idnits 2.17.1 draft-ietf-mmusic-ice-18.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 5310. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 5321. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 5328. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 5334. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. == There are 20 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? -- The draft header indicates that this document obsoletes RFC4091, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 13, 2007) is 6070 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 4234 (Obsoleted by RFC 5234) ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4091 (Obsoleted by RFC 5245) ** Obsolete normative reference: RFC 3484 (Obsoleted by RFC 6724) == Outdated reference: A later version (-18) exists of draft-ietf-behave-rfc3489bis-08 == Outdated reference: A later version (-16) exists of draft-ietf-behave-turn-04 -- Obsolete informational reference (is this intentional?): RFC 3489 (Obsoleted by RFC 5389) == Outdated reference: A later version (-07) exists of draft-ietf-mmusic-connectivity-precon-02 == Outdated reference: A later version (-20) exists of draft-ietf-sip-outbound-10 == Outdated reference: A later version (-08) exists of draft-ietf-behave-tcp-07 == Outdated reference: A later version (-18) exists of draft-ietf-sipping-config-framework-12 Summary: 6 errors (**), 0 flaws (~~), 9 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 MMUSIC J. Rosenberg 3 Internet-Draft Cisco 4 Obsoletes: 4091 (if approved) September 13, 2007 5 Intended status: Standards Track 6 Expires: March 16, 2008 8 Interactive Connectivity Establishment (ICE): A Protocol for Network 9 Address Translator (NAT) Traversal for Offer/Answer Protocols 10 draft-ietf-mmusic-ice-18 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 This Internet-Draft will expire on March 16, 2008. 37 Copyright Notice 39 Copyright (C) The IETF Trust (2007). 41 Abstract 43 This document describes a protocol for Network Address Translator 44 (NAT) traversal for multimedia sessions established with the offer/ 45 answer model. This protocol is called Interactive Connectivity 46 Establishment (ICE). ICE makes use of the Session Traversal 47 Utilities for NAT (STUN) protocol and its extension, Traversal Using 48 Relay NAT (TURN). ICE can be used by any protocol utilizing the 49 offer/answer model, such as the Session Initiation Protocol (SIP). 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 54 2. Overview of ICE . . . . . . . . . . . . . . . . . . . . . . . 8 55 2.1. Gathering Candidate Addresses . . . . . . . . . . . . . . 10 56 2.2. Connectivity Checks . . . . . . . . . . . . . . . . . . . 12 57 2.3. Sorting Candidates . . . . . . . . . . . . . . . . . . . 13 58 2.4. Frozen Candidates . . . . . . . . . . . . . . . . . . . . 14 59 2.5. Security for Checks . . . . . . . . . . . . . . . . . . . 15 60 2.6. Concluding ICE . . . . . . . . . . . . . . . . . . . . . 15 61 2.7. Lite Implementations . . . . . . . . . . . . . . . . . . 17 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 17 63 4. Sending the Initial Offer . . . . . . . . . . . . . . . . . . 20 64 4.1. Full Implementation Requirements . . . . . . . . . . . . 20 65 4.1.1. Gathering Candidates . . . . . . . . . . . . . . . . 20 66 4.1.1.1. Host Candidates . . . . . . . . . . . . . . . . . 21 67 4.1.1.2. Server Reflexive and Relayed Candidates . . . . . 21 68 4.1.1.3. Computing Foundations . . . . . . . . . . . . . . 23 69 4.1.1.4. Keeping Candidates Alive . . . . . . . . . . . . 23 70 4.1.2. Prioritizing Candidates . . . . . . . . . . . . . . . 23 71 4.1.2.1. Recommended Formula . . . . . . . . . . . . . . . 24 72 4.1.2.2. Guidelines for Choosing Type and Local 73 Preferences . . . . . . . . . . . . . . . . . . . 25 74 4.1.3. Eliminating Redundant Candidates . . . . . . . . . . 26 75 4.1.4. Choosing Default Candidates . . . . . . . . . . . . . 26 76 4.2. Lite Implementation . . . . . . . . . . . . . . . . . . . 26 77 4.3. Encoding the SDP . . . . . . . . . . . . . . . . . . . . 27 78 5. Receiving the Initial Offer . . . . . . . . . . . . . . . . . 29 79 5.1. Verifying ICE Support . . . . . . . . . . . . . . . . . . 29 80 5.2. Determining Role . . . . . . . . . . . . . . . . . . . . 30 81 5.3. Gathering Candidates . . . . . . . . . . . . . . . . . . 31 82 5.4. Prioritizing Candidates . . . . . . . . . . . . . . . . . 31 83 5.5. Choosing Default Candidates . . . . . . . . . . . . . . . 31 84 5.6. Encoding the SDP . . . . . . . . . . . . . . . . . . . . 31 85 5.7. Forming the Check Lists . . . . . . . . . . . . . . . . . 32 86 5.7.1. Forming Candidate Pairs . . . . . . . . . . . . . . . 32 87 5.7.2. Computing Pair Priority and Ordering Pairs . . . . . 34 88 5.7.3. Pruning the Pairs . . . . . . . . . . . . . . . . . . 34 89 5.7.4. Computing States . . . . . . . . . . . . . . . . . . 34 90 5.8. Scheduling Checks . . . . . . . . . . . . . . . . . . . . 37 91 6. Receipt of the Initial Answer . . . . . . . . . . . . . . . . 39 92 6.1. Verifying ICE Support . . . . . . . . . . . . . . . . . . 39 93 6.2. Determining Role . . . . . . . . . . . . . . . . . . . . 39 94 6.3. Forming the Check List . . . . . . . . . . . . . . . . . 40 95 6.4. Performing Ordinary Checks . . . . . . . . . . . . . . . 40 97 7. Performing Connectivity Checks . . . . . . . . . . . . . . . 40 98 7.1. STUN Client Procedures . . . . . . . . . . . . . . . . . 40 99 7.1.1. Sending the Request . . . . . . . . . . . . . . . . . 40 100 7.1.1.1. PRIORITY and USE-CANDIDATE . . . . . . . . . . . 41 101 7.1.1.2. ICE-CONTROLLED and ICE-CONTROLLING . . . . . . . 41 102 7.1.1.3. Forming Credentials . . . . . . . . . . . . . . . 41 103 7.1.1.4. DiffServ Treatment . . . . . . . . . . . . . . . 41 104 7.1.2. Processing the Response . . . . . . . . . . . . . . . 42 105 7.1.2.1. Failure Cases . . . . . . . . . . . . . . . . . . 42 106 7.1.2.2. Success Cases . . . . . . . . . . . . . . . . . . 42 107 7.1.2.2.1. Discovering Peer Reflexive Candidates . . . . 43 108 7.1.2.2.2. Constructing a Valid Pair . . . . . . . . . . 43 109 7.1.2.2.3. Updating Pair States . . . . . . . . . . . . 44 110 7.1.2.2.4. Updating the Nominated Flag . . . . . . . . . 45 111 7.1.2.3. Check List and Timer State Updates . . . . . . . 45 112 7.2. STUN Server Procedures . . . . . . . . . . . . . . . . . 46 113 7.2.1. Additional Procedures for Full Implementations . . . 47 114 7.2.1.1. Detecting and Repairing Role Conflicts . . . . . 47 115 7.2.1.2. Computing Mapped Address . . . . . . . . . . . . 48 116 7.2.1.3. Learning Peer Reflexive Candidates . . . . . . . 48 117 7.2.1.4. Triggered Checks . . . . . . . . . . . . . . . . 49 118 7.2.1.5. Updating the Nominated Flag . . . . . . . . . . . 50 119 7.2.2. Additional Procedures for Lite Implementations . . . 50 120 8. Concluding ICE Processing . . . . . . . . . . . . . . . . . . 50 121 8.1. Procedures for Full Implementations . . . . . . . . . . . 51 122 8.1.1. Nominating Pairs . . . . . . . . . . . . . . . . . . 51 123 8.1.1.1. Regular Nomination . . . . . . . . . . . . . . . 51 124 8.1.1.2. Aggressive Nomination . . . . . . . . . . . . . . 52 125 8.1.2. Updating States . . . . . . . . . . . . . . . . . . . 52 126 8.2. Procedures for Lite Implementations . . . . . . . . . . . 53 127 8.2.1. Peer is Full . . . . . . . . . . . . . . . . . . . . 54 128 8.2.2. Peer is Lite . . . . . . . . . . . . . . . . . . . . 54 129 8.3. Freeing Candidates . . . . . . . . . . . . . . . . . . . 55 130 8.3.1. Full Implementation Procedures . . . . . . . . . . . 55 131 8.3.2. Lite Implementations . . . . . . . . . . . . . . . . 55 132 9. Subsequent Offer/Answer Exchanges . . . . . . . . . . . . . . 55 133 9.1. Generating the Offer . . . . . . . . . . . . . . . . . . 56 134 9.1.1. Procedures for All Implementations . . . . . . . . . 56 135 9.1.1.1. ICE Restarts . . . . . . . . . . . . . . . . . . 56 136 9.1.1.2. Removing a Media Stream . . . . . . . . . . . . . 57 137 9.1.1.3. Adding a Media Stream . . . . . . . . . . . . . . 57 138 9.1.2. Procedures for Full Implementations . . . . . . . . . 57 139 9.1.2.1. Existing Media Streams with ICE Running . . . . . 57 140 9.1.2.2. Existing Media Streams with ICE Completed . . . . 58 141 9.1.3. Procedures for Lite Implementations . . . . . . . . . 58 142 9.1.3.1. Existing Media Streams with ICE Running . . . . . 58 143 9.1.3.2. Existing Media Streams with ICE Completed . . . . 59 144 9.2. Receiving the Offer and Generating an Answer . . . . . . 59 145 9.2.1. Procedures for All Implementations . . . . . . . . . 59 146 9.2.1.1. Detecting ICE Restart . . . . . . . . . . . . . . 59 147 9.2.1.2. New Media Stream . . . . . . . . . . . . . . . . 60 148 9.2.1.3. Removed Media Stream . . . . . . . . . . . . . . 60 149 9.2.2. Procedures for Full Implementations . . . . . . . . . 60 150 9.2.2.1. Existing Media Streams with ICE Running and no 151 remote-candidates . . . . . . . . . . . . . . . . 60 152 9.2.2.2. Existing Media Streams with ICE Completed and 153 no remote-candidates . . . . . . . . . . . . . . 60 154 9.2.2.3. Existing Media Streams and remote-candidates . . 60 155 9.2.3. Procedures for Lite Implementations . . . . . . . . . 61 156 9.3. Updating the Check and Valid Lists . . . . . . . . . . . 62 157 9.3.1. Procedures for Full Implementations . . . . . . . . . 62 158 9.3.1.1. ICE Restarts . . . . . . . . . . . . . . . . . . 62 159 9.3.1.2. New Media Stream . . . . . . . . . . . . . . . . 62 160 9.3.1.3. Removed Media Stream . . . . . . . . . . . . . . 63 161 9.3.1.4. ICE Continuing for Existing Media Stream . . . . 63 162 9.3.2. Procedures for Lite Implementations . . . . . . . . . 63 163 10. Keepalives . . . . . . . . . . . . . . . . . . . . . . . . . 64 164 11. Media Handling . . . . . . . . . . . . . . . . . . . . . . . 65 165 11.1. Sending Media . . . . . . . . . . . . . . . . . . . . . . 65 166 11.1.1. Procedures for Full Implementations . . . . . . . . . 65 167 11.1.2. Procedures for Lite Implementations . . . . . . . . . 66 168 11.1.3. Procedures for All Implementations . . . . . . . . . 66 169 11.2. Receiving Media . . . . . . . . . . . . . . . . . . . . . 66 170 12. Usage with SIP . . . . . . . . . . . . . . . . . . . . . . . 67 171 12.1. Latency Guidelines . . . . . . . . . . . . . . . . . . . 67 172 12.1.1. Offer in INVITE . . . . . . . . . . . . . . . . . . . 67 173 12.1.2. Offer in Response . . . . . . . . . . . . . . . . . . 68 174 12.2. SIP Option Tags and Media Feature Tags . . . . . . . . . 69 175 12.3. Interactions with Forking . . . . . . . . . . . . . . . . 69 176 12.4. Interactions with Preconditions . . . . . . . . . . . . . 69 177 12.5. Interactions with Third Party Call Control . . . . . . . 70 178 13. Relationship with ANAT . . . . . . . . . . . . . . . . . . . 70 179 14. Extensibility Considerations . . . . . . . . . . . . . . . . 71 180 15. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 181 15.1. "candidate" Attribute . . . . . . . . . . . . . . . . . . 72 182 15.2. "remote-candidates" Attribute . . . . . . . . . . . . . . 74 183 15.3. "ice-lite" and "ice-mismatch" Attributes . . . . . . . . 74 184 15.4. "ice-ufrag" and "ice-pwd" Attributes . . . . . . . . . . 75 185 15.5. "ice-options" Attribute . . . . . . . . . . . . . . . . . 75 186 16. Setting Ta and RTO . . . . . . . . . . . . . . . . . . . . . 76 187 16.1. RTP Media Streams . . . . . . . . . . . . . . . . . . . . 76 188 16.2. Non-RTP Sessions . . . . . . . . . . . . . . . . . . . . 77 189 17. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 190 18. Security Considerations . . . . . . . . . . . . . . . . . . . 84 191 18.1. Attacks on Connectivity Checks . . . . . . . . . . . . . 84 192 18.2. Attacks on Server Reflexive Address Gathering . . . . . . 87 193 18.3. Attacks on Relayed Candidate Gathering . . . . . . . . . 87 194 18.4. Attacks on the Offer/Answer Exchanges . . . . . . . . . . 88 195 18.5. Insider Attacks . . . . . . . . . . . . . . . . . . . . . 88 196 18.5.1. The Voice Hammer Attack . . . . . . . . . . . . . . . 88 197 18.5.2. STUN Amplification Attack . . . . . . . . . . . . . . 89 198 18.6. Interactions with Application Layer Gateways and SIP . . 90 199 19. STUN Extensions . . . . . . . . . . . . . . . . . . . . . . . 91 200 19.1. New Attributes . . . . . . . . . . . . . . . . . . . . . 91 201 19.2. New Error Response Codes . . . . . . . . . . . . . . . . 91 202 20. Operational Considerations . . . . . . . . . . . . . . . . . 92 203 20.1. NAT and Firewall Types . . . . . . . . . . . . . . . . . 92 204 20.2. Bandwidth Requirements . . . . . . . . . . . . . . . . . 92 205 20.2.1. STUN and TURN Server Capacity Planning . . . . . . . 92 206 20.2.2. Gathering and Connectivity Checks . . . . . . . . . . 93 207 20.2.3. Keepalives . . . . . . . . . . . . . . . . . . . . . 93 208 20.3. ICE and ICE-lite . . . . . . . . . . . . . . . . . . . . 93 209 20.4. Troubleshooting and Performance Management . . . . . . . 94 210 20.5. Endpoint Configuration . . . . . . . . . . . . . . . . . 94 211 21. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 94 212 21.1. SDP Attributes . . . . . . . . . . . . . . . . . . . . . 94 213 21.1.1. candidate Attribute . . . . . . . . . . . . . . . . . 95 214 21.1.2. remote-candidates Attribute . . . . . . . . . . . . . 95 215 21.1.3. ice-lite Attribute . . . . . . . . . . . . . . . . . 95 216 21.1.4. ice-mismatch Attribute . . . . . . . . . . . . . . . 96 217 21.1.5. ice-pwd Attribute . . . . . . . . . . . . . . . . . . 96 218 21.1.6. ice-ufrag Attribute . . . . . . . . . . . . . . . . . 97 219 21.1.7. ice-options Attribute . . . . . . . . . . . . . . . . 97 220 21.2. STUN Attributes . . . . . . . . . . . . . . . . . . . . . 98 221 21.3. STUN Error Responses . . . . . . . . . . . . . . . . . . 98 222 22. IAB Considerations . . . . . . . . . . . . . . . . . . . . . 98 223 22.1. Problem Definition . . . . . . . . . . . . . . . . . . . 98 224 22.2. Exit Strategy . . . . . . . . . . . . . . . . . . . . . . 99 225 22.3. Brittleness Introduced by ICE . . . . . . . . . . . . . . 99 226 22.4. Requirements for a Long Term Solution . . . . . . . . . . 100 227 22.5. Issues with Existing NAPT Boxes . . . . . . . . . . . . . 101 228 23. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 101 229 24. References . . . . . . . . . . . . . . . . . . . . . . . . . 102 230 24.1. Normative References . . . . . . . . . . . . . . . . . . 102 231 24.2. Informative References . . . . . . . . . . . . . . . . . 103 232 Appendix A. Lite and Full Implementations . . . . . . . . . . . 105 233 Appendix B. Design Motivations . . . . . . . . . . . . . . . . . 106 234 B.1. Pacing of STUN Transactions . . . . . . . . . . . . . . . 106 235 B.2. Candidates with Multiple Bases . . . . . . . . . . . . . 108 236 B.3. Purpose of the and Attributes . . . 109 237 B.4. Importance of the STUN Username . . . . . . . . . . . . . 110 238 B.5. The Candidate Pair Priority Formula . . . . . . . . . . . 111 239 B.6. The remote-candidates attribute . . . . . . . . . . . . . 111 240 B.7. Why are Keepalives Needed? . . . . . . . . . . . . . . . 112 241 B.8. Why Prefer Peer Reflexive Candidates? . . . . . . . . . . 113 242 B.9. Why Send an Updated Offer? . . . . . . . . . . . . . . . 113 243 B.10. Why are Binding Indications Used for Keepalives? . . . . 113 244 B.11. Why is the Conflict Resolution Mechanism Needed? . . . . 114 245 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 115 246 Intellectual Property and Copyright Statements . . . . . . . . . 116 248 1. Introduction 250 RFC 3264 [RFC3264] defines a two-phase exchange of Session 251 Description Protocol (SDP) messages [RFC4566] for the purposes of 252 establishment of multimedia sessions. This offer/answer mechanism is 253 used by protocols such as the Session Initiation Protocol (SIP) 254 [RFC3261]. 256 Protocols using offer/answer are difficult to operate through Network 257 Address Translators (NAT). Because their purpose is to establish a 258 flow of media packets, they tend to carry the IP addresses and ports 259 of media sources and sinks within their messages, which is known to 260 be problematic through NAT [RFC3235]. The protocols also seek to 261 create a media flow directly between participants, so that there is 262 no application layer intermediary between them. This is done to 263 reduce media latency, decrease packet loss, and reduce the 264 operational costs of deploying the application. However, this is 265 difficult to accomplish through NAT. A full treatment of the reasons 266 for this is beyond the scope of this specification. 268 Numerous solutions have been defined for allowing these protocols to 269 operate through NAT. These include Application Layer Gateways 270 (ALGs), the Middlebox Control Protocol [RFC3303], the original Simple 271 Traversal of UDP Through NAT (STUN) [RFC3489] specification, and 272 Realm Specific IP [RFC3102] [RFC3103] along with session description 273 extensions needed to make them work, such as the Session Description 274 Protocol (SDP) [RFC4566] attribute for the Real Time Control Protocol 275 (RTCP) [RFC3605]. Unfortunately, these techniques all have pros and 276 cons which make each one optimal in some network topologies, but a 277 poor choice in others. The result is that administrators and 278 implementors are making assumptions about the topologies of the 279 networks in which their solutions will be deployed. This introduces 280 complexity and brittleness into the system. What is needed is a 281 single solution which is flexible enough to work well in all 282 situations. 284 This specification defines Interactive Connectivity Establishment 285 (ICE) as a technique for NAT traversal for media streams established 286 by the offer/answer model. ICE is an extension to the offer/answer 287 model, and works by including a multiplicity of IP addresses and 288 ports in SDP offers and answers, which are then tested for 289 connectivity by peer-to-peer connectivity checks. The IP addresses 290 and ports included in the SDP and the connectivity checks are 291 performed using the revised STUN specification 292 [I-D.ietf-behave-rfc3489bis], now renamed to Session Traversal 293 Utilities for NAT. The new name and new specification reflect its 294 new role as a tool that is used with other NAT traversal techniques 295 (namely ICE) rather than a standalone NAT traversal solution, as the 296 original STUN specification was. ICE also makes use of Traversal 297 Using Relay NAT (TURN) [I-D.ietf-behave-turn], an extension to STUN. 298 Because ICE exchanges a multiplicity of IP addresses and ports for 299 each media stream, it also allows for address selection for multi- 300 homed and dual-stack hosts, and for this reason it deprecates RFC 301 4091 [RFC4091]. 303 2. Overview of ICE 305 In a typical ICE deployment, we have two endpoints (known as AGENTS 306 in RFC 3264 terminology) which want to communicate. They are able to 307 communicate indirectly via some signaling protocol (such as SIP), by 308 which they can perform an offer/answer exchange of SDP [RFC3264] 309 messages. Note that ICE is not intended for NAT traversal for SIP, 310 which is assumed to be provided via another mechanism 311 [I-D.ietf-sip-outbound]. At the beginning of the ICE process, the 312 agents are ignorant of their own topologies. In particular, they 313 might or might not be behind a NAT (or multiple tiers of NATs). ICE 314 allows the agents to discover enough information about their 315 topologies to potentially find one or more paths by which they can 316 communicate. 318 Figure 1 shows a typical environment for ICE deployment. The two 319 endpoints are labelled L and R (for left and right, which helps 320 visualize call flows). Both L and R are behind their own respective 321 NATs though they may not be aware of it. The type of NAT and its 322 properties are also unknown. Agents L and R are capable of engaging 323 in an offer/answer exchange by which they can exchange SDP messages, 324 whose purpose is to set up a media session between L and R. 325 Typically, this exchange will occur through a SIP server. 327 In addition to the agents, a SIP server and NATs, ICE is typically 328 used in concert with STUN or TURN servers in the network. Each agent 329 can have its own STUN or TURN server, or they can be the same. 331 +-------+ 332 | SIP | 333 +-------+ | Srvr | +-------+ 334 | STUN | | | | STUN | 335 | Srvr | +-------+ | Srvr | 336 | | / \ | | 337 +-------+ / \ +-------+ 338 / \ 339 / \ 340 / \ 341 / \ 342 / <- Signalling -> \ 343 / \ 344 / \ 345 +--------+ +--------+ 346 | NAT | | NAT | 347 +--------+ +--------+ 348 / \ 349 / \ 350 / \ 351 +-------+ +-------+ 352 | Agent | | Agent | 353 | L | | R | 354 | | | | 355 +-------+ +-------+ 357 Figure 1: ICE Deployment Scenario 359 The basic idea behind ICE is as follows: each agent has a variety of 360 candidate TRANSPORT ADDRESSES (combination of IP address and port for 361 a particular transport protocol, which is always UDP in this 362 specification)) it could use to communicate with the other agent. 363 These might include: 365 o A transport address on a directly attached network interface 367 o A translated transport address on the public side of a NAT (a 368 "server reflexive" address) 370 o The transport address allocated from a TURN server(a "relayed 371 address". 373 Potentially, any of L's candidate transport addresses can be used to 374 communicate with any of R's candidate transport addresses. In 375 practice, however, many combinations will not work. For instance, if 376 L and R are both behind NATs, their directly attached interface 377 addresses are unlikely to be able to communicate directly (this is 378 why ICE is needed, after all!). The purpose of ICE is to discover 379 which pairs of addresses will work. The way that ICE does this is to 380 systematically try all possible pairs (in a carefully sorted order) 381 until it finds one or more that works. 383 2.1. Gathering Candidate Addresses 385 In order to execute ICE, an agent has to identify all of its address 386 candidates. A CANDIDATE is a transport address - a combination of IP 387 address and port for a particular transport protocol (with only UDP 388 specified here). This document defines three types of candidates, 389 some derived from physical or logical network interfaces, others 390 discoverable via STUN and TURN. Naturally, one viable candidate is a 391 transport address obtained directly from a local interface. Such a 392 candidate is called a HOST CANDIDATE. The local interface could be 393 ethernet or WiFi, or it could be one that is obtained through a 394 tunnel mechanism, such as a Virtual Private Network (VPN) or Mobile 395 IP (MIP). In all cases, such a network interface appears to the 396 agent as a local interface from which ports (and thus candidates) can 397 be allocated. 399 If an agent is multihomed, it obtains a candidate from each IP 400 address. Depending on the location of the PEER (the other agent in 401 the session) on the IP network relative to the agent, the agent may 402 be reachable by the peer through one or more of those IP addresses. 403 Consider, for example, an agent which has a local IP address on a 404 private net 10 network (I1), and a second connected to the public 405 Internet (I2). A candidate from I1 will be directly reachable when 406 communicating with a peer on the same private net 10 network, while a 407 candidate from I2 will be directly reachable when communicating with 408 a peer on the public Internet. Rather than trying to guess which IP 409 address will work prior to sending an offer, the offering agent 410 includes both candidates in its offer. 412 Next, the agent uses STUN or TURN to obtain additional candidates. 413 These come in two flavors: translated addresses on the public side of 414 a NAT (SERVER REFLEXIVE CANDIDATES) and addresses on TURN servers 415 (RELAYED CANDIDATES). When TURN servers are utilized, both types of 416 candidates are obtained from the TURN server. If only STUN servers 417 are utilized, only server reflexive candidates are obtained from 418 them. The relationship of these candidates to the host candidate is 419 shown in Figure 2. In this figure, both types of candidates are 420 discovered using TURN. In the figure, the notation X:x means IP 421 address X and UDP port x. 423 To Internet 425 | 426 | 427 | /------------ Relayed 428 Y:y | / Address 429 +--------+ 430 | | 431 | TURN | 432 | Server | 433 | | 434 +--------+ 435 | 436 | 437 | /------------ Server 438 X1':x1'|/ Reflexive 439 +------------+ Address 440 | NAT | 441 +------------+ 442 | 443 | /------------ Local 444 X:x |/ Address 445 +--------+ 446 | | 447 | Agent | 448 | | 449 +--------+ 451 Figure 2: Candidate Relationships 453 When the agent sends the TURN Allocate Request from IP address and 454 port X:x, the NAT (assuming there is one) will create a binding 455 X1':x1', mapping this server reflexive candidate to the host 456 candidate X:x. Outgoing packets sent from the host candidate will be 457 translated by the NAT to the server reflexive candidate. Incoming 458 packets sent to the server reflexive candidate will be translated by 459 the NAT to the host candidate and forwarded to the agent. We call 460 the host candidate associated with a given server reflexive candidate 461 the BASE. 463 NOTE: "Base" refers to the address an agent sends from for a 464 particular candidate. Thus, as a degenerate case host candidates 465 also have a base, but it's the same as the host candidate. 467 When there are multiple NATs between the agent and the TURN server, 468 the TURN request will create a binding on each NAT, but only the 469 outermost server reflexive candidate (the one nearest the TURN 470 server) will be discovered by the agent. If the agent is not behind 471 a NAT, then the base candidate will be the same as the server 472 reflexive candidate and the server reflexive candidate is redundant 473 and will be eliminated. 475 The Allocate request then arrives at the TURN server. The TURN 476 server allocates a port y from its local IP address Y, and generates 477 an Allocate response, informing the agent of this relayed candidate. 478 The TURN server also informs the agent of the server reflexive 479 candidate, X1':x1' by copying the source transport address of the 480 Allocate request into the Allocate response. The TURN server acts as 481 a packet relay, forwarding traffic between L and R. In order to send 482 traffic to L, R sends traffic to the TURN server at Y:y, and the TURN 483 server forwards that to X1':x1', which passes through the NAT where 484 it is mapped to X:x and delivered to L. 486 When only STUN servers are utilized, the agent sends a STUN Binding 487 Request [I-D.ietf-behave-rfc3489bis] to its STUN server. The STUN 488 server will inform the agent of the server reflexive candidate 489 X1':x1' by copying the source transport address of the Binding 490 request into the Binding response. 492 2.2. Connectivity Checks 494 Once L has gathered all of its candidates, it orders them in highest 495 to lowest priority and sends them to R over the signalling channel. 496 The candidates are carried in attributes in the SDP offer. When R 497 receives the offer, it performs the same gathering process and 498 responds with its own list of candidates. At the end of this 499 process, each agent has a complete list of both its candidates and 500 its peer's candidates. It pairs them up, resulting in CANDIDATE 501 PAIRS. To see which pairs work, each agent schedules a series of 502 CHECKS. Each check is a STUN request/response transaction that the 503 client will perform on a particular candidate pair by sending a STUN 504 request from the local candidate to the remote candidate. 506 The basic principle of the connectivity checks is simple: 508 1. Sort the candidate pairs in priority order. 510 2. Send checks on each candidate pair in priority order. 512 3. Acknowledge checks received from the other agent. 514 With both agents performing a check on a candidate pair, the result 515 is a 4-way handshake: 517 L R 518 - - 519 STUN request -> \ L's 520 <- STUN response / check 522 <- STUN request \ R's 523 STUN response -> / check 525 Figure 3: Basic Connectivity Check 527 It is important to note that the STUN requests are sent to and from 528 the exact same IP addresses and ports that will be used for media 529 (e.g., RTP and RTCP). Consequently, agents demultiplex STUN and RTP/ 530 RTCP using contents of the packets, rather than the port on which 531 they are received. Fortunately, this demultiplexing is easy to do, 532 especially for RTP and RTCP. 534 Because a STUN Binding Request is used for the connectivity check, 535 the STUN Binding response will contain the agent's translated 536 transport address on the public side any NATs between the agent and 537 its peer. If this transport address is different from other 538 candidates the agent already learned, it represents a new candidate, 539 called a PEER REFLEXIVE CANDIDATE, which then gets tested by ICE just 540 the same as any other candidate. 542 As an optimization, as soon as R gets L's check message, R schedules 543 a connectivity check message to be sent to L on the same candidate 544 pair. This accelerates the process of finding a valid candidate, and 545 is called a TRIGGERED CHECK. 547 At the end of this handshake, both L and R know that they can send 548 (and receive) messages end-to-end in both directions. 550 2.3. Sorting Candidates 552 Because the algorithm above searches all candidate pairs, if a 553 working pair exists it will eventually find it no matter what order 554 the candidates are tried in. In order to produce faster (and better) 555 results, the candidates are sorted in a specified order. The 556 resulting list of sorted candidate pairs is called the CHECK LIST. 557 The algorithm is described in Section 4.1.2 but follows two general 558 principles: 560 o Each agent gives its candidates a numeric priority which is sent 561 along with the candidate to the peer 563 o The local and remote priorities are combined so that each agent 564 has the same ordering for the candidate pairs. 566 The second property is important for getting ICE to work when there 567 are NATs in front of L and R. Frequently, NATs will not allow packets 568 in from a host until the agent behind the NAT has sent a packet 569 towards that host. Consequently, ICE checks in each direction will 570 not succeed until both sides have sent a check through their 571 respective NATs. 573 The agent works through this check list by sending a STUN request for 574 the next candidate pair on the list periodically. These are called 575 ORDINARY CHECKS. 577 In general the priority algorithm is designed so that candidates of 578 similar type get similar priorities and so that more direct routes 579 (that is, through fewer media relays and through fewer NATs) are 580 preferred over indirect ones (ones with more media relays and more 581 NATs). Within those guidelines, however, agents have a fair amount 582 of discretion about how to tune their algorithms. 584 2.4. Frozen Candidates 586 The previous description only addresses the case where the agents 587 wish to establish a media session with one COMPONENT (a piece of a 588 media stream requiring a single transport address; a media stream may 589 require multiple components, each of which has to work for the media 590 stream as a whole to be work). Typically, (e.g., with RTP and RTCP) 591 the agents actually need to establish connectivity for more than one 592 flow. 594 The network properties are likely to be very similar for each 595 component (especially because RTP and RTCP are sent and received from 596 the same IP address). It is usually possible to leverage information 597 from one media component in order to determine the best candidates 598 for another. ICE does this with a mechanism called "frozen 599 candidates." 601 Each candidate is associated with a property called its FOUNDATION. 602 Two candidates have the same foundation when they are "similar" - of 603 the same type and obtained from the same host candidate and STUN 604 server using the same protocol. Otherwise, their foundation is 605 different. A candidate pair has a foundation too, which is just the 606 concatenation of the foundations of its two candidates. Initially, 607 only the candidate pairs with unique foundations are tested. The 608 other candidate pairs are marked "frozen". When the connectivity 609 checks for a candidate pair succeed, the other candidate pairs with 610 the same foundation are unfrozen. This avoids repeated checking of 611 components which are superficially more attractive but in fact are 612 likely to fail. 614 While we've described "frozen" here as a separate mechanism for 615 expository purposes, in fact it is an integral part of ICE and the 616 the ICE prioritization algorithm automatically ensures that the right 617 candidates are unfrozen and checked in the right order. 619 2.5. Security for Checks 621 Because ICE is used to discover which addresses can be used to send 622 media between two agents, it is important to ensure that the process 623 cannot be hijacked to send media to the wrong location. Each STUN 624 connectivity check is covered by a message authentication code (MAC) 625 computed using a key exchanged in the signalling channel. This MAC 626 provides message integrity and data origin authentication, thus 627 stopping an attacker from forging or modifying connectivity check 628 messages. Furthermore, if the SIP [RFC3261] caller is using ICE, and 629 their call forks, the ICE exchanges happen independently with each 630 forked recipient. In such a case, the keys exchanged in the 631 signaling help associate each ICE exchange with each forked 632 recipient. 634 2.6. Concluding ICE 636 ICE checks are performed in a specific sequence, so that high 637 priority candidate pairs are checked first, followed by lower 638 priority ones. One way to conclude ICE is to declare victory as soon 639 as a check for each component of each media stream completes 640 successfully. Indeed, this is a reasonable algorithm, and details 641 for it are provided below. However, it is possible that a packet 642 loss will cause a higher priority check to take longer to complete. 643 In that case, allowing ICE to run a little longer might produce 644 better results. More fundamentally, however, the prioritization 645 defined by this specification may not yield "optimal" results. As an 646 example, if the aim is to select low latency media paths, usage of a 647 relay is a hint that latencies may be higher, but it is nothing more 648 than a hint. An actual RTT measurement could be made, and it might 649 demonstrate that a pair with lower priority is actually better than 650 one with higher priority. 652 Consequently, ICE assigns one of the agents in the role of the 653 CONTROLLING AGENT, and the other of the CONTROLLED AGENT. The 654 controlling agent gets to nominate which candidate pairs will get 655 used for media amongst the ones that are valid. It can do this in 656 one of two ways - using REGULAR NOMINATION or AGGRESSIVE NOMINATION. 658 With regular nomination, the controlling agent lets the checks 659 continue until at least one valid candidate pair for each media 660 stream is found. Then, it picks amongst those that are valid, and 661 sends a second STUN request on its NOMINATED candidate pair, but this 662 time with a flag set to tell the peer that this pair has been 663 nominated for use. This is shown in Figure 4. 665 L R 666 - - 667 STUN request -> \ L's 668 <- STUN response / check 670 <- STUN request \ R's 671 STUN response -> / check 673 STUN request + flag -> \ L's 674 <- STUN response / check 676 Figure 4: Regular Nomination 678 Once the STUN transaction with the flag completes, both sides cancel 679 any future checks for that media stream. ICE will now send media 680 using this pair. The pair an ICE agent is using for media is called 681 the SELECTED PAIR. 683 In aggressive nomination, the controlling agent puts the flag in 684 every STUN request it sends. This way, once the first check 685 succeeds, ICE processing is complete for that media stream and the 686 controlling agent doesn't have to send a second STUN request. The 687 selected pair will be the highest priority valid pair whose check 688 succeeded. Aggressive nomination is faster than regular nomination, 689 but gives less flexibility. Aggressive nomination is shown in 690 Figure 5. 692 L R 693 - - 694 STUN request + flag -> \ L's 695 <- STUN response / check 697 <- STUN request \ R's 698 STUN response -> / check 700 Figure 5: Aggressive Nomination 702 Once all of the media streams are completed, the controlling endpoint 703 sends an updated offer if the candidates in the m and c lines for the 704 media stream (called the DEFAULT CANDIDATES) don't match ICE's 705 SELECTED CANDIDATES. 707 Once ICE is concluded, it can be restarted at any time for one or all 708 of the media streams by either agent. This is done by sending an 709 updated offer indicating a restart. 711 2.7. Lite Implementations 713 In order for ICE to be used in a call, both agents need to support 714 it. However, certain agents will always be connected to the public 715 Internet and have a public IP address at which it can receive packets 716 from any correspondent. To make it easier for these devices to 717 support ICE, ICE defines a special type of implementation called LITE 718 (in contrast to the normal FULL implementation). A lite 719 implementation doesn't gather candidates; it includes only host 720 candidates for any media stream. Lite agents do not generate 721 connectivity checks or run the state machines, though they need to be 722 able to respond to connectivity checks. When a lite implementation 723 connects with a full implementation, the full agent takes the role of 724 the controlling agent, and the lite agent takes on the controlled 725 role. When two lite implementations connect, no checks are sent. 727 For guidance on when a lite implementation is appropriate, see the 728 discussion in Appendix A. 730 It is important to note that the lite implementation was added to 731 this specification to provide a stepping stone to full 732 implementation. Even for devices that are always connected to the 733 public Internet, a full implementation is preferable if achievable. 735 3. Terminology 737 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 738 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 739 document are to be interpreted as described in RFC 2119 [RFC2119]. 741 Readers should be familiar with the terminology defined in the offer/ 742 answer model [RFC3264], STUN [I-D.ietf-behave-rfc3489bis] and NAT 743 Behavioral requirements for UDP [RFC4787] 745 This specification makes use of the following additional terminology: 747 Agent: As defined in RFC 3264, an agent is the protocol 748 implementation involved in the offer/answer exchange. There are 749 two agents involved in an offer/answer exchange. 751 Peer: From the perspective of one of the agents in a session, its 752 peer is the other agent. Specifically, from the perspective of 753 the offerer, the peer is the answerer. From the perspective of 754 the answerer, the peer is the offerer. 756 Transport Address: The combination of an IP address and transport 757 protocol (such as UDP or TCP) port. 759 Candidate: A transport address that is a potential point of contact 760 for receipt of media. Candidates also have properties - their 761 type (server reflexive, relayed or host), priority, foundation, 762 and base. 764 Component: A component is a piece of a media stream requiring a 765 single transport address; a media stream may require multiple 766 components, each of which has to work for the media stream as a 767 whole to work. For media streams based on RTP, there are two 768 components per media stream - one for RTP, and one for RTCP. 770 Host Candidate: A candidate obtained by binding to a specific port 771 from an IP address on the host. This includes IP addresses on 772 physical interfaces and logical ones, such as ones obtained 773 through Virtual Private Networks (VPNs) and Realm Specific IP 774 (RSIP) [RFC3102] (which lives at the operating system level). 776 Server Reflexive Candidate: A candidate whose IP address and port 777 are a binding allocated by a NAT for an agent when it sent a 778 packet through the NAT to a server. Server reflexive candidates 779 can be learned by STUN servers using the Binding Request, or TURN 780 servers, which provides both a Relayed and Server Reflexive 781 candidate. 783 Peer Reflexive Candidate: A candidate whose IP address and port are 784 a binding allocated by a NAT for an agent when it sent a STUN 785 Binding Request through the NAT to its peer. 787 Relayed Candidate: A candidate obtained by sending a TURN Allocate 788 request from a host candidate to a TURN server. The relayed 789 candidate is resident on the TURN server, and the TURN server 790 relays packets back towards the agent. 792 Base: The base of a server reflexive candidate is the host candidate 793 from which it was derived. A host candidate is also said to have 794 a base, equal to that candidate itself. Similarly, the base of a 795 relayed candidate is that candidate itself. 797 Foundation: An arbitrary string that is the same for two candidates 798 that have the same type, base IP address, protocol (UDP, TCP, 799 etc.) and STUN or TURN server. If any of these are different then 800 the foundation will be different. Two candidate pairs with the 801 same foundation pairs are likely to have similar network 802 characteristics. Foundations are used in the frozen algorithm. 804 Local Candidate: A candidate that an agent has obtained and included 805 in an offer or answer it sent. 807 Remote Candidate: A candidate that an agent received in an offer or 808 answer from its peer. 810 Default Destination/Candidate: The default destination for a 811 component of a media stream is the transport address that would be 812 used by an agent that is not ICE aware. For the RTP component, 813 the default IP address is in the c line of the SDP, and the port 814 in the m line. For the RTCP component it is in the rtcp attribute 815 when present, and when not present, the IP address in the c line 816 and 1 plus the port in the m line. A default candidate for a 817 component is one whose transport address matches the default 818 destination for that component. 820 Candidate Pair: A pairing containing a local candidate and a remote 821 candidate. 823 Check, Connectivity Check, STUN Check: A STUN Binding Request 824 transaction for the purposes of verifying connectivity. A check 825 is sent from the local candidate to the remote candidate of a 826 candidate pair. 828 Check List: An ordered set of candidate pairs that an agent will use 829 to generate checks. 831 Ordinary Check: A connectivity check generated by an agent as a 832 consequence of a timer that fires periodically, instructing it to 833 send a check. 835 Triggered Check: A connectivity check generated as a consequence of 836 the receipt of a connectivity check from the peer. 838 Valid List: An ordered set of candidate pairs for a media stream 839 that have been validated by a successful STUN transaction. 841 Full: An ICE implementation that performs the complete set of 842 functionality defined by this specification. 844 Lite: An ICE implementation that omits certain functions, 845 implementing only as much as is necessary for a peer 846 implementation that is full to gain the benefits of ICE. Lite 847 implementations do not maintain any of the state machines and do 848 not generate connectivity checks. 850 Controlling Agent: The ICE agent which is responsible for selecting 851 the final choice of candidate pairs and signaling them through 852 STUN and an updated offer, if needed. In any session, one agent 853 is always controlling. The other is the controlled agent. 855 Controlled Agent: An ICE agent which waits for the controlling agent 856 to select the final choice of candidate pairs. 858 Regular Nomination: The process of picking a valid candidate pair 859 for media traffic by validating the pair with one STUN request, 860 and then picking it by sending a second STUN request with a flag 861 indicating its nomination. 863 Aggressive Nomination: The process of picking a valid candidate pair 864 for media traffic by including a flag in every STUN request, such 865 that the first one to produce a valid candidate pair is used for 866 media. 868 Nominated: If a valid candidate pair has its nominated flag set, it 869 means that it may be selected by ICE for sending and receiving 870 media. 872 Selected Pair, Selected Candidate: The candidate pair selected by 873 ICE for sending and receiving media is called the selected pair, 874 and each of its candidates is called the selected candidate. 876 4. Sending the Initial Offer 878 In order to send the initial offer in an offer/answer exchange, an 879 agent must (1) gather candidates, (2) prioritize them, (3) choose 880 default candidates, and then (4) formulate and send the SDP offer. 881 All but the last of these four steps differ for full and lite 882 implementations. 884 4.1. Full Implementation Requirements 886 4.1.1. Gathering Candidates 888 An agent gathers candidates when it believes that communications is 889 imminent. An offerer can do this based on a user interface cue, or 890 based on an explicit request to initiate a session. Every candidate 891 is a transport address. It also has a type and a base. Four types 892 are defined and gathered by this specification - host candidates, 893 server reflexive candidates, peer reflexive candidates, and relayed 894 candidates. The server reflexive and relayed candidates are gathered 895 using STUN or TURN, and relayed candidates are obtained through TURN. 896 Peer reflexive candidates are obtained in later phases of ICE, as a 897 consequence of connectivity checks. The base of a candidate is the 898 candidate that an agent must send from when using that candidate. 900 4.1.1.1. Host Candidates 902 The first step is to gather host candidates. Host candidates are 903 obtained by binding to ports (typically ephemeral) on a IP address 904 attached to an interface (physical or virtual, including VPN 905 interfaces) on the host. 907 For each UDP media stream the agent wishes to use, the agent SHOULD 908 obtain a candidate for each component of the media stream on each IP 909 address that the host has. It obtains each candidate by binding to a 910 UDP port on the specific IP address. A host candidate (and indeed 911 every candidate) is always associated with a specific component for 912 which it is a candidate. Each component has an ID assigned to it, 913 called the component ID. For RTP-based media streams, the RTP itself 914 has a component ID of 1, and RTCP a component ID of 2. If an agent 915 is using RTCP it MUST obtain a candidate for it. If an agent is 916 using both RTP and RTCP, it would end up with 2*K host candidates if 917 an agent has K IP addresses. 919 The base for each host candidate is set to the candidate itself. 921 4.1.1.2. Server Reflexive and Relayed Candidates 923 Agents SHOULD obtain relayed candidates and SHOULD obtain server 924 reflexive candidates. These requirements are at SHOULD strength to 925 allow for provider variation. Use of STUN and TURN servers may be 926 unnecessary in closed networks where agents are never connected to 927 the public Internet or to endpoints outside of the closed network. 928 In such cases, a full implementation would be used for agents that 929 are dual-stack or multi-homed, to select a host candidate. Use of 930 TURN servers is expensive, and when ICE is being used, they will only 931 be utilized when both endpoints are behind NATs that perform address 932 and port dependent mapping. Consequently, some deployments might 933 consider this use case to be marginal, and elect not to use TURN 934 servers. If an agent does not gather server reflexive or relayed 935 candidates, it is RECOMMENDED that the functionality be implemented 936 and just disabled through configuration, so that it can re-enabled 937 through configuration if conditions change in the future. 939 If an agent is gathering both relayed and server reflexive 940 candidates, it uses a TURN server. If it is gathering just server 941 reflexive candidates, it uses a STUN server. 943 The agent next pairs each host candidate with the STUN or TURN server 944 with which it is configured or has discovered by some means. If a 945 STUN or TURN server is configured, it is RECOMMENDED that a domain 946 name be configured, and the DNS procedures in 947 [I-D.ietf-behave-rfc3489bis] (using SRV records with the "stun" 948 service) be used to discover the STUN server, and the DNS procedures 949 in [I-D.ietf-behave-turn] (using SRV records with the "turn" service) 950 be used to discover the TURN server. 952 This specification only considers usage of a single STUN or TURN 953 server. When there are multiple choices for that single STUN or TURN 954 server (when, for example, they are learned through DNS records and 955 multiple results are returned), an agent SHOULD use a single STUN or 956 TURN server (based on its IP address) for all candidates for a 957 particular session. This improves the performance of ICE. The 958 result is a set of pairs of host candidates with STUN or TURN 959 servers. The agent then chooses one pair, and sends a Binding or 960 Allocate request to the server from that host candidate. Binding 961 Requests to a STUN server are not authenticated, and any ALTERNATE- 962 SERVER attribute in a response is ignored. Agents MUST support the 963 backwards compatibility mode for the Binding Request defined in 964 [I-D.ietf-behave-rfc3489bis]. Allocate requests SHOULD be 965 authenticated using a long-term credential obtained by the client 966 through some other means. 968 Every Ta milliseconds thereafter, the agent can generate another new 969 STUN or TURN transaction. This transaction can either be a retry of 970 a previous transaction which failed with a recoverable error (such as 971 authentication failure), or a transaction for a new host candidate 972 and STUN or TURN server pair. The agent SHOULD NOT generate 973 transactions more frequently than one every Ta milliseconds. See 974 Section 16 for guidance on how to set Ta and the STUN retransmit 975 timer, RTO. 977 The agent will receive a Binding or Allocate response. A successful 978 Allocate Response will provide the agent with a server reflexive 979 candidate (obtained from the mapped address) and a relayed candidate 980 in the RELAY-ADDRESS attribute. If the Allocate request is rejected 981 because the server lacks resources to fulfill it, the agent SHOULD 982 instead send a Binding Request to obtain a server reflexive 983 candidate. A Binding Response will provide the agent with only a 984 server reflexive candidate (also obtained from the mapped address). 985 The base of the server reflexive candidate is the host candidate from 986 which the Allocate or Binding request was sent. The base of a 987 relayed candidate is that candidate itself. If a relayed candidate 988 is identical to a host candidate (which can happen in rare cases), 989 the relayed candidate MUST be discarded. 991 4.1.1.3. Computing Foundations 993 Finally, the agent assigns each candidate a foundation. The 994 foundation is an identifier, scoped within a session. Two candidates 995 MUST have the same foundation ID when all of the following are true: 997 o they are of the same type (host, relayed, server reflexive, or 998 peer reflexive) 1000 o their bases have the same IP address (the ports can be different) 1002 o for reflexive and relayed candidates, the STUN or TURN servers 1003 used to obtain them have the same IP address. 1005 o they were obtained using the same transport protocol (TCP, UDP, 1006 etc.) 1008 Similarly, two candidates MUST have different foundations if their 1009 types are different, their bases have different IP addresses, the 1010 STUN or TURN servers used to obtain them have different IP addresses, 1011 or their transport protocols are different. 1013 4.1.1.4. Keeping Candidates Alive 1015 Once server reflexive and relayed candidates are allocated, they MUST 1016 be kept alive until ICE processing has completed, as described in 1017 Section 8.3. For server reflexive candidates learned through a 1018 Binding request, the bindings MUST be kept alive by additional 1019 Binding Requests to the server. For relayed candidates learned 1020 through an Allocate request, the keepalive MUST be new Allocate 1021 requests. The Allocate requests will also refresh the server 1022 reflexive candidate. 1024 4.1.2. Prioritizing Candidates 1026 The prioritization process results in the assignment of a priority to 1027 each candidate. Each candidate for a media stream MUST have a unique 1028 priority that MUST be a positive integer between 1 and (2**32 - 1). 1029 This priority will be used by ICE to determine the order of the 1030 connectivity checks and the relative preference for candidates. 1032 An agent SHOULD compute this priority using the formula in 1033 Section 4.1.2.1 and choose its parameters using the guidelines in 1034 Section 4.1.2.2. If an agent elects to use a different formula, ICE 1035 will take longer to converge since both agents will not be 1036 coordinated in their checks. 1038 4.1.2.1. Recommended Formula 1040 When using the formula, an agent computes the priority by determining 1041 a preference for each type of candidate (server reflexive, peer 1042 reflexive, relayed and host), and, when the agent is multihomed, 1043 choosing a preference for its IP addresses. These two preferences 1044 are then combined to compute the priority for a candidate. That 1045 priority is computed using the following formula: 1047 priority = (2^24)*(type preference) + 1048 (2^8)*(local preference) + 1049 (2^0)*(256 - component ID) 1051 The type preference MUST be an integer from 0 to 126 inclusive, and 1052 represents the preference for the type of the candidate (where the 1053 types are local, server reflexive, peer reflexive and relayed). A 1054 126 is the highest preference, and a 0 is the lowest. Setting the 1055 value to a 0 means that candidates of this type will only be used as 1056 a last resort. The type preference MUST be identical for all 1057 candidates of the same type and MUST be different for candidates of 1058 different types. The type preference for peer reflexive candidates 1059 MUST be higher than that of server reflexive candidates. Note that 1060 candidates gathered based on the procedures of Section 4.1.1 will 1061 never be peer reflexive candidates; candidates of these type are 1062 learned from the connectivity checks performed by ICE. 1064 The local preference MUST be an integer from 0 to 65535 inclusive. 1065 It represents a preference for the particular IP address from which 1066 the candidate was obtained, in cases where an agent is multihomed. 1067 65535 represents the highest preference, and a zero, the lowest. 1068 When there is only a single IP address, this value SHOULD be set to 1069 65535. More generally, if there are multiple candidates for a 1070 particular component for a particular media stream which have the 1071 same type, the local preference MUST be unique for each one. In this 1072 specification, this only happens for multi-homed hosts. If a host is 1073 multi-homed because it is dual stacked, the local preference SHOULD 1074 be set equal to the precedence value for IP addresses described in 1075 RFC 3484 [RFC3484]. 1077 The component ID is the component ID for the candidate, and MUST be 1078 between 1 and 256 inclusive. 1080 4.1.2.2. Guidelines for Choosing Type and Local Preferences 1082 One criteria for selection of the type and local preference values is 1083 the use of a media intermediary, such as a TURN server, VPN server or 1084 NAT. With a media intermediary, if media is sent to that candidate, 1085 it will first transit the media intermediary before being received. 1086 Relayed candidates are one type of candidate that involves a media 1087 intermediary. Another are host candidates obtained from a VPN 1088 interface. When media is transited through a media intermediary, it 1089 can increase the latency between transmission and reception. It can 1090 increase the packet losses, because of the additional router hops 1091 that may be taken. It may increase the cost of providing service, 1092 since media will be routed in and right back out of a media 1093 intermediary run by a provider. If these concerns are important, the 1094 type preference for relayed candidates SHOULD be lower than host 1095 candidates. The RECOMMENDED values are 126 for host candidates, 100 1096 for server reflexive candidates, 110 for peer reflexive candidates, 1097 and 0 for relayed candidates. Furthermore, if an agent is multi- 1098 homed and has multiple IP addresses, the local preference for host 1099 candidates from a VPN interface SHOULD have a priority of 0. 1101 Another criteria for selection of preferences is IP address family. 1102 ICE works with both IPv4 and IPv6. It therefore provides a 1103 transition mechanism that allows dual-stack hosts to prefer 1104 connectivity over IPv6, but to fall back to IPv4 in case the v6 1105 networks are disconnected (due, for example, to a failure in a 6to4 1106 relay) [RFC3056]. It can also help with hosts that have both a 1107 native IPv6 address and a 6to4 address. In such a case, higher local 1108 preferences could be assigned to the v6 addresses, followed by the 1109 6to4 addresses, followed by the v4 addresses. This allows a site to 1110 obtain and begin using native v6 addresses immediately, yet still 1111 fallback to 6to4 addresses when communicating with agents in other 1112 sites that do not yet have native v6 connectivity. 1114 Another criteria for selecting preferences is security. If a user is 1115 a telecommuter, and therefore connected to their corporate network 1116 and a local home network, they may prefer their voice traffic to be 1117 routed over the VPN in order to keep it on the corporate network when 1118 communicating within the enterprise, but use the local network when 1119 communicating with users outside of the enterprise. In such a case, 1120 a VPN address would have a higher local preference than any other 1121 address. 1123 Another criteria for selecting preferences is topological awareness. 1124 This is most useful for candidates that make use of intermediaries. 1125 In those cases, if an agent has preconfigured or dynamically 1126 discovered knowledge of the topological proximity of the 1127 intermediaries to itself, it can use that to assign higher local 1128 preferences to candidates obtained from closer intermediaries. 1130 4.1.3. Eliminating Redundant Candidates 1132 Next, the agent eliminates redundant candidates. A candidate is 1133 redundant if its transport address equals another candidate, and its 1134 base equals the base of that other candidate. Note that two 1135 candidates can have the same transport address yet have different 1136 bases, and these would not be considered redundant. Frequently, a 1137 server reflexive candidate and a host candidate will be redundant 1138 when the agent is not behind a NAT. The agent SHOULD eliminate the 1139 redundant candididate with the lower priority. 1141 4.1.4. Choosing Default Candidates 1143 A candidate is said to be default if it would be the target of media 1144 from a non-ICE peer; that target being called the DEFAULT 1145 DESTINATION. If the default candidates are not selected by the ICE 1146 algorithm when communicating with an ICE-aware peer, an updated 1147 offer/answer will be required after ICE processing completes in order 1148 to "fix-up" the SDP so that the default destination for media matches 1149 the candidates selected by ICE. If ICE happens to select the default 1150 candidates, no updated offer/answer is required. 1152 An agent MUST choose a set of candidates, one for each component of 1153 each in-use media stream, to be default. A media stream is in-use if 1154 it does not have a port of zero (which is used in RFC 3264 to reject 1155 a media stream). Consequently, a media stream is in-use even if it 1156 is marked as a=inactive [RFC4566] or has a bandwidth value of zero. 1158 It is RECOMMENDED that default candidates be chosen based on the 1159 likelihood of those candidates to work with the peer that is being 1160 contacted. It is RECOMMENDED that the default candidates are the 1161 relayed candidates (if relayed candidates are available), server 1162 reflexive candidates (if server reflexive candidates are available), 1163 and finally host candidates. 1165 4.2. Lite Implementation 1167 Lite implementations only utilize host candidates. A lite 1168 implementation MUST, for each component of each media stream, 1169 allocate zero or one IPv4 candidates. It MAY allocate zero or more 1170 IPv6 candidates, but no more than one per each IPv6 address utilized 1171 by the host. Since there can be no more than one IPv4 candidate per 1172 component of each media stream, if an agent has multiple IPv4 1173 addresses, it MUST choose one for allocating the candidate. If a 1174 host is dual-stack, it is RECOMMENDED that it allocate one IPv4 1175 candidate and one global IPv6 address. With the lite implementation, 1176 ICE cannot be used to dynamically choose amongst candidates. 1177 Therefore, including more than one candidate from a particular scope 1178 is NOT RECOMMENDED, since only a connectivity check can truly 1179 determine whether to use one address or the other. 1181 Each component has an ID assigned to it, called the component ID. 1182 For RTP-based media streams the RTP itself has a component ID of 1, 1183 and RTCP a component ID of 2. If an agent is using RTCP it MUST 1184 obtain candidates for it. 1186 Each candidate is assigned a foundation. The foundation MUST be 1187 different for two candidates allocated from different IP addresses, 1188 and MUST be the same otherwise. A simple integer that increments for 1189 each IP address will suffice. In addition, each candidate MUST be 1190 assigned a unique priority amongst all candidates for the same media 1191 stream. This priority SHOULD be equal to: 1193 priority = (2^24)*(126) + 1194 (2^8)*(IP precedence) + 1195 (2^0)*(256 - component ID) 1197 If a host is v4-only, it SHOULD set the IP precedence to 65535. If a 1198 host is v6 or dual-stack, the IP precedence SHOULD be the precedence 1199 value for IP addresses described in RFC 3484 [RFC3484]. 1201 Next, an agent chooses a default candidate for each component of each 1202 media stream. If a host is IPv4 only, there would only be one 1203 candidate for each component of each media stream, and therefore that 1204 candidate is the default. If a host is IPv6 or dual stack, the 1205 selection of default is a matter of local policy. This default 1206 SHOULD be chosen, such that, it is the candidate most likely to be 1207 used with a peer. For IPv6-only hosts, this would typically by a 1208 globally scoped IPv6 address. For dual-stack hosts, the IPv4 address 1209 is RECOMMENDED. 1211 4.3. Encoding the SDP 1213 The process of encoding the SDP is identical between full and lite 1214 implementations. 1216 The agent will include an m-line for each media stream it wishes to 1217 use. The ordering of media streams in the SDP is relevant for ICE. 1218 ICE will perform its connectivity checks for the first m-line first, 1219 and consequently media will be able to flow for that stream first. 1220 Agents SHOULD place their most important media stream, if there is 1221 one, first in the SDP. 1223 There will be a candidate attribute for each candidate for a 1224 particular media stream. Section 15 provides detailed rules for 1225 constructing this attribute. The attribute carries the IP address, 1226 port and transport protocol for the candidate, in addition to its 1227 properties that need to be signaled to the peer for ICE to work: the 1228 priority, foundation, and component ID. The candidate attribute also 1229 carries information about the candidate that is useful for 1230 diagnostics and other functions: its type and related transport 1231 addresses. 1233 STUN connectivity checks between agents are authenticated using the 1234 short term credential mechanism defined for STUN 1235 [I-D.ietf-behave-rfc3489bis]. This mechanism relies on a username 1236 and password that are exchanged through protocol machinery between 1237 the client and server. With ICE, the offer/answer exchange is used 1238 to exchange them. The username part of this credential is formed by 1239 concatenating a username fragment from each agent, separated by a 1240 colon. Each agent also provides a password, used to compute the 1241 message integrity for requests it receives. The username fragment 1242 and password are exchanged in the ice-ufrag and ice-pwd attributes, 1243 respectively. In addition to providing security, the username 1244 provides disambiguation and correlation of checks to media streams. 1245 See Appendix B.4 for motivation. 1247 If an agent is a lite implementation, it MUST include an "a=ice-lite" 1248 session level attribute in its SDP. If an agent is a full 1249 implementation, it MUST NOT include this attribute. 1251 The default candidates are added to the SDP as the default 1252 destination for media. For streams based on RTP, this is done by 1253 placing the IP address and port of the RTP candidate into the c and m 1254 lines, respectively. If the agent is utilizing RTCP, it MUST encode 1255 the RTCP candidate using the a=rtcp attribute as defined in RFC 3605 1256 [RFC3605]. If RTCP is not in use, the agent MUST signal that using 1257 b=RS:0 and b=RR:0 as defined in RFC 3556 [RFC3556]. 1259 The transport addresses that will be the default destination for 1260 media when communicating with non-ICE peers MUST also be present as 1261 candidates in one or more a=candidate lines. 1263 ICE provides for extensibility by allowing an offer or answer to 1264 contain a series of tokens which identify the ICE extensions used by 1265 that agent. If an agent supports an ICE extension, it MUST include 1266 the token defined for that extension in the ice-options attribute. 1268 The following is an example SDP message that includes ICE attributes 1269 (lines folded for readability): 1271 v=0 1272 o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1 1273 s= 1274 c=IN IP4 192.0.2.3 1275 t=0 0 1276 a=ice-pwd:asd88fgpdd777uzjYhagZg 1277 a=ice-ufrag:8hhY 1278 m=audio 45664 RTP/AVP 0 1279 b=RS:0 1280 b=RR:0 1281 a=rtpmap:0 PCMU/8000 1282 a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host 1283 a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 1284 10.0.1.1 rport 8998 1286 Once an agent has sent its offer or sent its answer, that agent MUST 1287 be prepared to receive both STUN and media packets on each candidate. 1288 As discussed in Section 11.1, media packets can be sent to a 1289 candidate prior to its appearance as the default destination for 1290 media in an offer or answer. 1292 5. Receiving the Initial Offer 1294 When an agent receives an initial offer, it will check if the offerer 1295 supports ICE, determine its own role, gather candidates, prioritize 1296 them, choose default candidates, encode and send an answer, and for 1297 full implementations, form the check lists and begin connectivity 1298 checks. 1300 5.1. Verifying ICE Support 1302 The agent will proceed with the ICE procedures defined in this 1303 specification if, for each media stream in the SDP it received, the 1304 default destination for each component of that media stream appears 1305 in a candidate attribute. For example, in the case of RTP, the IP 1306 address and port in the c and m line, respectively, appears in a 1307 candidate attribute and the value in the rtcp attribute appears in a 1308 candidate attribute. 1310 If this condition is not met, the agent MUST process the SDP based on 1311 normal RFC 3264 procedures, without using any of the ICE mechanisms 1312 described in the remainder of this specification with the following 1313 exceptions: 1315 1. The agent MUST follow the rules of Section 10, which describe 1316 keepalive procedures for all agents. 1318 2. If the agent is not proceeding with ICE because there were 1319 a=candidate attributes, but none that matched the default 1320 destination of the media stream, the agent MUST include an a=ice- 1321 mismatch attribute in its answer. 1323 5.2. Determining Role 1325 For each session, each agent takes on a role. There are two roles - 1326 controlling, and controlled. The controlling agent is responsible 1327 for the choice of the final candidate pairs used for communications. 1328 For a full agent, this means nominating the candidate pairs that can 1329 be used by ICE for each media stream, and for generating the updated 1330 offer based on ICE's selection, when needed. For a lite 1331 implementation, being the controlling agent means selecting a 1332 candidate pair based on the ones in the offer and answer (for IPv4, 1333 there is only ever one pair), and then generating an updated offer 1334 reflecting that selection, when needed (it is never needed for an 1335 IPv4 only host). The controlled agent is told which candidate pairs 1336 to use for each media stream, and does not generate an updated offer 1337 to signal this information. The sections below describe in detail 1338 the actual procedures following by controlling and controlled nodes. 1340 The rules for determining the role and the impact on behavior are as 1341 follows: 1343 Both agents are full: The agent which generated the offer which 1344 started the ICE processing MUST take the controlling role, and the 1345 other MUST take the controlled role. Both agents will form check 1346 lists, run the ICE state machines, and generate connectivity 1347 checks. The controlling agent will execute the logic in 1348 Section 8.1 to nominate pairs that will be selected by ICE, and 1349 then both agents end ICE as described in Section 8.1.2. In 1350 unusual cases, described in Appendix B.11, it is possible for both 1351 agents to mistakenly believe they are controlled or controlling. 1352 To resolve this, each agent MUST select a random number, called 1353 the tie-breaker, uniformly distributed between 0 and (2**64) - 1 1354 (that is, a 64 bit positive integer). This number is used in 1355 connectivity checks to detect and repair this case, as described 1356 in Section 7.1.1.2. 1358 One agent Full, one Lite: The full agent MUST take the controlling 1359 role, and the lite agent MUST take the controlled role. The full 1360 agent will form check lists, run the ICE state machines, and 1361 generate connectivity checks. That agent will execute the logic 1362 in Section 8.1 to nominate pairs that will be selected by ICE, and 1363 use the logic in Section 8.1.2 to end ICE. The lite 1364 implementation will just listen for connectivity checks, receive 1365 them and respond to them, and then conclude ICE as described in 1366 Section 8.2. For the lite implementation, the state of ICE 1367 processing for each media stream is considered to be Running, and 1368 the state of ICE overall is Running. 1370 Both Lite: The agent which generated the offer which started the ICE 1371 processing MUST take the controlling role, and the other MUST take 1372 the controlled role. In this case, no connectivity checks are 1373 ever sent. Rather, once the offer/answer exchange completes, each 1374 agent performs the processing described in Section 8 without 1375 connectivity checks. It is possible that both agents will believe 1376 they are controlled or controlling. In the latter case, the 1377 conflict is resolved through glare detection capabilities in the 1378 signaling protocol carrying the offer/answer exchange. The state 1379 of ICE processing for each media stream is considered to be 1380 Running, and the state of ICE overall is Running. 1382 Once roles are determined for a session, they persist unless ICE is 1383 restarted. A ICE restart (Section 9.1) causes a new selection of 1384 roles and tie-breakers. 1386 5.3. Gathering Candidates 1388 The process for gathering candidates at the answerer is identical to 1389 the process for the offerer as described in Section 4.1.1 for full 1390 implementations and Section 4.2 for lite implementations. It is 1391 RECOMMENDED that this process begin immediately on receipt of the 1392 offer, prior to alerting the user. Such gathering MAY begin when an 1393 agent starts. 1395 5.4. Prioritizing Candidates 1397 The process for prioritizing candidates at the answerer is identical 1398 to the process followed by the offerer, as described in Section 4.1.2 1399 for full implementations and Section 4.2 for lite implementations. 1401 5.5. Choosing Default Candidates 1403 The process for selecting default candidates at the answerer is 1404 identical to the process followed by the offerer, as described in 1405 Section 4.1.4 for full implementations and Section 4.2 for lite 1406 implementations. 1408 5.6. Encoding the SDP 1410 The process for encoding the SDP at the answerer is identical to the 1411 process followed by the offerer for both full and lite 1412 implementations, as described in Section 4.3. 1414 5.7. Forming the Check Lists 1416 Forming check lists is done only by full implementations. Lite 1417 implementations MUST skip the steps defined in this section. 1419 There is one check list per in-use media stream resulting from the 1420 offer/answer exchange. To form the check list for a media stream, 1421 the agent forms candidate pairs, computes a candidate pair priority, 1422 orders the pairs by priority, prunes them, and sets their states. 1423 These steps are described in this section. 1425 5.7.1. Forming Candidate Pairs 1427 First, the agent takes each of its candidates for a media stream 1428 (called LOCAL CANDIDATES) and pairs them with the candidates it 1429 received from its peer (called REMOTE CANDIDATES) for that media 1430 stream. In order to prevent the attacks described in Section 18.5.2, 1431 agents MAY limit the number of candidates they'll accept in an offer 1432 or answer. A local candidate is paired with a remote candidate if 1433 and only if the two candidates have the same component ID and have 1434 the same IP address version. It is possible that some of the local 1435 candidates don't get paired with a remote candidate, and some of the 1436 remote candidates don't get paired with local candidates. This can 1437 happen if one agent didn't include candidates for the all of the 1438 components for a media stream. If this happens, the number of 1439 components for that media stream is effectively reduced, and 1440 considered to be equal to the minimum across both agents of the 1441 maximum component ID provided by each agent across all components for 1442 the media stream. 1444 In the case of RTP, this would happen when one agent provided 1445 candidates for RTCP, and the other did not. As another example, the 1446 offerer can multiplex RTP and RTCP on the same port and signals it 1447 can do that in the SDP through an SDP attribute 1448 [I-D.ietf-avt-rtp-and-rtcp-mux]. However, since the offerer doesn't 1449 know if the answerer can perform such multiplexing, the offerer 1450 includes candidates for RTP and RTCP on separate ports, so that the 1451 offer has two components per media stream. If the answerer can 1452 perform such multiplexing, it would include just a single component 1453 for each candidate - for the combined RTP/RTCP mux. ICE would end up 1454 acting as if there was just a single component for this candidate. 1456 The candidate pairs whose local and remote candidates were both the 1457 default candidates for a particular component is called, 1458 unsurprisingly, the default candidate pair for that component. This 1459 is the pair that would be used to transmit media if both agents had 1460 not been ICE aware. 1462 In order to aid understanding, Figure 9 shows the relationships 1463 between several key concepts - transport addresses, candidates, 1464 candidate pairs, and check lists, in addition to indicating the main 1465 properties of candidates and candidate pairs. 1467 +------------------------------------------+ 1468 | | 1469 | +---------------------+ | 1470 | |+----+ +----+ +----+ | +Type | 1471 | || IP | |Port| |Tran| | +Priority | 1472 | ||Addr| | | | | | +Foundation | 1473 | |+----+ +----+ +----+ | +ComponentiD | 1474 | | Transport | +RelatedAddr | 1475 | | Addr | | 1476 | +---------------------+ +Base | 1477 | Candidate | 1478 +------------------------------------------+ 1479 * * 1480 * ************************************* 1481 * * 1482 +-------------------------------+ 1483 .| | 1484 | Local Remote | 1485 | +----+ +----+ +default? | 1486 | |Cand| |Cand| +valid? | 1487 | +----+ +----+ +nominated?| 1488 | +State | 1489 | | 1490 | | 1491 | Candidate Pair | 1492 +-------------------------------+ 1493 * * 1494 * ************ 1495 * * 1496 +------------------+ 1497 | Candidate Pair | 1498 +------------------+ 1499 +------------------+ 1500 | Candidate Pair | 1501 +------------------+ 1502 +------------------+ 1503 | Candidate Pair | 1504 +------------------+ 1506 Check 1507 List 1508 Figure 9: Conceptual Diagram of a Check List 1510 5.7.2. Computing Pair Priority and Ordering Pairs 1512 Once the pairs are formed, a candidate pair priority is computed. 1513 Let G be the priority for the candidate provided by the controlling 1514 agent. Let D be the priority for the candidate provided by the 1515 controlled agent. The priority for a pair is computed as: 1517 pair priority = 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D?1:0) 1519 Where G>D?1:0 is an expression whose value is 1 if G is greater than 1520 D, and 0 otherwise. This formula ensures a unique priority for each 1521 pair. Once the priority is assigned, the agent sorts the candidate 1522 pairs in decreasing order of priority. If two pairs have identical 1523 priority, the ordering amongst them is arbitrary. 1525 5.7.3. Pruning the Pairs 1527 This sorted list of candidate pairs is used to determine a sequence 1528 of connectivity checks that will be performed. Each check involves 1529 sending a request from a local candidate to a remote candidate. 1530 Since an agent cannot send requests directly from a reflexive 1531 candidate, but only from its base, the agent next goes through the 1532 sorted list of candidate pairs. For each pair where the local 1533 candidate is server reflexive, the server reflexive candidate MUST be 1534 replaced by its base. Once this has been done, the agent MUST prune 1535 the list. This is done by removing a pair if its local and remote 1536 candidates are identical to the local and remote candidates of a pair 1537 higher up on the priority list. The result is a sequence of ordered 1538 candidate pairs, called the check list for that media stream. 1540 In addition, in order to limit the attacks described in 1541 Section 18.5.2, an agent SHOULD limit the total number of 1542 connectivity checks they perform across all check lists to a 1543 configurable value. A default of 100 is RECOMMENDED. This limit is 1544 enforced by discarding the lower priority candidate pairs until there 1545 are less than 100. It is RECOMMENDED that a lower value be utilized 1546 when possible, set to the maximum number of plausible checks that 1547 might be seen in an actual deployment configuration. 1549 5.7.4. Computing States 1551 Each candidate pair in the check list has a foundation and a state. 1552 The foundation is the combination of the foundations of the local and 1553 remote candidates in the pair. The state is assigned once the check 1554 list for each media stream has been computed. There are five 1555 potential values that the state can have: 1557 Waiting: A check has not been performed for this pair, and can be 1558 performed as soon as it is the highest priority Waiting pair on 1559 the check list. 1561 In-Progress: A check has been sent for this pair, but the 1562 transaction is in progress. 1564 Succeeded: A check for this pair was already done and produced a 1565 successful result. 1567 Failed: A check for this pair was already done and failed, either 1568 never producing any response or producing an unrecoverable failure 1569 response. 1571 Frozen: A check for this pair hasn't been performed, and it can't 1572 yet be performed until some other check succeeds, allowing this 1573 pair to unfreeze and move into the Waiting state. 1575 As ICE runs, the pairs will move between states as shown in 1576 Figure 10. 1578 +-----------+ 1579 | | 1580 | | 1581 | Frozen | 1582 | | 1583 | | 1584 +-----------+ 1585 | 1586 |unfreeze 1587 | 1588 V 1589 +-----------+ +-----------+ 1590 | | | | 1591 | | perform | | 1592 | Waiting |-------->|In-Progress| 1593 | | | | 1594 | | | | 1595 +-----------+ +-----------+ 1596 / | 1597 // | 1598 // | 1599 // | 1600 / | 1601 // | 1602 failure // |success 1603 // | 1604 / | 1605 // | 1606 // | 1607 // | 1608 V V 1609 +-----------+ +-----------+ 1610 | | | | 1611 | | | | 1612 | Failed | | Succeeded | 1613 | | | | 1614 | | | | 1615 +-----------+ +-----------+ 1617 Figure 10: Pair State FSM 1619 The initial states for each pair in a check list are computed by 1620 performing the following sequence of steps: 1622 1. The agent sets all of the pairs in each check list to the Frozen 1623 state. 1625 2. The agent examines the check list for the first media stream (a 1626 media stream is the first media stream when it is described by 1627 the first m-line in the SDP offer and answer). For that media 1628 stream, it: 1630 * Groups together all of the pairs with the same foundation, 1632 * For each group, sets the state of the pair with the lowest 1633 component ID to Waiting. If there is more than one such pair, 1634 the one with the highest priority is used. 1636 One of the check lists will have some number of pairs in the Waiting 1637 state, and the other check lists will have all of their pairs in the 1638 Frozen state. A check list with at least one pair that is Waiting is 1639 called an active check list, and a check list with all pairs frozen 1640 is called a frozen check list. 1642 The check list itself is associated with a state, which captures the 1643 state of ICE checks for that media stream. There are three states: 1645 Running: In this state, ICE checks are still in progress for this 1646 media stream. 1648 Completed: In this state, ICE checks have produced nominated pairs 1649 for each component of the media stream. Consequently, ICE has 1650 succeeded and media can be sent. 1652 Failed: In this state, the ICE checks have not completed 1653 successfully for this media stream. 1655 When a check list is first constructed as the consequence of an 1656 offer/answer exchange, it is placed in the Running state. 1658 ICE processing across all media streams also has a state associated 1659 with it. This state is equal to Running while ICE processing is 1660 underway. The state is Completed when ICE processing is complete and 1661 Failed if it failed without success. Rules for transitioning between 1662 states are described below. 1664 5.8. Scheduling Checks 1666 Checks are generated only by full implementations. Lite 1667 implementations MUST skip the steps described in this section. 1669 An agent performs ordinary checks and triggered checks. The 1670 generation of both checks is governed by a timer which fires 1671 periodically for each media stream. The agent maintains a FIFO 1672 queue, called the triggered check queue, which contains candidate 1673 pairs for which checks are to be sent at the next available 1674 opportunity. When the timer fires, the agent removes the top pair 1675 from triggered check queue, performs a connectivity check on that 1676 pair, and sets the state of the candidate pair to In-Progress. If 1677 there are no pairs in the triggered check queue, an ordinary check is 1678 sent. 1680 Once the agent has computed the check lists as described in 1681 Section 5.7, it sets a timer for each active check list. The timer 1682 fires every Ta*N seconds, where N is the number of active check lists 1683 (initially, there is only one active check list). Implementations 1684 MAY set the timer to fire less frequently than this. Implementations 1685 SHOULD take care to spread out these timers so that they do not fire 1686 at the same time for each media stream. Ta and the retransmit timer 1687 RTO are computed as described in Section 16. Multiplying by N allows 1688 this aggregate check throughput to be split between all active check 1689 lists. The first timer fires immediately, so that the agent performs 1690 a connectivity check the moment the offer/answer exchange has been 1691 done, followed by the next check Ta seconds later (since there is 1692 only one active check list). 1694 When the timer fires, and there is no triggered check to be sent, the 1695 agent MUST choose an ordinary check as follows: 1697 o Find the highest priority pair in that check list that is in the 1698 Waiting state. 1700 o If there is such a pair: 1702 * Send a STUN check from the local candidate of that pair to the 1703 remote candidate of that pair. The procedures for forming the 1704 STUN request for this purpose are described in Section 7.1.1. 1706 * Set the state of the candidate pair to In-Progress. 1708 o If there is no such pair: 1710 * Find the highest priority pair in that check list that is in 1711 the Frozen state. 1713 * If there is such a pair: 1715 + Unfreeze the pair. 1717 + Perform a check for that pair, causing its state to 1718 transition to In-Progress. 1720 * If there is no such pair: 1722 + Terminate the timer for that check list. 1724 To compute the message integrity for the check, the agent uses the 1725 remote username fragment and password learned from the SDP from its 1726 peer. The local username fragment is known directly by the agent for 1727 its own candidate. 1729 6. Receipt of the Initial Answer 1731 This section describes the procedures that an agent follows when it 1732 receives the answer from the peer. It verifies that its peer 1733 supports ICE, determines its role, and for full implementations, 1734 forms the check list and begins performing ordinary checks. 1736 When ICE is used with SIP, forking may result in a single offer 1737 generating a multiplicity of answers. In that each, ICE proceeds 1738 completely in parallel and independently for each answer, treating 1739 the combination of its offer and each answer as an independent offer/ 1740 answer exchange, with its own set of pairs, check lists, states, and 1741 so on. The only case in which processing of one pair impacts another 1742 is freeing of candidates, discussed below in Section 8.3. 1744 6.1. Verifying ICE Support 1746 The logic at the offerer is identical to that of the answerer as 1747 described in Section 5.1, with the exception that an offerer would 1748 not ever generate a=ice-mismatch attributes in an SDP. 1750 In some cases, the answer may omit a=candidate attributes for the 1751 media streams, and instead include an a=ice-mismatch attribute for 1752 one or more of the media streams in the SDP. This signals to the 1753 offerer that the answerer supports ICE, but that ICE processing was 1754 not used for the session because a signaling intermediary modified 1755 the default destination for media components without modifying the 1756 corresponding candidate attributes. See Section 18 for a discussion 1757 of cases where this can happen. This specification provides no 1758 guidance on how an agent should proceed in such a failure case. 1760 6.2. Determining Role 1762 The offerer follows the same procedures described for the answerer in 1763 Section 5.2. 1765 6.3. Forming the Check List 1767 Formation of check lists is performed only by full implementations. 1768 The offerer follows the same procedures described for the answerer in 1769 Section 5.7. 1771 6.4. Performing Ordinary Checks 1773 Ordinary checks are performed only by full implementations. The 1774 offerer follows the same procedures described for the answerer in 1775 Section 5.8. 1777 7. Performing Connectivity Checks 1779 This section describes how connectivity checks are performed. All 1780 ICE implementations are required to be compliant to 1781 [I-D.ietf-behave-rfc3489bis], as opposed to the older [RFC3489]. 1782 However, whereas a full implementation will both generate checks 1783 (acting as a STUN client) and receive them (acting as a STUN server), 1784 a lite implementation will only ever receive checks, and thus will 1785 only act as a STUN server. 1787 7.1. STUN Client Procedures 1789 These procedures define how an agent sends a connectivity check, 1790 whether it is an ordinary or a triggered check. These procedures are 1791 only applicable to full implementations. 1793 7.1.1. Sending the Request 1795 The check is generated by sending a Binding Request from a local 1796 candidate, to a remote candidate. [I-D.ietf-behave-rfc3489bis] 1797 describes how Binding Requests are constructed and generated. A 1798 connectivity check MUST utilize the STUN short term credential 1799 mechanism. Support for backwards compatibility with RFC 3489 MUST 1800 NOT be used or assumed with connectivity checks. The FINGERPRINT 1801 mechanism MUST be used for connectivity checks. 1803 ICE extends STUN by defining several new attributes, including 1804 PRIORITY, USE-CANDIDATE, ICE-CONTROLLED, and ICE-CONTROLLING. These 1805 new attributes are formally defined in Section 19.1, and their usage 1806 is described in the subsections below. These STUN extensions are 1807 applicable only to connectivity checks used for ICE. 1809 7.1.1.1. PRIORITY and USE-CANDIDATE 1811 An agent MUST include the PRIORITY attribute in its Binding Request. 1812 The attribute MUST be set equal to the priority that would be 1813 assigned, based on the algorithm in Section 4.1.2, to a peer 1814 reflexive candidate, should one be learned as a consequence of this 1815 check (see Section 7.1.2.2.1 for how peer reflexive candidates are 1816 learned). This priority value will be computed identically to how 1817 the priority for the local candidate of the pair was computed, except 1818 that the type preference is set to the value for peer reflexive 1819 candidate types. 1821 The controlling agent MAY include the USE-CANDIDATE attribute in the 1822 Binding Request. The controlled agent MUST NOT include it in its 1823 Binding Request. This attribute signals that the controlling agent 1824 wishes to cease checks for this component, and use the candidate pair 1825 resulting from the check for this component. Section 8.1.1 provides 1826 guidance on determining when to include it. 1828 7.1.1.2. ICE-CONTROLLED and ICE-CONTROLLING 1830 The agent MUST include the ICE-CONTROLLED attribute in the request if 1831 it is in the controlled role, and MUST include the ICE-CONTROLLING 1832 attribute in the request if it is in the controlling role. The 1833 content of either attribute MUST be the tie breaker that was 1834 determined in Section 5.2. These attributes are defined fully in 1835 Section 19.1. 1837 7.1.1.3. Forming Credentials 1839 A Binding Request serving as a connectivity check MUST utilize the 1840 STUN short term credential mechanism. The username for the 1841 credential is formed by concatenating the username fragment provided 1842 by the peer with the username fragment of the agent sending the 1843 request, separated by a colon (":"). The password is equal to the 1844 password provided by the peer. For example, consider the case where 1845 agent L is the offerer, and agent R is the answerer. Agent L 1846 included a username fragment of LFRAG for its candidates, and a 1847 password of LPASS. Agent R provided a username fragment of RFRAG and 1848 a password of RPASS. A connectivity check from L to R (and its 1849 response of course) utilize the username RFRAG:LFRAG and a password 1850 of RPASS. A connectivity check from R to L (and its response) 1851 utilize the username LFRAG:RFRAG and a password of LPASS. 1853 7.1.1.4. DiffServ Treatment 1855 If the agent is using Diffserv Codepoint markings [RFC2475] in its 1856 media packets, it SHOULD apply those same markings to its 1857 connectivity checks. 1859 7.1.2. Processing the Response 1861 When a Binding Response is received, it is correlated to its Binding 1862 Request using the transaction ID, as defined in 1863 [I-D.ietf-behave-rfc3489bis], which then ties it to the candidate 1864 pair for which the Binding Request was sent. This section defines 1865 additional procedures for processing Binding Responses, specific to 1866 this usage of STUN. 1868 7.1.2.1. Failure Cases 1870 If the STUN transaction generates a 487 (Role Conflict) error 1871 response, the agent checks whether it had included the ICE-CONTROLLED 1872 or ICE-CONTROLLING attribute in the Binding Request. If the request 1873 had contained the ICE-CONTROLLED attribute, the agent MUST switch to 1874 the controlling role if it has not already done so. If the request 1875 had contained the ICE-CONTROLLING attribute, the agent MUST switch to 1876 the controlled role if it has not already done so. Once it has 1877 switched, the agent MUST enqueue the candidate pair whose check 1878 generated the 487 into the triggered check queue. The state of that 1879 pair is set to Waiting. When the triggered check is sent, it will 1880 contain an ICE-CONTROLLING or ICE-CONTROLLED attribute reflecting its 1881 new role. Note, however, that the tie-breaker value MUST NOT be 1882 reselected. 1884 Agents MAY support receipt of ICMP errors for connectivity checks. 1885 If the STUN transaction generates an ICMP error, the agent sets the 1886 state of the pair to Failed. If the STUN transaction generates a 1887 STUN error response that is unrecoverable (as defined in 1888 [I-D.ietf-behave-rfc3489bis]), or times out, the agent sets the state 1889 of the pair to Failed. 1891 The agent MUST check that the source IP address and port of the 1892 response equals the destination IP address and port that the Binding 1893 Request was sent to, and that the destination IP address and port of 1894 the response match the source IP address and port that the Binding 1895 Request was sent from. In other words, the source and destination 1896 transport addresses in the request and responses are the symmetric. 1897 If they are not symmetric, the agent sets the state of the pair to 1898 Failed. 1900 7.1.2.2. Success Cases 1902 A check is considered to be a success if all of the following are 1903 true: 1905 o the STUN transaction generated a success response 1907 o the source IP address and port of the response equals the 1908 destination IP address and port that the Binding Request was sent 1909 to 1911 o the destination IP address and port of the response match the 1912 source IP address and port that the Binding Request was sent from 1914 7.1.2.2.1. Discovering Peer Reflexive Candidates 1916 The agent checks the mapped address from the STUN response. If the 1917 transport address does not match any of the local candidates that the 1918 agent knows about, the mapped address represents a new candidate - a 1919 peer reflexive candidate. Like other candidates, it has a type, 1920 base, priority and foundation. They are computed as follows: 1922 o Its type is equal to peer reflexive. 1924 o Its base is set equal to the local candidate of the candidate pair 1925 from which the STUN check was sent. 1927 o Its priority is set equal to the value of the PRIORITY attribute 1928 in the Binding Request. 1930 o Its foundation is selected as described in Section 4.1.1. 1932 This peer reflexive candidate is then added to the list of local 1933 candidates for the media stream. Its username fragment and password 1934 are the same as all other local candidates for that media stream. 1935 However, the peer reflexive candidate is not paired with other remote 1936 candidates. This is not necessary; a valid pair will be generated 1937 from it momentarily based on the procedures in Section 7.1.2.2.2. If 1938 an agent wishes to pair the peer reflexive candidate with other 1939 remote candidates besides the one in the valid pair that will be 1940 generated, the agent MAY generate an updated offer which includes the 1941 peer reflexive candidate. This will cause it to be paired with all 1942 other remote candidates. 1944 7.1.2.2.2. Constructing a Valid Pair 1946 The agent constructs a candidate pair whose local candidate equals 1947 the mapped address of the response, and whose remote candidate equals 1948 the destination address to which the request was sent. This is 1949 called a valid pair, since it has been validated by a STUN 1950 connectivity check. The valid pair may equal the pair that generated 1951 the check, may equal a different pair in the check list, or may be a 1952 pair not currently on any check list. If the pair equals the pair 1953 that generated the check or is on a check list currently, it is also 1954 added to the VALID LIST, which is maintained by the agent for each 1955 media stream. This list is empty at the start of ICE processing, and 1956 fills as checks are performed, resulting in valid candidate pairs. 1958 It will be very common that the pair will not be on any check list. 1959 Recall that the check list has pairs whose local candidates are never 1960 server reflexive; those pairs had their local candidates converted to 1961 the base of the server reflexive candidates, and then pruned if they 1962 were redundant. When the response to the STUN check arrives, the 1963 mapped address will be reflexive if there is a NAT between the two. 1964 In that case, the valid pair will have a local candidate that doesn't 1965 match any of the pairs in the check list. 1967 If the pair is not on any check list, the agent computes the priority 1968 for the pair based on the priority of each candidate, using the 1969 algorithm in Section 5.7. The priority of the local candidate 1970 depends on its type. If it is not peer reflexive, it is equal to the 1971 priority signaled for that candidate in the SDP. If it is peer 1972 reflexive, it is equal to the PRIORITY attribute the agent placed in 1973 the Binding Request which just completed. The priority of the remote 1974 candidate is taken from the SDP of the peer. If the candidate does 1975 not appear there, then the check must have been a triggered check to 1976 a new remote candidate. In that case, the priority is taken as the 1977 value of the PRIORITY attribute in the Binding Request which 1978 triggered the check that just completed. The pair is then added to 1979 the VALID LIST. 1981 7.1.2.2.3. Updating Pair States 1983 The agent sets the state of the pair that generated the check to 1984 Succeeded. The success of this check might also cause the state of 1985 other checks to change as well. The agent MUST perform the following 1986 two steps: 1988 1. The agent changes the states for all other Frozen pairs for the 1989 same media stream and same foundation to Waiting. Typically 1990 these other pairs will have different component IDs but not 1991 always. 1993 2. If there is a pair in the valid list for every component of this 1994 media stream (where this is the actual number of components being 1995 used, in cases where the number of components signaled in the SDP 1996 differs from offerer to answerer), the success of this check may 1997 unfreeze checks for other media streams. Note that this step is 1998 followed not just the first time the valid list under 1999 consideration has a pair for every component, but every 2000 subsequent time a check succeeds and adds yet another pair to 2001 that valid list. The agent examines the check list for each 2002 other media stream in turn: 2004 * If the check list is active, the agent changes the state of 2005 all Frozen pairs in that check list whose foundation matches a 2006 pair in the valid list under consideration, to Waiting. 2008 * If the check list is frozen, and there is at least one pair in 2009 the check list whose foundation matches a pair in the valid 2010 list under consideration, the state of all pairs in the check 2011 list whose foundation matches a pair in the valid list under 2012 consideration are set to Waiting. This will cause the check 2013 list to become active, and ordinary checks will begin for it, 2014 as described in Section 5.8. 2016 * If the check list is frozen, and there are no pairs in the 2017 check list whose foundation matches a pair in the valid list 2018 under consideration, the agent 2020 + Groups together all of the pairs with the same foundation, 2022 + For each group, sets the state of the pair with the lowest 2023 component ID to Waiting. If there is more than one such 2024 pair, the one with the highest priority is used. 2026 7.1.2.2.4. Updating the Nominated Flag 2028 If the agent was a controlling agent, and it had included a USE- 2029 CANDIDATE attribute in the Binding Request, the valid pair generated 2030 from that check has its nominated flag set to true. This flag 2031 indicates that this valid pair should be used for media if it is the 2032 highest priority one amongst those whose nominated flag is set. This 2033 may conclude ICE processing for this media stream or all media 2034 streams; see Section 8. 2036 If the agent is the controlled agent, the response may result in the 2037 valid pair having its nominated flag set. See Section 7.2.1.5 for 2038 the procedure. 2040 7.1.2.3. Check List and Timer State Updates 2042 Regardless of whether the check was successful or failed, the 2043 completion of the transaction may require updating of check list and 2044 timer states. 2046 If all of the pairs in the check list are now either in the Failed or 2047 Succeeded state: 2049 o If there is not a pair in the valid list for each component of the 2050 media stream, the state of the check list is set to Failed. 2052 o For each frozen check list, the agent: 2054 * Groups together all of the pairs with the same foundation, 2056 * For each group, sets the state of the pair with the lowest 2057 component ID to Waiting. If there is more than one such pair, 2058 the one with the highest priority is used. 2060 If none of the pairs in the check list are in the Waiting or Frozen 2061 state, the check list is no longer considered active, and will not 2062 count towards the value of N in the computation of timers for 2063 ordinary checks as described in Section 5.8. 2065 7.2. STUN Server Procedures 2067 An agent MUST be prepared to receive a Binding Request on the base of 2068 each candidate it included in its most recent offer or answer. This 2069 requirement holds even if the peer is a lite implementation. 2071 The agent MUST use a short term credential to authenticate the 2072 request and perform a message integrity check. The agent MUST 2073 consider the username to be valid if it consists of two values 2074 separated by a colon, where the first value is equal to the username 2075 fragment generated by the agent in an offer or answer for a session 2076 in-progress. It is possible (and in fact very likely) that an 2077 offerer will receive a Binding Request prior to receiving the answer 2078 from its peer. If this happens, the agent MUST immediately generate 2079 a response (including computation of the mapped address as described 2080 in Section 7.2.1.2. The agent has sufficient information at this 2081 point to generate the response; the password from the peer is not 2082 required. Once the answer is received, it MUST proceed with the 2083 remaining steps required, namely Section 7.2.1.3, Section 7.2.1.4, 2084 and Section 7.2.1.5 for full implementations. In cases where 2085 multiple STUN requests are received before the answer, this may cause 2086 several pairs to be queued up in the triggered check queue. 2088 An agent MUST NOT utilize the ALTERNATE-SERVER mechanism, and MUST 2089 NOT support the backwards compatibility mechanisms to RFC 3489. It 2090 MUST utilize the FINGERPRINT mechanism. 2092 If the agent is using Diffserv Codepoint markings [RFC2475] in its 2093 media packets, it SHOULD apply those same markings to its responses 2094 to Binding Requests. The same would apply to any layer 2 markings 2095 the endpoint might be applying to media packets. 2097 7.2.1. Additional Procedures for Full Implementations 2099 This subsection defines the additional server procedures applicable 2100 to full implementations. 2102 7.2.1.1. Detecting and Repairing Role Conflicts 2104 Normally, the rules for selection of a role in Section 5.2 will 2105 result in each agent selecting a different role - one controlling, 2106 and one controlled. However, in unusual call flows, typically 2107 utilizing third party call control, it is possible for both agents to 2108 select the same role. This section describes procedures for checking 2109 for this case and repairing it. 2111 An agent MUST examine the Binding Request for either the ICE- 2112 CONTROLLING or ICE-CONTROLLED attribute. It MUST follow these 2113 procedures: 2115 o If neither ICE-CONTROLLING or ICE-CONTROLLED are present in the 2116 request, the peer agent may have implemented a previous version of 2117 this specification. There may be a conflict, but it cannot be 2118 detected. 2120 o If the agent is in the controlling role, and the ICE-CONTROLLING 2121 attribute is present in the request: 2123 * If the agent's tie-breaker is larger than or equal to the 2124 contents of the ICE-CONTROLLING attribute, the agent generates 2125 a Binding Error Response and includes an ERROR-CODE attribute 2126 with a value of 487 (Role Conflict) but retains its role. 2128 * If the agent's tie-breaker is less than the contents of the 2129 ICE-CONTROLLING attribute, the agent switches to the controlled 2130 role. 2132 o If the agent is in the controlled role, and the ICE-CONTROLLED 2133 attribute is present in the request: 2135 * If the agent's tie-breaker is larger than or equal to the 2136 contents of the ICE-CONTROLLED attribute, the agent switches to 2137 the controlling role. 2139 * If the agent's tie-breaker is less than the contents of the 2140 ICE-CONTROLLED attribute, the agent generates a Binding Error 2141 Response and includes an ERROR-CODE attribute with a value of 2142 487 (Role Conflict) but retains its role. 2144 o If the agent is in the controlled role and the ICE-CONTROLLING 2145 attribute was present in the request, or the agent was in the 2146 controlling role and the ICE-CONTROLLED attribute was present in 2147 the request, there is no conflict. 2149 A change in roles will require an agent to recompute pair priorities 2150 Section 5.7.2, since those priorities are a function of controlling 2151 and controlled role. The change in role will also impact whether the 2152 agent is responsible for selecting nominated pairs and generated 2153 updated offers upon conclusion of ICE. 2155 The remaining sections in Section 7.2.1 are followed if the server 2156 generated a successful response to the Binding Request, even if the 2157 agent changed roles. 2159 7.2.1.2. Computing Mapped Address 2161 For requests being received on a relayed candidate, the source 2162 transport address used for STUN processing (namely, generation of the 2163 XOR-MAPPED-ADDRESS attribute) is the transport address as seen by the 2164 TURN server. That source transport address will be present in the 2165 REMOTE-ADDRESS attribute of a Data Indication message, if the Binding 2166 Request was delivered through a Data Indication (a TURN server 2167 delivers packets encapsulated in a Data Indication when no active 2168 destination is set). If the Binding Request was not encapsulated in 2169 a Data Indication, that source address is equal to the current active 2170 destination for the TURN session. 2172 7.2.1.3. Learning Peer Reflexive Candidates 2174 If the source transport address of the request does not match any 2175 existing remote candidates, it represents a new peer reflexive remote 2176 candidate. This candidate is constructed as follows: 2178 o The priority of the candidate is set to the PRIORITY attribute 2179 from the request. 2181 o The type of the candidate is set to peer reflexive. 2183 o The foundation of the candidate is set to an arbitrary value, 2184 different from the foundation for all other remote candidates. If 2185 any subsequent offer/answer exchanges contain this peer reflexive 2186 candidate in the SDP, it will signal the actual foundation for the 2187 candidate. 2189 o The component ID of this candidate is set to the component ID for 2190 the local candidate to which the request was sent. 2192 This candidate is added to the list of remote candidates. However, 2193 the agent does not pair this candidate with any local candidates. 2195 7.2.1.4. Triggered Checks 2197 Next, the agent constructs a pair whose local candidate is equal to 2198 the transport address on which the STUN request was received, and a 2199 remote candidate equal to the source transport address where the 2200 request came from (which may be peer-reflexive remote candidate that 2201 was just learned). Since both candidates are known to the agent, it 2202 can obtain their priorities and compute the candidate pair priority. 2203 This pair is then looked up in the check list. There can be one of 2204 several outcomes: 2206 o If the pair is already on the check list: 2208 * If the state of that pair is Waiting or Frozen, a check for 2209 that pair is enqueued into the triggered check queue. 2211 * If the state of that pair is In-Progress, the agent cancels the 2212 in-progress transaction. Cancellation means that the agent 2213 will not retransmit the request, will not treat the lack of 2214 response to be a failure, but will wait the duration of the 2215 transaction timeout for a response. In addition, the agent 2216 MUST create a new connectivity check for that pair 2217 (representing a new STUN Binding Request transaction) by 2218 enqueueing the pair in the triggered check queue. The state of 2219 the pair is then changed to Waiting. 2221 * If the state of the pair is Failed, it is changed to Waiting 2222 and the agent MUST create a new connectivity check for that 2223 pair (representing a new STUN Binding Request transaction), by 2224 enqueueing the pair in the triggered check queue. 2226 * If the state of that pair is Succeeded, nothing further is 2227 done. 2229 o These steps are done to facilitate rapid completion of ICE when 2230 both agents are behind NAT. 2232 o If the pair is not already on the check list: 2234 * The pair is inserted into the check list based on its priority 2236 * Its state is set to Waiting 2238 * The pair is enqueued into the triggered check queue. 2240 When a triggered check is to be sent, it is constructed and processed 2241 as described in Section 7.1.1. These procedures require the agent to 2242 know the transport address, username fragment and password for the 2243 peer. The username fragment for the remote candidate is equal to the 2244 part after the colon of the USERNAME in the Binding Request that was 2245 just received. Using that username fragment, the agent can check the 2246 SDP messages received from its peer (there may be more than one in 2247 cases of forking), and find this username fragment. The 2248 corresponding password is then selected. 2250 7.2.1.5. Updating the Nominated Flag 2252 If the Binding Request received by the agent had the USE-CANDIDATE 2253 attribute set, and the agent is in the controlled role, the agent 2254 looks at the state of the pair computed in Section 7.2.1.4: 2256 o If the state of this pair is Succeeded, it means that the check 2257 generated by this pair produced a successful response. This would 2258 have caused the agent to construct a valid pair when that success 2259 response was received (see Section 7.1.2.2.2). The agent now sets 2260 the nominated flag in the valid pair to true. This may end ICE 2261 processing for this media stream; see Section 8. 2263 o If the state of this pair is In-Progress, if its check produces a 2264 successful result, the resulting valid pair has its nominated flag 2265 set when the response arrives. This may end ICE processing for 2266 this media stream when it arrives; see Section 8. 2268 7.2.2. Additional Procedures for Lite Implementations 2270 If the check that was just received contained a USE-CANDIDATE 2271 attribute, the agent constructs a candidate pair whose local 2272 candidate is equal to the transport address on which the request was 2273 received, and whose remote candidate is equal to the source transport 2274 address of the request that was received. This candidate pair is 2275 assigned an arbitrary priority, and placed into a list of valid 2276 candidates called the valid list. The agent sets the nominated flag 2277 for that pair to true. ICE processing is considered complete for a 2278 media stream if the valid list contains a candidate pair for each 2279 component. 2281 8. Concluding ICE Processing 2283 This section describes how an agent completes ICE. 2285 8.1. Procedures for Full Implementations 2287 Concluding ICE involves nominating pairs by the controlling agent and 2288 updating of state machinery. 2290 8.1.1. Nominating Pairs 2292 The controlling agent nominates pairs to be selected by ICE by using 2293 one of two techniques: regular nomination or aggressive nomination. 2294 If its peer has a lite implementation, an agent MUST use a regular 2295 nomination algorithm. If its peer is using ICE options (present in 2296 an ice-options attribute from the peer) that the agent does not 2297 understand, the agent MUST use a regular nomination algorithm. If 2298 its peer is a full implementation and isn't using any ICE options or 2299 is using ICE options understood by the agent, the agent MAY use 2300 either the aggressive or the regular nomination algorithm. However, 2301 the regular algorithm is RECOMMENDED since it provides greater 2302 stability. 2304 8.1.1.1. Regular Nomination 2306 With regular nomination, the agent lets some number of checks 2307 complete, each of which omit the USE-CANDIDATE attribute. Once one 2308 or more checks complete successfully for a component of a media 2309 stream, valid pairs are generated and added to the valid list. The 2310 agent lets the checks continue until some stopping criteria is met, 2311 and then picks amongst the valid pairs based on an evaluation 2312 criteria. The criteria for stopping the checks and for evaluating 2313 the valid pairs is entirely a matter of local optimization. 2315 When the controlling agent selects the valid pair, it repeats the 2316 check that produced this valid pair (by enqueuing the pair that 2317 generated the check into the triggered check queue), this time with 2318 the USE-CANDIDATE attribute. This check should succeed (since the 2319 previous did), causing the nominated flag of that and only that pair 2320 to be set. Consequently, there will be only a single nominated pair 2321 in the valid list for each component, and when the state of the check 2322 list moves to completed, that exact pair is selected by ICE for 2323 sending and receiving media for that component. 2325 Regular nomination provides the most flexibility, since the agent has 2326 control over the stopping and selection criteria for checks. The 2327 only requirement is that the agent MUST eventually pick one and only 2328 one candidate pair and generate a check for that pair with the USE- 2329 CANDIDATE attribute present. Regular nomination also improves ICE's 2330 resilience to variations in implementation (see Section 14). Regular 2331 nomination is also more stable, allowing both agents to converge on a 2332 single pair for media without any transient selections, which can 2333 happen with the aggressive algorithm. The drawback of regular 2334 nomination is that it is guaranteed to increase latencies because it 2335 requires an additional check to be done. 2337 8.1.1.2. Aggressive Nomination 2339 With aggressive nomination, the controlling agent includes the USE- 2340 CANDIDATE attribute in every check it sends. Once the first check 2341 for a component succeeds, it will be added to the valid list, and 2342 have its nominated flag set. When all components have a nominated 2343 pair in the valid list, it will cause ICE processing to cease for 2344 this check list. However, because the agent included the USE- 2345 CANDIDATE attribute in all of its checks, another check may yet 2346 complete, causing another valid pair to have its nominated flag set. 2347 ICE always selects the highest priority nominated candidate pair from 2348 the valid list as the one used for media. Consequently, the selected 2349 pair may actually change briefly as ICE checks complete, resulting in 2350 a set of transient selections until it stabilizes. 2352 8.1.2. Updating States 2354 For both controlling and controlled agents, the state of ICE 2355 processing depends on the presence of nominated candidate pairs in 2356 the valid list and on the state of the check list. Note that, at any 2357 time, more than one of the following cases can apply: 2359 o If there are no nominated pairs in the valid list for a media 2360 stream and the state of the check list is Running, ICE processing 2361 continues. 2363 o If there is at least one nominated pair in the valid list for a 2364 media stream and the state of the check list is Running: 2366 * The agent MUST remove all Waiting and Frozen pairs in the check 2367 list and triggered check queue for the same component as the 2368 nominated pairs for that media stream 2370 * If an In-Progress pair in the check list is for the same 2371 component as a nominated pair, the agent SHOULD cease 2372 retransmissions for its check if its pair priority is lower 2373 than the lowest priority nominated pair for that component 2375 o Once there is at least one nominated pair in the valid list for 2376 every component of at least one media stream and the state of the 2377 check list is Running: 2379 * The agent MUST change the state of processing for its check 2380 list for that media stream to Completed. 2382 * The agent MUST continue to respond to any checks it may still 2383 receive for that media stream, and MUST perform triggered 2384 checks if required by the processing of Section 7.2. 2386 * The agent MAY begin transmitting media for this media stream as 2387 described in Section 11.1 2389 o Once the state of each check list is Completed: 2391 * The agent sets the state of ICE processing overall to 2392 Completed. 2394 * If an agent is controlling, it examines the highest priority 2395 nominated candidate pair for each component of each media 2396 stream. If any of those candidate pairs differ from the 2397 default candidate pairs in the most recent offer/answer 2398 exchange, the controlling agent MUST generate an updated offer 2399 as described in Section 9. If the controlling agent is using 2400 an aggressive nomination algorithm, this may result in several 2401 updated offers as the pairs selected for media change. An 2402 agent MAY delay sending the offer for a brief interval (one 2403 second is RECOMMENDED) in order to allow the selected pairs to 2404 stabilize. 2406 o If the state of the check list is Failed, ICE has not been able to 2407 complete for this media stream. The correct behavior depends on 2408 the state of the check lists for other media streams: 2410 * If all check lists are Failed, ICE processing overall is 2411 considered to be in the Failed state, and the agent SHOULD 2412 consider the session a failure, SHOULD NOT restart ICE, and the 2413 controlling agent SHOULD terminate the entire session. 2415 * If at least one of the check lists for other media streams is 2416 Completed, the controlling agent SHOULD remove the failed media 2417 stream from the session in its updated offer. 2419 * If none of the check lists for other media streams are 2420 Completed, but at least one is Running, the agent SHOULD let 2421 ICE continue. 2423 8.2. Procedures for Lite Implementations 2425 Concluding ICE for a lite implementation is relatively 2426 straightforward. There are two cases to consider: 2428 The implementation is lite, and its peer is full. 2430 The implementation is lite, and its peer is lite. 2432 The effect of ICE concluding is that the agent can free any allocated 2433 host candidates that were not utilized by ICE, as described in 2434 Section 8.3. 2436 8.2.1. Peer is Full 2438 In this case, the agent will receive connectivity checks from its 2439 peer. When an agent has received a connectivity check that includes 2440 the USE-CANDIDATE attribute for each component of a media stream, the 2441 state of ICE processing for that media stream moves from Running to 2442 Completed. When the state of ICE processing for all media streams is 2443 Completed, the state of ICE processing overall is Completed. 2445 The lite implementation will never itself determine that ICE 2446 processing has failed for a media stream; rather, the full peer will 2447 make that determination and then remove or restart the failed media 2448 stream in a subsequent offer. 2450 8.2.2. Peer is Lite 2452 Once the offer/answer exchange has completed, both agents examine 2453 their candidates and those of its peer. For each media stream, each 2454 agent pairs up its own candidates with the candidates of its peer for 2455 that media stream. Two candidates are paired up when they are for 2456 the same component, utilize the same transport protocol (UDP in this 2457 specification), and are from the same IP address family (IPv4 or 2458 IPv6). 2460 o If there is a single pair per component, that pair is added to the 2461 Valid list. If all of the components for a media stream had one 2462 pair, the state of ICE processing for that media stream is set to 2463 Completed. If all media streams are Completed, the state of ICE 2464 processing is set to Completed overall. This will always be the 2465 case for implementations that are IPv4 only. 2467 o If there is more than one pair per component: 2469 * The agent MUST select a pair based on local policy. Since this 2470 case only arises for IPv6, it is RECOMMENDED that an agent 2471 follow the procedures of RFC 3484 [RFC3484] to select a single 2472 pair. 2474 * The agent adds the selected pair for each component to the 2475 valid list. As described in Section 11.1, this will permit 2476 media to begin flowing. However, it is possible (and in fact 2477 likely) that both agents have chosen different pairs. 2479 * To reconcile this, the controlling agent MUST send an updated 2480 offer as described in Section 9.1.3, which will include the 2481 remote-candidates attribute. 2483 * The agent MUST NOT update the state of ICE processing when the 2484 offer is sent. If this subsequent offer completes, the 2485 controlling agent MUST change the state of ICE processing to 2486 Completed for all media streams, and the state of ICE 2487 processing overall to Completed. The states for the controlled 2488 agent are set based on the logic in Section 9.2.3. 2490 8.3. Freeing Candidates 2492 8.3.1. Full Implementation Procedures 2494 The procedures in Section 8 require that an agent continue to listen 2495 for STUN requests and continue to generate triggered checks for a 2496 media stream, even once processing for that stream completes. The 2497 rules in this section describe when it is safe for an agent to cease 2498 sending or receiving checks on a candidate that was not selected by 2499 ICE, and then free the candidate. 2501 When ICE is used with SIP, and an offer is forked to multiple 2502 recipients, ICE proceeds in parallel and independently with each 2503 answerer, all using the same local candidates. Once ICE processing 2504 has reached the Completed state for all peers for media streams using 2505 those candidates, the agent SHOULD wait an additional three seconds, 2506 and then it MAY cease responding to checks or generating triggered 2507 checks on that candidate. It MAY free the candidate at that time. 2508 Freeing of server reflexive candidates is never explicit; it happens 2509 by lack of a keepalive. The three second delay handles cases when 2510 aggressive nomination is used, and the selected pairs can quickly 2511 change after ICE has completed. 2513 8.3.2. Lite Implementations 2515 A lite implementation MAY free candidates not selected by ICE as soon 2516 as ICE processing has reached the completed state for all peers for 2517 all media streams using those candidates. 2519 9. Subsequent Offer/Answer Exchanges 2521 Either agent MAY generate a subsequent offer at any time allowed by 2522 RFC 3264 [RFC3264]. The rules in Section 8 will cause the 2523 controlling agent to send an updated offer at the conclusion of ICE 2524 processing when ICE has selected different candidate pairs from the 2525 default pairs. This section defines rules for construction of 2526 subsequent offers and answers. 2528 Should a subsequent offer be rejected, ICE processing continues as if 2529 the subsequent offer had never been made. 2531 9.1. Generating the Offer 2533 9.1.1. Procedures for All Implementations 2535 9.1.1.1. ICE Restarts 2537 An agent MAY restart ICE processing for an existing media stream. An 2538 ICE restart, as the name implies, will cause all previous state of 2539 ICE processing to be flushed and checks to start anew. The only 2540 difference between an ICE restart and a brand new media session is 2541 that, during the restart, media can continue to be sent to the 2542 previously validated pair. 2544 An agent MUST restart ICE for a media stream if: 2546 o The offer is being generated for the purposes of changing the 2547 target of the media stream. In other words, if an agent wants to 2548 generated an updated offer which, had ICE not been in use, would 2549 result in a new value for the destination of a media component. 2551 o An agent is changing its implementation level. This typically 2552 only happens in third party call control use cases, where the 2553 entity performing the signaling is not the entity receiving the 2554 media, and it has changed the target of media mid-session to 2555 another entity that has a different ICE implementation. 2557 These rules imply that setting the IP address in the c line to 2558 0.0.0.0 will cause an ICE restart. Consequently, ICE implementations 2559 MUST NOT utilize this mechanism for call hold, and instead MUST use 2560 a=inactive and a=sendonly as described in [RFC3264] 2562 To restart ICE, an agent MUST change both the ice-pwd and the ice- 2563 ufrag for the media stream in an offer. Note that it is permissible 2564 to use a session-level attribute in one offer, but to provide the 2565 same ice-pwd or ice-ufrag as a media-level attribute in a subsequent 2566 offer. This is not a change in password, just a change in its 2567 representation, and does not cause an ICE restart. 2569 An agent sets the rest of the fields in the SDP for this media stream 2570 as it would in an initial offer of this media stream (see 2571 Section 4.3). Consequently, the set of candidates MAY include some, 2572 none, or all of the previous candidates for that stream and MAY 2573 include a totally new set of candidates gathered as described in 2574 Section 4.1.1. 2576 9.1.1.2. Removing a Media Stream 2578 If an agent removes a media stream by setting its port to zero, it 2579 MUST NOT include any candidate attributes for that media stream and 2580 SHOULD NOT include any other ICE-related attributes defined in 2581 Section 15 for that media stream. 2583 9.1.1.3. Adding a Media Stream 2585 If an agent wishes to add a new media stream, it sets the fields in 2586 the SDP for this media stream as if this was an initial offer for 2587 that media stream (see Section 4.3). This will cause ICE processing 2588 to begin for this media stream. 2590 9.1.2. Procedures for Full Implementations 2592 This section describes additional procedures for full 2593 implementations, covering existing media streams. 2595 The username fragments, password, and implementation level MUST 2596 remain the same as used previously. If an agent needs to change one 2597 of these it MUST restart ICE for that media stream. 2599 Additional behavior depends on the state ICE processing for that 2600 media stream. 2602 9.1.2.1. Existing Media Streams with ICE Running 2604 If an agent generates an updated offer including media stream that 2605 was previously established, and for which ICE checks are in the 2606 Running state, the agent follows the procedures defined here. 2608 An agent MUST include candidate attributes for all local candidates 2609 it had signaled previously for that media stream. The properties of 2610 that candidate as signaled in SDP - the priority, foundation, type 2611 and related transport address SHOULD remain the same. The IP 2612 address, port and transport protocol, which fundamentally identify 2613 that candidate, MUST remain the same (if they change, it would be a 2614 new candidate). The component ID MUST remain the same. The agent 2615 MAY include additional candidates it did not offer previously, but 2616 which it has gathered since the last offer/answer exchange, including 2617 peer reflexive candidates. 2619 The agent MAY change the default destination for media. As with 2620 initial offers, there MUST be a set of candidate attributes in the 2621 offer matching this default destination. 2623 9.1.2.2. Existing Media Streams with ICE Completed 2625 If an agent generates an updated offer including media stream that 2626 was previously established, and for which ICE checks are in the 2627 Completed state, the agent follows the procedures defined here. 2629 The default destination for media (i.e., the values of the IP 2630 addresses and ports in the m and c line used for that media stream) 2631 MUST be the local candidate from the highest priority nominated pair 2632 in the valid list for each component. This "fixes" the default 2633 destination for media to equal the destination ICE has selected for 2634 media. 2636 The agent MUST include a candidate attributes for candidates matching 2637 the default destination for each component of the media stream, and 2638 MUST NOT include any other candidates. 2640 In addition, if the agent is controlling, it MUST include the 2641 a=remote-candidates attribute for each media stream whose check list 2642 is in the Completed state. The attribute contains the remote 2643 candidates from the highest priority nominated pair in the valid list 2644 for each component of that media stream. It is needed to avoid a 2645 race condition whereby the controlling agent chooses its pairs, but 2646 the updated offer beats the connectivity checks to the controlled 2647 agent, which doesn't even know these pairs are valid, let alone 2648 selected. See Appendix B.6 for elaboration on this race condition. 2650 9.1.3. Procedures for Lite Implementations 2652 9.1.3.1. Existing Media Streams with ICE Running 2654 This section describes procedures for lite implementations for 2655 existing streams for which ICE is running. 2657 A lite implementation MUST include all of its candidates for each 2658 component of each media stream in an a=candidate attribute in any 2659 subsequent offer. These candidates are formed identically to the 2660 procedures for initial offers, as described in Section 4.2. 2662 A lite implementation MUST NOT add additional host candidates in a 2663 subsequent offer. If an agent needs to offer additional candidates, 2664 it MUST restart ICE. 2666 The username fragments, password, and implementation level MUST 2667 remain the same as used previously. If an agent needs to change one 2668 of these it MUST restart ICE for that media stream. 2670 9.1.3.2. Existing Media Streams with ICE Completed 2672 If ICE has completed for a media stream, the default destination for 2673 that media stream MUST be set to the remote candidate of the 2674 candidate pair for that component in the valid list. For a lite 2675 implementation, there is always just a single candidate pair in the 2676 valid list for each component of a media stream. Additionally, the 2677 agent MUST include a candidate attribute for each default 2678 destination. 2680 Additionally, if the agent is controlling (which only happens when 2681 both agents are lite), the agent MUST include the a=remote-candidates 2682 attribute for each media stream. The attribute contains the remote 2683 candidates from the candidate pairs in the valid list (one pair for 2684 each component of each media stream). 2686 9.2. Receiving the Offer and Generating an Answer 2688 9.2.1. Procedures for All Implementations 2690 When receiving a subsequent offer within an existing session, an 2691 agent MUST re-apply the verification procedures in Section 5.1 2692 without regard to the results of verification from any previous 2693 offer/answer exchanges. Indeed, it is possible that a previous 2694 offer/answer exchange resulted in ICE not being used, but it is used 2695 as a consequence of a subsequent exchange. 2697 9.2.1.1. Detecting ICE Restart 2699 If the offer contained a change in the a=ice-ufrag or a=ice-pwd 2700 attributes compared to the previous SDP from the peer, it indicates 2701 that ICE is restarting for this media stream. If all media streams 2702 are restarting, than ICE is restarting overall. 2704 If ICE is restarting for a media stream: 2706 o The agent MUST change the a=ice-ufrag and a=ice-pwd attributes in 2707 the answer. 2709 o The agent MAY change its implementation level in the answer. 2711 An agent sets the rest of the fields in the SDP for this media stream 2712 as it would in an initial answer to this media stream (see 2713 Section 4.3). Consequently, the set of candidates MAY include some, 2714 none, or all of the previous candidates for that stream and MAY 2715 include a totally new set of candidates gathered as described in 2716 Section 4.1.1. 2718 9.2.1.2. New Media Stream 2720 If the offer contains a new media stream, the agent sets the fields 2721 in the answer as if it had received an initial offer containing that 2722 media stream (see Section 4.3). This will cause ICE processing to 2723 begin for this media stream. 2725 9.2.1.3. Removed Media Stream 2727 If an offer contains a media stream whose port is zero, the agent 2728 MUST NOT include any candidate attributes for that media stream in 2729 its answer and SHOULD NOT include any other ICE-related attributes 2730 defined in Section 15 for that media stream. 2732 9.2.2. Procedures for Full Implementations 2734 Unless the agent has detected an ICE restart from the offer, the 2735 username fragments, password, and implementation level MUST remain 2736 the same as used previously. If an agent needs to change one of 2737 these it MUST restart ICE for that media stream by generating an 2738 offer; ICE cannot be restarted in an answer. 2740 Additional behaviors depend on the state of ICE processing for that 2741 media stream. 2743 9.2.2.1. Existing Media Streams with ICE Running and no remote- 2744 candidates 2746 If ICE is running for a media stream, and the offer for that media 2747 stream lacked the remote-candidates attribute, the rules for 2748 construction of the answer are identical to those for the offerer as 2749 described in Section 9.1.2.1. 2751 9.2.2.2. Existing Media Streams with ICE Completed and no remote- 2752 candidates 2754 If ICE is Completed for a media stream, and the offer for that media 2755 stream lacked the remote-candidates attribute, the rules for 2756 construction of the answer are identical to those for the offerer as 2757 described in Section 9.1.2.2, except that the answerer MUST NOT 2758 include the a=remote-candidates attribute in the answer. 2760 9.2.2.3. Existing Media Streams and remote-candidates 2762 A controlled agent will receive an offer with the a=remote-candidates 2763 attribute for a media stream when its peer has concluded ICE 2764 processing for that media stream. This attribute is present in the 2765 offer to deal with a race condition between the receipt of the offer, 2766 and the receipt of the Binding Response which tells the answerer the 2767 candidate which will be selected by ICE. See Appendix B.6 for an 2768 explanation of this race condition. Consequently, processing of an 2769 offer with this attribute depends on the winner of the race. 2771 The agent forms a candidate pair for each component of the media 2772 stream by: 2774 o Setting the remote candidate equal to the offerers default 2775 destination for that component (e.g., the contents of the m and 2776 c-lines for RTP, and the a=rtcp attribute for RTCP) 2778 o Setting the local candidate equal to the transport address for 2779 that same component in the a=remote-candidates attribute in the 2780 offer. 2782 The agent then sees if each of these candidate pairs are present in 2783 the valid list. If a particular pair is not in the valid list, the 2784 check has "lost" the race. Call such a pair a "losing pair". 2786 The agent finds all the pairs in the check list whose remote 2787 candidates equal the remote candidate in the losing pair: 2789 o If none of the pairs are In-Progress, and at least one is Failed, 2790 it is most likely that a network failure, such as a network 2791 partition or serious packet loss, has occurred. The agent SHOULD 2792 generate an answer for this media stream as if the remote- 2793 candidates attribute had not been present, and then restart ICE 2794 for this stream. 2796 o If at least one of the pairs are In-Progress, the agent SHOULD 2797 wait for those checks to complete, and as each completes, redo the 2798 processing in this section until there are no losing pairs. 2800 Once there are no losing pairs, the agent can generate the answer. 2801 It MUST set the default destination for media to the candidates in 2802 the remote-candidates attribute from the offer (each of which will 2803 now be the local candidate of a candidate pair in the valid list). 2804 It MUST include a candidate attribute in the answer for each 2805 candidate in the remote-candidates attribute in the offer. 2807 9.2.3. Procedures for Lite Implementations 2809 If the received offer contains the remote-candidates attribute for a 2810 media stream, the agent forms a candidate pair for each component of 2811 the media stream by: 2813 o Setting the remote candidate equal to the offerers default 2814 destination for that component (e.g., the contents of the m and 2815 c-lines for RTP, and the a=rtcp attribute for RTCP) 2817 o Setting the local candidate equal to the transport address for 2818 that same component in the a=remote-candidates attribute in the 2819 offer. 2821 It then places those candidates into the Valid list for the media 2822 stream. The state of ICE processing for that media stream is set to 2823 Completed. 2825 Furthermore, if the agent believed it was controlling, but the offer 2826 contained the remote-candidates attribute, both agents believe they 2827 are controlling. In this case, both would have sent updated offers 2828 around the same time. However, the signaling protocol carrying the 2829 offer/answer exchanges will have resolved this glare condition, so 2830 that one agent is always the 'winner' by having its offer received 2831 before its peer has sent an offer. The winner takes the role of 2832 controlled, so that the loser (the answerer under consideration in 2833 this section MUST change its role to controlled. Consequently, if 2834 the agent was going to send an updated offer since, based on the 2835 rules in Section 8.2.2, it was controlling, it no longer needs to. 2837 Besides the potential role change, change in the Valid list, and 2838 state changes, the construction of the answer is performed 2839 identically to the construction of an offer as described in 2840 Section 9.1.3. 2842 9.3. Updating the Check and Valid Lists 2844 9.3.1. Procedures for Full Implementations 2846 9.3.1.1. ICE Restarts 2848 The agent MUST remember the highest priority nominated pairs in the 2849 Valid list for each component of the media stream, called the 2850 previous selected pairs, prior to the restart. The agent will 2851 continue to send media using these pairs, as described in 2852 Section 11.1. Once these destinations are noted, the agent MUST 2853 flush the valid and check lists, and then recompute the check list 2854 and its states as described in Section 5.7. 2856 9.3.1.2. New Media Stream 2858 If the offer/answer exchange added a new media stream, the agent MUST 2859 create a new check list for it (and an empty Valid list to start of 2860 course), as described in Section 5.7. 2862 9.3.1.3. Removed Media Stream 2864 If the offer/answer exchange removed a media stream, or an answer 2865 rejected an offered media stream, an agent MUST flush the Valid list 2866 for that media stream. It MUST terminate any STUN transactions in 2867 progress for that media stream. An agent MUST remove the check list 2868 for that media stream and cancel any pending ordinary checks for it. 2870 9.3.1.4. ICE Continuing for Existing Media Stream 2872 The valid list is not affected by an updated offer/answer exchange 2873 unless ICE is restarting. 2875 If an agent is in the Running state for that media stream, the check 2876 list is updated (the check list is irrelevant if the state is 2877 completed). To do that, the agent recomputes the check list using 2878 the procedures described in Section 5.7. If a pair on the new check 2879 list was also on the previous check list, and its state was Waiting, 2880 In-Progress, Succeeded or Failed, its state is copied over. 2881 Otherwise, its state is set to Frozen. 2883 If none of the check lists are active (meaning that the pairs in each 2884 check list are Frozen), the full-mode agent sets the first pair in 2885 the check list for the first media stream to Waiting, and then sets 2886 the state of all other pairs in that check list for the same 2887 component ID and with the same foundation to Waiting as well. 2889 Next, the agent goes through each check list, starting with the 2890 highest priority pair. If a pair has a state of Succeeded, and it 2891 has a component ID of 1, then all Frozen pairs in the same check list 2892 with the same foundation whose component IDs are not 1, have their 2893 state set to Waiting. If, for a particular check list, there are 2894 pairs for each component of that media stream in the Succeeded state, 2895 the agent moves the state of all Frozen pairs for the first component 2896 of all other media streams (and thus in different check lists) with 2897 the same foundation to Waiting. 2899 9.3.2. Procedures for Lite Implementations 2901 If ICE is restarting for a media stream, the agent MUST start a new 2902 Valid list for that media stream. It MUST remember the pairs in the 2903 previous Valid list for each component of the media stream, called 2904 the previous selected pairs, and continue to send media there as 2905 described in Section 11.1. The state of ICE processing for each 2906 media stream MUST change to Running, and the state of ICE processing 2907 MUST change to running. 2909 10. Keepalives 2911 All endpoints MUST send keepalives for each media session. These 2912 keepalives serve the purpose of keeping NAT bindings alive for the 2913 media session. These keepalives MUST be sent regardless of whether 2914 the media stream is currently inactive, sendonly, recvonly or 2915 sendrecv, and regardless of the presence or value of the bandwidth 2916 attribute. These keepalives MUST be sent even if ICE is not being 2917 utilized for the session at all. The keepalive SHOULD be sent using 2918 a format which is supported by its peer. ICE endpoints allow for 2919 STUN-based keepalives for UDP streams, and as such, STUN keepalives 2920 MUST be used when an agent is a full ICE implementation and is 2921 communicating with a peer that supports ICE (lite or full). An agent 2922 can determine that its peer supports ICE by the presence of 2923 a=candidate attributes for each media session. If the peer does not 2924 support ICE, the choice of a packet format for keepalives is a matter 2925 of local implementation. A format which allows packets to easily be 2926 sent in the absence of actual media content is RECOMMENDED. Examples 2927 of formats which readily meet this goal are RTP No-Op 2928 [I-D.ietf-avt-rtp-no-op], and in cases where both sides support it, 2929 RTP comfort noise [RFC3389]. If the peer doesn't support any formats 2930 that are particularly well suited for keepalives, an agent SHOULD 2931 send RTP packets with an incorrect version number, or some other form 2932 of error which would cause them to be discarded by the peer. 2934 If there has been no packet sent on the candidate pair ICE is using 2935 for a media component for Tr seconds (where packets include those 2936 defined for the component (RTP or RTCP) and previous keepalives), an 2937 agent MUST generate a keepalive on that pair. Tr SHOULD be 2938 configurable and SHOULD have a default of 15 seconds. Tr MUST NOT be 2939 configured to less than 15 seconds. Alternatively, if an agent has a 2940 dynamic way to discover the binding lifetimes of the intervening 2941 NATs, it can use that value to determine Tr. Administrators 2942 deploying ICE in more controlled networking environments SHOULD set 2943 Tr to the longest duration possible in their environment. 2945 If STUN is being used for keepalives, a STUN Binding Indication is 2946 used [I-D.ietf-behave-rfc3489bis]. The Indication MUST NOT utilize 2947 any authentication mechanism, and SHOULD NOT contain any attributes. 2948 It is used solely to keep the NAT bindings alive. The Binding 2949 Indication is sent using the same local and remote candidates that 2950 are being used for media. Though Binding Indications are used for 2951 keepalives, an agent MUST be prepared to receive a connectivity check 2952 as well. If a connectivity check is received, a response is 2953 generated as discussed in [I-D.ietf-behave-rfc3489bis], but there is 2954 no impact on ICE processing otherwise. 2956 An agent MUST begin the keepalive processing once ICE has selected 2957 candidates for usage with media, or media begins to flow, whichever 2958 happens first. Keepalives end once the session terminates or the 2959 media stream is removed. 2961 11. Media Handling 2963 11.1. Sending Media 2965 Procedures for sending media differ for full and lite 2966 implementations. 2968 11.1.1. Procedures for Full Implementations 2970 Agents always send media using a candidate pair, called the selected 2971 candidate pair. An agent will send media to the remote candidate in 2972 the selected pair (setting the destination address and port of the 2973 packet equal to that remote candidate), and will send it from the 2974 local candidate of the selected pair. When the local candidate is 2975 server or peer reflexive, media is originated from the base. Media 2976 sent from a relayed candidate is sent from the base through that TURN 2977 server, using procedures defined in [I-D.ietf-behave-turn]. 2979 The selected pair for a component of a media stream is: 2981 o empty if the state of the check list for that media stream is 2982 Running, and there is no previous selected pair for that component 2983 due to an ICE restart 2985 o equal to the previous selected pair for a component of a media 2986 stream if the state of the check list for that media stream is 2987 Running, and there was a previous selected pair for that component 2988 due to an ICE restart 2990 o equal to the highest priority nominated pair for that component in 2991 the valid list if the state of the check list is Completed 2993 If the selected pair for at least one component of a media stream is 2994 empty, an agent MUST NOT send media for any component of that media 2995 stream. If the selected pair for each component of a media stream 2996 has a value, an agent MAY send media for all components of that media 2997 stream. 2999 Note that the selected pair for a component of a media stream may not 3000 equal the default pair for that same component from the most recent 3001 offer/answer exchange. When this happens, the selected pair is used 3002 for media, not the default pair. When ICE first completes, if the 3003 selected pairs aren't a match for the default pairs, the controlling 3004 agent sends an updated offer/answer exchange to remedy this 3005 disparity. However, until that updated offer arrives, there will not 3006 be a match. Furthermore, in very unusual cases, the default 3007 candidates in the updated offer/answer will not be a match. 3009 11.1.2. Procedures for Lite Implementations 3011 A lite implementation MUST NOT send media until it has a Valid list 3012 that contains a candidate pair for each component of that media 3013 stream. Once that happens, the agent MAY begin sending media 3014 packets. To do that, it sends media to the remote candidate in the 3015 pair (setting the destination address and port of the packet equal to 3016 that remote candidate), and will send it from the local candidate. 3018 11.1.3. Procedures for All Implementations 3020 ICE has interactions with jitter buffer adaptation mechanisms. An 3021 RTP stream can begin using one candidate, and switch to another one, 3022 though this happens rarely with ICE. The newer candidate may result 3023 in RTP packets taking a different path through the network - one with 3024 different delay characteristics. As discussed below, agents are 3025 encouraged to re-adjust jitter buffers when there are changes in 3026 source or destination address of media packets. Furthermore, many 3027 audio codecs use the marker bit to signal the beginning of a 3028 talkspurt, for the purposes of jitter buffer adaptation. For such 3029 codecs, it is RECOMMENDED that the sender set the marker bit 3030 [RFC3550] when an agent switches transmission of media from one 3031 candidate pair to another. 3033 11.2. Receiving Media 3035 ICE implementations MUST be prepared to receive media on each 3036 component on any candidates provided for that component in the most 3037 recent offer/answer exchange (in the case of RTP, this would include 3038 both RTP and RTCP if candidates were provided for both). 3040 It is RECOMMENDED that, when an agent receives an RTP packet with a 3041 new source or destination IP address for a particular media stream, 3042 that the agent re-adjust its jitter buffers. 3044 RFC 3550 [RFC3550] describes an algorithm in Section 8.2 for 3045 detecting SSRC collisions and loops. These algorithms are based, in 3046 part, on seeing different source transport addresses with the same 3047 SSRC. However, when ICE is used, such changes will sometimes occur 3048 as the media streams switch between candidates. An agent will be 3049 able to determine that a media stream is from the same peer as a 3050 consequence of the STUN exchange that proceeds media transmission. 3051 Thus, if there is a change in source transport address, but the media 3052 packets come from the same peer agent, this SHOULD NOT be treated as 3053 an SSRC collision. 3055 12. Usage with SIP 3057 12.1. Latency Guidelines 3059 ICE requires a series of STUN-based connectivity checks to take place 3060 between endpoints. These checks start from the answerer on 3061 generation of its answer, and start from the offerer when it receives 3062 the answer. These checks can take time to complete, and as such, the 3063 selection of messages to use with offers and answers can effect 3064 perceived user latency. Two latency figures are of particular 3065 interest. These are the post-pickup delay and the post-dial delay. 3066 The post-pickup delay refers to the time between when a user "answers 3067 the phone" and when any speech they utter can be delivered to the 3068 caller. The post-dial delay refers to the time between when a user 3069 enters the destination address for the user, and ringback begins as a 3070 consequence of having successfully started ringing the phone of the 3071 called party. 3073 Two cases can be considered - one where the offer is present in the 3074 initial INVITE, and one where it is in a response. 3076 12.1.1. Offer in INVITE 3078 To reduce post-dial delays, it is RECOMMENDED that the caller begin 3079 gathering candidates prior to actually sending its initial INVITE. 3080 This can be started upon user interface cues that a call is pending, 3081 such as activity on a keypad or the phone going offhook. 3083 If an offer is received in an INVITE request, the answerer SHOULD 3084 begin to gather its candidates on receipt of the offer and then 3085 generate an answer in a provisional response once it has completed 3086 that process. ICE requires that a provisional response with an SDP 3087 be transmitted reliably. This can be done through the existing PRACK 3088 mechanism [RFC3262], or through an optimization that is specific to 3089 ICE. With this optimization, provisional responses containing an SDP 3090 answer that begins ICE processing for one or more media streams can 3091 be sent reliably without RFC 3262. To do this, the agent retransmits 3092 the provisional response with the exponential backoff timers 3093 described in RFC 3262. Retransmits MUST cease on receipt of a STUN 3094 Binding Request for one of the media streams signaled in that SDP 3095 (because receipt of a binding request indicates the offerer has 3096 received the answer) or on transmission of the answer in a 2xx 3097 response. If the peer agent is lite, there will never be a STUN 3098 Binding Request. In such a case, the agent MUST cease retransmitting 3099 the 18x after sending it four times (ICE will actually work even if 3100 the peer never receives the 18x; however, experience has shown that 3101 sending it is important for middleboxes and firewall traversal). If 3102 no Binding Request is received prior to the last retransmit, the 3103 agent does not consider the session terminated. Despite the fact 3104 that the provisional response will be delivered reliably, the rules 3105 for when an agent can send an updated offer or answer do not change 3106 from those specified in RFC 3262. Specifically, if the INVITE 3107 contained an offer, the same answer appears in all of the 1xx and in 3108 the 2xx response to the INVITE. Only after that 2xx has been sent 3109 can an updated offer/answer exchange occur. This optimization SHOULD 3110 NOT be used if both agents support PRACK. Note that the optimization 3111 is very specific to provisional response carrying answers that start 3112 ICE processing; it is not a general technique for 1xx reliability. 3114 Alternatively, an agent MAY delay sending an answer until the 200 OK, 3115 however this results in a poor user experience and is NOT 3116 RECOMMENDED. 3118 Once the answer has been sent, the agent SHOULD begin its 3119 connectivity checks. Once candidate pairs for each component of a 3120 media stream enter the valid list, the answerer can begin sending 3121 media on that media stream. 3123 However, prior to this point, any media that needs to be sent towards 3124 the caller (such as SIP early media [RFC3960] MUST NOT be 3125 transmitted. For this reason, implementations SHOULD delay alerting 3126 the called party until candidates for each component of each media 3127 stream have entered the valid list. In the case of a PSTN gateway, 3128 this would mean that the setup message into the PSTN is delayed until 3129 this point. Doing this increases the post-dial delay, but has the 3130 effect of eliminating 'ghost rings'. Ghost rings are cases where the 3131 called party hears the phone ring, picks up, but hears nothing and 3132 cannot be heard. This technique works without requiring support for, 3133 or usage of, preconditions [RFC3312], since its a localized decision. 3134 It also has the benefit of guaranteeing that not a single packet of 3135 media will get clipped, so that post-pickup delay is zero. If an 3136 agent chooses to delay local alerting in this way, it SHOULD generate 3137 a 180 response once alerting begins. 3139 12.1.2. Offer in Response 3141 In addition to uses where the offer is in an INVITE, and the answer 3142 is in the provisional and/or 200 OK response, ICE works with cases 3143 where the offer appears in the response. In such cases, which are 3144 common in third party call control [RFC3725], ICE agents SHOULD 3145 generate their offers in a reliable provisional response (which MUST 3146 utilize RFC 3262), and not alert the user on receipt of the INVITE. 3148 The answer will arrive in a PRACK. This allows for ICE processing to 3149 take place prior to alerting, so that there is no post-pickup delay, 3150 at the expense of increased call setup delays. Once ICE completes, 3151 the callee can alert the user and then generate a 200 OK when they 3152 answer. The 200 OK would contain no SDP, since the offer/answer 3153 exchange has completed. 3155 Alternatively, agents MAY place the offer in a 2xx instead (in which 3156 case the answer comes in the ACK). When this happens, the callee 3157 will alert the user on receipt of the INVITE, and the ICE exchanges 3158 will take place only after the user answers. This has the effect of 3159 reducing call setup delay, but can cause substantial post-pickup 3160 delays and media clipping. 3162 12.2. SIP Option Tags and Media Feature Tags 3164 [I-D.ietf-sip-ice-option-tag] specifies a SIP option tag and media 3165 feature tag for usage with ICE. ICE implementations using SIP SHOULD 3166 support this specification, which uses a feature tag in registrations 3167 to facilitate interoperability through signaling intermediaries 3169 12.3. Interactions with Forking 3171 ICE interacts very well with forking. Indeed, ICE fixes some of the 3172 problems associated with forking. Without ICE, when a call forks and 3173 the caller receives multiple incoming media streams, it cannot 3174 determine which media stream corresponds to which callee. 3176 With ICE, this problem is resolved. The connectivity checks which 3177 occur prior to transmission of media carry username fragments, which 3178 in turn are correlated to a specific callee. Subsequent media 3179 packets which arrive on the same candidate pair as the connectivity 3180 check will be associated with that same callee. Thus, the caller can 3181 perform this correlation as long as it has received an answer. 3183 12.4. Interactions with Preconditions 3185 Quality of Service (QoS) preconditions, which are defined in RFC 3312 3186 [RFC3312] and RFC 4032 [RFC4032], apply only to the transport 3187 addresses listed as the default targets for media in an offer/answer. 3188 If ICE changes the transport address where media is received, this 3189 change is reflected in an updated offer which changes the default 3190 destination for media to match ICE's selection. As such, it appears 3191 like any other re-INVITE would, and is fully treated in RFC 3312 and 3192 4032, which apply without regard to the fact that the destination for 3193 media is changing due to ICE negotiations occurring "in the 3194 background". 3196 Indeed, an agent SHOULD NOT indicate that Qos preconditions have been 3197 met until the checks have completed and selected the candidate pairs 3198 to be used for media. 3200 ICE also has (purposeful) interactions with connectivity 3201 preconditions [I-D.ietf-mmusic-connectivity-precon]. Those 3202 interactions are described there. Note that the procedures described 3203 in Section 12.1 describe their own type of "preconditions", albeit 3204 with less functionality than those provided by the explicit 3205 preconditions in [I-D.ietf-mmusic-connectivity-precon]. 3207 12.5. Interactions with Third Party Call Control 3209 ICE works with Flows I, III and IV as described in [RFC3725]. Flow I 3210 works without the controller supporting or being aware of ICE. Flow 3211 IV will work as long as the controller passes along the ICE 3212 attributes without alteration. Flow II is fundamentally incompatible 3213 with ICE; each agent will believe itself to be the answerer and thus 3214 never generate a re-INVITE. 3216 The flows for continued operation, as described in Section 7 of RFC 3217 3725, require additional behavior of ICE implementations to support. 3218 In particular, if an agent receives a mid-dialog re-INVITE that 3219 contains no offer, it MUST restart ICE for each media stream and go 3220 through the process of gathering new candidates. Furthermore, that 3221 list of candidates SHOULD include the ones currently being used for 3222 media. 3224 13. Relationship with ANAT 3226 RFC 4091 [RFC4091], the Alternative Network Address Types (ANAT) 3227 Semantics for the SDP grouping framework, defines a mechanism for 3228 indicating that an agent can support both IPv4 and IPv6 for a media 3229 stream, and it does so by including two m-lines, one for v4, and one 3230 for v6. This is similar to ICE, which allows for an agent to 3231 indicate multiple transport addresses using the candidate attribute. 3232 However, ANAT relies on static selection to pick between choices, 3233 rather than a dynamic connectivity check used by ICE. 3235 This specification deprecates RFC 4091. Instead, agents wishing to 3236 support dual-stack will utilize ICE. Because a dual-stack agent will 3237 require at least two candidates, one for IPv4 and one for IPv6, dual- 3238 stack agents MUST be full implementations. However, agents that are 3239 implementing dual-stack and are running on closed networks where it 3240 is known that there are no NAT, MAY include only host candidates in 3241 their offers, skipping server reflexive and relayed candidates. 3243 14. Extensibility Considerations 3245 This specification makes very specific choices about how both agents 3246 in a session coordinate to arrive at the set of candidate pairs that 3247 are selected for media. It is anticipated that future specifications 3248 will want to alter these algorithms, whether they are simple changes 3249 like timer tweaks, or larger changes like a revamp of the priority 3250 algorithm. When such a change is made, providing interoperability 3251 between the two agents in a session is critical. 3253 First, ICE provides the a=ice-options SDP attribute. Each extension 3254 or change to ICE is associated with a token. When an agent 3255 supporting such an extension or change generates an offer or an 3256 answer, it MUST include the token for that extension in this 3257 attribute. This allows each side to know what the other side is 3258 doing. This attribute MUST NOT be present if the agent doesn't 3259 support any ICE extensions or changes. 3261 At this time, no IANA registry or registration procedures are defined 3262 for these option tags. At time of writing, it is unclear whether ICE 3263 changes and extensions will be sufficiently common to warrant a 3264 registry. 3266 One of the complications in achieving interoperability is that ICE 3267 relies on a distributed algorithm running on both agents to converge 3268 on an agreed set of candidate pairs. If the two agents run different 3269 algorithms, it can be difficult to guarantee convergence on the same 3270 candidate pairs. The regular nomination procedure described in 3271 Section 8 eliminates some of the tight coordination by delegating the 3272 selection algorithm completely to the controlling agent. 3273 Consequently, when a controlling agent is communicating with a peer 3274 that supports options it doesn't know about, the agent MUST run a 3275 regular nomination algorithm. When regular nomination is used, ICE 3276 will converge perfectly even when both agents use different pair 3277 prioritization algorithms. One of the keys to such convergence are 3278 triggered checks, which ensure that the nominated pair is validated 3279 by both agents. Consequently, any future ICE enhancements MUST 3280 preserve triggered checks. 3282 ICE is also extensible to other media streams beyond RTP, and for 3283 transport protocols beyond UDP. Extensions to ICE for non-RTP media 3284 streams need to specify how many components they utilize, and assign 3285 component IDs to them, starting at 1 for the most important component 3286 ID. Specifications for new transport protocols must define how, if 3287 at all, various steps in the ICE processing differ from UDP. 3289 15. Grammar 3291 This specification defines seven new SDP attributes - the 3292 "candidate", "remote-candidates", "ice-lite", "ice-mismatch", "ice- 3293 ufrag", "ice-pwd" and "ice-options" attributes. 3295 15.1. "candidate" Attribute 3297 The candidate attribute is a media-level attribute only. It contains 3298 a transport address for a candidate that can be used for connectivity 3299 checks. 3301 The syntax of this attribute is defined using Augmented BNF as 3302 defined in RFC 4234 [RFC4234]: 3304 candidate-attribute = "candidate" ":" foundation SP component-id SP 3305 transport SP 3306 priority SP 3307 connection-address SP ;from RFC 4566 3308 port ;port from RFC 4566 3309 SP cand-type 3310 [SP rel-addr] 3311 [SP rel-port] 3312 *(SP extension-att-name SP 3313 extension-att-value) 3315 foundation = 1*32ice-char 3316 component-id = 1*5DIGIT 3317 transport = "UDP" / transport-extension 3318 transport-extension = token ; from RFC 3261 3319 priority = 1*10DIGIT 3320 cand-type = "typ" SP candidate-types 3321 candidate-types = "host" / "srflx" / "prflx" / "relay" / token 3322 rel-addr = "raddr" SP connection-address 3323 rel-port = "rport" SP port 3324 extension-att-name = byte-string ;from RFC 4566 3325 extension-att-value = byte-string 3326 ice-char = ALPHA / DIGIT / "+" / "/" 3328 This grammar encodes the primary information about a candidate: its 3329 IP address, port and transport protocol, and its properties: the 3330 foundation, component ID, priority, type, and related transport 3331 address: 3333 : is taken from RFC 4566 [RFC4566]. It is the 3334 IP address of the candidate, allowing for IPv4 addresses, IPv6 3335 addresses and FQDNs. An IP address SHOULD be used, but an FQDN 3336 MAY be used in place of an IP address. In that case, when 3337 receiving an offer or answer containing an FQDN in an a=candidate 3338 attribute, the FQDN is looked up in the DNS first using an AAAA 3339 record (assuming the agent supports IPv6), and if no result is 3340 found or the agent only supports IPv4, using an A. If the DNS 3341 query returns more than one IP address, one is chosen, and then 3342 used for the remainder of ICE processing. 3344 : is also taken from RFC 4566 [RFC4566]. It is the port of 3345 the candidate. 3347 : indicates the transport protocol for the candidate. 3348 This specification only defines UDP. However, extensibility is 3349 provided to allow for future transport protocols to be used with 3350 ICE, such as TCP or the Datagram Congestion Control Protocol 3351 (DCCP) [RFC4340]. 3353 : is composed of one to thirty two . It is an 3354 identifier that is equivalent for two candidates that are of the 3355 same type, share the same base, and come from the same STUN 3356 server. The foundation is used to optimize ICE performance in the 3357 Frozen algorithm. 3359 : is a positive integer between 1 and 256 which 3360 identifies the specific component of the media stream for which 3361 this is a candidate. It MUST start at 1 and MUST increment by 1 3362 for each component of a particular candidate. For media streams 3363 based on RTP, candidates for the actual RTP media MUST have a 3364 component ID of 1, and candidates for RTCP MUST have a component 3365 ID of 2. Other types of media streams which require multiple 3366 components MUST develop specifications which define the mapping of 3367 components to component IDs. See Section 14 for additional 3368 discussion on extending ICE to new media streams. 3370 : is a positive integer between 1 and (2**32 - 1). 3372 : encodes the type of candidate. This specification 3373 defines the values "host", "srflx", "prflx" and "relay" for host, 3374 server reflexive, peer reflexive and relayed candidates, 3375 respectively. The set of candidate types is extensible for the 3376 future. 3378 and : convey transport addresses related to the 3379 candidate, useful for diagnostics and other purposes. 3380 and MUST be present for server reflexive, peer 3381 reflexive and relayed candidates. If a candidate is server or 3382 peer reflexive, and is equal to the base for 3383 that server or peer reflexive candidate. If the candidate is 3384 relayed, and is equal to the mapped address 3385 in the Allocate Response that provided the client with that 3386 relayed candidate (see Appendix B.3 for a discussion of its 3387 purpose). If the candidate is a host candidate and 3388 MUST be omitted. 3390 The candidate attribute can itself be extended. The grammar allows 3391 for new name/value pairs to be added at the end of the attribute. An 3392 implementation MUST ignore any name/value pairs it doesn't 3393 understand. 3395 15.2. "remote-candidates" Attribute 3397 The syntax of the "remote-candidates" attribute is defined using 3398 Augmented BNF as defined in RFC 4234 [RFC4234]. The remote- 3399 candidates attribute is a media level attribute only. 3401 remote-candidate-att = "remote-candidates" ":" remote-candidate 3402 0*(SP remote-candidate) 3403 remote-candidate = component-ID SP connection-address SP port 3405 The attribute contains a connection-address and port for each 3406 component. The ordering of components is irrelevant. However, a 3407 value MUST be present for each component of a media stream. This 3408 attribute MUST be included in an offer by a controlling agent for a 3409 media stream that is Completed, and MUST NOT be included in any other 3410 case. 3412 15.3. "ice-lite" and "ice-mismatch" Attributes 3414 The syntax of the "ice-lite" and "ice-mismatch" attributes, both of 3415 which are flags, is: 3417 ice-lite = "ice-lite" 3418 ice-mismatch = "ice-mismatch" 3420 "ice-lite" is a session level attribute only, and indicates that an 3421 agent is a lite implementation. "ice-mismatch" is a media level 3422 attribute only, and when present in an answer, indicates that the 3423 offer arrived with a default destination for a media component that 3424 didn't have a corresponding candidate attribute. 3426 15.4. "ice-ufrag" and "ice-pwd" Attributes 3428 The "ice-ufrag" and "ice-pwd" attributes convey the username fragment 3429 and password used by ICE for message integrity. Their syntax is: 3431 ice-pwd-att = "ice-pwd" ":" password 3432 ice-ufrag-att = "ice-ufrag" ":" ufrag 3433 password = 22*256ice-char 3434 ufrag = 4*256ice-char 3436 The "ice-pwd" and "ice-ufrag" attributes can appear at either the 3437 session-level or media-level. When present in both, the value in the 3438 media-level takes precedence. Thus, the value at the session level 3439 is effectively a default that applies to all media streams, unless 3440 overriden by a media-level value. Whether present at the session or 3441 media level, there MUST be an ice-pwd and ice-ufrag attribute for 3442 each media stream. If two media streams have identical ice-ufrag's, 3443 they MUST have identical ice-pwd's. 3445 The ice-ufrag and ice-pwd attributes MUST be chosen randomly at the 3446 beginning of a session. The ice-ufrag attribute MUST contain at 3447 least 24 bits of randomness, and the ice-pwd attribute MUST contain 3448 at least 128 bits of randomness. This means that the ice-ufrag 3449 attribute will be at least 4 characters long, and the ice-pwd at 3450 least 22 characters long, since the grammar for these attributes 3451 allows for 6 bits of randomness per character. The attributes MAY be 3452 longer than 4 and 22 characters respectively, of course, up to 256 3453 characters. The upper limit allows for buffer sizing in 3454 implementations. Its large upper limit allows for increased amounts 3455 of randomness to be added over time. 3457 15.5. "ice-options" Attribute 3459 The "ice-options" attribute is a session level attribute. It 3460 contains a series of tokens which identify the options supported by 3461 the agent. Its grammar is: 3463 ice-options = "ice-options" ":" ice-option-tag 3464 0*(SP ice-option-tag) 3465 ice-option-tag = 1*ice-char 3467 16. Setting Ta and RTO 3469 During the gathering phase of ICE (Section 4.1.1) and while ICE is 3470 performing connectivity checks (Section 7), an agent sends STUN and 3471 TURN transactions. These transcations are paced at a rate of one 3472 every Ta milliseconds, and utilize a specific RTO. This section 3473 describes how the value of Ta and RTO are computed. This computation 3474 depends on whether ICE is being used with a real time media stream 3475 (such as RTP) or something else. 3477 16.1. RTP Media Streams 3479 The values of RTP and Ta change during the lifetime of ICE 3480 processing. One set of values applies during the gathering phase, 3481 and the other, for connectivity checks. 3483 The value of Ta SHOULD be configurable, and SHOULD have a default of: 3485 For each media stream i: 3486 Ta_i = (stun_packet_size / rtp_packet_size) * rtp_ptime 3488 1 3489 Ta = MAX (20ms, ------------------- ) 3490 k 3491 ---- 3492 \ 1 3493 > ------ 3494 / Ta_i 3495 ---- 3496 i=1 3498 Where k is the number of media streams. During the gathering phase, 3499 Ta is computed based on the number of media streams the agent has 3500 indicated in its offer or answer, and the RTP packet size and RTP 3501 ptime are those of the most preferred codec for each media stream. 3502 Once an offer and answer have been exchanged, the agent recomputes Ta 3503 to pace the connectivity checks. In that case, the value of Ta is 3504 based on the number of media streams that will actually be used in 3505 the session, and the RTP packet size and RTP ptime are those of the 3506 most preferred codec that the agent will send with. 3508 In addition, the retransmission timer for the STUN transactions, RTO, 3509 defined in [I-D.ietf-behave-rfc3489bis], SHOULD be configurable and 3510 during the gathering phase, SHOULD have a default of: 3512 RTO = MAX (100ms, Ta * (number of pairs)) 3514 Where the number of pairs refers to the number of pairs of candidates 3515 with STUN or TURN servers. 3517 For connectivity checks, RTO SHOULD be configurable and SHOULD have a 3518 default of: 3520 RTO = MAX (100ms, Ta*N * (Num-Waiting)) 3522 Where Num-Waiting are the number of checks in the check list in the 3523 Waiting state. Note that the RTO will be different for each 3524 transaction as the number of checks in the Waiting state changes. 3526 These formulas are aimed at causing STUN transactions to be paced at 3527 the same rate as media. This ensures that ICE will work properly 3528 under the same network conditions needed to support the media as 3529 well. See Appendix B.1 for additional discussion and motivations. 3530 Because of this pacing, it will take a certain amount of time to 3531 obtain all of the server reflexive and relayed candidates. 3532 Implementations should be aware of the time required to do this, and 3533 if the application requires a time budget, limit the number of 3534 candidates which are gathered. 3536 16.2. Non-RTP Sessions 3538 In cases where ICE is used to establish some kind of session which is 3539 not real time, and has no fixed rate associated with it that is known 3540 to work on the network in which ICE is deployed, Ta and RTO revert to 3541 more conservative values. Ta SHOULD be configurable and SHOULD have 3542 a default of 500ms. 3544 In addition, the retransmission timer for the STUN transactions, RTO, 3545 SHOULD be configurable and during the gathering phase, SHOULD have a 3546 default of: 3548 RTO = MAX (500ms, Ta * (number of pairs)) 3550 Where the number of pairs refers to the number of pairs of candidates 3551 with STUN or TURN servers. 3553 For connectivity checks, RTO SHOULD be configurable and SHOULD have a 3554 default of: 3556 RTO = MAX (500ms, Ta*N * (Num-Waiting)) 3558 17. Example 3560 The example is based on the simplified topology of Figure 21. 3562 +-----+ 3563 | | 3564 |STUN | 3565 | Srvr| 3566 +-----+ 3567 | 3568 +---------------------+ 3569 | | 3570 | Internet | 3571 | | 3572 | | 3573 +---------------------+ 3574 | | 3575 | | 3576 +---------+ | 3577 | NAT | | 3578 +---------+ | 3579 | | 3580 | | 3581 | | 3582 +-----+ +-----+ 3583 | | | | 3584 | L | | R | 3585 | | | | 3586 +-----+ +-----+ 3588 Figure 21: Example Topology 3590 Two agents, L and R, are using ICE. Both are full-mode ICE 3591 implementations and use aggressive nomination when they are 3592 controlling. Both agents have a single IPv4 address. For agent L, 3593 it is 10.0.1.1 in private address space [RFC1918], and for agent R, 3594 192.0.2.1 on the public Internet. Both are configured with the same 3595 STUN server (shown in this example for simplicity, although in 3596 practice the agents do not need to use the same STUN server), which 3597 is listening for STUN Binding Requests at an IP address of 192.0.2.2 3598 and port 3478. TURN servers are not used in this example. Agent L 3599 is behind a NAT, and agent R is on the public Internet. The NAT has 3600 an endpoint independent mapping property and an address dependent 3601 filtering property. The public side of the NAT has an IP address of 3602 192.0.2.3. 3604 To facilitate understanding, transport addresses are listed using 3605 variables that have mnemonic names. The format of the name is 3606 entity-type-seqno, where entity refers to the entity whose IP address 3607 the transport address is on, and is one of "L", "R", "STUN", or 3608 "NAT". The type is either "PUB" for transport addresses that are 3609 public, and "PRIV" for transport addresses that are private. 3610 Finally, seq-no is a sequence number that is different for each 3611 transport address of the same type on a particular entity. Each 3612 variable has an IP address and port, denoted by varname.IP and 3613 varname.PORT, respectively, where varname is the name of the 3614 variable. 3616 The STUN server has advertised transport address STUN-PUB-1 (which is 3617 192.0.2.2:3478). 3619 In the call flow itself, STUN messages are annotated with several 3620 attributes. The "S=" attribute indicates the source transport 3621 address of the message. The "D=" attribute indicates the destination 3622 transport address of the message. The "MA=" attribute is used in 3623 STUN Binding Response messages and refers to the mapped address. 3624 "USE-CAND" implies the presence of the USE-CANDIDATE attribute. 3626 The call flow examples omit STUN authentication operations and RTCP, 3627 and focus on RTP for a single media stream between two full 3628 implementations. 3630 L NAT STUN R 3631 |RTP STUN alloc. | | 3632 |(1) STUN Req | | | 3633 |S=$L-PRIV-1 | | | 3634 |D=$STUN-PUB-1 | | | 3635 |------------->| | | 3636 | |(2) STUN Req | | 3637 | |S=$NAT-PUB-1 | | 3638 | |D=$STUN-PUB-1 | | 3639 | |------------->| | 3640 | |(3) STUN Res | | 3641 | |S=$STUN-PUB-1 | | 3642 | |D=$NAT-PUB-1 | | 3643 | |MA=$NAT-PUB-1 | | 3644 | |<-------------| | 3645 |(4) STUN Res | | | 3646 |S=$STUN-PUB-1 | | | 3647 |D=$L-PRIV-1 | | | 3648 |MA=$NAT-PUB-1 | | | 3649 |<-------------| | | 3650 |(5) Offer | | | 3651 |------------------------------------------->| 3652 | | | |RTP STUN alloc. 3653 | | |(6) STUN Req | 3654 | | |S=$R-PUB-1 | 3655 | | |D=$STUN-PUB-1 | 3656 | | |<-------------| 3657 | | |(7) STUN Res | 3658 | | |S=$STUN-PUB-1 | 3659 | | |D=$R-PUB-1 | 3660 | | |MA=$R-PUB-1 | 3661 | | |------------->| 3662 |(8) answer | | | 3663 |<-------------------------------------------| 3664 | |(9) Bind Req | |Begin 3665 | |S=$R-PUB-1 | |Connectivity 3666 | |D=L-PRIV-1 | |Checks 3667 | |<----------------------------| 3668 | |Dropped | | 3669 |(10) Bind Req | | | 3670 |S=$L-PRIV-1 | | | 3671 |D=$R-PUB-1 | | | 3672 |USE-CAND | | | 3673 |------------->| | | 3674 | |(11) Bind Req | | 3675 | |S=$NAT-PUB-1 | | 3676 | |D=$R-PUB-1 | | 3677 | |USE-CAND | | 3678 | |---------------------------->| 3679 | |(12) Bind Res | | 3680 | |S=$R-PUB-1 | | 3681 | |D=$NAT-PUB-1 | | 3682 | |MA=$NAT-PUB-1 | | 3683 | |<----------------------------| 3684 |(13) Bind Res | | | 3685 |S=$R-PUB-1 | | | 3686 |D=$L-PRIV-1 | | | 3687 |MA=$NAT-PUB-1 | | | 3688 |<-------------| | | 3689 |RTP flows | | | 3690 | |(14) Bind Req | | 3691 | |S=$R-PUB-1 | | 3692 | |D=$NAT-PUB-1 | | 3693 | |<----------------------------| 3694 |(15) Bind Req | | | 3695 |S=$R-PUB-1 | | | 3696 |D=$L-PRIV-1 | | | 3697 |<-------------| | | 3698 |(16) Bind Res | | | 3699 |S=$L-PRIV-1 | | | 3700 |D=$R-PUB-1 | | | 3701 |MA=$R-PUB-1 | | | 3702 |------------->| | | 3703 | |(17) Bind Res | | 3704 | |S=$NAT-PUB-1 | | 3705 | |D=$R-PUB-1 | | 3706 | |MA=$R-PUB-1 | | 3707 | |---------------------------->| 3708 | | | |RTP flows 3710 Figure 22: Example Flow 3712 First, agent L obtains a host candidate from its local IP address 3713 (not shown), and from that, sends a STUN Binding Request to the STUN 3714 server to get a server reflexive candidate (messages 1-4). Recall 3715 that the NAT has the address and port independent mapping property. 3716 Here, it creates a binding of NAT-PUB-1 for this UDP request, and 3717 this becomes the server reflexive candidate for RTP. 3719 Agent L sets a type preference of 126 for the host candidate and 100 3720 for the server reflexive. The local preference is 65535. Based on 3721 this, the priority of the host candidate is 2130706431 and for the 3722 server reflexive candidate is 1694498815. The host candidate is 3723 assigned a foundation of 1, and the server reflexive, a foundation of 3724 2. It chooses its server reflexive candidate as the default 3725 candidate, and encodes it into the m and c lines. The resulting 3726 offer (message 5) looks like (lines folded for clarity): 3728 v=0 3729 o=jdoe 2890844526 2890842807 IN IP4 $L-PRIV-1.IP 3730 s= 3731 c=IN IP4 $NAT-PUB-1.IP 3732 t=0 0 3733 a=ice-pwd:asd88fgpdd777uzjYhagZg 3734 a=ice-ufrag:8hhY 3735 m=audio $NAT-PUB-1.PORT RTP/AVP 0 3736 b=RS:0 3737 b=RR:0 3738 a=rtpmap:0 PCMU/8000 3739 a=candidate:1 1 UDP 2130706431 $L-PRIV-1.IP $L-PRIV-1.PORT typ host 3740 a=candidate:2 1 UDP 1694498815 $NAT-PUB-1.IP $NAT-PUB-1.PORT typ 3741 srflx raddr $L-PRIV-1.IP rport $L-PRIV-1.PORT 3743 The offer, with the variables replaced with their values, will look 3744 like (lines folded for clarity): 3746 v=0 3747 o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1 3748 s= 3749 c=IN IP4 192.0.2.3 3750 t=0 0 3751 a=ice-pwd:asd88fgpdd777uzjYhagZg 3752 a=ice-ufrag:8hhY 3753 m=audio 45664 RTP/AVP 0 3754 b=RS:0 3755 b=RR:0 3756 a=rtpmap:0 PCMU/8000 3757 a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host 3758 a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 3759 10.0.1.1 rport 8998 3761 This offer is received at agent R. Agent R will obtain a host 3762 candidate, and from it, obtain a server reflexive candidate (messages 3763 6-7). Since R is not behind a NAT, this candidate is identical to 3764 its host candidate, and they share the same base. It therefore 3765 discards this redundant candidate and ends up with a single host 3766 candidate. With identical type and local preferences as L, the 3767 priority for this candidate is 2130706431. It chooses a foundation 3768 of 1 for its single candidate. Its resulting answer looks like: 3770 v=0 3771 o=bob 2808844564 2808844564 IN IP4 $R-PUB-1.IP 3772 s= 3773 c=IN IP4 $R-PUB-1.IP 3774 t=0 0 3775 a=ice-pwd:YH75Fviy6338Vbrhrlp8Yh 3776 a=ice-ufrag:9uB6 3777 m=audio $R-PUB-1.PORT RTP/AVP 0 3778 b=RS:0 3779 b=RR:0 3780 a=rtpmap:0 PCMU/8000 3781 a=candidate:1 1 UDP 2130706431 $R-PUB-1.IP $R-PUB-1.PORT typ host 3783 With the variables filled in: 3785 v=0 3786 o=bob 2808844564 2808844564 IN IP4 192.0.2.1 3787 s= 3788 c=IN IP4 192.0.2.1 3789 t=0 0 3790 a=ice-pwd:YH75Fviy6338Vbrhrlp8Yh 3791 a=ice-ufrag:9uB6 3792 m=audio 3478 RTP/AVP 0 3793 b=RS:0 3794 b=RR:0 3795 a=rtpmap:0 PCMU/8000 3796 a=candidate:1 1 UDP 2130706431 192.0.2.1 3478 typ host 3798 Since neither side indicated that they are lite, the agent which sent 3799 the offer that began ICE processing (agent L) becomes the controlling 3800 agent. 3802 Agents L and R both pair up the candidates. They both initially have 3803 two pairs. However, agent L will prune the pair containing its 3804 server reflexive candidate, resulting in just one. At agent L, this 3805 pair has a local candidate of $L_PRIV_1 and remote candidate of 3806 $R_PUB_1, and has a candidate pair priority of 4.57566E+18 (note that 3807 an implementation would represent this as a 64 bit integer so as not 3808 to lose precision). At agent R, there are two pairs. The highest 3809 priority has a local candidate of $R_PUB_1 and remote candidate of 3810 $L_PRIV_1 and has a priority of 4.57566E+18, and the second has a 3811 local candidate of $R_PUB_1 and remote candidate of $NAT_PUB_1 and 3812 priority 3.63891E+18. 3814 Agent R begins its connectivity check (message 9) for the first pair 3815 (between the two host candidates). Since R is the controlled agent 3816 for this session, the check omits the USE-CANDIDATE attribute. The 3817 host candidate from agent L is private and behind a NAT, and thus 3818 this check won't be successful, because the packet cannot be routed 3819 from R to L. 3821 When agent L gets the answer, it performs its one and only 3822 connectivity check (messages 10-13). It implements the aggressive 3823 nomination algorithm, and thus includes a USE-CANDIDATE attribute in 3824 this check. Since the check succeeds, agent L creates a new pair, 3825 whose local candidate is from the mapped address in the binding 3826 response (NAT-PUB-1 from message 13) and whose remote candidate is 3827 the destination of the request (R-PUB-1 from message 10). This is 3828 added to the valid list. In addition, it is marked as selected since 3829 the Binding Request contained the USE-CANDIDATE attribute. Since 3830 there is a selected candidate in the Valid list for the one component 3831 of this media stream, ICE processing for this stream moves into the 3832 Completed state. Agent L can now send media if it so chooses. 3834 Soon after receipt of the STUN Binding Request from agent L (message 3835 11), agent R will generate its triggered check. This check happens 3836 to match the next one on its check list - from its host candidate to 3837 agent L's server reflexive candidate. This check (messages 14-17) 3838 will succeed. Consequently, agent R constructs a new candidate pair 3839 using the mapped address from the response as the local candidate 3840 (R-PUB-1) and the destination of the request (NAT-PUB-1) as the 3841 remote candidate. This pair is added to the Valid list for that 3842 media stream. Since the check was generated in the reverse direction 3843 of a check that contained the USE-CANDIDATE attribute, the candidate 3844 pair is marked as selected. Consequently, processing for this stream 3845 moves into the Completed state, and agent R can also send media. 3847 18. Security Considerations 3849 There are several types of attacks possible in an ICE system. This 3850 section considers these attacks and their countermeasures. These 3851 countermeasures include: 3853 o Using ICE in conjunction with secure signaling techniques, such as 3854 SIPS 3856 o Limiting the total number of connectivity checks to 100, and 3857 optionally limiting the number of candidates they'll accept in an 3858 offer or answer. 3860 18.1. Attacks on Connectivity Checks 3862 An attacker might attempt to disrupt the STUN connectivity checks. 3863 Ultimately, all of these attacks fool an agent into thinking 3864 something incorrect about the results of the connectivity checks. 3865 The possible false conclusions an attacker can try and cause are: 3867 False Invalid: An attacker can fool a pair of agents into thinking a 3868 candidate pair is invalid, when it isn't. This can be used to 3869 cause an agent to prefer a different candidate (such as one 3870 injected by the attacker), or to disrupt a call by forcing all 3871 candidates to fail. 3873 False Valid: An attacker can fool a pair of agents into thinking a 3874 candidate pair is valid, when it isn't. This can cause an agent 3875 to proceed with a session, but then not be able to receive any 3876 media. 3878 False Peer-Reflexive Candidate: An attacker can cause an agent to 3879 discover a new peer reflexive candidate, when it shouldn't have. 3880 This can be used to redirect media streams to a DoS target or to 3881 the attacker, for eavesdropping or other purposes. 3883 False Valid on False Candidate: An attacker has already convinced an 3884 agent that there is a candidate with an address that doesn't 3885 actually route to that agent (for example, by injecting a false 3886 peer reflexive candidate or false server reflexive candidate). It 3887 must then launch an attack that forces the agents to believe that 3888 this candidate is valid. 3890 If an attacker can cause a false per-reflexive candidate or false 3891 valid on a false candidate, it can launch any of the attacks 3892 described in draft-ietf-behave-rfc3489bis 3893 [I-D.ietf-behave-rfc3489bis]. 3895 To force the false invalid result, the attacker has to wait for the 3896 connectivity check from one of the agents to be sent. When it is, 3897 the attacker needs to inject a fake response with an unrecoverable 3898 error response, such as a 400. However, since the candidate is, in 3899 fact, valid, the original request may reach the peer agent, and 3900 result in a success response. The attacker needs to force this 3901 packet or its response to be dropped, through a DoS attack, layer 2 3902 network disruption, or other technique. If it doesn't do this, the 3903 success response will also reach the originator, alerting it to a 3904 possible attack. Fortunately, this attack is mitigated completely 3905 through the STUN short term credential mechanism. The attacker needs 3906 to inject a fake response, and in order for this response to be 3907 processed, the attacker needs the password. If the offer/answer 3908 signaling is secured, the attacker will not have the password and its 3909 response will be discarded. 3911 Forcing the fake valid result works in a similar way. The agent 3912 needs to wait for the Binding Request from each agent, and inject a 3913 fake success response. The attacker won't need to worry about 3914 disrupting the actual response since, if the candidate is not valid, 3915 it presumably wouldn't be received anyway. However, like the fake 3916 invalid attack, this attack is mitigated by the STUN short term 3917 credential mechanism in conjunction with a secure offer/answer 3918 exchange. 3920 Forcing the false peer reflexive candidate result can be done either 3921 with fake requests or responses, or with replays. We consider the 3922 fake requests and responses case first. It requires the attacker to 3923 send a Binding Request to one agent with a source IP address and port 3924 for the false candidate. In addition, the attacker must wait for a 3925 Binding Request from the other agent, and generate a fake response 3926 with a XOR-MAPPED-ADDRESS attribute containing the false candidate. 3927 Like the other attacks described here, this attack is mitigated by 3928 the STUN message integrity mechanisms and secure offer/answer 3929 exchanges. 3931 Forcing the false peer reflexive candidate result with packet replays 3932 is different. The attacker waits until one of the agents sends a 3933 check. It intercepts this request, and replays it towards the other 3934 agent with a faked source IP address. It must also prevent the 3935 original request from reaching the remote agent, either by launching 3936 a DoS attack to cause the packet to be dropped, or forcing it to be 3937 dropped using layer 2 mechanisms. The replayed packet is received at 3938 the other agent, and accepted, since the integrity check passes (the 3939 integrity check cannot and does not cover the source IP address and 3940 port). It is then responded to. This response will contain a XOR- 3941 MAPPED-ADDRESS with the false candidate, and will be sent to that 3942 false candidate. The attacker must then receive it and relay it 3943 towards the originator. 3945 The other agent will then initiate a connectivity check towards that 3946 false candidate. This validation needs to succeed. This requires 3947 the attacker to force a false valid on a false candidate. Injecting 3948 of fake requests or responses to achieve this goal is prevented using 3949 the integrity mechanisms of STUN and the offer/answer exchange. 3950 Thus, this attack can only be launched through replays. To do that, 3951 the attacker must intercept the check towards this false candidate, 3952 and replay it towards the other agent. Then, it must intercept the 3953 response and replay that back as well. 3955 This attack is very hard to launch unless the attacker is identified 3956 by the fake candidate. This is because it requires the attacker to 3957 intercept and replay packets sent by two different hosts. If both 3958 agents are on different networks (for example, across the public 3959 Internet), this attack can be hard to coordinate, since it needs to 3960 occur against two different endpoints on different parts of the 3961 network at the same time. 3963 If the attacker themself is identified by the fake candidate the 3964 attack is easier to coordinate. However, if SRTP is used [RFC3711], 3965 the attacker will not be able to play the media packets, they will 3966 only be able to discard them, effectively disabling the media stream 3967 for the call. However, this attack requires the agent to disrupt 3968 packets in order to block the connectivity check from reaching the 3969 target. In that case, if the goal is to disrupt the media stream, 3970 its much easier to just disrupt it with the same mechanism, rather 3971 than attack ICE. 3973 18.2. Attacks on Server Reflexive Address Gathering 3975 ICE endpoints make use of STUN Binding requests for gathering server 3976 reflexive candidates from a STUN server. These requests are not 3977 authenticated in any way. As a consequence, there are numerous 3978 techniques an attacker can employ to provide the client with a false 3979 server reflexive candidate: 3981 o An attacker can compromise the DNS, causing DNS queries to return 3982 a rogue STUN server address. That server can provide the client 3983 with fake server reflexive candidates. This attack is mitigated 3984 by DNS security, though DNS-SEC is not required to address it. 3986 o An attacker that can observe STUN messages (such as an attacker on 3987 a shared network segment, like WiFi), can inject a fake response 3988 that is valid and will be accepted by the client. 3990 o An attacker can compromise a STUN server by means of a virus, and 3991 cause it to send responses with incorrect mapped addresses. 3993 A false mapped address learned by these attacks will be used as a 3994 server reflexive candidate in the ICE exchange. For this candidate 3995 to actually be used for media, the attacker must also attack the 3996 connectivity checks, and in particular, force a false valid on a 3997 false candidate. This attack is very hard to launch if the false 3998 address identifies a fourth party (neither the offerer, answerer, or 3999 attacker), since it requires attacking the checks generated by each 4000 agent in the session, and is prevented by SRTP if it identifies the 4001 attacker themself. 4003 If the attacker elects not to attack the connectivity checks, the 4004 worst it can do is prevent the server reflexive candidate from being 4005 used. However, if the peer agent has at least one candidate that is 4006 reachable by the agent under attack, the STUN connectivity checks 4007 themselves will provide a peer reflexive candidate that can be used 4008 for the exchange of media. Peer reflexive candidates are generally 4009 preferred over server reflexive candidates. As such, an attack 4010 solely on the STUN address gathering will normally have no impact on 4011 a session at all. 4013 18.3. Attacks on Relayed Candidate Gathering 4015 An attacker might attempt to disrupt the gathering of relayed 4016 candidates, forcing the client to believe it has a false relayed 4017 candidate. Exchanges with the TURN server are authenticated using a 4018 long term credential. Consequently, injection of fake responses or 4019 requests will not work. In addition, unlike Binding requests, 4020 Allocate requests are not susceptible to replay attacks with modified 4021 source IP addresses and ports, since the source IP address and port 4022 is not utilized to provide the client with its relayed candidate. 4024 However, TURN servers are susceptible to DNS attacks, or to viruses 4025 aimed at the TURN server, for purposes of turning it into a zombie or 4026 rogue server. These attacks can be mitigated by DNS-SEC and through 4027 good box and software security on TURN servers. 4029 Even if an attacker has caused the client to believe in a false 4030 relayed candidate, the connectivity checks cause such a candidate to 4031 be used only if they succeed. Thus, an attacker must launch a false 4032 valid on a false candidate, per above, which is a very difficult 4033 attack to coordinate. 4035 18.4. Attacks on the Offer/Answer Exchanges 4037 An attacker that can modify or disrupt the offer/answer exchanges 4038 themselves can readily launch a variety of attacks with ICE. They 4039 could direct media to a target of a DoS attack, they could insert 4040 themselves into the media stream, and so on. These are similar to 4041 the general security considerations for offer/answer exchanges, and 4042 the security considerations in RFC 3264 [RFC3264] apply. These 4043 require techniques for message integrity and encryption for offers 4044 and answers, which are satisfied by the SIPS mechanism [RFC3261] when 4045 SIP is used. As such, the usage of SIPS with ICE is RECOMMENDED. 4047 18.5. Insider Attacks 4049 In addition to attacks where the attacker is a third party trying to 4050 insert fake offers, answers or stun messages, there are several 4051 attacks possible with ICE when the attacker is an authenticated and 4052 valid participant in the ICE exchange. 4054 18.5.1. The Voice Hammer Attack 4056 The voice hammer attack is an amplification attack. In this attack, 4057 the attacker initiates sessions to other agents, and maliciously 4058 includes the IP address and port of a DoS target as the destination 4059 for media traffic signaled in the SDP. This causes substantial 4060 amplification; a single offer/answer exchange can create a continuing 4061 flood of media packets, possibly at high rates (consider video 4062 sources). This attack is not specific to ICE, but ICE can help 4063 provide remediation. 4065 Specifically, if ICE is used, the agent receiving the malicious SDP 4066 will first perform connectivity checks to the target of media before 4067 sending media there. If this target is a third party host, the 4068 checks will not succeed, and media is never sent. 4070 Unfortunately, ICE doesn't help if its not used, in which case an 4071 attacker could simply send the offer without the ICE parameters. 4072 However, in environments where the set of clients are known, and 4073 limited to ones that support ICE, the server can reject any offers or 4074 answers that don't indicate ICE support. 4076 18.5.2. STUN Amplification Attack 4078 The STUN amplification attack is similar to the voice hammer. 4079 However, instead of voice packets being directed to the target, STUN 4080 connectivity checks are directed to the target. The attacker sends 4081 an offer with a large number of candidates, say 50. The answerer 4082 receives the offer, and starts its checks, which are directed at the 4083 target, and consequently, never generate a response. The answerer 4084 will start a new connectivity check every Ta ms (say Ta=20ms). 4085 However, the retransmission timers are set to a large number due to 4086 the large number of candidates. As a consequence, packets will be 4087 sent at an interval of one every Ta milliseconds, and then with 4088 increasing intervals after that. Thus, STUN will not send packets at 4089 a rate faster than media would be sent, and the STUN packets persist 4090 only briefly, until ICE fails for the session. Nonetheless, this is 4091 an amplification mechanism. 4093 It is impossible to eliminate the amplification, but the volume can 4094 be reduced through a variety of heuristics. Agents SHOULD limit the 4095 total number of connectivity checks they perform to 100. 4096 Additionally, agents MAY limit the number of candidates they'll 4097 accept in an offer or answer. 4099 Frequently, protocols that wish to avoid these kinds of attacks force 4100 the initiator to wait for a response prior to sending the next 4101 message. However, in the case of ICE, this is not possible. It is 4102 not possible to differentiate the following two cases: 4104 o There was no response because the initiator is being used to 4105 launch a DoS attack against an unsuspecting target that will not 4106 respond 4108 o There was no response because the IP address and port is not 4109 reachable by the initiator 4111 In the second case, another check should be sent at the next 4112 opportunity, while in the former case, no further checks should be 4113 sent. 4115 18.6. Interactions with Application Layer Gateways and SIP 4117 Application Layer Gateways (ALGs) are functions present in a NAT 4118 device which inspect the contents of packets and modify them, in 4119 order to facilitate NAT traversal for application protocols. Session 4120 Border Controllers (SBC) are close cousins of ALGs, but are less 4121 transparent since they actually exist as application layer SIP 4122 intermediaries. ICE has interactions with SBCs and ALGs. 4124 If an ALG is SIP aware but not ICE aware, ICE will work through it as 4125 long as the ALG correctly modifies the SDP. A correct ALG 4126 implementation behaves as follows: 4128 o The ALG does not modify the m and c lines or the rtcp attribute if 4129 they contain external addresses. 4131 o If the m and c lines contain internal addresses, the modification 4132 depends on the state of the ALG: 4134 If the ALG already has a binding established that maps an 4135 external port to an internal IP address and port matching the 4136 values in the m and c lines or rtcp attribute, the ALG uses 4137 that binding instead of creating a new one. 4139 If the ALG does not already have a binding, it creates a new 4140 one and modifies the SDP, rewriting the m and c lines and rtcp 4141 attribute. 4143 Unfortunately, many ALG are known to work poorly in these corner 4144 cases. ICE does not try to work around broken ALGs, as this is 4145 outside the scope of its functionality. ICE can help diagnose these 4146 conditions, which often show up as a mismatch between the set of 4147 candidates and the m and c lines and rtcp attributes. The ice- 4148 mismatch attribute is used for this purpose. 4150 ICE works best through ALGs when the signaling is run over TLS. This 4151 prevents the ALG from manipulating the SDP messages and interfering 4152 with ICE operation. Implementations which are expected to be 4153 deployed behind ALGs SHOULD provide for TLS transport of the SDP. 4155 If an SBC is SIP aware but not ICE aware, the result depends on the 4156 behavior of the SBC. If it is acting as a proper Back-to-Back User 4157 Agent (B2BUA), the SBC will remove any SDP attributes it doesn't 4158 understand, including the ICE attributes. Consequently, the call 4159 will appear to both endpoints as if the other side doesn't support 4160 ICE. This will result in ICE being disabled, and media flowing 4161 through the SBC, if the SBC has requested it. If, however, the SBC 4162 passes the ICE attributes without modification, yet modifies the 4163 default destination for media (contained in the m and c lines and 4164 rtcp attribute), this will be detected as an ICE mismatch, and ICE 4165 processing is aborted for the call. It is outside of the scope of 4166 ICE for it to act as a tool for "working around" SBCs. If one is 4167 present, ICE will not be used and the SBC techniques take precedence. 4169 19. STUN Extensions 4171 19.1. New Attributes 4173 This specification defines four new attributes, PRIORITY, USE- 4174 CANDIDATE, ICE-CONTROLLED and ICE-CONTROLLING. 4176 The PRIORITY attribute indicates the priority that is to be 4177 associated with a peer reflexive candidate, should one be discovered 4178 by this check. It is a 32 bit unsigned integer, and has an attribute 4179 value of 0x0024. 4181 The USE-CANDIDATE attribute indicates that the candidate pair 4182 resulting from this check should be used for transmission of media. 4183 The attribute has no content (the Length field of the attribute is 4184 zero); it serves as a flag. It has an attribute value of 0x0025. 4186 The ICE-CONTROLLED attribute is present in a Binding Request, and 4187 indicates that the client believes it is currently in the controlled 4188 role. The content of the attribute is a 64 bit unsigned integer in 4189 network byte ordering, which contains a random number used for tie- 4190 breaking of role conflicts. 4192 The ICE-CONTROLLING attribute is present in a Binding Request, and 4193 indicates that the client believes it is currently in the controlling 4194 role. The content of the attribute is a 64 bit unsigned integer in 4195 network byte ordering, which contains a random number used for tie- 4196 breaking of role conflicts. 4198 19.2. New Error Response Codes 4200 This specification defines a single error response code: 4202 487 (Role Conflict): The Binding Request contained either the ICE- 4203 CONTROLLING or ICE-CONTROLLED attribute, indicating a role that 4204 conflicted with the server. The server ran a tie-breaker based on 4205 the tie-breaker value in the request, and determined that the 4206 client needs to switch roles. 4208 20. Operational Considerations 4210 This section discusses issues relevant to network operators looking 4211 to deploy ICE. 4213 20.1. NAT and Firewall Types 4215 ICE was designed to work with existing NAT and firewall equipment. 4216 Consequently, it is not neccesary to replace or reconfigure existing 4217 firewall and NAT equipment in order to facilitate deployment of ICE. 4218 Indeed, ICE was developed to be deployed in environments where the 4219 VoIP operator has no control over the IP network infrastructure, 4220 including firewalls and NAT. 4222 That said, ICE works best in environments where the NAT devices are 4223 "behave" compliant, meeting the recommendations defined in [RFC4787] 4224 and [I-D.ietf-behave-tcp]. In networks with behave-compliant NAT, 4225 ICE will work without the need for a TURN server, thus improving 4226 voice quality, increasing call setup times, and reducing the 4227 bandwidth demands on the network operator. 4229 20.2. Bandwidth Requirements 4231 Deployment of ICE can have several interactions with available 4232 network capacity that operators should take into consideration. 4234 20.2.1. STUN and TURN Server Capacity Planning 4236 First and foremost, ICE makes use of TURN and STUN servers, which 4237 would typically be located in the network operator's data centers. 4238 The STUN servers require relatively little bandwidth. For each 4239 component of each media stream, there will be one or more STUN 4240 transactions from each client to the STUN server. In a basic voice- 4241 only IPv4 VoIP deployment, there will be four transactions per call 4242 (one for RTP and one for RTCP, for both caller and callee). Each 4243 transaction is a single request and a single response, the former 4244 being 20 bytes long, and the latter, 28. Consequently, if a system 4245 has N users, and each makes four calls in a busy hour, this would 4246 require N*1.7bps. For one million users, this is 1.7 Mbps, a very 4247 small number (relatively speaking). 4249 TURN traffic is more substantial. The TURN server will see traffic 4250 volume equal to the STUN volume (indeed, if TURN servers are 4251 deployed, there is no need for a separate STUN server), in addition 4252 to the traffic for the actual media traffic. The amount of calls 4253 requiring TURN for media relay is highly dependent on network 4254 topologies, and can and will vary over time. In a network with 100% 4255 behave compliant NAT, it is exactly zero. At time of writing, large- 4256 scale consumer deployments were seeing between 5 and 10 percent of 4257 calls requiring TURN servers. Considering a voice-only deployment 4258 using G.711 (so 80kbps in each direction), with .2 erlangs during the 4259 busy hour, this is N*3.2kbps. For a population of one million users, 4260 this is 3.2Gbps, assuming a 10% usage of TURN servers. 4262 20.2.2. Gathering and Connectivity Checks 4264 The process of gathering of candidates and performing of connectivity 4265 checks can be banwdidth intensive. ICE has been designed to pace 4266 both of these processes. The gathering phase and the connectivity 4267 check phase are meant to generate traffic at roughly the same 4268 bandwidth as the media traffic itself. This was done to ensure that, 4269 if a network is designed to support multimedia traffic of a certain 4270 type (voice, video or just text), it will have sufficient capacity to 4271 support the ICE checks for that media. Of course, the ICE checks 4272 will cause a marginal increase in the total utilization; however this 4273 will typically be an extremely small increase. 4275 Congestion due to the gathering and check phases has proven to be a 4276 problem in deployments that did not utilize pacing. Typically, 4277 access links became congested as the endpoints flooded the network 4278 with checks as fast as they can send them. Consequently, network 4279 operators should make sure that their ICE implementations support the 4280 pacing feature. Though this pacing does increase call setup times, 4281 it makes ICE network friendly and easier to deploy. 4283 20.2.3. Keepalives 4285 STUN keepalives (in the form of STUN Binding Indications) are sent in 4286 the middle of a media session. However, they are sent only in the 4287 absence of actual media traffic. In deployments that are not 4288 utilizing Voice Activity Detection (VAD), the keepalives are never 4289 used and there is no increase in bandwidth usage. When VAD is being 4290 used, keepalives will be sent during silence periods. This involves 4291 a single packet every 15-20 seconds, far less than the packet every 4292 20-30ms that is sent when there is voice. Therefore, keepalives 4293 don't have any real impact on capacity planning. 4295 20.3. ICE and ICE-lite 4297 Deployments utilizing a mix of ICE and ICE-lite interoperate 4298 perfectly. They have been explicitly designed to do so, without loss 4299 of function. 4301 However, ICE-lite can only be deployed in limited use cases. Those 4302 cases, and the caveats involved in doing so, are documented in 4303 Appendix A. 4305 20.4. Troubleshooting and Performance Management 4307 ICE utilizes end-to-end connectivity checks, and places much of the 4308 processing in the endpoints. This introduces a challenge to the 4309 network operator - how can they troubleshoot ICE deployments? How 4310 can they know how ICE is performing? 4312 ICE has built in features to help deal with these problems. SIP 4313 servers on the signaling path, typically deployed in the data centers 4314 of the network operator, will see the contents of the offer/answer 4315 exchanges that convey the ICE parameters. These parameters include 4316 the type of each candidate (host, server reflexive, or relayed), 4317 along with their related addresses. Once ICE processing has 4318 completed, an updated offer/answer exchange takes place, signaling 4319 the selected address (and its type). This updated re-INVITE is 4320 performed exactly for the purposes of educating network equipment 4321 (such as a diagnostic tool attached to a SIP server) about the 4322 results of ICE processing. 4324 As a consequence, through the logs generated by the SIP server, a 4325 network operator can observe what types of candidates are being used 4326 for each call, and what address was selected by ICE. This is the 4327 primary information that helps evaluate how ICE is performing. 4329 20.5. Endpoint Configuration 4331 ICE relies on several pieces of data being configured into the 4332 endpoints. This configuration data includes timers, credentials for 4333 TURN servers, and hostnames for STUN and TURN servers. ICE itself 4334 does not provide a mechanism for this configuration. Instead, it is 4335 assumed that this information is attached to whatever mechanism is 4336 used to configure all of the other parameters in the endpoint. For 4337 SIP phones, standard solutions such as the configuration framework 4338 [I-D.ietf-sipping-config-framework] have been defined. 4340 21. IANA Considerations 4342 This specification registers new SDP attributes, four new STUN 4343 attributes and one new STUN error response. 4345 21.1. SDP Attributes 4347 This specification defines seven new SDP attributes per the 4348 procedures of Section 8.2.4 of [RFC4566]. The required information 4349 for the registrations are included here. 4351 21.1.1. candidate Attribute 4353 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4355 Attribute Name: candidate 4357 Long Form: candidate 4359 Type of Attribute: media level 4361 Charset Considerations: The attribute is not subject to the charset 4362 attribute. 4364 Purpose: This attribute is used with Interactive Connectivity 4365 Establishment (ICE), and provides one of many possible candidate 4366 addresses for communication. These addresses are validated with 4367 an end-to-end connectivity check using Simple Traversal Underneath 4368 NAT (STUN). 4370 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4371 please replace XXXX with the RFC number of this specification]. 4373 21.1.2. remote-candidates Attribute 4375 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4377 Attribute Name: remote-candidates 4379 Long Form: remote-candidates 4381 Type of Attribute: media level 4383 Charset Considerations: The attribute is not subject to the charset 4384 attribute. 4386 Purpose: This attribute is used with Interactive Connectivity 4387 Establishment (ICE), and provides the identity of the remote 4388 candidates that the offerer wishes the answerer to use in its 4389 answer. 4391 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4392 please replace XXXX with the RFC number of this specification]. 4394 21.1.3. ice-lite Attribute 4395 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4397 Attribute Name: ice-lite 4399 Long Form: ice-lite 4401 Type of Attribute: session level 4403 Charset Considerations: The attribute is not subject to the charset 4404 attribute. 4406 Purpose: This attribute is used with Interactive Connectivity 4407 Establishment (ICE), and indicates that an agent has the minimum 4408 functionality required to support ICE inter-operation with a peer 4409 that has a full implementation. 4411 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4412 please replace XXXX with the RFC number of this specification]. 4414 21.1.4. ice-mismatch Attribute 4416 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4418 Attribute Name: ice-mismatch 4420 Long Form: ice-mismatch 4422 Type of Attribute: session level 4424 Charset Considerations: The attribute is not subject to the charset 4425 attribute. 4427 Purpose: This attribute is used with Interactive Connectivity 4428 Establishment (ICE), and indicates that an agent is ICE capable, 4429 but did not proceed with ICE due to a mismatch of candidates with 4430 the default destination for media signaled in the SDP. 4432 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4433 please replace XXXX with the RFC number of this specification]. 4435 21.1.5. ice-pwd Attribute 4437 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4439 Attribute Name: ice-pwd 4440 Long Form: ice-pwd 4442 Type of Attribute: session or media level 4444 Charset Considerations: The attribute is not subject to the charset 4445 attribute. 4447 Purpose: This attribute is used with Interactive Connectivity 4448 Establishment (ICE), and provides the password used to protect 4449 STUN connectivity checks. 4451 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4452 please replace XXXX with the RFC number of this specification]. 4454 21.1.6. ice-ufrag Attribute 4456 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4458 Attribute Name: ice-ufrag 4460 Long Form: ice-ufrag 4462 Type of Attribute: session or media level 4464 Charset Considerations: The attribute is not subject to the charset 4465 attribute. 4467 Purpose: This attribute is used with Interactive Connectivity 4468 Establishment (ICE), and provides the fragments used to construct 4469 the username in STUN connectivity checks. 4471 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4472 please replace XXXX with the RFC number of this specification]. 4474 21.1.7. ice-options Attribute 4476 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4478 Attribute Name: ice-options 4480 Long Form: ice-options 4482 Type of Attribute: session level 4484 Charset Considerations: The attribute is not subject to the charset 4485 attribute. 4487 Purpose: This attribute is used with Interactive Connectivity 4488 Establishment (ICE), and indicates the ICE options or extensions 4489 used by the agent. 4491 Appropriate Values: See Section 15 of RFC XXXX [Note to RFC-ed: 4492 please replace XXXX with the RFC number of this specification]. 4494 21.2. STUN Attributes 4496 This section registers four new STUN attributes per the procedures in 4497 [I-D.ietf-behave-rfc3489bis]. 4499 0x0024 PRIORITY 4500 0x0025 USE-CANDIDATE 4501 0x8029 ICE-CONTROLLED 4502 0x802a ICE-CONTROLLING 4504 21.3. STUN Error Responses 4506 This section registers one new STUN error response code per the 4507 procedures in [I-D.ietf-behave-rfc3489bis]. 4509 487 Role Conflict: The client asserted an ICE role (controlling or 4510 controlled) that is in conflict with the role of the server. 4512 22. IAB Considerations 4514 The IAB has studied the problem of "Unilateral Self Address Fixing", 4515 which is the general process by which a agent attempts to determine 4516 its address in another realm on the other side of a NAT through a 4517 collaborative protocol reflection mechanism [RFC3424]. ICE is an 4518 example of a protocol that performs this type of function. 4519 Interestingly, the process for ICE is not unilateral, but bilateral, 4520 and the difference has a significant impact on the issues raised by 4521 IAB. Indeed, ICE can be considered a B-SAF (Bilateral Self-Address 4522 Fixing) protocol, rather than an UNSAF protocol. Regardless, the IAB 4523 has mandated that any protocols developed for this purpose document a 4524 specific set of considerations. This section meets those 4525 requirements. 4527 22.1. Problem Definition 4529 From RFC 3424 any UNSAF proposal must provide: 4531 Precise definition of a specific, limited-scope problem that is to 4532 be solved with the UNSAF proposal. A short term fix should not be 4533 generalized to solve other problems; this is why "short term fixes 4534 usually aren't". 4536 The specific problems being solved by ICE are: 4538 Provide a means for two peers to determine the set of transport 4539 addresses which can be used for communication. 4541 Provide a means for a agent to determine an address that is 4542 reachable by another peer with which it wishes to communicate. 4544 22.2. Exit Strategy 4546 From RFC 3424, any UNSAF proposal must provide: 4548 Description of an exit strategy/transition plan. The better short 4549 term fixes are the ones that will naturally see less and less use 4550 as the appropriate technology is deployed. 4552 ICE itself doesn't easily get phased out. However, it is useful even 4553 in a globally connected Internet, to serve as a means for detecting 4554 whether a router failure has temporarily disrupted connectivity, for 4555 example. ICE also helps prevent certain security attacks which have 4556 nothing to do with NAT. However, what ICE does is help phase out 4557 other UNSAF mechanisms. ICE effectively selects amongst those 4558 mechanisms, prioritizing ones that are better, and deprioritizing 4559 ones that are worse. Local IPv6 addresses can be preferred. As NATs 4560 begin to dissipate as IPv6 is introduced, server reflexive and 4561 relayed candidates (both forms of UNSAF addresses) simply never get 4562 used, because higher priority connectivity exists to the native host 4563 candidates. Therefore, the servers get used less and less, and can 4564 eventually be remove when their usage goes to zero. 4566 Indeed, ICE can assist in the transition from IPv4 to IPv6. It can 4567 be used to determine whether to use IPv6 or IPv4 when two dual-stack 4568 hosts communicate with SIP (IPv6 gets used). It can also allow a 4569 network with both 6to4 and native v6 connectivity to determine which 4570 address to use when communicating with a peer. 4572 22.3. Brittleness Introduced by ICE 4574 From RFC3424, any UNSAF proposal must provide: 4576 Discussion of specific issues that may render systems more 4577 "brittle". For example, approaches that involve using data at 4578 multiple network layers create more dependencies, increase 4579 debugging challenges, and make it harder to transition. 4581 ICE actually removes brittleness from existing UNSAF mechanisms. In 4582 particular, classic STUN (as described in RFC 3489 [RFC3489]) has 4583 several points of brittleness. One of them is the discovery process 4584 which requires a agent to try and classify the type of NAT it is 4585 behind. This process is error-prone. With ICE, that discovery 4586 process is simply not used. Rather than unilaterally assessing the 4587 validity of the address, its validity is dynamically determined by 4588 measuring connectivity to a peer. The process of determining 4589 connectivity is very robust. 4591 Another point of brittleness in classic STUN and any other unilateral 4592 mechanism is its absolute reliance on an additional server. ICE 4593 makes use of a server for allocating unilateral addresses, but allows 4594 agents to directly connect if possible. Therefore, in some cases, 4595 the failure of a STUN server would still allow for a call to progress 4596 when ICE is used. 4598 Another point of brittleness in classic STUN is that it assumes that 4599 the STUN server is on the public Internet. Interestingly, with ICE, 4600 that is not necessary. There can be a multitude of STUN servers in a 4601 variety of address realms. ICE will discover the one that has 4602 provided a usable address. 4604 The most troubling point of brittleness in classic STUN is that it 4605 doesn't work in all network topologies. In cases where there is a 4606 shared NAT between each agent and the STUN server, traditional STUN 4607 may not work. With ICE, that restriction is removed. 4609 Classic STUN also introduces some security considerations. 4610 Fortunately, those security considerations are also mitigated by ICE. 4612 Consequently, ICE serves to repair the brittleness introduced in 4613 classic STUN, and does not introduce any additional brittleness into 4614 the system. 4616 The penalty of these improvements is that ICE increases session 4617 establishment times. 4619 22.4. Requirements for a Long Term Solution 4621 From RFC 3424, any UNSAF proposal must provide: 4623 Identify requirements for longer term, sound technical solutions 4624 -- contribute to the process of finding the right longer term 4625 solution. 4627 Our conclusions from RFC 3489 remain unchanged. However, we feel ICE 4628 actually helps because we believe it can be part of the long term 4629 solution. 4631 22.5. Issues with Existing NAPT Boxes 4633 From RFC 3424, any UNSAF proposal must provide: 4635 Discussion of the impact of the noted practical issues with 4636 existing, deployed NA[P]Ts and experience reports. 4638 A number of NAT boxes are now being deployed into the market which 4639 try and provide "generic" ALG functionality. These generic ALGs hunt 4640 for IP addresses, either in text or binary form within a packet, and 4641 rewrite them if they match a binding. This interferes with classic 4642 STUN. However, the update to STUN [I-D.ietf-behave-rfc3489bis] uses 4643 an encoding which hides these binary addresses from generic ALGs. 4645 Existing NAPT boxes have non-deterministic and typically short 4646 expiration times for UDP-based bindings. This requires 4647 implementations to send periodic keepalives to maintain those 4648 bindings. ICE uses a default of 15s, which is a very conservative 4649 estimate. Eventually, over time, as NAT boxes become compliant to 4650 behave [RFC4787], this minimum keepalive will become deterministic 4651 and well-known, and the ICE timers can be adjusted. Having a way to 4652 discover and control the minimum keepalive interval would be far 4653 better still. 4655 23. Acknowledgements 4657 The authors would like to thank Dan Wing, Eric Rescorla, Flemming 4658 Andreasen, Rohan Mahy, Dean Willis, Eric Cooper, Jason Fischl, 4659 Douglas Otis, Tim Moore, Jean-Francois Mule, Kevin Johns, Jonathan 4660 Lennox and Francois Audet for their comments and input. A special 4661 thanks goes to Bill May, who suggested several of the concepts in 4662 this specification, Philip Matthews, who suggested many of the key 4663 performance optimizations in this specification, Eric Rescorla, who 4664 drafted the text in the introduction, and Magnus Westerlund, for 4665 doing several detailed reviews on the various revisions of this 4666 specification. 4668 24. References 4669 24.1. Normative References 4671 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 4672 Requirement Levels", BCP 14, RFC 2119, March 1997. 4674 [RFC3605] Huitema, C., "Real Time Control Protocol (RTCP) attribute 4675 in Session Description Protocol (SDP)", RFC 3605, 4676 October 2003. 4678 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 4679 A., Peterson, J., Sparks, R., Handley, M., and E. 4680 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 4681 June 2002. 4683 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 4684 with Session Description Protocol (SDP)", RFC 3264, 4685 June 2002. 4687 [RFC3556] Casner, S., "Session Description Protocol (SDP) Bandwidth 4688 Modifiers for RTP Control Protocol (RTCP) Bandwidth", 4689 RFC 3556, July 2003. 4691 [RFC3312] Camarillo, G., Marshall, W., and J. Rosenberg, 4692 "Integration of Resource Management and Session Initiation 4693 Protocol (SIP)", RFC 3312, October 2002. 4695 [RFC4032] Camarillo, G. and P. Kyzivat, "Update to the Session 4696 Initiation Protocol (SIP) Preconditions Framework", 4697 RFC 4032, March 2005. 4699 [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 4700 Specifications: ABNF", RFC 4234, October 2005. 4702 [RFC3262] Rosenberg, J. and H. Schulzrinne, "Reliability of 4703 Provisional Responses in Session Initiation Protocol 4704 (SIP)", RFC 3262, June 2002. 4706 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 4707 Description Protocol", RFC 4566, July 2006. 4709 [RFC4091] Camarillo, G. and J. Rosenberg, "The Alternative Network 4710 Address Types (ANAT) Semantics for the Session Description 4711 Protocol (SDP) Grouping Framework", RFC 4091, June 2005. 4713 [RFC3484] Draves, R., "Default Address Selection for Internet 4714 Protocol version 6 (IPv6)", RFC 3484, February 2003. 4716 [I-D.ietf-behave-rfc3489bis] 4717 Rosenberg, J., Huitema, C., Mahy, R., Matthews, P., and D. 4718 Wing, "Session Traversal Utilities for (NAT) (STUN)", 4719 draft-ietf-behave-rfc3489bis-08 (work in progress), 4720 July 2007. 4722 [I-D.ietf-behave-turn] 4723 Rosenberg, J., "Traversal Using Relays around NAT (TURN): 4724 Relay Extensions to Session Traversal Utilities for NAT 4725 (STUN)", draft-ietf-behave-turn-04 (work in progress), 4726 July 2007. 4728 [I-D.ietf-sip-ice-option-tag] 4729 Rosenberg, J., "Indicating Support for Interactive 4730 Connectivity Establishment (ICE) in the Session 4731 Initiation Protocol (SIP)", 4732 draft-ietf-sip-ice-option-tag-02 (work in progress), 4733 June 2007. 4735 24.2. Informative References 4737 [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, 4738 "STUN - Simple Traversal of User Datagram Protocol (UDP) 4739 Through Network Address Translators (NATs)", RFC 3489, 4740 March 2003. 4742 [RFC3235] Senie, D., "Network Address Translator (NAT)-Friendly 4743 Application Design Guidelines", RFC 3235, January 2002. 4745 [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and 4746 A. Rayhan, "Middlebox communication architecture and 4747 framework", RFC 3303, August 2002. 4749 [RFC3725] Rosenberg, J., Peterson, J., Schulzrinne, H., and G. 4750 Camarillo, "Best Current Practices for Third Party Call 4751 Control (3pcc) in the Session Initiation Protocol (SIP)", 4752 BCP 85, RFC 3725, April 2004. 4754 [RFC3102] Borella, M., Lo, J., Grabelsky, D., and G. Montenegro, 4755 "Realm Specific IP: Framework", RFC 3102, October 2001. 4757 [RFC3103] Borella, M., Grabelsky, D., Lo, J., and K. Taniguchi, 4758 "Realm Specific IP: Protocol Specification", RFC 3103, 4759 October 2001. 4761 [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral 4762 Self-Address Fixing (UNSAF) Across Network Address 4763 Translation", RFC 3424, November 2002. 4765 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 4766 Jacobson, "RTP: A Transport Protocol for Real-Time 4767 Applications", RFC 3550, July 2003. 4769 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 4770 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 4771 RFC 3711, March 2004. 4773 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains 4774 via IPv4 Clouds", RFC 3056, February 2001. 4776 [RFC3389] Zopf, R., "Real-time Transport Protocol (RTP) Payload for 4777 Comfort Noise (CN)", RFC 3389, September 2002. 4779 [RFC3960] Camarillo, G. and H. Schulzrinne, "Early Media and Ringing 4780 Tone Generation in the Session Initiation Protocol (SIP)", 4781 RFC 3960, December 2004. 4783 [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., 4784 and W. Weiss, "An Architecture for Differentiated 4785 Services", RFC 2475, December 1998. 4787 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 4788 E. Lear, "Address Allocation for Private Internets", 4789 BCP 5, RFC 1918, February 1996. 4791 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 4792 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 4793 RFC 4787, January 2007. 4795 [I-D.ietf-mmusic-connectivity-precon] 4796 Andreasen, F., "Connectivity Preconditions for Session 4797 Description Protocol Media Streams", 4798 draft-ietf-mmusic-connectivity-precon-02 (work in 4799 progress), June 2006. 4801 [I-D.ietf-avt-rtp-no-op] 4802 Andreasen, F., "A No-Op Payload Format for RTP", 4803 draft-ietf-avt-rtp-no-op-04 (work in progress), May 2007. 4805 [I-D.ietf-avt-rtp-and-rtcp-mux] 4806 Perkins, C. and M. Westerlund, "Multiplexing RTP Data and 4807 Control Packets on a Single Port", 4808 draft-ietf-avt-rtp-and-rtcp-mux-07 (work in progress), 4809 August 2007. 4811 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 4812 Congestion Control Protocol (DCCP)", RFC 4340, March 2006. 4814 [RFC4103] Hellstrom, G. and P. Jones, "RTP Payload for Text 4815 Conversation", RFC 4103, June 2005. 4817 [I-D.ietf-sip-outbound] 4818 Jennings, C. and R. Mahy, "Managing Client Initiated 4819 Connections in the Session Initiation Protocol (SIP)", 4820 draft-ietf-sip-outbound-10 (work in progress), July 2007. 4822 [I-D.ietf-behave-tcp] 4823 Guha, S., "NAT Behavioral Requirements for TCP", 4824 draft-ietf-behave-tcp-07 (work in progress), April 2007. 4826 [I-D.ietf-sipping-config-framework] 4827 Petrie, D. and S. Channabasappa, "A Framework for Session 4828 Initiation Protocol User Agent Profile Delivery", 4829 draft-ietf-sipping-config-framework-12 (work in progress), 4830 June 2007. 4832 Appendix A. Lite and Full Implementations 4834 ICE allows for two types of implementations. A full implementation 4835 supports the controlling and controlled roles in a session, and can 4836 also perform address gathering. In contrast, a lite implementation 4837 is a minimalist implementation that does little but respond to STUN 4838 checks. 4840 Because ICE requires both endpoints to support it in order to bring 4841 benefits to either endpoint, incremental deployment of ICE in a 4842 network is more complicated. Many sessions involve an endpoint which 4843 is, by itself, not behind a NAT and not one that would worry about 4844 NAT traversal. A very common case is to have one endpoint that 4845 requires NAT traversal (such as a VoIP hard phone or soft phone) make 4846 a call to one of these devices. Even if the phone supports a full 4847 ICE implementation, ICE won't be used at all if the other device 4848 doesn't support it. The lite implementation allows for a low-cost 4849 entry point for these devices. Once they support the lite 4850 implementation, full implementations can connect to them and get the 4851 full benefits of ICE. 4853 Consequently, a lite implementation is only appropriate for devices 4854 that will *always* be connected to the public Internet and have a 4855 public IP address at which it can receive packets from any 4856 correspondent. ICE will not function when a lite implementation is 4857 placed behind a NAT. 4859 ICE allows a lite implementation to have a single IPv4 host candidate 4860 and several IPv6 addresses. In that case, candidate pairs are 4861 selected by the controlling agent using a static algorithm, such as 4862 the one in RFC 3484, which is recommended by this specification. 4863 However, static mechanisms for address selection are always prone to 4864 error, since they cannot ever reflect the actual topology and can 4865 never provide actual guarantees on connectivity. They are always 4866 heuristics. Consequently, if an agent is implementing ICE just to 4867 select between its IPv4 and IPv6 addresses, and it is none of its IP 4868 addresses are behind NAT, usage of full ICE is still RECOMMENDED in 4869 order to provide the most robust form of address selection possible. 4871 It is important to note that the lite implementation was added to 4872 this specification to provide a stepping stone to full 4873 implementation. Even for devices that are always connected to the 4874 public Internet with just a single IPv4 address, a full 4875 implementation is preferable if achievable. A full implementation 4876 will reduce call setup times, since ICE's aggressive mode can be 4877 used. Full implementations also obtain the security benefits of ICE 4878 unrelated to NAT traversal; in particular, the voice hammer attack 4879 described in Section 18 is prevented only for full implementations, 4880 not lite. Finally, it is often the case that a device which finds 4881 itself with a public address today will be placed in a network 4882 tomorrow where it will be behind a NAT. It is difficult to 4883 definitively know, over the lifetime of a device or product, that it 4884 will always be used on the public Internet. Full implementation 4885 provides assurance that communications will always work. 4887 Appendix B. Design Motivations 4889 ICE contains a number of normative behaviors which may themselves be 4890 simple, but derive from complicated or non-obvious thinking or use 4891 cases which merit further discussion. Since these design motivations 4892 are not neccesary to understand for purposes of implementation, they 4893 are discussed here in an appendix to the specification. This section 4894 is non-normative. 4896 B.1. Pacing of STUN Transactions 4898 STUN transactions used to gather candidates and to verify 4899 connectivity are paced out at an approximate rate of one new 4900 transaction every Ta milliseconds. Each transaction, in turn, has a 4901 retransmission timer RTO that is a function of Ta as well. Why are 4902 these transactions paced, and why are these formulas used? 4904 Sending of these STUN requests will often have the effect of creating 4905 bindings on NAT devices between the client and the STUN servers. 4906 Experience has shown that many NAT devices have upper limits on the 4907 rate at which they will create new bindings. Experiments have shown 4908 that once every 20ms is well supported, but not much lower than that. 4909 This is why Ta has a lower bound of 20ms. Furthermore, transmission 4910 of these packets on the network makes use of bandwidth and needs to 4911 be rate limited by the agent. As a consequence, the pacing ensures 4912 that the NAT devices does not get overloaded and that traffic is kept 4913 at a reasonable rate. 4915 The definition of a "reasonable" rate is that STUN should not use 4916 more bandwidth than the RTP itself will use, once media starts 4917 flowing. The formula for Ta is designed so that, if a STUN packet 4918 were sent every Ta seconds, it would consume the same amount of 4919 bandwidth as RTP packets, summed across all media streams. Of 4920 course, STUN has retransmits, and the desire is to pace those as 4921 well. For this reason, RTO is set such that the first retransmit on 4922 the first transaction happens just as the first STUN request on the 4923 last transaction occurs. Pictorially: 4925 First Packets Retransmits 4927 | | 4928 | | 4929 -------+------ -------+------ 4930 / \ / \ 4931 / \ / \ 4933 +--+ +--+ +--+ +--+ +--+ +--+ 4934 |A1| |B1| |C1| |A2| |B2| |C2| 4935 +--+ +--+ +--+ +--+ +--+ +--+ 4937 ---+-------+-------+-------+-------+-------+------------ Time 4938 0 Ta 2Ta 3Ta 4Ta 5Ta 4940 In this picture, there are three transactions that will be sent (for 4941 example, in the case of candidate gathering, there are three host 4942 candidate/STUN server pairs). These are transactions A, B and C. The 4943 retransmit timer is set so that the first retransmission on the first 4944 transaction (packet A2) is sent at time 3Ta. 4946 Subsequent retransmits after the first will occur even less 4947 frequently than Ta milliseconds apart, since STUN uses an exponential 4948 back-off on its retransmissions. 4950 B.2. Candidates with Multiple Bases 4952 Section 4.1.3 talks about eliminating candidates that have the same 4953 transport address and base. However, candidates with the same 4954 transport addresses but different bases are not redundant . When can 4955 an agent have two candidates that have the same IP address and port, 4956 but different bases? Consider the topology of Figure 30: 4958 +----------+ 4959 | STUN Srvr| 4960 +----------+ 4961 | 4962 | 4963 ----- 4964 // \\ 4965 | | 4966 | B:net10 | 4967 | | 4968 \\ // 4969 ----- 4970 | 4971 | 4972 +----------+ 4973 | NAT | 4974 +----------+ 4975 | 4976 | 4977 ----- 4978 // \\ 4979 | A | 4980 |192.168/16 | 4981 | | 4982 \\ // 4983 ----- 4984 | 4985 | 4986 |192.168.1.100 ----- 4987 +----------+ // \\ +----------+ 4988 | | | | | | 4989 | Offerer |---------| C:net10 |-----------| Answerer | 4990 | |10.0.1.100| | 10.0.1.101 | | 4991 +----------+ \\ // +----------+ 4992 ----- 4994 Figure 30: Identical Candidates with Different Bases 4996 In this case, the offerer is multi-homed. It has one IP address, 4997 10.0.1.100, on network C, which is a net 10 private network. The 4998 Answerer is on this same network. The offerer is also connected to 4999 network A, which is 192.168/16. The offerer has an IP address of 5000 192.168.1.100 on this network. There is a NAT on this network, 5001 natting into network B, which is another net 10 private network, but 5002 not connected to network C. There is a STUN server on network B. 5004 The offerer obtains a host candidate on its IP address on network C 5005 (10.0.1.100:2498) and a host candidate on its IP address on network A 5006 (192.168.1.100:3344). It performs a STUN query to its configured 5007 STUN server from 192.168.1.100:3344. This query passes through the 5008 NAT, which happens to assign the binding 10.0.1.100:2498. The STUN 5009 server reflects this in the STUN Binding Response. Now, the offerer 5010 has obtained a server reflexive candidate with a transport address 5011 that is identical to a host candidate (10.0.1.100:2498). However, 5012 the server reflexive candidate has a base of 192.168.1.100:3344, and 5013 the host candidate has a base of 10.0.1.100:2498. 5015 B.3. Purpose of the and Attributes 5017 The candidate attribute contains two values that are not used at all 5018 by ICE itself - and . Why is it present? 5020 There are two motivations for its inclusion. The first is 5021 diagnostic. It is very useful to know the relationship between the 5022 different types of candidates. By including it, an agent can know 5023 which relayed candidate is associated with which reflexive candidate, 5024 which in turn is associated with a specific host candidate. When 5025 checks for one candidate succeed and not the others, this provides 5026 useful diagnostics on what is going on in the network. 5028 The second reason has to do with off-path Quality of Service (QoS) 5029 mechanisms. When ICE is used in environments such as PacketCable 5030 2.0, proxies will, in addition to performing normal SIP operations, 5031 inspect the SDP in SIP messages, and extract the IP address and port 5032 for media traffic. They can then interact, through policy servers, 5033 with access routers in the network, to establish guaranteed QoS for 5034 the media flows. This QoS is provided by classifying the RTP traffic 5035 based on 5-tuple, and then providing it a guaranteed rate, or marking 5036 its Diffserv codepoints appropriately. When a residential NAT is 5037 present, and a relayed candidate gets selected for media, this 5038 relayed candidate will be a transport address on an actual TURN 5039 server. That address says nothing about the actual transport address 5040 in the access router that would be used to classify packets for QoS 5041 treatment. Rather, the server reflexive candidate towards the TURN 5042 server is needed. By carrying the translation in the SDP, the proxy 5043 can use that transport address to request QoS from the access router. 5045 B.4. Importance of the STUN Username 5047 ICE requires the usage of message integrity with STUN using its short 5048 term credential functionality. The actual short term credential is 5049 formed by exchanging username fragments in the SDP offer/answer 5050 exchange. The need for this mechanism goes beyond just security; it 5051 is actual required for correct operation of ICE in the first place. 5053 Consider agents L, R, and Z. L and R are within private enterprise 1, 5054 which is using 10.0.0.0/8. Z is within private enterprise 2, which 5055 is also using 10.0.0.0/8. As it turns out, R and Z both have IP 5056 address 10.0.1.1. L sends an offer to Z. Z, in its answer, provides 5057 L with its host candidates. In this case, those candidates are 5058 10.0.1.1:8866 and 10.0.1.1:8877. As it turns out, R is in a session 5059 at that same time, and is also using 10.0.1.1:8866 and 10.0.1.1:8877 5060 as host candidates. This means that R is prepared to accept STUN 5061 messages on those ports, just as Z is. L will send a STUN request to 5062 10.0.1.1:8866 and and another to 10.0.1.1:8877. However, these do 5063 not go to Z as expected. Instead, they go to R! If R just replied 5064 to them, L would believe it has connectivity to Z, when in fact it 5065 has connectivity to a completely different user, R. To fix this, the 5066 STUN short term credential mechanisms are used. The username 5067 fragments are sufficiently random that it is highly unlikely that R 5068 would be using the same values as Z. Consequently, R would reject the 5069 STUN request since the credentials were invalid. In essence, the 5070 STUN username fragments provide a form of transient host identifiers, 5071 bound to a particular offer/answer session. 5073 An unfortunate consequence of the non-uniqueness of IP addresses is 5074 that, in the above example, R might not even be an ICE agent. It 5075 could be any host, and the port to which the STUN packet is directed 5076 could be any ephemeral port on that host. If there is an application 5077 listening on this socket for packets, and it is not prepared to 5078 handle malformed packets for whatever protocol is in use, the 5079 operation of that application could be affected. Fortunately, since 5080 the ports exchanged in SDP are ephemeral and usually drawn from the 5081 dynamic or registered range, the odds are good that the port is not 5082 used to run a server on host R, but rather is the agent side of some 5083 protocol. This decreases the probability of hitting an allocated 5084 port, due to the transient nature of port usage in this range. 5085 However, the possibility of a problem does exist, and network 5086 deployers should be prepared for it. Note that this is not a problem 5087 specific to ICE; stray packets can arrive at a port at any time for 5088 any type of protocol, especially ones on the public Internet. As 5089 such, this requirement is just restating a general design guideline 5090 for Internet applications - be prepared for unknown packets on any 5091 port. 5093 B.5. The Candidate Pair Priority Formula 5095 The priority for a candidate pair has an odd form. It is: 5097 pair priority = 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D?1:0) 5099 Why is this? When the candidate pairs are sorted based on this 5100 value, the resulting sorting has the MAX/MIN property. This means 5101 that the pairs are first sorted based on decreasing value of the 5102 minimum of the two priorities. For pairs that have the same value of 5103 the minimum priority, the maximum priority is used to sort amongst 5104 them. If the max and the min priorities are the same, the 5105 controlling agent's priority is used as the tie breaker in the last 5106 part of the expression. The factor of 2*32 is used since the 5107 priority of a single candidate is always less than 2*32, resulting in 5108 the pair priority being a "concatenation" of the two component 5109 priorities. This creates the MAX/MIN sorting. MAX/MIN ensures that, 5110 for a particular agent, a lower priority candidate is never used 5111 until all higher priority candidates have been tried. 5113 B.6. The remote-candidates attribute 5115 The a=remote-candidates attribute exists to eliminate a race 5116 condition between the updated offer and the response to the STUN 5117 Binding Request that moved a candidate into the Valid list. This 5118 race condition is shown in Figure 31. On receipt of message 4, agent 5119 L adds a candidate pair to the valid list. If there was only a 5120 single media stream with a single component, agent L could now send 5121 an updated offer. However, the check from agent R has not yet 5122 generated a response, and agent R receives the updated offer (message 5123 7) before getting the response (message 9). Thus, it does not yet 5124 know that this particular pair is valid. To eliminate this 5125 condition, the actual candidates at R that were selected by the 5126 offerer (the remote candidates) are included in the offer itself, and 5127 the answerer delays its answer until those pairs validate. 5129 Agent A Network Agent B 5130 |(1) Offer | | 5131 |------------------------------------------>| 5132 |(2) Answer | | 5133 |<------------------------------------------| 5134 |(3) STUN Req. | | 5135 |------------------------------------------>| 5136 |(4) STUN Res. | | 5137 |<------------------------------------------| 5138 |(5) STUN Req. | | 5139 |<------------------------------------------| 5140 |(6) STUN Res. | | 5141 |-------------------->| | 5142 | |Lost | 5143 |(7) Offer | | 5144 |------------------------------------------>| 5145 |(8) STUN Req. | | 5146 |<------------------------------------------| 5147 |(9) STUN Res. | | 5148 |------------------------------------------>| 5149 |(10) Answer | | 5150 |<------------------------------------------| 5152 Figure 31: Race Condition Flow 5154 B.7. Why are Keepalives Needed? 5156 Once media begins flowing on a candidate pair, it is still necessary 5157 to keep the bindings alive at intermediate NATs for the duration of 5158 the session. Normally, the media stream packets themselves (e.g., 5159 RTP) meet this objective. However, several cases merit further 5160 discussion. Firstly, in some RTP usages, such as SIP, the media 5161 streams can be "put on hold". This is accomplished by using the SDP 5162 "sendonly" or "inactive" attributes, as defined in RFC 3264 5163 [RFC3264]. RFC 3264 directs implementations to cease transmission of 5164 media in these cases. However, doing so may cause NAT bindings to 5165 timeout, and media won't be able to come off hold. 5167 Secondly, some RTP payload formats, such as the payload format for 5168 text conversation [RFC4103], may send packets so infrequently that 5169 the interval exceeds the NAT binding timeouts. 5171 Thirdly, if silence suppression is in use, long periods of silence 5172 may cause media transmission to cease sufficiently long for NAT 5173 bindings to time out. 5175 For these reasons, the media packets themselves cannot be relied 5176 upon. ICE defines a simple periodic keepalive that operates 5177 independently of media transmission. This makes its bandwidth 5178 requirements highly predictable, and thus amenable to QoS 5179 reservations. 5181 B.8. Why Prefer Peer Reflexive Candidates? 5183 Section 4.1.2 describes procedures for computing the priority of 5184 candidate based on its type and local preferences. That section 5185 requires that the type preference for peer reflexive candidates 5186 always be higher than server reflexive. Why is that? The reason has 5187 to do with the security considerations in Section 18. It is much 5188 easier for an attacker to cause an agent to use a false server 5189 reflexive candidate than it is for an attacker to cause an agent to 5190 use a false peer reflexive candidate. Consequently, attacks against 5191 address gathering with Binding requests are thwarted by ICE by 5192 preferring the peer reflexive candidates. 5194 B.9. Why Send an Updated Offer? 5196 Section 11.1 describes rules for sending media. Both agents can send 5197 media once ICE checks complete, without waiting for an updated offer. 5198 Indeed, the only purpose of the updated offer is to "correct" the SDP 5199 so that the default destination for media matches where media is 5200 being sent based on ICE procedures (which will be the highest 5201 priority nominated candidate pair). 5203 This begs the question - why is the updated offer/answer exchange 5204 needed at all? Indeed, in a pure offer/answer environment, it would 5205 not be. The offerer and answerer will agree on the candidates to use 5206 through ICE, and then can begin using them. As far as the agents 5207 themselves are concerned, the updated offer/answer provides no new 5208 information. However, in practice, numerous components along the 5209 signaling path look at the SDP information. These include entities 5210 performing off-path QoS reservations, NAT traversal components such 5211 as ALGs and Session Border Controllers (SBCs) and diagnostic tools 5212 that passively monitor the network. For these tools to continue to 5213 function without change, the core property of SDP - that the 5214 existing, pre-ICE definitions of the addresses used for media - the m 5215 and c lines and the rtcp attribute - must be retained. For this 5216 reason, an updated offer must be sent. 5218 B.10. Why are Binding Indications Used for Keepalives? 5220 Media keepalives are described in Section 10. These keepalives make 5221 use of STUN when both endpoints are ICE capable. However, rather 5222 than using a Binding Request transaction (which generates a 5223 response), the keepalives use an Indication. Why is that? 5224 The primary reason has to do with network QoS mechanisms. Once media 5225 begins flowing, network elements will assume that the media stream 5226 has a fairly regular structure, making use of periodic packets at 5227 fixed intervals, with the possibility of jitter. If an agent is 5228 sending media packets, and then receives a Binding Request, it would 5229 need to generate a response packet along with its media packets. 5230 This will increase the actual bandwidth requirements for the 5-tuple 5231 carrying the media packets, and introduce jitter in the delivery of 5232 those packets. Analysis has shown that this is a concern in certain 5233 layer 2 access networks that use fairly tight packet schedulers for 5234 media. 5236 Additionally, using a Binding Indication allows integrity to be 5237 disabled, allowing for better performance. This is useful for large 5238 scale endpoints, such as PSTN gateways and SBCs. 5240 B.11. Why is the Conflict Resolution Mechanism Needed? 5242 When ICE runs between two peers, one agent acts as controlled, and 5243 the other as controlling. Rules are defined as a function of 5244 implementation type and offerer/answerer to determine who is 5245 controlling and who is controlled. However, the specification 5246 mentions that, in some cases, both sides might believe they are 5247 controlling, or both sides might believe they are controlled. How 5248 can this happen? 5250 The condition when both agents believe they are controlled shows up 5251 in third party call control cases. Consider the following flow: 5253 A Controller B 5254 |(1) INV() | | 5255 |<-------------| | 5256 |(2) 200(SDP1) | | 5257 |------------->| | 5258 | |(3) INV() | 5259 | |------------->| 5260 | |(4) 200(SDP2) | 5261 | |<-------------| 5262 |(5) ACK(SDP2) | | 5263 |<-------------| | 5264 | |(6) ACK(SDP1) | 5265 | |------------->| 5267 Figure 32: Role Conflict Flow 5269 This flow is a variation on flow III of RFC 3725 [RFC3725]. In fact, 5270 it works better than flow III since it produces fewer messages. In 5271 this flow, the controller sends an offerless INVITE to agent A, which 5272 responds with its offer, SDP1. The agent then sends an offerless 5273 INVITE to agent B, which it responds to with its offer, SDP2. The 5274 controller then uses the offer from each agent to generate the 5275 answers. When this flow is used, ICE will run between agents A and 5276 B, but both will believe they are in the controlling role. With the 5277 role conflict resolution procedures, this flow will function properly 5278 when ICE is used. 5280 At this time, there are no documented flows which can result in the 5281 case where both agents believe they are controlled. However, the 5282 conflict resolution procedures allow for this case, should a flow 5283 arise which would fit into this category. 5285 Author's Address 5287 Jonathan Rosenberg 5288 Cisco 5289 Edison, NJ 5290 US 5292 Phone: +1 973 952-5000 5293 Email: jdrosen@cisco.com 5294 URI: http://www.jdrosen.net 5296 Full Copyright Statement 5298 Copyright (C) The IETF Trust (2007). 5300 This document is subject to the rights, licenses and restrictions 5301 contained in BCP 78, and except as set forth therein, the authors 5302 retain all their rights. 5304 This document and the information contained herein are provided on an 5305 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 5306 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 5307 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 5308 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 5309 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 5310 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 5312 Intellectual Property 5314 The IETF takes no position regarding the validity or scope of any 5315 Intellectual Property Rights or other rights that might be claimed to 5316 pertain to the implementation or use of the technology described in 5317 this document or the extent to which any license under such rights 5318 might or might not be available; nor does it represent that it has 5319 made any independent effort to identify any such rights. Information 5320 on the procedures with respect to rights in RFC documents can be 5321 found in BCP 78 and BCP 79. 5323 Copies of IPR disclosures made to the IETF Secretariat and any 5324 assurances of licenses to be made available, or the result of an 5325 attempt made to obtain a general license or permission for the use of 5326 such proprietary rights by implementers or users of this 5327 specification can be obtained from the IETF on-line IPR repository at 5328 http://www.ietf.org/ipr. 5330 The IETF invites any interested party to bring to its attention any 5331 copyrights, patents or patent applications, or other proprietary 5332 rights that may cover technology that may be required to implement 5333 this standard. Please address the information to the IETF at 5334 ietf-ipr@ietf.org. 5336 Acknowledgment 5338 Funding for the RFC Editor function is provided by the IETF 5339 Administrative Support Activity (IASA).