IETF Logo Mail Archive

Re: [rtcweb] Retry: DTLS carrying RTP/SAVPF over ICE: To UDP or not to UDP?

Harald Alvestrand <harald@alvestrand.no> Thu, 12 June 2014 14:57 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 900A51B2A7D for <rtcweb@ietfa.amsl.com>; Thu, 12 Jun 2014 07:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-8oGQv8EULR for <rtcweb@ietfa.amsl.com>; Thu, 12 Jun 2014 07:57:47 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [158.38.152.117]) by ietfa.amsl.com (Postfix) with ESMTP id BED121A0546 for <rtcweb@ietf.org>; Thu, 12 Jun 2014 07:57:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id 114247C3814; Thu, 12 Jun 2014 16:57:46 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xB7LYh+xynan; Thu, 12 Jun 2014 16:57:43 +0200 (CEST)
Received: from hta-hippo.lul.corp.google.com (unknown [IPv6:2620:0:1043:1:7646:a0ff:fe90:e2bb]) by mork.alvestrand.no (Postfix) with ESMTPSA id B2B517C3812; Thu, 12 Jun 2014 16:57:43 +0200 (CEST)
Message-ID: <5399BFE6.5050003@alvestrand.no>
Date: Thu, 12 Jun 2014 16:57:42 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Pal Martinsen (palmarti)" <palmarti@cisco.com>, Karl Stahl <karl.stahl@intertex.se>
References: <CAOJ7v-2FTAKGd2ZUNt9PZBW9pFu7c9v7Gx8Z8vFOQo4K3dyr5Q@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D35B859@ESESSMB209.ericsson.se> <CALiegfn7WuyA8qbKWGs4JrNutqF9teXiEN8eqd0UJk5vRrX4TQ@mail.gmail.com> <539786C7.8090806@gmail.com> <E1FE4C082A89A246A11D7F32A95A17828E406A88@US70UWXCHMBA02.zam.alcatel-lucent.com> <CAG=SL7mGHuP0KBuvPGQ8bG0+CxHB7WjemCxZ5WxCXB8XgpOhCQ@mail.gmail.com> <E1FE4C082A89A246A11D7F32A95A17828E407D35@US70UWXCHMBA02.zam.alcatel-lucent.com> <53984062.1090202@gmail.com> <E1FE4C082A89A246A11D7F32A95A17828E407F64@US70UWXCHMBA02.zam.alcatel-lucent.com> <53986129.4050209@gmail.com> <E1FE4C082A89A246A11D7F32A95A17828E40858D@US70UWXCHMBA02.zam.alcatel-lucent.com> <53987FC3.7060408@gmail.com> <6025bc75-db01-45d4-ac4a-50a39740f15a@email.android.com> <E1FE4C082A89A246A11D7F32A95A17828E408FC8@US70UWXCHMBA02.zam.alcatel-lucent.com> <539929C1.3070 205@alvestrand.no> <017301cf8624$d4a68060$7df38120$@stahl@intertex.se> <057DC1BB-CEDA-4E28-A9EC-41C3FE5673F3@cisco.com>
In-Reply-To: <057DC1BB-CEDA-4E28-A9EC-41C3FE5673F3@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/wZG26WTexTufBEcLbfUxr5hCKes
Cc: Javier Cerviño <jcague@gmail.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Retry: DTLS carrying RTP/SAVPF over ICE: To UDP or not to UDP?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jun 2014 14:57:48 -0000

On 06/12/2014 01:30 PM, Pal Martinsen (palmarti) wrote:
> On 12 Jun 2014, at 11:58, Karl Stahl <karl.stahl@intertex.se> wrote:
>
>>>>     F18     The browser must be able to send streams and
>>>>             data to a peer in the presence of NATs and
>>>>             Firewalls that block UDP traffic.
>>> Yes. Using TURN servers is the way in which it is possible to fulfil this
>> requirement.
>>
>> Further in draft-ietf-rtcweb-use-cases-and-requirements-14:
>> "the straddling TURN server ... It must be
>>    possible to configure the browsers used in the enterprise with
>>    network specific STUN and TURN servers.  This should be possible to
>>    achieve by auto-configuration methods."
>> F20     The browser must support the use of STUN and TURN
>>            servers that are supplied by entities other than
>>            the web application (i.e. the network provider).
>>
>> This is a TURN server with one interface on the Enterprise LAN where the
>> browser
>> simple shall place the WebRTC media. (The other interface should be public.)
>>
>> The way for the browser to autodiscover such network provided (from the
>> enterprise and ISP) TURN server is being worked in
>> draft-patil-tram-turn-serv-disc-01.txt.
>>
>> This resolves any firewall restriction not allowing WebRTC media (by
>> paralleling the firewall with the TURN server), and also allows the
>> enterprise or ISP to point out a better path for the WebRTC media (instead
>> of through the often data crowded firewall default gateway).
>> (This will also be needed with IPv6.)
>>
> I have problems understanding how this solves any issues. I doubt many enterprise network managers would install a TURN server in parallel with their FW. Would be fair easier and safer to open up the appropriate ports in the firewall towards the TURN server.  They could then allow only UDP to allow for DPI and see that it is actually RTP traffic flowing.

That is actually a very convenient way to (logically) install a TURN 
server in parallel with your firewall.
They don't have to be on the same physical segments to be in parallel.

The important thing that Cullen (I think it was Cullen) pointed out when 
we discussed this requirement is that the TURN server is designated by 
the local network administrator, not by the entity responsible for the 
Web application that uses WebRTC.

Thus, some way for the browser to find this TURN server is needed.

>
> Having a TURN server supporting UDP/TCP/TLS as communication between the client and TURN server would solve almost all connectivity problems. We should, as Harald also pointed out, not try to force us throughout the FW if the admin do not want the traffic to go through.
>
> .-.
> Pål-Erik
>
>
>
>
>
>
>
>
>
>
>> /Karl
>>
>> -----Ursprungligt meddelande-----
>> Från: rtcweb [mailto:rtcweb-bounces@ietf.org] För Harald Alvestrand
>> Skickat: den 12 juni 2014 06:17
>> Till: Makaraju, Maridi Raju (Raju); Sergio Garcia Murillo; Javier Cerviño
>> Kopia: rtcweb@ietf.org
>> Ämne: Re: [rtcweb] Retry: DTLS carrying RTP/SAVPF over ICE: To UDP or not to
>> UDP?
>>
>> On 06/11/2014 08:38 PM, Makaraju, Maridi Raju (Raju) wrote:
>>>> The MUST was a consensus call in London. See the minutes for numbers. I
>> was one of >the ones who were surprised at the strength of the consensus.
>>> [Raju] I thought one of the implicit (may be explicit in
>> draft-ietf-rtcweb-use-cases-and-requirements-14) requirement for WebRTC is
>> "implementations should work right out of the box without extra boxes (e.g.
>> TURN) in between under UDP restrictive firewalls".
>> Unfortunately, nobody's found a way to make that true even for all common
>> NATs/firewalls that want to permit the communication.
>>
>> TURN servers are the least obnoxious way to make sure apps can work in the
>> presence of symmetric NATs.
>> We could wish that this wasn't so, but we could also wish that NATs would go
>> away and everyone would run IPv6; neither is likely to happen this year.
>>
>> Of course, in the presence of firewalls where the admin does *not* want to
>> permit the communication, we neither can nor should make communication work.
>>
>>
>>> Then I see the following requirement in
>> draft-ietf-rtcweb-use-cases-and-requirements-14. It did not mention use of
>> TURN in the text.
>>>     F18     The browser must be able to send streams and
>>>             data to a peer in the presence of NATs and
>>>             Firewalls that block UDP traffic.
>> Yes. Using TURN servers is the way in which it is possible to fulfil this
>> requirement.
>>
>>> BR
>>> Raju
>>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email