Re: [rtcweb] HTTP Fallback draft

Bernard Aboba <bernard_aboba@hotmail.com> Wed, 08 August 2012 01:46 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D6C811E80F1 for <rtcweb@ietfa.amsl.com>; Tue, 7 Aug 2012 18:46:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.762
X-Spam-Level:
X-Spam-Status: No, score=-101.762 tagged_above=-999 required=5 tests=[AWL=-0.559, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IvTk7QkRHW3k for <rtcweb@ietfa.amsl.com>; Tue, 7 Aug 2012 18:46:41 -0700 (PDT)
Received: from blu0-omc3-s14.blu0.hotmail.com (blu0-omc3-s14.blu0.hotmail.com [65.55.116.89]) by ietfa.amsl.com (Postfix) with ESMTP id 01FD611E80D2 for <rtcweb@ietf.org>; Tue, 7 Aug 2012 18:46:40 -0700 (PDT)
Received: from BLU401-EAS256 ([65.55.116.73]) by blu0-omc3-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 7 Aug 2012 18:46:40 -0700
X-Originating-IP: [24.16.96.166]
X-EIP: [6DhMyuoPyslJKRCESBx7sDlC9cgNLyhT]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU401-EAS2566333A7F4DEA0D3BFDBE593CD0@phx.gbl>
References: <20120807180156.286e74d2@rainpc> <D5BDA7BE-FE55-47FA-99FD-1645084370B0@gmx.net> <20120807191226.5b8e7f32@rainpc>
Content-Transfer-Encoding: quoted-printable
From: Bernard Aboba <bernard_aboba@hotmail.com>
Content-Type: text/plain; charset="us-ascii"
In-Reply-To: <20120807191226.5b8e7f32@rainpc>
Date: Tue, 7 Aug 2012 18:51:39 -0700
To: Lorenzo Miniero <lorenzo@meetecho.com>
MIME-Version: 1.0 (1.0)
X-OriginalArrivalTime: 08 Aug 2012 01:46:40.0402 (UTC) FILETIME=[A7CC5720:01CD7507]
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] HTTP Fallback draft
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Aug 2012 01:46:41 -0000

> We indeed met such network elements in our experience, even though most of the times it was just blind UDP filtering rather than RTP filtering per se. It sometimes was just blind port filtering but the effect was the same. This mostly happened within enterprises networks where we tried, no matter how small or large.


[BA] this fits with my experience as well.

> You're right. A couple of years ago we wrote a paper addressing the potential approaches for tunneling attempts (if you're interested, I can send you the link offline). In this paper we basically described, as a diagram, which incremental steps could be carried out in order to attempt a successful tunneling: 1) the first attempt is to just try port 443, without encapulating anything (e.g., ssh using 443 instead of 22);

[BA] There are DPI boxes that will compare traffic against TLS and catch this. So if it doesn't work you can't assume that 443 is blocked by the firewall. Same with non-HTTP on port 80.

> 2) in case that doesn't work, the second attempt is to use HTTP CONNECT and then fall back to 1. for the connection that is established;

[BA] Trying HTTP on port 443 isn't likely to work if the original non-TLS test on 443 failed. 

> 3) the third attempt (e.g., 443 is not available or the proxy acts as a MITM) is to actually encapsulate in HTTP messages, whether you do HTTP or HTTPS. In every case, the peer (either endpoint or server) must be configured accordingly of course.

[BA] If HTTP failed earlier, HTTP encapsulation also will probably fail. It makes more sense to me to try TLS on 443.

> What I describe in the draft is step 3, even though I guess some words to suggest steps 1 and 2 (where you'd still need to encapsulate RTP packets on top of a TCP-based protocol anyway) could be considered. As long as it looks like valid HTTP and it behaves accordingly, I think there's no reason why traversing should be impeded:

[BA] DPI boxes aren't always up to date. For example don't expect them to understand websockets.

> I agree with you and I'm not really dying to do RTP over HTTP either, but if some scenarios make it impossible for use cases to work (and some firewall/NAT deployers are to blame here, probably) then a fallback mechanism is something that can be nice to have, especially if we're interested in something that "just works".

[BA] If all the other avenues are tried first, then this would really be a last resort. Any idea how frequently it should be expected to be used?