, <CAD5OKxuooQzhmyHFi87XNPwiNqB7ohzhcbOWEsvCn-Zkshc9kQ@mail.gmail.com>, <BLU152-W6591495353D395650050F293EB0@phx.gbl>, <CAD5OKxtr=TGj4tCSCUsYxL=+Qturw-CKrTptDAkk=EQgQAVR2A@mail.gmail.com>, <BLU152-W404F6E9A2510EBAC9F1C1F93EB0@phx.gbl>, <CAD5OKxvgj=0gr1t-3TvEjNyz-L1FvYAgrnonbYn5FqFEhhYU7g@mail.gmail.com> <BLU152-W47FFB556E3F8FAB1EE9F5193EB0@phx.gbl>
In-Reply-To: <BLU152-W47FFB556E3F8FAB1EE9F5193EB0@phx.gbl>
Content-Type: multipart/alternative; boundary="------------000006060700090508010705"
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [rtcweb] Same location media
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2011 09:58:47 -0000

On 10/20/11 9:05 PM, Bernard Aboba wrote:
> Yes, TURN over TLS is non-distinguishable.  However, we've found deep 
> inspection firewalls that will actually attempt to parse the TLS 
> negotiation.  This creates brittleness to extensions in general.  
> Anything that is not "vanilla" could potentially fall prey, including 
> TLS extensions, Websockets, etc.  Sad, but true.
But then your fallback proposal to send media over WebSocket
can also potentially fall, can't it?
Or am I missing something?

/Sal
>
> ------------------------------------------------------------------------
> Date: Thu, 20 Oct 2011 13:58:40 -0400
> Subject: Re: [rtcweb] Same location media
> From: roman@telurix.com
> To: bernard_aboba@hotmail.com
> CC: rtcweb@ietf.org
>
>
>
> On Thu, Oct 20, 2011 at 1:02 PM, Bernard Aboba 
> <bernard_aboba@hotmail.com <mailto:bernard_aboba@hotmail.com>> wrote:
>
>     [BA] With respect to TURN with TCP/TLS we have found some
>     firewalls that actually do deep packet inspection.  So if you're
>     sending to TCP port 80 and aren't using HTTP, or are sending to
>     port 443 and aren't using TLS (or are using TLS extensions the
>     firewall doesn't understand), the firewall can block.   So yes, it
>     is important to support TURN with TCP/TLS, but it should be
>     recognized that even with that, there will still be a significant
>     percentage of failures.
>
>
> TURN over TLS is non-distinguishable (unless I am missing something) 
> from an HTTPS connection. It is using the same TLS transport as HTTPS and 
> the firewall cannot inspect the actual data transmitted. A firewall can 
> probably do some sort of heuristics based on packet sizes, but this 
> will not be reliable enough to distinguish TURN over TLS from HTTPS 
> (or real time media over HTTPS). In any case, if people are persistent 
> enough they will find a way to block RTC connections regardless of 
> the protocol used.
> _____________
> Roman Shpount
>
>
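The behaviour Bernard describes (a middlebox that parses the TLS negotiation on port 443 and blocks anything that is not "vanilla") modelled as an added Python example; this is not code from the thread or from any real firewall product. The ClientHello builder, the parser, the `dpi_verdict` policy and its `VANILLA_EXTENSIONS` allow-list are hypothetical, and every input byte string is constructed here. It shows two things from the discussion: an HTTPS ClientHello and a TURN-over-TLS ClientHello look identical to such a parser (so TURN/TLS passes whenever HTTPS does), while a perfectly legitimate hello that carries one extension the middlebox does not know is blocked, which is the brittleness to extensions being discussed.

```python
"""Toy model of a DPI middlebox that parses the TLS ClientHello on port 443
and only lets 'vanilla' hellos through. Builder, parser, allow-list and all
sample bytes are constructed for this example (hypothetical, not a product)."""
import struct

# Extension code points a conservative allow-list might contain: server_name,
# supported_groups, ec_point_formats, signature_algorithms, ALPN,
# extended_master_secret, session_ticket, renegotiation_info.
VANILLA_EXTENSIONS = {0, 10, 11, 13, 16, 23, 35, 65281}


def sni_extension(hostname):
    """server_name extension (type 0, RFC 6066) with one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    return (0, struct.pack(">H", len(entry)) + entry)


def build_client_hello(extensions):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    client_random = bytes(32)                      # zeros are fine for a test vector
    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c"    # three ECDHE / AES-GCM suites
    compression = b"\x00"                          # null compression only
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + client_random
            + b"\x00"                                       # empty session id
            + struct.pack(">H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack(">H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'version', 'cipher_suites', 'extensions'} for a ClientHello,
    or None when the bytes are not a well-formed TLS handshake record."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:      # record type handshake, major 3
            return None
        (rec_len,) = struct.unpack(">H", data[3:5])
        rec = data[5:5 + rec_len]
        if len(rec) != rec_len or rec[0] != 0x01:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        body = rec[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        version = (body[0], body[1])
        pos = 2 + 32                                # skip version and client random
        pos += 1 + body[pos]                        # session id
        (cs_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                        # compression methods
        extensions = []
        if pos < len(body):
            (ext_total,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
            end = pos + ext_total
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
                extensions.append(ext_type)
                pos += ext_len
        return {"version": version, "cipher_suites": suites, "extensions": extensions}
    except (IndexError, struct.error):
        return None


def dpi_verdict(first_bytes, allowed=VANILLA_EXTENSIONS):
    """Hypothetical port-443 policy: allow a ClientHello only if every
    extension it carries is on the allow-list; block everything else."""
    hello = parse_client_hello(first_bytes)
    if hello is None:
        return "block: not a TLS ClientHello"
    unknown = sorted(set(hello["extensions"]) - allowed)
    if unknown:
        return "block: unknown TLS extensions %s" % unknown
    return "allow"


# Constructed samples of the first client bytes such a middlebox would see.
HTTPS_HELLO = build_client_hello([sni_extension("www.example.com")])
TURN_TLS_HELLO = build_client_hello([sni_extension("turn.example.com")])
HELLO_WITH_NEW_EXT = build_client_hello([sni_extension("www.example.com"),
                                         (0xfffe, b"\x00")])   # private-use code point
PLAIN_HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
STUN_BINDING_ON_443 = (b"\x00\x01\x00\x00"           # STUN Binding Request, length 0
                       + b"\x21\x12\xa4\x42"         # STUN magic cookie
                       + b"\x00" * 12)               # transaction id

if __name__ == "__main__":
    for label, sample in [("HTTPS", HTTPS_HELLO), ("TURN/TLS", TURN_TLS_HELLO),
                          ("TLS + new ext", HELLO_WITH_NEW_EXT),
                          ("plain HTTP", PLAIN_HTTP_ON_443),
                          ("raw STUN", STUN_BINDING_ON_443)]:
        print("%-14s %s" % (label, dpi_verdict(sample)))
```

The parser stops at the ClientHello, which is all a middlebox can see before the handshake completes: the cipher suites and extension list are identical for the HTTPS and TURN/TLS samples, so any policy that passes one passes the other. The allow-list is what makes the device brittle: the moment a client adds an extension the list does not contain, an otherwise valid TLS connection is dropped, and plaintext HTTP or raw STUN on 443 is dropped for the simpler reason that it is not TLS at all.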