Re: [tram] TURN over WebSocket

[Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>]

Hi Andrew,

Completely agree with your statements, my concerns are about been able 
to have the same level of connectivity in webrtc than in other 
proprietary solutions (like Skype/Webex).

In my setup I have TURN over udp and  tcp and TURNS at port 443, and I 
still having issues in some scenarios when TURN is failing to connect. 
In those scenarios I have no problems at all with the signaling which 
goes over WSS.

I don't have anything personal in favor of turn over ws, but I (and 
propably any company trying to do any kind of busyness arround webrtc) 
need a solution that can be deployed in a "months" time frame and not a 
"years" one, and that don't have the prerequisite of been in control of 
the intermediary elements (FW,s proxies, etc). So if there is any other 
solution easier and better than the one we are proposing I will be more 
than willing to collaborate with it.

Best regards
Sergio

On 03/12/2014 10:00, Hutton, Andrew wrote:
>
> I would be good to close as many holes as possible with regards to 
> webrtc connectivity but we have to be clear on which particular hole 
> we are trying to close.
>
> If I read the thread correctly it looks like the case we don’t 
> currently have a solution for is when using a transparent proxy with 
> unencrypted TURN on port 80.  I would like to understand why in the 
> scenario that Sergio mentioned that WSS works but not TURNS over 443 
> and whether support for ALPN would fix that.
>
> This is all about webrtc so I think there is an issue also with 
> increasing complexity in the browser which needs to implement all the 
> different mechanisms and also probably a bigger issue is getting the 
> rtcweb working group and the browser vendors to support this mechanism 
> and refer to it in draft-ietf-rtcweb-transports.
>
> So I would say I am sympathetic to this but not yet totally convinced 
> it closes a big enough hole to make it compelling for the browser 
> vendors to implement.
>
> Regards
>
> Andy
>
> *From:*tram [mailto:tram-bounces@ietf.org] *On Behalf Of *Victor Pascual
> *Sent:* 02 December 2014 21:55
> *To:* Sergio Garcia Murillo
> *Cc:* Jonathan Lennox; tram@ietf.org; [ACME] Victor Pascual Avila; 
> Tirumaleswar Reddy (tireddy); 
> draft-chenxin-behave-turn-websocket@tools.ietf.org; Simon Perreault
> *Subject:* Re: [tram] TURN over WebSocket
>
> Agree with Sergio. We're experiencing the same
>
> -Victor
>
>
> On Dec 2, 2014, at 9:26 PM, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>
>     We control the client and the server, and you are asking me to
>     wait until what is not in our control is changed. Obviously, not
>     working for me
>
>     BTW, I am talking about real life experiences, when WSS works and
>     TURNS over 443 doesn't.
>
>     Best regards
>     Sergio
>
>     On 02/12/2014 20:44, Tirumaleswar Reddy (tireddy) wrote:
>
>         why will it not work when ALPN is used ?
>
>         -Tiru
>
>         *From:*Sergio Garcia Murillo
>         [mailto:sergio.garcia.murillo@gmail.com] ?
>
>         *Sent:*Wednesday, December 03, 2014 12:52 AM
>         *To:* Tirumaleswar Reddy (tireddy)
>         *Cc:* Jonathan Lennox; [ACME] Victor Pascual Avila; Simon
>         Perreault; tram@ietf.org <mailto:tram@ietf.org>;
>         draft-chenxin-behave-turn-websocket@tools.ietf.org
>         <mailto:draft-chenxin-behave-turn-websocket@tools.ietf.org>
>         *Subject:* RE: [tram] TURN over WebSocket
>
>
>         El 02/12/2014 20:04, "Tirumaleswar Reddy (tireddy)"
>         <tireddy@cisco.com <mailto:tireddy@cisco.com>> escribió:
>         >
>         > From: Simon Perreault [mailto:sperreault@jive.com
>         <mailto:sperreault@jive.com>]
>         > Sent: Tuesday, December 02, 2014 10:19 PM
>         >
>         > To: Tirumaleswar Reddy (tireddy)
>         > Cc: Jonathan Lennox; Sergio Garcia Murillo; Victor Pascual
>         Avila; draft-chenxin-behave-turn-websocket@tools.ietf.org
>         <mailto:draft-chenxin-behave-turn-websocket@tools.ietf.org>;
>         tram@ietf.org <mailto:tram@ietf.org>
>         > Subject: Re: [tram] TURN over WebSocket
>         >
>         >
>         >
>         >
>         >
>         > On Tue, Dec 2, 2014 at 9:34 AM, Tirumaleswar Reddy (tireddy)
>         <tireddy@cisco.com <mailto:tireddy@cisco.com>> wrote:
>         >
>         > Transparent proxies like firewalls keep getting upgraded
>         frequently to handle new applications, threats etc. If
>         firewall has a feature to block WebRTC traffic then by sending
>         traffic over WebSocket will not solve the problem.
>         >
>         >
>         >
>         > (As a participant...)
>         >
>         >
>         > This has also been discussed before. TURN-over-WebSockets is
>         not a way for applications to circumvent policy.
>         >
>         >
>         >
>         > The problem is there are networks that are set up so that
>         "the web" is open, through a transparent proxy. WebRTC is part
>         of "the web". Making TURN fit the mould of "the web" is is not
>         circumventing policy, it's making WebRTC work. You should not
>         need to update your proxy/firewall config for WebRTC to just
>         work if "the web" already does work.
>         >
>         >
>         >
>         > [TR] Okay, so looks like the problem can also be solved by
>         running TURN over 443 similar to proposals in DPRIVE WG to run
>         DNS over 443.
>         >
>         >
>
>         Good try! Unlucky enough, doesn't work.
>
>         Best regards
>         Sergio
>