idnits 2.17.1 draft-holmberg-ice-premature-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC8445, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: While the timer is running, if a checklist has no pairs left to check, i.e., there are no pairs that are not in the failed state, the ICE agent MUST not conclude that ICE processing has failed, and MUST wait for the timer to elapse before doing so. -- The document date (February 27, 2019) is 1878 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ICE Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 8445 (if approved) J. Uberti 5 Intended status: Standards Track Google 6 Expires: August 31, 2019 February 27, 2019 8 Preventing Premature Interactive Connectivity Establishment (ICE) 9 Failures 10 draft-holmberg-ice-premature-00 12 Abstract 14 ... 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on August 31, 2019. 33 Copyright Notice 35 Copyright (c) 2019 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 3. Relevant Scenarios . . . . . . . . . . . . . . . . . . . . . 3 53 3.1. No Candidates From Peer . . . . . . . . . . . . . . . . . 3 54 3.2. All Candidates Discarded . . . . . . . . . . . . . . . . 3 55 3.3. Immediate Candidate Pair Failure . . . . . . . . . . . . 4 56 4. Update to RFC 8445 . . . . . . . . . . . . . . . . . . . . . 4 57 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 58 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 5 59 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 60 8. Normative References . . . . . . . . . . . . . . . . . . . . 5 61 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 63 1. Introduction 65 [RFC8445] describes a protocol, Interactive Connectivity 66 Establishment (ICE), for Network Address Translator (NAT) traversal 67 for UDP-based communication. 69 Typically, when using ICE, endpoints will exchange candidate 70 addresses, form a list of candidate pairs, and then test each 71 candidate pair to see if connectivity can be established. If the 72 test for a given pair fails, it is marked accordingly, and if all 73 pairs have failed, the overall ICE process is considered to have 74 failed. 76 During the process of connectivity checks, additional candidates may 77 be created as a result of successful inbound checks from the remote 78 peer. Such candidates are referred to as peer-reflexive candidates, 79 and once discovered, will be used to form new candidate pairs which 80 will be tested like any other. However, there is an inherent race 81 condition here; if, before learning about any peer-reflexive 82 candidates, an endpoint runs out of candidate pairs to check, either 83 because it has none, or it considers them all to have failed, it will 84 prematurely declare failure and terminate ICE processing. This race 85 condition can occur in many common situations. 87 This specification updates [RFC8445], by simply requiring that an 88 endpoint wait a minimum amount of time before declaring ICE failure, 89 even if there are no candidate pairs to check, or if all candidate 90 pairs have failed. This delay provides enough time for the discovery 91 of peer-reflexive candidates, which may eventually lead to ICE 92 processing completing successfully. 94 2. Conventions 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 98 "OPTIONAL" in this document are to be interpreted as described in BCP 99 14 [RFC2119] [RFC8174] when, and only when, they appear in all 100 capitals, as shown here. 102 3. Relevant Scenarios 104 As noted above, the core problem this specification attempts to 105 address is the situation where even after local gathering and remote 106 candidate signaling has completed, the ICE agent immediately ends up 107 with no valid pairs and no candidate pairs left to check, resulting 108 in a premature ICE failure. This failure is premature because not 109 enough time has elapsed to allow for discovery of peer-reflexive 110 candidates from inbound connectivity checks; if discovered, these 111 candidates are very likely to result in a valid pair. 113 In most ICE scenarios, the lengthy timeouts for connectivity checks, 114 typically tens of seconds, will prevent this problem for occuring. 115 However, there are certain specific cases where this problem will 116 frequently occur. 118 3.1. No Candidates From Peer 120 It is entirely legal for an ICE gent to provide zero candidates of 121 its own. If the agent somehow knows that the remote endpoint is 122 directly reachable, gathering local candidates is unnecessary and 123 will only cause delays; the remote endpoint can discover the 124 appropriate local candidate via connectivity checks. 126 However, following the procedures from [RFC8445] strictly will result 127 in immediate ICE failure, since the checklist at the remote endpoint 128 will be empty. 130 3.2. All Candidates Discarded 132 Even if the ICE agent provides candidates, they may be discarded by 133 the remote endpoint if it does not know what to do with them. For 134 example, candidates may use an address family that the remote 135 endpoint does not support, (e.g., a host candidate with an IPv6 136 address in a NAT64 scenario), or may not be usable for some other 137 reason (e.g., a candidate that contains a FQDN that fails to 138 resolve). 140 In these scenarios, when the candidates are discarded, the checklist 141 at the remote endpoint will once again be empty, leading to immediate 142 ICE failure. 144 3.3. Immediate Candidate Pair Failure 146 Section 7.2.5.2 of [RFC8445] describes several situations in which a 147 candidate pair will be considered to have failed, well before the 148 connectivity check timeout. 150 As a result, even if the ICE agent provides usable candidates, the 151 pairs created by the remote endpoint may fail immediately when 152 checked, e.g., a check to a nonroutable address that receives an 153 immediate ICMP error. 155 In this situation, the checklist at the remote endpoint may contain 156 only failed pairs, resulting in immediate ICE failure. 158 4. Update to RFC 8445 160 In order to avoid the problem raised by this document, the ICE agent 161 needs to wait enough time to allow peer-reflexive candidates to be 162 discovered. Accordingly, when full ICE implementations begin their 163 ICE processing, as described in [RFC8445], Section 6.1, the ICE agent 164 MUST set a timer, and its duration SHOULD be equal to the ICE agent's 165 connectivity check timeout. 167 This timeout value is chosen to roughly coincide with the maximum 168 possible duration of ICE connectivity checks from the remote peer, 169 which, if successful, could create peer-reflexive candidates. 170 Because the ICE agent doesn't know the exact number of candidate 171 pairs and pacing interval in use by the remote side, this timeout 172 value is simply a guess, albeit an educated one. Regardless, for 173 this particular problem, the desired benefits will be realized as 174 long as the ICE agent waits some reasonable amount of time. 176 While the timer is running, if a checklist has no pairs left to 177 check, i.e., there are no pairs that are not in the failed state, the 178 ICE agent MUST not conclude that ICE processing has failed, and MUST 179 wait for the timer to elapse before doing so. 181 One consequence of this behavior is that in cases where ICE should 182 fail, e.g., where both sides provide candidates with unresolvable 183 FQDNs ICE will no longer fail immediately, and only fail when the 184 aforementioned timer expires. However, because most ICE scenarios 185 require an extended period of time to determine failure, the fact 186 that some specific scenarios no longer fail fast should have minimal 187 application impact, if any. 189 5. Security Considerations 191 The security considerations for ICE are defined in [RFC8445]. This 192 specification only recommends ICE endpoints to wait for a certain 193 time of period before they declare ICE failure, and does not 194 introduce new security considerations. 196 6. IANA considerations 198 This specification makes no requests to IANA. 200 7. Acknowledgements 202 8. Normative References 204 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 205 Requirement Levels", BCP 14, RFC 2119, 206 DOI 10.17487/RFC2119, March 1997, . 209 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 210 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 211 May 2017, . 213 [RFC8445] Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive 214 Connectivity Establishment (ICE): A Protocol for Network 215 Address Translator (NAT) Traversal", RFC 8445, 216 DOI 10.17487/RFC8445, July 2018, . 219 Authors' Addresses 221 Christer Holmberg 222 Ericsson 223 Hirsalantie 11 224 Jorvas 02420 225 Finland 227 Email: christer.holmberg@ericsson.com 229 Justin Uberti 230 Google 231 747 6th St W 232 Kirkland 98033 233 USA 235 Email: justin@uberti.name