idnits 2.17.1 draft-keranen-mmusic-rfc5245bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. == There are 20 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? -- The draft header indicates that this document obsoletes RFC5245, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 18, 2013) is 4085 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC5382' is defined on line 4886, but no explicit reference was found in the text ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4091 (Obsoleted by RFC 5245) ** Obsolete normative reference: RFC 4092 (Obsoleted by RFC 5245) ** Obsolete normative reference: RFC 3484 (Obsoleted by RFC 6724) ** Obsolete normative reference: RFC 5389 (Obsoleted by RFC 8489) ** Obsolete normative reference: RFC 5766 (Obsoleted by RFC 8656) -- Obsolete informational reference (is this intentional?): RFC 3489 (Obsoleted by RFC 5389) Summary: 7 errors (**), 0 flaws (~~), 4 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 MMUSIC A. Keranen 3 Internet-Draft Ericsson 4 Obsoletes: 5245 (if approved) J. Rosenberg 5 Intended status: Standards Track jdrosen.net 6 Expires: August 22, 2013 February 18, 2013 8 Interactive Connectivity Establishment (ICE): A Protocol for Network 9 Address Translator (NAT) Traversal for Offer/Answer Protocols 10 draft-keranen-mmusic-rfc5245bis-00 12 Abstract 14 This document describes a protocol for Network Address Translator 15 (NAT) traversal for UDP-based multimedia sessions established with 16 the offer/answer model. This protocol is called Interactive 17 Connectivity Establishment (ICE). ICE makes use of the Session 18 Traversal Utilities for NAT (STUN) protocol and its extension, 19 Traversal Using Relay NAT (TURN). ICE can be used by any protocol 20 utilizing the offer/answer model, such as the Session Initiation 21 Protocol (SIP). 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on August 22, 2013. 40 Copyright Notice 42 Copyright (c) 2013 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 57 10, 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 8 70 2. Overview of ICE . . . . . . . . . . . . . . . . . . . . . . . 9 71 2.1. Gathering Candidate Addresses . . . . . . . . . . . . . . 11 72 2.2. Connectivity Checks . . . . . . . . . . . . . . . . . . . 13 73 2.3. Sorting Candidates . . . . . . . . . . . . . . . . . . . 14 74 2.4. Frozen Candidates . . . . . . . . . . . . . . . . . . . . 15 75 2.5. Security for Checks . . . . . . . . . . . . . . . . . . . 16 76 2.6. Concluding ICE . . . . . . . . . . . . . . . . . . . . . 16 77 2.7. Lite Implementations . . . . . . . . . . . . . . . . . . 18 78 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 18 79 4. Sending the Initial Offer . . . . . . . . . . . . . . . . . . 21 80 4.1. Full Implementation Requirements . . . . . . . . . . . . 21 81 4.1.1. Gathering Candidates . . . . . . . . . . . . . . . . 21 82 4.1.1.1. Host Candidates . . . . . . . . . . . . . . . . . 22 83 4.1.1.2. Server Reflexive and Relayed Candidates . . . . . 22 84 4.1.1.3. Computing Foundations . . . . . . . . . . . . . . 24 85 4.1.1.4. Keeping Candidates Alive . . . . . . . . . . . . 24 86 4.1.2. Prioritizing Candidates . . . . . . . . . . . . . . . 24 87 4.1.2.1. Recommended Formula . . . . . . . . . . . . . . . 25 88 4.1.2.2. Guidelines for Choosing Type and Local 89 Preferences . . . . . . . . . . . . . . . . . . . 25 90 4.1.3. Eliminating Redundant Candidates . . . . . . . . . . 27 91 4.1.4. Choosing Default Candidates . . . . . . . . . . . . . 27 92 4.2. Lite Implementation Requirements . . . . . . . . . . . . 27 93 4.3. Encoding the SDP . . . . . . . . . . . . . . . . . . . . 28 94 5. Receiving the Initial Offer . . . . . . . . . . . . . . . . . 30 95 5.1. Verifying ICE Support . . . . . . . . . . . . . . . . . . 30 96 5.2. Determining Role . . . . . . . . . . . . . . . . . . . . 31 97 5.3. Gathering Candidates . . . . . . . . . . . . . . . . . . 32 98 5.4. Prioritizing Candidates . . . . . . . . . . . . . . . . . 32 99 5.5. Choosing Default Candidates . . . . . . . . . . . . . . . 32 100 5.6. Encoding the SDP . . . . . . . . . . . . . . . . . . . . 33 101 5.7. Forming the Check Lists . . . . . . . . . . . . . . . . . 33 102 5.7.1. Forming Candidate Pairs . . . . . . . . . . . . . . . 33 103 5.7.2. Computing Pair Priority and Ordering Pairs . . . . . 36 104 5.7.3. Pruning the Pairs . . . . . . . . . . . . . . . . . . 36 105 5.7.4. Computing States . . . . . . . . . . . . . . . . . . 36 106 5.8. Scheduling Checks . . . . . . . . . . . . . . . . . . . . 39 107 6. Receipt of the Initial Answer . . . . . . . . . . . . . . . . 41 108 6.1. Verifying ICE Support . . . . . . . . . . . . . . . . . . 41 109 6.2. Determining Role . . . . . . . . . . . . . . . . . . . . 41 110 6.3. Forming the Check List . . . . . . . . . . . . . . . . . 42 111 6.4. Performing Ordinary Checks . . . . . . . . . . . . . . . 42 112 7. Performing Connectivity Checks . . . . . . . . . . . . . . . 42 113 7.1. STUN Client Procedures . . . . . . . . . . . . . . . . . 42 114 7.1.1. Creating Permissions for Relayed Candidates . . . . . 42 115 7.1.2. Sending the Request . . . . . . . . . . . . . . . . . 42 116 7.1.2.1. PRIORITY and USE-CANDIDATE . . . . . . . . . . . 43 117 7.1.2.2. ICE-CONTROLLED and ICE-CONTROLLING . . . . . . . 43 118 7.1.2.3. Forming Credentials . . . . . . . . . . . . . . . 43 119 7.1.2.4. DiffServ Treatment . . . . . . . . . . . . . . . 44 120 7.1.3. Processing the Response . . . . . . . . . . . . . . . 44 121 7.1.3.1. Failure Cases . . . . . . . . . . . . . . . . . . 44 122 7.1.3.2. Success Cases . . . . . . . . . . . . . . . . . . 45 123 7.1.3.2.1. Discovering Peer Reflexive Candidates . . . . 45 124 7.1.3.2.2. Constructing a Valid Pair . . . . . . . . . . 46 125 7.1.3.2.3. Updating Pair States . . . . . . . . . . . . 47 126 7.1.3.2.4. Updating the Nominated Flag . . . . . . . . . 48 127 7.1.3.3. Check List and Timer State Updates . . . . . . . 48 128 7.2. STUN Server Procedures . . . . . . . . . . . . . . . . . 48 129 7.2.1. Additional Procedures for Full Implementations . . . 49 130 7.2.1.1. Detecting and Repairing Role Conflicts . . . . . 49 131 7.2.1.2. Computing Mapped Address . . . . . . . . . . . . 50 132 7.2.1.3. Learning Peer Reflexive Candidates . . . . . . . 51 133 7.2.1.4. Triggered Checks . . . . . . . . . . . . . . . . 51 134 7.2.1.5. Updating the Nominated Flag . . . . . . . . . . . 52 135 7.2.2. Additional Procedures for Lite Implementations . . . 53 136 8. Concluding ICE Processing . . . . . . . . . . . . . . . . . . 53 137 8.1. Procedures for Full Implementations . . . . . . . . . . . 53 138 8.1.1. Nominating Pairs . . . . . . . . . . . . . . . . . . 53 139 8.1.1.1. Regular Nomination . . . . . . . . . . . . . . . 53 140 8.1.1.2. Aggressive Nomination . . . . . . . . . . . . . . 54 141 8.1.2. Updating States . . . . . . . . . . . . . . . . . . . 54 142 8.2. Procedures for Lite Implementations . . . . . . . . . . . 56 143 8.2.1. Peer Is Full . . . . . . . . . . . . . . . . . . . . 56 144 8.2.2. Peer Is Lite . . . . . . . . . . . . . . . . . . . . 57 145 8.3. Freeing Candidates . . . . . . . . . . . . . . . . . . . 57 146 8.3.1. Full Implementation Procedures . . . . . . . . . . . 57 147 8.3.2. Lite Implementation Procedures . . . . . . . . . . . 58 148 9. Subsequent Offer/Answer Exchanges . . . . . . . . . . . . . . 58 149 9.1. Generating the Offer . . . . . . . . . . . . . . . . . . 58 150 9.1.1. Procedures for All Implementations . . . . . . . . . 58 151 9.1.1.1. ICE Restarts . . . . . . . . . . . . . . . . . . 58 152 9.1.1.2. Removing a Media Stream . . . . . . . . . . . . . 59 153 9.1.1.3. Adding a Media Stream . . . . . . . . . . . . . . 59 154 9.1.2. Procedures for Full Implementations . . . . . . . . . 59 155 9.1.2.1. Existing Media Streams with ICE Running . . . . . 60 156 9.1.2.2. Existing Media Streams with ICE Completed . . . . 60 157 9.1.3. Procedures for Lite Implementations . . . . . . . . . 61 158 9.1.3.1. Existing Media Streams with ICE Running . . . . . 61 159 9.1.3.2. Existing Media Streams with ICE Completed . . . . 61 160 9.2. Receiving the Offer and Generating an Answer . . . . . . 61 161 9.2.1. Procedures for All Implementations . . . . . . . . . 62 162 9.2.1.1. Detecting ICE Restart . . . . . . . . . . . . . . 62 163 9.2.1.2. New Media Stream . . . . . . . . . . . . . . . . 62 164 9.2.1.3. Removed Media Stream . . . . . . . . . . . . . . 62 165 9.2.2. Procedures for Full Implementations . . . . . . . . . 62 166 9.2.2.1. Existing Media Streams with ICE Running and no 167 remote-candidates . . . . . . . . . . . . . . . . 63 168 9.2.2.2. Existing Media Streams with ICE Completed and 169 no remote-candidates . . . . . . . . . . . . . . 63 170 9.2.2.3. Existing Media Streams and remote-candidates . . 63 171 9.2.3. Procedures for Lite Implementations . . . . . . . . . 64 172 9.3. Updating the Check and Valid Lists . . . . . . . . . . . 65 173 9.3.1. Procedures for Full Implementations . . . . . . . . . 65 174 9.3.1.1. ICE Restarts . . . . . . . . . . . . . . . . . . 65 175 9.3.1.2. New Media Stream . . . . . . . . . . . . . . . . 65 176 9.3.1.3. Removed Media Stream . . . . . . . . . . . . . . 65 177 9.3.1.4. ICE Continuing for Existing Media Stream . . . . 65 178 9.3.2. Procedures for Lite Implementations . . . . . . . . . 66 179 10. Keepalives . . . . . . . . . . . . . . . . . . . . . . . . . 66 180 11. Media Handling . . . . . . . . . . . . . . . . . . . . . . . 67 181 11.1. Sending Media . . . . . . . . . . . . . . . . . . . . . . 67 182 11.1.1. Procedures for Full Implementations . . . . . . . . . 67 183 11.1.2. Procedures for Lite Implementations . . . . . . . . . 68 184 11.1.3. Procedures for All Implementations . . . . . . . . . 69 185 11.2. Receiving Media . . . . . . . . . . . . . . . . . . . . . 69 186 12. Usage with SIP . . . . . . . . . . . . . . . . . . . . . . . 69 187 12.1. Latency Guidelines . . . . . . . . . . . . . . . . . . . 69 188 12.1.1. Offer in INVITE . . . . . . . . . . . . . . . . . . . 70 189 12.1.2. Offer in Response . . . . . . . . . . . . . . . . . . 71 190 12.2. SIP Option Tags and Media Feature Tags . . . . . . . . . 72 191 12.3. Interactions with Forking . . . . . . . . . . . . . . . . 72 192 12.4. Interactions with Preconditions . . . . . . . . . . . . . 72 193 12.5. Interactions with Third Party Call Control . . . . . . . 73 194 13. Relationship with ANAT . . . . . . . . . . . . . . . . . . . 73 195 14. Extensibility Considerations . . . . . . . . . . . . . . . . 73 196 15. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 197 15.1. "candidate" Attribute . . . . . . . . . . . . . . . . . . 74 198 15.2. "remote-candidates" Attribute . . . . . . . . . . . . . . 77 199 15.3. "ice-lite" and "ice-mismatch" Attributes . . . . . . . . 77 200 15.4. "ice-ufrag" and "ice-pwd" Attributes . . . . . . . . . . 77 201 15.5. "ice-options" Attribute . . . . . . . . . . . . . . . . . 78 202 16. Setting Ta and RTO . . . . . . . . . . . . . . . . . . . . . 78 203 16.1. RTP Media Streams . . . . . . . . . . . . . . . . . . . . 79 204 16.2. Non-RTP Sessions . . . . . . . . . . . . . . . . . . . . 80 205 17. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 206 18. Security Considerations . . . . . . . . . . . . . . . . . . . 87 207 18.1. Attacks on Connectivity Checks . . . . . . . . . . . . . 88 208 18.2. Attacks on Server Reflexive Address Gathering . . . . . . 90 209 18.3. Attacks on Relayed Candidate Gathering . . . . . . . . . 91 210 18.4. Attacks on the Offer/Answer Exchanges . . . . . . . . . . 91 211 18.5. Insider Attacks . . . . . . . . . . . . . . . . . . . . . 91 212 18.5.1. The Voice Hammer Attack . . . . . . . . . . . . . . . 92 213 18.5.2. STUN Amplification Attack . . . . . . . . . . . . . . 92 214 18.6. Interactions with Application Layer Gateways and SIP . . 93 215 19. STUN Extensions . . . . . . . . . . . . . . . . . . . . . . . 94 216 19.1. New Attributes . . . . . . . . . . . . . . . . . . . . . 94 217 19.2. New Error Response Codes . . . . . . . . . . . . . . . . 95 218 20. Operational Considerations . . . . . . . . . . . . . . . . . 95 219 20.1. NAT and Firewall Types . . . . . . . . . . . . . . . . . 95 220 20.2. Bandwidth Requirements . . . . . . . . . . . . . . . . . 95 221 20.2.1. STUN and TURN Server Capacity Planning . . . . . . . 95 222 20.2.2. Gathering and Connectivity Checks . . . . . . . . . . 96 223 20.2.3. Keepalives . . . . . . . . . . . . . . . . . . . . . 96 224 20.3. ICE and ICE-lite . . . . . . . . . . . . . . . . . . . . 97 225 20.4. Troubleshooting and Performance Management . . . . . . . 97 226 20.5. Endpoint Configuration . . . . . . . . . . . . . . . . . 97 227 21. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 98 228 21.1. SDP Attributes . . . . . . . . . . . . . . . . . . . . . 98 229 21.1.1. candidate Attribute . . . . . . . . . . . . . . . . . 98 230 21.1.2. remote-candidates Attribute . . . . . . . . . . . . . 98 231 21.1.3. ice-lite Attribute . . . . . . . . . . . . . . . . . 99 232 21.1.4. ice-mismatch Attribute . . . . . . . . . . . . . . . 99 233 21.1.5. ice-pwd Attribute . . . . . . . . . . . . . . . . . . 100 234 21.1.6. ice-ufrag Attribute . . . . . . . . . . . . . . . . . 100 235 21.1.7. ice-options Attribute . . . . . . . . . . . . . . . . 100 236 21.2. STUN Attributes . . . . . . . . . . . . . . . . . . . . . 101 237 21.3. STUN Error Responses . . . . . . . . . . . . . . . . . . 101 238 22. IAB Considerations . . . . . . . . . . . . . . . . . . . . . 101 239 22.1. Problem Definition . . . . . . . . . . . . . . . . . . . 102 240 22.2. Exit Strategy . . . . . . . . . . . . . . . . . . . . . . 102 241 22.3. Brittleness Introduced by ICE . . . . . . . . . . . . . . 103 242 22.4. Requirements for a Long-Term Solution . . . . . . . . . . 104 243 22.5. Issues with Existing NAPT Boxes . . . . . . . . . . . . . 104 244 23. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 104 245 24. References . . . . . . . . . . . . . . . . . . . . . . . . . 105 246 24.1. Normative References . . . . . . . . . . . . . . . . . . 105 247 24.2. Informative References . . . . . . . . . . . . . . . . . 106 248 Appendix A. Lite and Full Implementations . . . . . . . . . . . 108 249 Appendix B. Design Motivations . . . . . . . . . . . . . . . . . 109 250 B.1. Pacing of STUN Transactions . . . . . . . . . . . . . . . 109 251 B.2. Candidates with Multiple Bases . . . . . . . . . . . . . 111 252 B.3. Purpose of the and Attributes . . . 112 253 B.4. Importance of the STUN Username . . . . . . . . . . . . . 113 254 B.5. The Candidate Pair Priority Formula . . . . . . . . . . . 114 255 B.6. The remote-candidates Attribute . . . . . . . . . . . . . 114 256 B.7. Why Are Keepalives Needed? . . . . . . . . . . . . . . . 115 257 B.8. Why Prefer Peer Reflexive Candidates? . . . . . . . . . . 116 258 B.9. Why Send an Updated Offer? . . . . . . . . . . . . . . . 116 259 B.10. Why Are Binding Indications Used for Keepalives? . . . . 116 260 B.11. Why Is the Conflict Resolution Mechanism Needed? . . . . 117 261 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 118 263 1. Introduction 265 RFC 3264 [RFC3264] defines a two-phase exchange of Session 266 Description Protocol (SDP) messages [RFC4566] for the purposes of 267 establishment of multimedia sessions. This offer/answer mechanism is 268 used by protocols such as the Session Initiation Protocol (SIP) 269 [RFC3261]. 271 Protocols using offer/answer are difficult to operate through Network 272 Address Translators (NATs). Because their purpose is to establish a 273 flow of media packets, they tend to carry the IP addresses and ports 274 of media sources and sinks within their messages, which is known to 275 be problematic through NAT [RFC3235]. The protocols also seek to 276 create a media flow directly between participants, so that there is 277 no application layer intermediary between them. This is done to 278 reduce media latency, decrease packet loss, and reduce the 279 operational costs of deploying the application. However, this is 280 difficult to accomplish through NAT. A full treatment of the reasons 281 for this is beyond the scope of this specification. 283 Numerous solutions have been defined for allowing these protocols to 284 operate through NAT. These include Application Layer Gateways 285 (ALGs), the Middlebox Control Protocol [RFC3303], the original Simple 286 Traversal of UDP Through NAT (STUN) [RFC3489] specification, and 287 Realm Specific IP [RFC3102] [RFC3103] along with session description 288 extensions needed to make them work, such as the Session Description 289 Protocol (SDP) [RFC4566] attribute for the Real Time Control Protocol 290 (RTCP) [RFC3605]. Unfortunately, these techniques all have pros and 291 cons which, make each one optimal in some network topologies, but a 292 poor choice in others. The result is that administrators and 293 implementors are making assumptions about the topologies of the 294 networks in which their solutions will be deployed. This introduces 295 complexity and brittleness into the system. What is needed is a 296 single solution that is flexible enough to work well in all 297 situations. 299 This specification defines Interactive Connectivity Establishment 300 (ICE) as a technique for NAT traversal for UDP-based media streams 301 (though ICE can be extended to handle other transport protocols, such 302 as TCP [RFC6544]) established by the offer/answer model. ICE is an 303 extension to the offer/answer model, and works by including a 304 multiplicity of IP addresses and ports in SDP offers and answers, 305 which are then tested for connectivity by peer-to-peer connectivity 306 checks. The IP addresses and ports included in the SDP and the 307 connectivity checks are performed using the revised STUN 308 specification [RFC5389], now renamed to Session Traversal Utilities 309 for NAT. The new name and new specification reflect its new role as 310 a tool that is used with other NAT traversal techniques (namely ICE) 311 rather than a standalone NAT traversal solution, as the original STUN 312 specification was. ICE also makes use of Traversal Using Relays 313 around NAT (TURN) [RFC5766], an extension to STUN. Because ICE 314 exchanges a multiplicity of IP addresses and ports for each media 315 stream, it also allows for address selection for multihomed and dual- 316 stack hosts, and for this reason it deprecates [RFC4091] and 317 [RFC4092]. 319 2. Overview of ICE 321 In a typical ICE deployment, we have two endpoints (known as AGENTS 322 in RFC 3264 terminology) that want to communicate. They are able to 323 communicate indirectly via some signaling protocol (such as SIP), by 324 which they can perform an offer/answer exchange of SDP [RFC3264] 325 messages. Note that ICE is not intended for NAT traversal for SIP, 326 which is assumed to be provided via another mechanism [RFC5626]. At 327 the beginning of the ICE process, the agents are ignorant of their 328 own topologies. In particular, they might or might not be behind a 329 NAT (or multiple tiers of NATs). ICE allows the agents to discover 330 enough information about their topologies to potentially find one or 331 more paths by which they can communicate. 333 Figure 1 shows a typical environment for ICE deployment. The two 334 endpoints are labelled L and R (for left and right, which helps 335 visualize call flows). Both L and R are behind their own respective 336 NATs though they may not be aware of it. The type of NAT and its 337 properties are also unknown. Agents L and R are capable of engaging 338 in an offer/answer exchange by which they can exchange SDP messages, 339 whose purpose is to set up a media session between L and R. 340 Typically, this exchange will occur through a SIP server. 342 In addition to the agents, a SIP server and NATs, ICE is typically 343 used in concert with STUN or TURN servers in the network. Each agent 344 can have its own STUN or TURN server, or they can be the same. 346 +-------+ 347 | SIP | 348 +-------+ | Srvr | +-------+ 349 | STUN | | | | STUN | 350 | Srvr | +-------+ | Srvr | 351 | | / \ | | 352 +-------+ / \ +-------+ 353 / \ 354 / \ 355 / \ 356 / \ 357 / <- Signaling -> \ 358 / \ 359 / \ 360 +--------+ +--------+ 361 | NAT | | NAT | 362 +--------+ +--------+ 363 / \ 364 / \ 365 / \ 366 +-------+ +-------+ 367 | Agent | | Agent | 368 | L | | R | 369 | | | | 370 +-------+ +-------+ 372 Figure 1: ICE Deployment Scenario 374 The basic idea behind ICE is as follows: each agent has a variety of 375 candidate TRANSPORT ADDRESSES (combination of IP address and port for 376 a particular transport protocol, which is always UDP in this 377 specification)) it could use to communicate with the other agent. 378 These might include: 380 o A transport address on a directly attached network interface 382 o A translated transport address on the public side of a NAT (a 383 "server reflexive" address) 385 o A transport address allocated from a TURN server (a "relayed 386 address"). 388 Potentially, any of L's candidate transport addresses can be used to 389 communicate with any of R's candidate transport addresses. In 390 practice, however, many combinations will not work. For instance, if 391 L and R are both behind NATs, their directly attached interface 392 addresses are unlikely to be able to communicate directly (this is 393 why ICE is needed, after all!). The purpose of ICE is to discover 394 which pairs of addresses will work. The way that ICE does this is to 395 systematically try all possible pairs (in a carefully sorted order) 396 until it finds one or more that work. 398 2.1. Gathering Candidate Addresses 400 In order to execute ICE, an agent has to identify all of its address 401 candidates. A CANDIDATE is a transport address -- a combination of 402 IP address and port for a particular transport protocol (with only 403 UDP specified here). This document defines three types of 404 candidates, some derived from physical or logical network interfaces, 405 others discoverable via STUN and TURN. Naturally, one viable 406 candidate is a transport address obtained directly from a local 407 interface. Such a candidate is called a HOST CANDIDATE. The local 408 interface could be Ethernet or WiFi, or it could be one that is 409 obtained through a tunnel mechanism, such as a Virtual Private 410 Network (VPN) or Mobile IP (MIP). In all cases, such a network 411 interface appears to the agent as a local interface from which ports 412 (and thus candidates) can be allocated. 414 If an agent is multihomed, it obtains a candidate from each IP 415 address. Depending on the location of the PEER (the other agent in 416 the session) on the IP network relative to the agent, the agent may 417 be reachable by the peer through one or more of those IP addresses. 418 Consider, for example, an agent that has a local IP address on a 419 private net 10 network (I1), and a second connected to the public 420 Internet (I2). A candidate from I1 will be directly reachable when 421 communicating with a peer on the same private net 10 network, while a 422 candidate from I2 will be directly reachable when communicating with 423 a peer on the public Internet. Rather than trying to guess which IP 424 address will work prior to sending an offer, the offering agent 425 includes both candidates in its offer. 427 Next, the agent uses STUN or TURN to obtain additional candidates. 428 These come in two flavors: translated addresses on the public side of 429 a NAT (SERVER REFLEXIVE CANDIDATES) and addresses on TURN servers 430 (RELAYED CANDIDATES). When TURN servers are utilized, both types of 431 candidates are obtained from the TURN server. If only STUN servers 432 are utilized, only server reflexive candidates are obtained from 433 them. The relationship of these candidates to the host candidate is 434 shown in Figure 2. In this figure, both types of candidates are 435 discovered using TURN. In the figure, the notation X:x means IP 436 address X and UDP port x. 438 To Internet 440 | 441 | 442 | /------------ Relayed 443 Y:y | / Address 444 +--------+ 445 | | 446 | TURN | 447 | Server | 448 | | 449 +--------+ 450 | 451 | 452 | /------------ Server 453 X1':x1'|/ Reflexive 454 +------------+ Address 455 | NAT | 456 +------------+ 457 | 458 | /------------ Local 459 X:x |/ Address 460 +--------+ 461 | | 462 | Agent | 463 | | 464 +--------+ 466 Figure 2: Candidate Relationships 468 When the agent sends the TURN Allocate request from IP address and 469 port X:x, the NAT (assuming there is one) will create a binding 470 X1':x1', mapping this server reflexive candidate to the host 471 candidate X:x. Outgoing packets sent from the host candidate will be 472 translated by the NAT to the server reflexive candidate. Incoming 473 packets sent to the server reflexive candidate will be translated by 474 the NAT to the host candidate and forwarded to the agent. We call 475 the host candidate associated with a given server reflexive candidate 476 the BASE. 478 Note: "Base" refers to the address an agent sends from for a 479 particular candidate. Thus, as a degenerate case host candidates 480 also have a base, but it's the same as the host candidate. 482 When there are multiple NATs between the agent and the TURN server, 483 the TURN request will create a binding on each NAT, but only the 484 outermost server reflexive candidate (the one nearest the TURN 485 server) will be discovered by the agent. If the agent is not behind 486 a NAT, then the base candidate will be the same as the server 487 reflexive candidate and the server reflexive candidate is redundant 488 and will be eliminated. 490 The Allocate request then arrives at the TURN server. The TURN 491 server allocates a port y from its local IP address Y, and generates 492 an Allocate response, informing the agent of this relayed candidate. 493 The TURN server also informs the agent of the server reflexive 494 candidate, X1':x1' by copying the source transport address of the 495 Allocate request into the Allocate response. The TURN server acts as 496 a packet relay, forwarding traffic between L and R. In order to send 497 traffic to L, R sends traffic to the TURN server at Y:y, and the TURN 498 server forwards that to X1':x1', which passes through the NAT where 499 it is mapped to X:x and delivered to L. 501 When only STUN servers are utilized, the agent sends a STUN Binding 502 request [RFC5389] to its STUN server. The STUN server will inform 503 the agent of the server reflexive candidate X1':x1' by copying the 504 source transport address of the Binding request into the Binding 505 response. 507 2.2. Connectivity Checks 509 Once L has gathered all of its candidates, it orders them in highest 510 to lowest-priority and sends them to R over the signaling channel. 511 The candidates are carried in attributes in the SDP offer. When R 512 receives the offer, it performs the same gathering process and 513 responds with its own list of candidates. At the end of this 514 process, each agent has a complete list of both its candidates and 515 its peer's candidates. It pairs them up, resulting in CANDIDATE 516 PAIRS. To see which pairs work, each agent schedules a series of 517 CHECKS. Each check is a STUN request/response transaction that the 518 client will perform on a particular candidate pair by sending a STUN 519 request from the local candidate to the remote candidate. 521 The basic principle of the connectivity checks is simple: 523 1. Sort the candidate pairs in priority order. 525 2. Send checks on each candidate pair in priority order. 527 3. Acknowledge checks received from the other agent. 529 With both agents performing a check on a candidate pair, the result 530 is a 4-way handshake: 532 L R 533 - - 534 STUN request -> \ L's 535 <- STUN response / check 537 <- STUN request \ R's 538 STUN response -> / check 540 Figure 3: Basic Connectivity Check 542 It is important to note that the STUN requests are sent to and from 543 the exact same IP addresses and ports that will be used for media 544 (e.g., RTP and RTCP). Consequently, agents demultiplex STUN and RTP/ 545 RTCP using contents of the packets, rather than the port on which 546 they are received. Fortunately, this demultiplexing is easy to do, 547 especially for RTP and RTCP. 549 Because a STUN Binding request is used for the connectivity check, 550 the STUN Binding response will contain the agent's translated 551 transport address on the public side of any NATs between the agent 552 and its peer. If this transport address is different from other 553 candidates the agent already learned, it represents a new candidate, 554 called a PEER REFLEXIVE CANDIDATE, which then gets tested by ICE just 555 the same as any other candidate. 557 As an optimization, as soon as R gets L's check message, R schedules 558 a connectivity check message to be sent to L on the same candidate 559 pair. This accelerates the process of finding a valid candidate, and 560 is called a TRIGGERED CHECK. 562 At the end of this handshake, both L and R know that they can send 563 (and receive) messages end-to-end in both directions. 565 2.3. Sorting Candidates 567 Because the algorithm above searches all candidate pairs, if a 568 working pair exists it will eventually find it no matter what order 569 the candidates are tried in. In order to produce faster (and better) 570 results, the candidates are sorted in a specified order. The 571 resulting list of sorted candidate pairs is called the CHECK LIST. 572 The algorithm is described in Section 4.1.2 but follows two general 573 principles: 575 o Each agent gives its candidates a numeric priority, which is sent 576 along with the candidate to the peer. 578 o The local and remote priorities are combined so that each agent 579 has the same ordering for the candidate pairs. 581 The second property is important for getting ICE to work when there 582 are NATs in front of L and R. Frequently, NATs will not allow packets 583 in from a host until the agent behind the NAT has sent a packet 584 towards that host. Consequently, ICE checks in each direction will 585 not succeed until both sides have sent a check through their 586 respective NATs. 588 The agent works through this check list by sending a STUN request for 589 the next candidate pair on the list periodically. These are called 590 ORDINARY CHECKS. 592 In general, the priority algorithm is designed so that candidates of 593 similar type get similar priorities and so that more direct routes 594 (that is, through fewer media relays and through fewer NATs) are 595 preferred over indirect ones (ones with more media relays and more 596 NATs). Within those guidelines, however, agents have a fair amount 597 of discretion about how to tune their algorithms. 599 2.4. Frozen Candidates 601 The previous description only addresses the case where the agents 602 wish to establish a media session with one COMPONENT (a piece of a 603 media stream requiring a single transport address; a media stream may 604 require multiple components, each of which has to work for the media 605 stream as a whole to be work). Typically (e.g., with RTP and RTCP), 606 the agents actually need to establish connectivity for more than one 607 flow. 609 The network properties are likely to be very similar for each 610 component (especially because RTP and RTCP are sent and received from 611 the same IP address). It is usually possible to leverage information 612 from one media component in order to determine the best candidates 613 for another. ICE does this with a mechanism called "frozen 614 candidates". 616 Each candidate is associated with a property called its FOUNDATION. 617 Two candidates have the same foundation when they are "similar" -- of 618 the same type and obtained from the same host candidate and STUN 619 server using the same protocol. Otherwise, their foundation is 620 different. A candidate pair has a foundation too, which is just the 621 concatenation of the foundations of its two candidates. Initially, 622 only the candidate pairs with unique foundations are tested. The 623 other candidate pairs are marked "frozen". When the connectivity 624 checks for a candidate pair succeed, the other candidate pairs with 625 the same foundation are unfrozen. This avoids repeated checking of 626 components that are superficially more attractive but in fact are 627 likely to fail. 629 While we've described "frozen" here as a separate mechanism for 630 expository purposes, in fact it is an integral part of ICE and the 631 ICE prioritization algorithm automatically ensures that the right 632 candidates are unfrozen and checked in the right order. 634 2.5. Security for Checks 636 Because ICE is used to discover which addresses can be used to send 637 media between two agents, it is important to ensure that the process 638 cannot be hijacked to send media to the wrong location. Each STUN 639 connectivity check is covered by a message authentication code (MAC) 640 computed using a key exchanged in the signaling channel. This MAC 641 provides message integrity and data origin authentication, thus 642 stopping an attacker from forging or modifying connectivity check 643 messages. Furthermore, if the SIP [RFC3261] caller is using ICE, and 644 their call forks, the ICE exchanges happen independently with each 645 forked recipient. In such a case, the keys exchanged in the 646 signaling help associate each ICE exchange with each forked 647 recipient. 649 2.6. Concluding ICE 651 ICE checks are performed in a specific sequence, so that high- 652 priority candidate pairs are checked first, followed by lower- 653 priority ones. One way to conclude ICE is to declare victory as soon 654 as a check for each component of each media stream completes 655 successfully. Indeed, this is a reasonable algorithm, and details 656 for it are provided below. However, it is possible that a packet 657 loss will cause a higher-priority check to take longer to complete. 658 In that case, allowing ICE to run a little longer might produce 659 better results. More fundamentally, however, the prioritization 660 defined by this specification may not yield "optimal" results. As an 661 example, if the aim is to select low-latency media paths, usage of a 662 relay is a hint that latencies may be higher, but it is nothing more 663 than a hint. An actual round-trip time (RTT) measurement could be 664 made, and it might demonstrate that a pair with lower priority is 665 actually better than one with higher priority. 667 Consequently, ICE assigns one of the agents in the role of the 668 CONTROLLING AGENT, and the other of the CONTROLLED AGENT. The 669 controlling agent gets to nominate which candidate pairs will get 670 used for media amongst the ones that are valid. It can do this in 671 one of two ways -- using REGULAR NOMINATION or AGGRESSIVE NOMINATION. 673 With regular nomination, the controlling agent lets the checks 674 continue until at least one valid candidate pair for each media 675 stream is found. Then, it picks amongst those that are valid, and 676 sends a second STUN request on its NOMINATED candidate pair, but this 677 time with a flag set to tell the peer that this pair has been 678 nominated for use. This is shown in Figure 4. 680 L R 681 - - 682 STUN request -> \ L's 683 <- STUN response / check 685 <- STUN request \ R's 686 STUN response -> / check 688 STUN request + flag -> \ L's 689 <- STUN response / check 691 Figure 4: Regular Nomination 693 Once the STUN transaction with the flag completes, both sides cancel 694 any future checks for that media stream. ICE will now send media 695 using this pair. The pair an ICE agent is using for media is called 696 the SELECTED PAIR. 698 In aggressive nomination, the controlling agent puts the flag in 699 every STUN request it sends. This way, once the first check 700 succeeds, ICE processing is complete for that media stream and the 701 controlling agent doesn't have to send a second STUN request. The 702 selected pair will be the highest-priority valid pair whose check 703 succeeded. Aggressive nomination is faster than regular nomination, 704 but gives less flexibility. Aggressive nomination is shown in 705 Figure 5. 707 L R 708 - - 709 STUN request + flag -> \ L's 710 <- STUN response / check 712 <- STUN request \ R's 713 STUN response -> / check 715 Figure 5: Aggressive Nomination 717 Once all of the media streams are completed, the controlling endpoint 718 sends an updated offer if the candidates in the m and c lines for the 719 media stream (called the DEFAULT CANDIDATES) don't match ICE's 720 SELECTED CANDIDATES. 722 Once ICE is concluded, it can be restarted at any time for one or all 723 of the media streams by either agent. This is done by sending an 724 updated offer indicating a restart. 726 2.7. Lite Implementations 728 In order for ICE to be used in a call, both agents need to support 729 it. However, certain agents will always be connected to the public 730 Internet and have a public IP address at which it can receive packets 731 from any correspondent. To make it easier for these devices to 732 support ICE, ICE defines a special type of implementation called LITE 733 (in contrast to the normal FULL implementation). A lite 734 implementation doesn't gather candidates; it includes only host 735 candidates for any media stream. Lite agents do not generate 736 connectivity checks or run the state machines, though they need to be 737 able to respond to connectivity checks. When a lite implementation 738 connects with a full implementation, the full agent takes the role of 739 the controlling agent, and the lite agent takes on the controlled 740 role. When two lite implementations connect, no checks are sent. 742 For guidance on when a lite implementation is appropriate, see the 743 discussion in Appendix A. 745 It is important to note that the lite implementation was added to 746 this specification to provide a stepping stone to full 747 implementation. Even for devices that are always connected to the 748 public Internet, a full implementation is preferable if achievable. 750 3. Terminology 752 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 753 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 754 "OPTIONAL" in this document are to be interpreted as described in RFC 755 2119 [RFC2119]. 757 Readers should be familiar with the terminology defined in the offer/ 758 answer model [RFC3264], STUN [RFC5389], and NAT Behavioral 759 requirements for UDP [RFC4787]. 761 This specification makes use of the following additional terminology: 763 Agent: As defined in RFC 3264, an agent is the protocol 764 implementation involved in the offer/answer exchange. There are 765 two agents involved in an offer/answer exchange. 767 Peer: From the perspective of one of the agents in a session, its 768 peer is the other agent. Specifically, from the perspective of 769 the offerer, the peer is the answerer. From the perspective of 770 the answerer, the peer is the offerer. 772 Transport Address: The combination of an IP address and transport 773 protocol (such as UDP or TCP) port. 775 Candidate: A transport address that is a potential point of contact 776 for receipt of media. Candidates also have properties -- their 777 type (server reflexive, relayed or host), priority, foundation, 778 and base. 780 Component: A component is a piece of a media stream requiring a 781 single transport address; a media stream may require multiple 782 components, each of which has to work for the media stream as a 783 whole to work. For media streams based on RTP, there are two 784 components per media stream -- one for RTP, and one for RTCP. 786 Host Candidate: A candidate obtained by binding to a specific port 787 from an IP address on the host. This includes IP addresses on 788 physical interfaces and logical ones, such as ones obtained 789 through Virtual Private Networks (VPNs) and Realm Specific IP 790 (RSIP) [RFC3102] (which lives at the operating system level). 792 Server Reflexive Candidate: A candidate whose IP address and port 793 are a binding allocated by a NAT for an agent when it sent a 794 packet through the NAT to a server. Server reflexive candidates 795 can be learned by STUN servers using the Binding request, or TURN 796 servers, which provides both a relayed and server reflexive 797 candidate. 799 Peer Reflexive Candidate: A candidate whose IP address and port are 800 a binding allocated by a NAT for an agent when it sent a STUN 801 Binding request through the NAT to its peer. 803 Relayed Candidate: A candidate obtained by sending a TURN Allocate 804 request from a host candidate to a TURN server. The relayed 805 candidate is resident on the TURN server, and the TURN server 806 relays packets back towards the agent. 808 Base: The base of a server reflexive candidate is the host candidate 809 from which it was derived. A host candidate is also said to have 810 a base, equal to that candidate itself. Similarly, the base of a 811 relayed candidate is that candidate itself. 813 Foundation: An arbitrary string that is the same for two candidates 814 that have the same type, base IP address, protocol (UDP, TCP, 815 etc.), and STUN or TURN server. If any of these are different, 816 then the foundation will be different. Two candidate pairs with 817 the same foundation pairs are likely to have similar network 818 characteristics. Foundations are used in the frozen algorithm. 820 Local Candidate: A candidate that an agent has obtained and included 821 in an offer or answer it sent. 823 Remote Candidate: A candidate that an agent received in an offer or 824 answer from its peer. 826 Default Destination/Candidate: The default destination for a 827 component of a media stream is the transport address that would be 828 used by an agent that is not ICE aware. For the RTP component, 829 the default IP address is in the c line of the SDP, and the port 830 is in the m line. For the RTCP component, it is in the rtcp 831 attribute when present, and when not present, the IP address is in 832 the c line and 1 plus the port is in the m line. A default 833 candidate for a component is one whose transport address matches 834 the default destination for that component. 836 Candidate Pair: A pairing containing a local candidate and a remote 837 candidate. 839 Check, Connectivity Check, STUN Check: A STUN Binding request 840 transaction for the purposes of verifying connectivity. A check 841 is sent from the local candidate to the remote candidate of a 842 candidate pair. 844 Check List: An ordered set of candidate pairs that an agent will use 845 to generate checks. 847 Ordinary Check: A connectivity check generated by an agent as a 848 consequence of a timer that fires periodically, instructing it to 849 send a check. 851 Triggered Check: A connectivity check generated as a consequence of 852 the receipt of a connectivity check from the peer. 854 Valid List: An ordered set of candidate pairs for a media stream 855 that have been validated by a successful STUN transaction. 857 Full: An ICE implementation that performs the complete set of 858 functionality defined by this specification. 860 Lite: An ICE implementation that omits certain functions, 861 implementing only as much as is necessary for a peer 862 implementation that is full to gain the benefits of ICE. Lite 863 implementations do not maintain any of the state machines and do 864 not generate connectivity checks. 866 Controlling Agent: The ICE agent that is responsible for selecting 867 the final choice of candidate pairs and signaling them through 868 STUN and an updated offer, if needed. In any session, one agent 869 is always controlling. The other is the controlled agent. 871 Controlled Agent: An ICE agent that waits for the controlling agent 872 to select the final choice of candidate pairs. 874 Regular Nomination: The process of picking a valid candidate pair 875 for media traffic by validating the pair with one STUN request, 876 and then picking it by sending a second STUN request with a flag 877 indicating its nomination. 879 Aggressive Nomination: The process of picking a valid candidate pair 880 for media traffic by including a flag in every STUN request, such 881 that the first one to produce a valid candidate pair is used for 882 media. 884 Nominated: If a valid candidate pair has its nominated flag set, it 885 means that it may be selected by ICE for sending and receiving 886 media. 888 Selected Pair, Selected Candidate: The candidate pair selected by 889 ICE for sending and receiving media is called the selected pair, 890 and each of its candidates is called the selected candidate. 892 4. Sending the Initial Offer 894 In order to send the initial offer in an offer/answer exchange, an 895 agent must (1) gather candidates, (2) prioritize them, (3) eliminate 896 redundant candidates, (4) choose default candidates, and then (5) 897 formulate and send the SDP offer. All but the last of these five 898 steps differ for full and lite implementations. 900 4.1. Full Implementation Requirements 902 4.1.1. Gathering Candidates 904 An agent gathers candidates when it believes that communication is 905 imminent. An offerer can do this based on a user interface cue, or 906 based on an explicit request to initiate a session. Every candidate 907 is a transport address. It also has a type and a base. Four types 908 are defined and gathered by this specification -- host candidates, 909 server reflexive candidates, peer reflexive candidates, and relayed 910 candidates. The server reflexive candidates are gathered using STUN 911 or TURN, and relayed candidates are obtained through TURN. Peer 912 reflexive candidates are obtained in later phases of ICE, as a 913 consequence of connectivity checks. The base of a candidate is the 914 candidate that an agent must send from when using that candidate. 916 4.1.1.1. Host Candidates 918 The first step is to gather host candidates. Host candidates are 919 obtained by binding to ports (typically ephemeral) on a IP address 920 attached to an interface (physical or virtual, including VPN 921 interfaces) on the host. 923 For each UDP media stream the agent wishes to use, the agent SHOULD 924 obtain a candidate for each component of the media stream on each IP 925 address that the host has. It obtains each candidate by binding to a 926 UDP port on the specific IP address. A host candidate (and indeed 927 every candidate) is always associated with a specific component for 928 which it is a candidate. Each component has an ID assigned to it, 929 called the component ID. For RTP-based media streams, the RTP itself 930 has a component ID of 1, and RTCP a component ID of 2. If an agent 931 is using RTCP, it MUST obtain a candidate for it. If an agent is 932 using both RTP and RTCP, it would end up with 2*K host candidates if 933 an agent has K IP addresses. 935 The base for each host candidate is set to the candidate itself. 937 4.1.1.2. Server Reflexive and Relayed Candidates 939 Agents SHOULD obtain relayed candidates and SHOULD obtain server 940 reflexive candidates. These requirements are at SHOULD strength to 941 allow for provider variation. Use of STUN and TURN servers may be 942 unnecessary in closed networks where agents are never connected to 943 the public Internet or to endpoints outside of the closed network. 944 In such cases, a full implementation would be used for agents that 945 are dual-stack or multihomed, to select a host candidate. Use of 946 TURN servers is expensive, and when ICE is being used, they will only 947 be utilized when both endpoints are behind NATs that perform address 948 and port dependent mapping. Consequently, some deployments might 949 consider this use case to be marginal, and elect not to use TURN 950 servers. If an agent does not gather server reflexive or relayed 951 candidates, it is RECOMMENDED that the functionality be implemented 952 and just disabled through configuration, so that it can be re-enabled 953 through configuration if conditions change in the future. 955 If an agent is gathering both relayed and server reflexive 956 candidates, it uses a TURN server. If it is gathering just server 957 reflexive candidates, it uses a STUN server. 959 The agent next pairs each host candidate with the STUN or TURN server 960 with which it is configured or has discovered by some means. If a 961 STUN or TURN server is configured, it is RECOMMENDED that a domain 962 name be configured, and the DNS procedures in [RFC5389] (using SRV 963 records with the "stun" service) be used to discover the STUN server, 964 and the DNS procedures in [RFC5766] (using SRV records with the 965 "turn" service) be used to discover the TURN server. 967 This specification only considers usage of a single STUN or TURN 968 server. When there are multiple choices for that single STUN or TURN 969 server (when, for example, they are learned through DNS records and 970 multiple results are returned), an agent SHOULD use a single STUN or 971 TURN server (based on its IP address) for all candidates for a 972 particular session. This improves the performance of ICE. The 973 result is a set of pairs of host candidates with STUN or TURN 974 servers. The agent then chooses one pair, and sends a Binding or 975 Allocate request to the server from that host candidate. Binding 976 requests to a STUN server are not authenticated, and any ALTERNATE- 977 SERVER attribute in a response is ignored. Agents MUST support the 978 backwards compatibility mode for the Binding request defined in 979 [RFC5389]. Allocate requests SHOULD be authenticated using a long- 980 term credential obtained by the client through some other means. 982 Every Ta milliseconds thereafter, the agent can generate another new 983 STUN or TURN transaction. This transaction can either be a retry of 984 a previous transaction that failed with a recoverable error (such as 985 authentication failure), or a transaction for a new host candidate 986 and STUN or TURN server pair. The agent SHOULD NOT generate 987 transactions more frequently than one every Ta milliseconds. See 988 Section 16 for guidance on how to set Ta and the STUN retransmit 989 timer, RTO. 991 The agent will receive a Binding or Allocate response. A successful 992 Allocate response will provide the agent with a server reflexive 993 candidate (obtained from the mapped address) and a relayed candidate 994 in the XOR-RELAYED-ADDRESS attribute. If the Allocate request is 995 rejected because the server lacks resources to fulfill it, the agent 996 SHOULD instead send a Binding request to obtain a server reflexive 997 candidate. A Binding response will provide the agent with only a 998 server reflexive candidate (also obtained from the mapped address). 999 The base of the server reflexive candidate is the host candidate from 1000 which the Allocate or Binding request was sent. The base of a 1001 relayed candidate is that candidate itself. If a relayed candidate 1002 is identical to a host candidate (which can happen in rare cases), 1003 the relayed candidate MUST be discarded. 1005 4.1.1.3. Computing Foundations 1007 Finally, the agent assigns each candidate a foundation. The 1008 foundation is an identifier, scoped within a session. Two candidates 1009 MUST have the same foundation ID when all of the following are true: 1011 o they are of the same type (host, relayed, server reflexive, or 1012 peer reflexive). 1014 o their bases have the same IP address (the ports can be different). 1016 o for reflexive and relayed candidates, the STUN or TURN servers 1017 used to obtain them have the same IP address. 1019 o they were obtained using the same transport protocol (TCP, UDP, 1020 etc.). 1022 Similarly, two candidates MUST have different foundations if their 1023 types are different, their bases have different IP addresses, the 1024 STUN or TURN servers used to obtain them have different IP addresses, 1025 or their transport protocols are different. 1027 4.1.1.4. Keeping Candidates Alive 1029 Once server reflexive and relayed candidates are allocated, they MUST 1030 be kept alive until ICE processing has completed, as described in 1031 Section 8.3. For server reflexive candidates learned through a 1032 Binding request, the bindings MUST be kept alive by additional 1033 Binding requests to the server. Refreshes for allocations are done 1034 using the Refresh transaction, as described in [RFC5766]. The 1035 Refresh requests will also refresh the server reflexive candidate. 1037 4.1.2. Prioritizing Candidates 1039 The prioritization process results in the assignment of a priority to 1040 each candidate. Each candidate for a media stream MUST have a unique 1041 priority that MUST be a positive integer between 1 and (2**31 - 1). 1042 This priority will be used by ICE to determine the order of the 1043 connectivity checks and the relative preference for candidates. 1045 An agent SHOULD compute this priority using the formula in 1046 Section 4.1.2.1 and choose its parameters using the guidelines in 1047 Section 4.1.2.2. If an agent elects to use a different formula, ICE 1048 will take longer to converge since both agents will not be 1049 coordinated in their checks. 1051 4.1.2.1. Recommended Formula 1053 When using the formula, an agent computes the priority by determining 1054 a preference for each type of candidate (server reflexive, peer 1055 reflexive, relayed, and host), and, when the agent is multihomed, 1056 choosing a preference for its IP addresses. These two preferences 1057 are then combined to compute the priority for a candidate. That 1058 priority is computed using the following formula: 1060 priority = (2^24)*(type preference) + 1061 (2^8)*(local preference) + 1062 (2^0)*(256 - component ID) 1064 The type preference MUST be an integer from 0 to 126 inclusive, and 1065 represents the preference for the type of the candidate (where the 1066 types are local, server reflexive, peer reflexive, and relayed). A 1067 126 is the highest preference, and a 0 is the lowest. Setting the 1068 value to a 0 means that candidates of this type will only be used as 1069 a last resort. The type preference MUST be identical for all 1070 candidates of the same type and MUST be different for candidates of 1071 different types. The type preference for peer reflexive candidates 1072 MUST be higher than that of server reflexive candidates. Note that 1073 candidates gathered based on the procedures of Section 4.1.1 will 1074 never be peer reflexive candidates; candidates of these type are 1075 learned from the connectivity checks performed by ICE. 1077 The local preference MUST be an integer from 0 to 65535 inclusive. 1078 It represents a preference for the particular IP address from which 1079 the candidate was obtained, in cases where an agent is multihomed. 1080 65535 represents the highest preference, and a zero, the lowest. 1081 When there is only a single IP address, this value SHOULD be set to 1082 65535. More generally, if there are multiple candidates for a 1083 particular component for a particular media stream that have the same 1084 type, the local preference MUST be unique for each one. In this 1085 specification, this only happens for multihomed hosts. If a host is 1086 multihomed because it is dual-stack, the local preference SHOULD be 1087 set equal to the precedence value for IP addresses described in RFC 1088 3484 [RFC3484]. 1090 The component ID is the component ID for the candidate, and MUST be 1091 between 1 and 256 inclusive. 1093 4.1.2.2. Guidelines for Choosing Type and Local Preferences 1095 One criterion for selection of the type and local preference values 1096 is the use of a media intermediary, such as a TURN server, VPN 1097 server, or NAT. With a media intermediary, if media is sent to that 1098 candidate, it will first transit the media intermediary before being 1099 received. Relayed candidates are one type of candidate that involves 1100 a media intermediary. Another are host candidates obtained from a 1101 VPN interface. When media is transited through a media intermediary, 1102 it can increase the latency between transmission and reception. It 1103 can increase the packet losses, because of the additional router hops 1104 that may be taken. It may increase the cost of providing service, 1105 since media will be routed in and right back out of a media 1106 intermediary run by a provider. If these concerns are important, the 1107 type preference for relayed candidates SHOULD be lower than host 1108 candidates. The RECOMMENDED values are 126 for host candidates, 100 1109 for server reflexive candidates, 110 for peer reflexive candidates, 1110 and 0 for relayed candidates. Furthermore, if an agent is multihomed 1111 and has multiple IP addresses, the local preference for host 1112 candidates from a VPN interface SHOULD have a priority of 0. 1114 Another criterion for selection of preferences is IP address family. 1115 ICE works with both IPv4 and IPv6. It therefore provides a 1116 transition mechanism that allows dual-stack hosts to prefer 1117 connectivity over IPv6, but to fall back to IPv4 in case the v6 1118 networks are disconnected (due, for example, to a failure in a 6to4 1119 relay) [RFC3056]. It can also help with hosts that have both a 1120 native IPv6 address and a 6to4 address. In such a case, higher local 1121 preferences could be assigned to the v6 addresses, followed by the 1122 6to4 addresses, followed by the v4 addresses. This allows a site to 1123 obtain and begin using native v6 addresses immediately, yet still 1124 fall back to 6to4 addresses when communicating with agents in other 1125 sites that do not yet have native v6 connectivity. 1127 Another criterion for selecting preferences is security. If a user 1128 is a telecommuter, and therefore connected to a corporate network and 1129 a local home network, the user may prefer their voice traffic to be 1130 routed over the VPN in order to keep it on the corporate network when 1131 communicating within the enterprise, but use the local network when 1132 communicating with users outside of the enterprise. In such a case, 1133 a VPN address would have a higher local preference than any other 1134 address. 1136 Another criterion for selecting preferences is topological awareness. 1137 This is most useful for candidates that make use of intermediaries. 1138 In those cases, if an agent has preconfigured or dynamically 1139 discovered knowledge of the topological proximity of the 1140 intermediaries to itself, it can use that to assign higher local 1141 preferences to candidates obtained from closer intermediaries. 1143 4.1.3. Eliminating Redundant Candidates 1145 Next, the agent eliminates redundant candidates. A candidate is 1146 redundant if its transport address equals another candidate, and its 1147 base equals the base of that other candidate. Note that two 1148 candidates can have the same transport address yet have different 1149 bases, and these would not be considered redundant. Frequently, a 1150 server reflexive candidate and a host candidate will be redundant 1151 when the agent is not behind a NAT. The agent SHOULD eliminate the 1152 redundant candidate with the lower priority. 1154 4.1.4. Choosing Default Candidates 1156 A candidate is said to be default if it would be the target of media 1157 from a non-ICE peer; that target is called the DEFAULT DESTINATION. 1158 If the default candidates are not selected by the ICE algorithm when 1159 communicating with an ICE-aware peer, an updated offer/answer will be 1160 required after ICE processing completes in order to "fix up" the SDP 1161 so that the default destination for media matches the candidates 1162 selected by ICE. If ICE happens to select the default candidates, no 1163 updated offer/answer is required. 1165 An agent MUST choose a set of candidates, one for each component of 1166 each in-use media stream, to be default. A media stream is in-use if 1167 it does not have a port of zero (which is used in RFC 3264 to reject 1168 a media stream). Consequently, a media stream is in-use even if it 1169 is marked as a=inactive [RFC4566] or has a bandwidth value of zero. 1171 It is RECOMMENDED that default candidates be chosen based on the 1172 likelihood of those candidates to work with the peer that is being 1173 contacted. It is RECOMMENDED that the default candidates are the 1174 relayed candidates (if relayed candidates are available), server 1175 reflexive candidates (if server reflexive candidates are available), 1176 and finally host candidates. 1178 4.2. Lite Implementation Requirements 1180 Lite implementations only utilize host candidates. A lite 1181 implementation MUST, for each component of each media stream, 1182 allocate zero or one IPv4 candidates. It MAY allocate zero or more 1183 IPv6 candidates, but no more than one per each IPv6 address utilized 1184 by the host. Since there can be no more than one IPv4 candidate per 1185 component of each media stream, if an agent has multiple IPv4 1186 addresses, it MUST choose one for allocating the candidate. If a 1187 host is dual-stack, it is RECOMMENDED that it allocate one IPv4 1188 candidate and one global IPv6 address. With the lite implementation, 1189 ICE cannot be used to dynamically choose amongst candidates. 1190 Therefore, including more than one candidate from a particular scope 1191 is NOT RECOMMENDED, since only a connectivity check can truly 1192 determine whether to use one address or the other. 1194 Each component has an ID assigned to it, called the component ID. 1195 For RTP-based media streams, the RTP itself has a component ID of 1, 1196 and RTCP a component ID of 2. If an agent is using RTCP, it MUST 1197 obtain candidates for it. 1199 Each candidate is assigned a foundation. The foundation MUST be 1200 different for two candidates allocated from different IP addresses, 1201 and MUST be the same otherwise. A simple integer that increments for 1202 each IP address will suffice. In addition, each candidate MUST be 1203 assigned a unique priority amongst all candidates for the same media 1204 stream. This priority SHOULD be equal to: 1206 priority = (2^24)*(126) + 1207 (2^8)*(IP precedence) + 1208 (2^0)*(256 - component ID) 1210 If a host is v4-only, it SHOULD set the IP precedence to 65535. If a 1211 host is v6 or dual-stack, the IP precedence SHOULD be the precedence 1212 value for IP addresses described in RFC 3484 [RFC3484]. 1214 Next, an agent chooses a default candidate for each component of each 1215 media stream. If a host is IPv4-only, there would only be one 1216 candidate for each component of each media stream, and therefore that 1217 candidate is the default. If a host is IPv6 or dual-stack, the 1218 selection of default is a matter of local policy. This default 1219 SHOULD be chosen such that it is the candidate most likely to be used 1220 with a peer. For IPv6-only hosts, this would typically be a globally 1221 scoped IPv6 address. For dual-stack hosts, the IPv4 address is 1222 RECOMMENDED. 1224 4.3. Encoding the SDP 1226 The process of encoding the SDP is identical between full and lite 1227 implementations. 1229 The agent will include an m line for each media stream it wishes to 1230 use. The ordering of media streams in the SDP is relevant for ICE. 1231 ICE will perform its connectivity checks for the first m line first, 1232 and consequently media will be able to flow for that stream first. 1233 Agents SHOULD place their most important media stream, if there is 1234 one, first in the SDP. 1236 There will be a candidate attribute for each candidate for a 1237 particular media stream. Section 15 provides detailed rules for 1238 constructing this attribute. The attribute carries the IP address, 1239 port, and transport protocol for the candidate, in addition to its 1240 properties that need to be signaled to the peer for ICE to work: the 1241 priority, foundation, and component ID. The candidate attribute also 1242 carries information about the candidate that is useful for 1243 diagnostics and other functions: its type and related transport 1244 addresses. 1246 STUN connectivity checks between agents are authenticated using the 1247 short-term credential mechanism defined for STUN [RFC5389]. This 1248 mechanism relies on a username and password that are exchanged 1249 through protocol machinery between the client and server. With ICE, 1250 the offer/answer exchange is used to exchange them. The username 1251 part of this credential is formed by concatenating a username 1252 fragment from each agent, separated by a colon. Each agent also 1253 provides a password, used to compute the message integrity for 1254 requests it receives. The username fragment and password are 1255 exchanged in the ice-ufrag and ice-pwd attributes, respectively. In 1256 addition to providing security, the username provides disambiguation 1257 and correlation of checks to media streams. See Appendix B.4 for 1258 motivation. 1260 If an agent is a lite implementation, it MUST include an "a=ice-lite" 1261 session-level attribute in its SDP. If an agent is a full 1262 implementation, it MUST NOT include this attribute. 1264 The default candidates are added to the SDP as the default 1265 destination for media. For streams based on RTP, this is done by 1266 placing the IP address and port of the RTP candidate into the c and m 1267 lines, respectively. If the agent is utilizing RTCP, it MUST encode 1268 the RTCP candidate using the a=rtcp attribute as defined in RFC 3605 1269 [RFC3605]. If RTCP is not in use, the agent MUST signal that using 1270 b=RS:0 and b=RR:0 as defined in RFC 3556 [RFC3556]. 1272 The transport addresses that will be the default destination for 1273 media when communicating with non-ICE peers MUST also be present as 1274 candidates in one or more a=candidate lines. 1276 ICE provides for extensibility by allowing an offer or answer to 1277 contain a series of tokens that identify the ICE extensions used by 1278 that agent. If an agent supports an ICE extension, it MUST include 1279 the token defined for that extension in the ice-options attribute. 1281 The following is an example SDP message that includes ICE attributes 1282 (lines folded for readability): 1284 v=0 1285 o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1 1286 s= 1287 c=IN IP4 192.0.2.3 1288 t=0 0 1289 a=ice-pwd:asd88fgpdd777uzjYhagZg 1290 a=ice-ufrag:8hhY 1291 m=audio 45664 RTP/AVP 0 1292 b=RS:0 1293 b=RR:0 1294 a=rtpmap:0 PCMU/8000 1295 a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host 1296 a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 1297 10.0.1.1 rport 8998 1299 Once an agent has sent its offer or its answer, that agent MUST be 1300 prepared to receive both STUN and media packets on each candidate. 1301 As discussed in Section 11.1, media packets can be sent to a 1302 candidate prior to its appearance as the default destination for 1303 media in an offer or answer. 1305 5. Receiving the Initial Offer 1307 When an agent receives an initial offer, it will check if the offerer 1308 supports ICE, determine its own role, gather candidates, prioritize 1309 them, choose default candidates, encode and send an answer, and for 1310 full implementations, form the check lists and begin connectivity 1311 checks. 1313 5.1. Verifying ICE Support 1315 The agent will proceed with the ICE procedures defined in this 1316 specification if, for each media stream in the SDP it received, the 1317 default destination for each component of that media stream appears 1318 in a candidate attribute. For example, in the case of RTP, the IP 1319 address and port in the c and m lines, respectively, appear in a 1320 candidate attribute and the value in the rtcp attribute appears in a 1321 candidate attribute. 1323 If this condition is not met, the agent MUST process the SDP based on 1324 normal RFC 3264 procedures, without using any of the ICE mechanisms 1325 described in the remainder of this specification with the following 1326 exceptions: 1328 1. The agent MUST follow the rules of Section 10, which describe 1329 keepalive procedures for all agents. 1331 2. If the agent is not proceeding with ICE because there were 1332 a=candidate attributes, but none that matched the default 1333 destination of the media stream, the agent MUST include an a=ice- 1334 mismatch attribute in its answer. 1336 3. If the default candidates were relayed candidates learned through 1337 a TURN server, the agent MUST create permissions in the TURN 1338 server for the IP addresses learned from its peer in the SDP it 1339 just received. If this is not done, initial packets in the media 1340 stream from the peer may be lost. 1342 5.2. Determining Role 1344 For each session, each agent takes on a role. There are two roles -- 1345 controlling and controlled. The controlling agent is responsible for 1346 the choice of the final candidate pairs used for communications. For 1347 a full agent, this means nominating the candidate pairs that can be 1348 used by ICE for each media stream, and for generating the updated 1349 offer based on ICE's selection, when needed. For a lite 1350 implementation, being the controlling agent means selecting a 1351 candidate pair based on the ones in the offer and answer (for IPv4, 1352 there is only ever one pair), and then generating an updated offer 1353 reflecting that selection, when needed (it is never needed for an 1354 IPv4-only host). The controlled agent is told which candidate pairs 1355 to use for each media stream, and does not generate an updated offer 1356 to signal this information. The sections below describe in detail 1357 the actual procedures followed by controlling and controlled nodes. 1359 The rules for determining the role and the impact on behavior are as 1360 follows: 1362 Both agents are full: The agent that generated the offer which 1363 started the ICE processing MUST take the controlling role, and the 1364 other MUST take the controlled role. Both agents will form check 1365 lists, run the ICE state machines, and generate connectivity 1366 checks. The controlling agent will execute the logic in 1367 Section 8.1 to nominate pairs that will be selected by ICE, and 1368 then both agents end ICE as described in Section 8.1.2. In 1369 unusual cases, described in Appendix B.11, it is possible for both 1370 agents to mistakenly believe they are controlled or controlling. 1371 To resolve this, each agent MUST select a random number, called 1372 the tie-breaker, uniformly distributed between 0 and (2**64) - 1 1373 (that is, a 64-bit positive integer). This number is used in 1374 connectivity checks to detect and repair this case, as described 1375 in Section 7.1.2.2. 1377 One agent full, one lite: The full agent MUST take the controlling 1378 role, and the lite agent MUST take the controlled role. The full 1379 agent will form check lists, run the ICE state machines, and 1380 generate connectivity checks. That agent will execute the logic 1381 in Section 8.1 to nominate pairs that will be selected by ICE, and 1382 use the logic in Section 8.1.2 to end ICE. The lite 1383 implementation will just listen for connectivity checks, receive 1384 them and respond to them, and then conclude ICE as described in 1385 Section 8.2. For the lite implementation, the state of ICE 1386 processing for each media stream is considered to be Running, and 1387 the state of ICE overall is Running. 1389 Both lite: The agent that generated the offer which started the ICE 1390 processing MUST take the controlling role, and the other MUST take 1391 the controlled role. In this case, no connectivity checks are 1392 ever sent. Rather, once the offer/answer exchange completes, each 1393 agent performs the processing described in Section 8 without 1394 connectivity checks. It is possible that both agents will believe 1395 they are controlled or controlling. In the latter case, the 1396 conflict is resolved through glare detection capabilities in the 1397 signaling protocol carrying the offer/answer exchange. The state 1398 of ICE processing for each media stream is considered to be 1399 Running, and the state of ICE overall is Running. 1401 Once roles are determined for a session, they persist unless ICE is 1402 restarted. An ICE restart (Section 9.1) causes a new selection of 1403 roles and tie-breakers. 1405 5.3. Gathering Candidates 1407 The process for gathering candidates at the answerer is identical to 1408 the process for the offerer as described in Section 4.1.1 for full 1409 implementations and Section 4.2 for lite implementations. It is 1410 RECOMMENDED that this process begin immediately on receipt of the 1411 offer, prior to alerting the user. Such gathering MAY begin when an 1412 agent starts. 1414 5.4. Prioritizing Candidates 1416 The process for prioritizing candidates at the answerer is identical 1417 to the process followed by the offerer, as described in Section 4.1.2 1418 for full implementations and Section 4.2 for lite implementations. 1420 5.5. Choosing Default Candidates 1422 The process for selecting default candidates at the answerer is 1423 identical to the process followed by the offerer, as described in 1424 Section 4.1.4 for full implementations and Section 4.2 for lite 1425 implementations. 1427 5.6. Encoding the SDP 1429 The process for encoding the SDP at the answerer is identical to the 1430 process followed by the offerer for both full and lite 1431 implementations, as described in Section 4.3. 1433 5.7. Forming the Check Lists 1435 Forming check lists is done only by full implementations. Lite 1436 implementations MUST skip the steps defined in this section. 1438 There is one check list per in-use media stream resulting from the 1439 offer/answer exchange. To form the check list for a media stream, 1440 the agent forms candidate pairs, computes a candidate pair priority, 1441 orders the pairs by priority, prunes them, and sets their states. 1442 These steps are described in this section. 1444 5.7.1. Forming Candidate Pairs 1446 First, the agent takes each of its candidates for a media stream 1447 (called LOCAL CANDIDATES) and pairs them with the candidates it 1448 received from its peer (called REMOTE CANDIDATES) for that media 1449 stream. In order to prevent the attacks described in Section 18.5.2, 1450 agents MAY limit the number of candidates they'll accept in an offer 1451 or answer. A local candidate is paired with a remote candidate if 1452 and only if the two candidates have the same component ID and have 1453 the same IP address version. It is possible that some of the local 1454 candidates won't get paired with remote candidates, and some of the 1455 remote candidates won't get paired with local candidates. This can 1456 happen if one agent doesn't include candidates for the all of the 1457 components for a media stream. If this happens, the number of 1458 components for that media stream is effectively reduced, and 1459 considered to be equal to the minimum across both agents of the 1460 maximum component ID provided by each agent across all components for 1461 the media stream. 1463 In the case of RTP, this would happen when one agent provides 1464 candidates for RTCP, and the other does not. As another example, the 1465 offerer can multiplex RTP and RTCP on the same port and signals that 1466 it can do that in the SDP through an SDP attribute [RFC5761]. 1467 However, since the offerer doesn't know if the answerer can perform 1468 such multiplexing, the offerer includes candidates for RTP and RTCP 1469 on separate ports, so that the offer has two components per media 1470 stream. If the answerer can perform such multiplexing, it would 1471 include just a single component for each candidate -- for the 1472 combined RTP/RTCP mux. ICE would end up acting as if there was just 1473 a single component for this candidate. 1475 The candidate pairs whose local and remote candidates are both the 1476 default candidates for a particular component is called, 1477 unsurprisingly, the default candidate pair for that component. This 1478 is the pair that would be used to transmit media if both agents had 1479 not been ICE aware. 1481 In order to aid understanding, Figure 6 shows the relationships 1482 between several key concepts -- transport addresses, candidates, 1483 candidate pairs, and check lists, in addition to indicating the main 1484 properties of candidates and candidate pairs. 1486 +------------------------------------------+ 1487 | | 1488 | +---------------------+ | 1489 | |+----+ +----+ +----+ | +Type | 1490 | || IP | |Port| |Tran| | +Priority | 1491 | ||Addr| | | | | | +Foundation | 1492 | |+----+ +----+ +----+ | +ComponentiD | 1493 | | Transport | +RelatedAddr | 1494 | | Addr | | 1495 | +---------------------+ +Base | 1496 | Candidate | 1497 +------------------------------------------+ 1498 * * 1499 * ************************************* 1500 * * 1501 +-------------------------------+ 1502 .| | 1503 | Local Remote | 1504 | +----+ +----+ +default? | 1505 | |Cand| |Cand| +valid? | 1506 | +----+ +----+ +nominated?| 1507 | +State | 1508 | | 1509 | | 1510 | Candidate Pair | 1511 +-------------------------------+ 1512 * * 1513 * ************ 1514 * * 1515 +------------------+ 1516 | Candidate Pair | 1517 +------------------+ 1518 +------------------+ 1519 | Candidate Pair | 1520 +------------------+ 1521 +------------------+ 1522 | Candidate Pair | 1523 +------------------+ 1525 Check 1526 List 1528 Figure 6: Conceptual Diagram of a Check List 1530 5.7.2. Computing Pair Priority and Ordering Pairs 1532 Once the pairs are formed, a candidate pair priority is computed. 1533 Let G be the priority for the candidate provided by the controlling 1534 agent. Let D be the priority for the candidate provided by the 1535 controlled agent. The priority for a pair is computed as: 1537 pair priority = 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D?1:0) 1539 Where G>D?1:0 is an expression whose value is 1 if G is greater than 1540 D, and 0 otherwise. Once the priority is assigned, the agent sorts 1541 the candidate pairs in decreasing order of priority. If two pairs 1542 have identical priority, the ordering amongst them is arbitrary. 1544 5.7.3. Pruning the Pairs 1546 This sorted list of candidate pairs is used to determine a sequence 1547 of connectivity checks that will be performed. Each check involves 1548 sending a request from a local candidate to a remote candidate. 1549 Since an agent cannot send requests directly from a reflexive 1550 candidate, but only from its base, the agent next goes through the 1551 sorted list of candidate pairs. For each pair where the local 1552 candidate is server reflexive, the server reflexive candidate MUST be 1553 replaced by its base. Once this has been done, the agent MUST prune 1554 the list. This is done by removing a pair if its local and remote 1555 candidates are identical to the local and remote candidates of a pair 1556 higher up on the priority list. The result is a sequence of ordered 1557 candidate pairs, called the check list for that media stream. 1559 In addition, in order to limit the attacks described in 1560 Section 18.5.2, an agent MUST limit the total number of connectivity 1561 checks the agent performs across all check lists to a specific value, 1562 and this value MUST be configurable. A default of 100 is 1563 RECOMMENDED. This limit is enforced by discarding the lower-priority 1564 candidate pairs until there are less than 100. It is RECOMMENDED 1565 that a lower value be utilized when possible, set to the maximum 1566 number of plausible checks that might be seen in an actual deployment 1567 configuration. The requirement for configuration is meant to provide 1568 a tool for fixing this value in the field if, once deployed, it is 1569 found to be problematic. 1571 5.7.4. Computing States 1573 Each candidate pair in the check list has a foundation and a state. 1574 The foundation is the combination of the foundations of the local and 1575 remote candidates in the pair. The state is assigned once the check 1576 list for each media stream has been computed. There are five 1577 potential values that the state can have: 1579 Waiting: A check has not been performed for this pair, and can be 1580 performed as soon as it is the highest-priority Waiting pair on 1581 the check list. 1583 In-Progress: A check has been sent for this pair, but the 1584 transaction is in progress. 1586 Succeeded: A check for this pair was already done and produced a 1587 successful result. 1589 Failed: A check for this pair was already done and failed, either 1590 never producing any response or producing an unrecoverable failure 1591 response. 1593 Frozen: A check for this pair hasn't been performed, and it can't 1594 yet be performed until some other check succeeds, allowing this 1595 pair to unfreeze and move into the Waiting state. 1597 As ICE runs, the pairs will move between states as shown in Figure 7. 1599 +-----------+ 1600 | | 1601 | | 1602 | Frozen | 1603 | | 1604 | | 1605 +-----------+ 1606 | 1607 |unfreeze 1608 | 1609 V 1610 +-----------+ +-----------+ 1611 | | | | 1612 | | perform | | 1613 | Waiting |-------->|In-Progress| 1614 | | | | 1615 | | | | 1616 +-----------+ +-----------+ 1617 / | 1618 // | 1619 // | 1620 // | 1621 / | 1622 // | 1623 failure // |success 1624 // | 1625 / | 1626 // | 1627 // | 1628 // | 1629 V V 1630 +-----------+ +-----------+ 1631 | | | | 1632 | | | | 1633 | Failed | | Succeeded | 1634 | | | | 1635 | | | | 1636 +-----------+ +-----------+ 1638 Figure 7: Pair State FSM 1640 The initial states for each pair in a check list are computed by 1641 performing the following sequence of steps: 1643 1. The agent sets all of the pairs in each check list to the Frozen 1644 state. 1646 2. The agent examines the check list for the first media stream (a 1647 media stream is the first media stream when it is described by 1648 the first m line in the SDP offer and answer). For that media 1649 stream: 1651 * For all pairs with the same foundation, it sets the state of 1652 the pair with the lowest component ID to Waiting. If there is 1653 more than one such pair, the one with the highest-priority is 1654 used. 1656 One of the check lists will have some number of pairs in the Waiting 1657 state, and the other check lists will have all of their pairs in the 1658 Frozen state. A check list with at least one pair that is Waiting is 1659 called an active check list, and a check list with all pairs Frozen 1660 is called a frozen check list. 1662 The check list itself is associated with a state, which captures the 1663 state of ICE checks for that media stream. There are three states: 1665 Running: In this state, ICE checks are still in progress for this 1666 media stream. 1668 Completed: In this state, ICE checks have produced nominated pairs 1669 for each component of the media stream. Consequently, ICE has 1670 succeeded and media can be sent. 1672 Failed: In this state, the ICE checks have not completed 1673 successfully for this media stream. 1675 When a check list is first constructed as the consequence of an 1676 offer/answer exchange, it is placed in the Running state. 1678 ICE processing across all media streams also has a state associated 1679 with it. This state is equal to Running while ICE processing is 1680 under way. The state is Completed when ICE processing is complete 1681 and Failed if it failed without success. Rules for transitioning 1682 between states are described below. 1684 5.8. Scheduling Checks 1686 Checks are generated only by full implementations. Lite 1687 implementations MUST skip the steps described in this section. 1689 An agent performs ordinary checks and triggered checks. The 1690 generation of both checks is governed by a timer that fires 1691 periodically for each media stream. The agent maintains a FIFO 1692 queue, called the triggered check queue, which contains candidate 1693 pairs for which checks are to be sent at the next available 1694 opportunity. When the timer fires, the agent removes the top pair 1695 from the triggered check queue, performs a connectivity check on that 1696 pair, and sets the state of the candidate pair to In-Progress. If 1697 there are no pairs in the triggered check queue, an ordinary check is 1698 sent. 1700 Once the agent has computed the check lists as described in 1701 Section 5.7, it sets a timer for each active check list. The timer 1702 fires every Ta*N seconds, where N is the number of active check lists 1703 (initially, there is only one active check list). Implementations 1704 MAY set the timer to fire less frequently than this. Implementations 1705 SHOULD take care to spread out these timers so that they do not fire 1706 at the same time for each media stream. Ta and the retransmit timer 1707 RTO are computed as described in Section 16. Multiplying by N allows 1708 this aggregate check throughput to be split between all active check 1709 lists. The first timer fires immediately, so that the agent performs 1710 a connectivity check the moment the offer/answer exchange has been 1711 done, followed by the next check Ta seconds later (since there is 1712 only one active check list). 1714 When the timer fires and there is no triggered check to be sent, the 1715 agent MUST choose an ordinary check as follows: 1717 o Find the highest-priority pair in that check list that is in the 1718 Waiting state. 1720 o If there is such a pair: 1722 * Send a STUN check from the local candidate of that pair to the 1723 remote candidate of that pair. The procedures for forming the 1724 STUN request for this purpose are described in Section 7.1.2. 1726 * Set the state of the candidate pair to In-Progress. 1728 o If there is no such pair: 1730 * Find the highest-priority pair in that check list that is in 1731 the Frozen state. 1733 * If there is such a pair: 1735 + Unfreeze the pair. 1737 + Perform a check for that pair, causing its state to 1738 transition to In-Progress. 1740 * If there is no such pair: 1742 + Terminate the timer for that check list. 1744 To compute the message integrity for the check, the agent uses the 1745 remote username fragment and password learned from the SDP from its 1746 peer. The local username fragment is known directly by the agent for 1747 its own candidate. 1749 6. Receipt of the Initial Answer 1751 This section describes the procedures that an agent follows when it 1752 receives the answer from the peer. It verifies that its peer 1753 supports ICE, determines its role, and for full implementations, 1754 forms the check list and begins performing ordinary checks. 1756 When ICE is used with SIP, forking may result in a single offer 1757 generating a multiplicity of answers. In that case, ICE proceeds 1758 completely in parallel and independently for each answer, treating 1759 the combination of its offer and each answer as an independent offer/ 1760 answer exchange, with its own set of pairs, check lists, states, and 1761 so on. The only case in which processing of one pair impacts another 1762 is freeing of candidates, discussed below in Section 8.3. 1764 6.1. Verifying ICE Support 1766 The logic at the offerer is identical to that of the answerer as 1767 described in Section 5.1, with the exception that an offerer would 1768 not ever generate a=ice-mismatch attributes in an SDP. 1770 In some cases, the answer may omit a=candidate attributes for the 1771 media streams, and instead include an a=ice-mismatch attribute for 1772 one or more of the media streams in the SDP. This signals to the 1773 offerer that the answerer supports ICE, but that ICE processing was 1774 not used for the session because a signaling intermediary modified 1775 the default destination for media components without modifying the 1776 corresponding candidate attributes. See Section 18 for a discussion 1777 of cases where this can happen. This specification provides no 1778 guidance on how an agent should proceed in such a failure case. 1780 6.2. Determining Role 1782 The offerer follows the same procedures described for the answerer in 1783 Section 5.2. 1785 6.3. Forming the Check List 1787 Formation of check lists is performed only by full implementations. 1788 The offerer follows the same procedures described for the answerer in 1789 Section 5.7. 1791 6.4. Performing Ordinary Checks 1793 Ordinary checks are performed only by full implementations. The 1794 offerer follows the same procedures described for the answerer in 1795 Section 5.8. 1797 7. Performing Connectivity Checks 1799 This section describes how connectivity checks are performed. All 1800 ICE implementations are required to be compliant to [RFC5389], as 1801 opposed to the older [RFC3489]. However, whereas a full 1802 implementation will both generate checks (acting as a STUN client) 1803 and receive them (acting as a STUN server), a lite implementation 1804 will only receive checks, and thus will only act as a STUN server. 1806 7.1. STUN Client Procedures 1808 These procedures define how an agent sends a connectivity check, 1809 whether it is an ordinary or a triggered check. These procedures are 1810 only applicable to full implementations. 1812 7.1.1. Creating Permissions for Relayed Candidates 1814 If the connectivity check is being sent using a relayed local 1815 candidate, the client MUST create a permission first if it has not 1816 already created one previously. It would have created one previously 1817 if it had told the TURN server to create a permission for the given 1818 relayed candidate towards the IP address of the remote candidate. To 1819 create the permission, the agent follows the procedures defined in 1820 [RFC5766]. The permission MUST be created towards the IP address of 1821 the remote candidate. It is RECOMMENDED that the agent defer 1822 creation of a TURN channel until ICE completes, in which case 1823 permissions for connectivity checks are normally created using a 1824 CreatePermission request. Once established, the agent MUST keep the 1825 permission active until ICE concludes. 1827 7.1.2. Sending the Request 1829 The check is generated by sending a Binding request from a local 1830 candidate to a remote candidate. [RFC5389] describes how Binding 1831 requests are constructed and generated. A connectivity check MUST 1832 utilize the STUN short-term credential mechanism. Support for 1833 backwards compatibility with RFC 3489 MUST NOT be used or assumed 1834 with connectivity checks. The FINGERPRINT mechanism MUST be used for 1835 connectivity checks. 1837 ICE extends STUN by defining several new attributes, including 1838 PRIORITY, USE-CANDIDATE, ICE-CONTROLLED, and ICE-CONTROLLING. These 1839 new attributes are formally defined in Section 19.1, and their usage 1840 is described in the subsections below. These STUN extensions are 1841 applicable only to connectivity checks used for ICE. 1843 7.1.2.1. PRIORITY and USE-CANDIDATE 1845 An agent MUST include the PRIORITY attribute in its Binding request. 1846 The attribute MUST be set equal to the priority that would be 1847 assigned, based on the algorithm in Section 4.1.2, to a peer 1848 reflexive candidate, should one be learned as a consequence of this 1849 check (see Section 7.1.3.2.1 for how peer reflexive candidates are 1850 learned). This priority value will be computed identically to how 1851 the priority for the local candidate of the pair was computed, except 1852 that the type preference is set to the value for peer reflexive 1853 candidate types. 1855 The controlling agent MAY include the USE-CANDIDATE attribute in the 1856 Binding request. The controlled agent MUST NOT include it in its 1857 Binding request. This attribute signals that the controlling agent 1858 wishes to cease checks for this component, and use the candidate pair 1859 resulting from the check for this component. Section 8.1.1 provides 1860 guidance on determining when to include it. 1862 7.1.2.2. ICE-CONTROLLED and ICE-CONTROLLING 1864 The agent MUST include the ICE-CONTROLLED attribute in the request if 1865 it is in the controlled role, and MUST include the ICE-CONTROLLING 1866 attribute in the request if it is in the controlling role. The 1867 content of either attribute MUST be the tie-breaker that was 1868 determined in Section 5.2. These attributes are defined fully in 1869 Section 19.1. 1871 7.1.2.3. Forming Credentials 1873 A Binding request serving as a connectivity check MUST utilize the 1874 STUN short-term credential mechanism. The username for the 1875 credential is formed by concatenating the username fragment provided 1876 by the peer with the username fragment of the agent sending the 1877 request, separated by a colon (":"). The password is equal to the 1878 password provided by the peer. For example, consider the case where 1879 agent L is the offerer, and agent R is the answerer. Agent L 1880 included a username fragment of LFRAG for its candidates and a 1881 password of LPASS. Agent R provided a username fragment of RFRAG and 1882 a password of RPASS. A connectivity check from L to R utilizes the 1883 username RFRAG:LFRAG and a password of RPASS. A connectivity check 1884 from R to L utilizes the username LFRAG:RFRAG and a password of 1885 LPASS. The responses utilize the same usernames and passwords as the 1886 requests (note that the USERNAME attribute is not present in the 1887 response). 1889 7.1.2.4. DiffServ Treatment 1891 If the agent is using Diffserv Codepoint markings [RFC2475] in its 1892 media packets, it SHOULD apply those same markings to its 1893 connectivity checks. 1895 7.1.3. Processing the Response 1897 When a Binding response is received, it is correlated to its Binding 1898 request using the transaction ID, as defined in [RFC5389], which then 1899 ties it to the candidate pair for which the Binding request was sent. 1900 This section defines additional procedures for processing Binding 1901 responses specific to this usage of STUN. 1903 7.1.3.1. Failure Cases 1905 If the STUN transaction generates a 487 (Role Conflict) error 1906 response, the agent checks whether it included the ICE-CONTROLLED or 1907 ICE-CONTROLLING attribute in the Binding request. If the request 1908 contained the ICE-CONTROLLED attribute, the agent MUST switch to the 1909 controlling role if it has not already done so. If the request 1910 contained the ICE-CONTROLLING attribute, the agent MUST switch to the 1911 controlled role if it has not already done so. Once it has switched, 1912 the agent MUST enqueue the candidate pair whose check generated the 1913 487 into the triggered check queue. The state of that pair is set to 1914 Waiting. When the triggered check is sent, it will contain an ICE- 1915 CONTROLLING or ICE-CONTROLLED attribute reflecting its new role. 1916 Note, however, that the tie-breaker value MUST NOT be reselected. 1918 A change in roles will require an agent to recompute pair priorities 1919 (Section 5.7.2), since those priorities are a function of controlling 1920 and controlled roles. The change in role will also impact whether 1921 the agent is responsible for selecting nominated pairs and generating 1922 updated offers upon conclusion of ICE. 1924 Agents MAY support receipt of ICMP errors for connectivity checks. 1925 If the STUN transaction generates an ICMP error, the agent sets the 1926 state of the pair to Failed. If the STUN transaction generates a 1927 STUN error response that is unrecoverable (as defined in [RFC5389]) 1928 or times out, the agent sets the state of the pair to Failed. 1930 The agent MUST check that the source IP address and port of the 1931 response equal the destination IP address and port to which the 1932 Binding request was sent, and that the destination IP address and 1933 port of the response match the source IP address and port from which 1934 the Binding request was sent. In other words, the source and 1935 destination transport addresses in the request and responses are 1936 symmetric. If they are not symmetric, the agent sets the state of 1937 the pair to Failed. 1939 7.1.3.2. Success Cases 1941 A check is considered to be a success if all of the following are 1942 true: 1944 o The STUN transaction generated a success response. 1946 o The source IP address and port of the response equals the 1947 destination IP address and port to which the Binding request was 1948 sent. 1950 o The destination IP address and port of the response match the 1951 source IP address and port from which the Binding request was 1952 sent. 1954 7.1.3.2.1. Discovering Peer Reflexive Candidates 1956 The agent checks the mapped address from the STUN response. If the 1957 transport address does not match any of the local candidates that the 1958 agent knows about, the mapped address represents a new candidate -- a 1959 peer reflexive candidate. Like other candidates, it has a type, 1960 base, priority, and foundation. They are computed as follows: 1962 o Its type is equal to peer reflexive. 1964 o Its base is set equal to the local candidate of the candidate pair 1965 from which the STUN check was sent. 1967 o Its priority is set equal to the value of the PRIORITY attribute 1968 in the Binding request. 1970 o Its foundation is selected as described in Section 4.1.1.3. 1972 This peer reflexive candidate is then added to the list of local 1973 candidates for the media stream. Its username fragment and password 1974 are the same as all other local candidates for that media stream. 1975 However, the peer reflexive candidate is not paired with other remote 1976 candidates. This is not necessary; a valid pair will be generated 1977 from it momentarily based on the procedures in Section 7.1.3.2.2. If 1978 an agent wishes to pair the peer reflexive candidate with other 1979 remote candidates besides the one in the valid pair that will be 1980 generated, the agent MAY generate an updated offer which includes the 1981 peer reflexive candidate. This will cause it to be paired with all 1982 other remote candidates. 1984 7.1.3.2.2. Constructing a Valid Pair 1986 The agent constructs a candidate pair whose local candidate equals 1987 the mapped address of the response, and whose remote candidate equals 1988 the destination address to which the request was sent. This is 1989 called a valid pair, since it has been validated by a STUN 1990 connectivity check. The valid pair may equal the pair that generated 1991 the check, may equal a different pair in the check list, or may be a 1992 pair not currently on any check list. If the pair equals the pair 1993 that generated the check or is on a check list currently, it is also 1994 added to the VALID LIST, which is maintained by the agent for each 1995 media stream. This list is empty at the start of ICE processing, and 1996 fills as checks are performed, resulting in valid candidate pairs. 1998 It will be very common that the pair will not be on any check list. 1999 Recall that the check list has pairs whose local candidates are never 2000 server reflexive; those pairs had their local candidates converted to 2001 the base of the server reflexive candidates, and then pruned if they 2002 were redundant. When the response to the STUN check arrives, the 2003 mapped address will be reflexive if there is a NAT between the two. 2004 In that case, the valid pair will have a local candidate that doesn't 2005 match any of the pairs in the check list. 2007 If the pair is not on any check list, the agent computes the priority 2008 for the pair based on the priority of each candidate, using the 2009 algorithm in Section 5.7. The priority of the local candidate 2010 depends on its type. If it is not peer reflexive, it is equal to the 2011 priority signaled for that candidate in the SDP. If it is peer 2012 reflexive, it is equal to the PRIORITY attribute the agent placed in 2013 the Binding request that just completed. The priority of the remote 2014 candidate is taken from the SDP of the peer. If the candidate does 2015 not appear there, then the check must have been a triggered check to 2016 a new remote candidate. In that case, the priority is taken as the 2017 value of the PRIORITY attribute in the Binding request that triggered 2018 the check that just completed. The pair is then added to the VALID 2019 LIST. 2021 7.1.3.2.3. Updating Pair States 2023 The agent sets the state of the pair that *generated* the check to 2024 Succeeded. Note that, the pair which *generated* the check may be 2025 different than the valid pair constructed in Section 7.1.3.2.2 as a 2026 consequence of the response. The success of this check might also 2027 cause the state of other checks to change as well. The agent MUST 2028 perform the following two steps: 2030 1. The agent changes the states for all other Frozen pairs for the 2031 same media stream and same foundation to Waiting. Typically, but 2032 not always, these other pairs will have different component IDs. 2034 2. If there is a pair in the valid list for every component of this 2035 media stream (where this is the actual number of components being 2036 used, in cases where the number of components signaled in the SDP 2037 differs from offerer to answerer), the success of this check may 2038 unfreeze checks for other media streams. Note that this step is 2039 followed not just the first time the valid list under 2040 consideration has a pair for every component, but every 2041 subsequent time a check succeeds and adds yet another pair to 2042 that valid list. The agent examines the check list for each 2043 other media stream in turn: 2045 * If the check list is active, the agent changes the state of 2046 all Frozen pairs in that check list whose foundation matches a 2047 pair in the valid list under consideration to Waiting. 2049 * If the check list is frozen, and there is at least one pair in 2050 the check list whose foundation matches a pair in the valid 2051 list under consideration, the state of all pairs in the check 2052 list whose foundation matches a pair in the valid list under 2053 consideration is set to Waiting. This will cause the check 2054 list to become active, and ordinary checks will begin for it, 2055 as described in Section 5.8. 2057 * If the check list is frozen, and there are no pairs in the 2058 check list whose foundation matches a pair in the valid list 2059 under consideration, the agent 2061 + groups together all of the pairs with the same foundation, 2062 and 2064 + for each group, sets the state of the pair with the lowest 2065 component ID to Waiting. If there is more than one such 2066 pair, the one with the highest-priority is used. 2068 7.1.3.2.4. Updating the Nominated Flag 2070 If the agent was a controlling agent, and it had included a USE- 2071 CANDIDATE attribute in the Binding request, the valid pair generated 2072 from that check has its nominated flag set to true. This flag 2073 indicates that this valid pair should be used for media if it is the 2074 highest-priority one amongst those whose nominated flag is set. This 2075 may conclude ICE processing for this media stream or all media 2076 streams; see Section 8. 2078 If the agent is the controlled agent, the response may be the result 2079 of a triggered check that was sent in response to a request that 2080 itself had the USE-CANDIDATE attribute. This case is described in 2081 Section 7.2.1.5, and may now result in setting the nominated flag for 2082 the pair learned from the original request. 2084 7.1.3.3. Check List and Timer State Updates 2086 Regardless of whether the check was successful or failed, the 2087 completion of the transaction may require updating of check list and 2088 timer states. 2090 If all of the pairs in the check list are now either in the Failed or 2091 Succeeded state: 2093 o If there is not a pair in the valid list for each component of the 2094 media stream, the state of the check list is set to Failed. 2096 o For each frozen check list, the agent 2098 * groups together all of the pairs with the same foundation, and 2100 * for each group, sets the state of the pair with the lowest 2101 component ID to Waiting. If there is more than one such pair, 2102 the one with the highest-priority is used. 2104 If none of the pairs in the check list are in the Waiting or Frozen 2105 state, the check list is no longer considered active, and will not 2106 count towards the value of N in the computation of timers for 2107 ordinary checks as described in Section 5.8. 2109 7.2. STUN Server Procedures 2111 An agent MUST be prepared to receive a Binding request on the base of 2112 each candidate it included in its most recent offer or answer. This 2113 requirement holds even if the peer is a lite implementation. 2115 The agent MUST use a short-term credential to authenticate the 2116 request and perform a message integrity check. The agent MUST 2117 consider the username to be valid if it consists of two values 2118 separated by a colon, where the first value is equal to the username 2119 fragment generated by the agent in an offer or answer for a session 2120 in-progress. It is possible (and in fact very likely) that an 2121 offerer will receive a Binding request prior to receiving the answer 2122 from its peer. If this happens, the agent MUST immediately generate 2123 a response (including computation of the mapped address as described 2124 in Section 7.2.1.2). The agent has sufficient information at this 2125 point to generate the response; the password from the peer is not 2126 required. Once the answer is received, it MUST proceed with the 2127 remaining steps required, namely, Section 7.2.1.3, Section 7.2.1.4, 2128 and Section 7.2.1.5 for full implementations. In cases where 2129 multiple STUN requests are received before the answer, this may cause 2130 several pairs to be queued up in the triggered check queue. 2132 An agent MUST NOT utilize the ALTERNATE-SERVER mechanism, and MUST 2133 NOT support the backwards-compatibility mechanisms to RFC 3489. It 2134 MUST utilize the FINGERPRINT mechanism. 2136 If the agent is using Diffserv Codepoint markings [RFC2475] in its 2137 media packets, it SHOULD apply those same markings to its responses 2138 to Binding requests. The same would apply to any layer 2 markings 2139 the endpoint might be applying to media packets. 2141 7.2.1. Additional Procedures for Full Implementations 2143 This subsection defines the additional server procedures applicable 2144 to full implementations. 2146 7.2.1.1. Detecting and Repairing Role Conflicts 2148 Normally, the rules for selection of a role in Section 5.2 will 2149 result in each agent selecting a different role -- one controlling 2150 and one controlled. However, in unusual call flows, typically 2151 utilizing third party call control, it is possible for both agents to 2152 select the same role. This section describes procedures for checking 2153 for this case and repairing it. 2155 An agent MUST examine the Binding request for either the ICE- 2156 CONTROLLING or ICE-CONTROLLED attribute. It MUST follow these 2157 procedures: 2159 o If neither ICE-CONTROLLING nor ICE-CONTROLLED is present in the 2160 request, the peer agent may have implemented a previous version of 2161 this specification. There may be a conflict, but it cannot be 2162 detected. 2164 o If the agent is in the controlling role, and the ICE-CONTROLLING 2165 attribute is present in the request: 2167 * If the agent's tie-breaker is larger than or equal to the 2168 contents of the ICE-CONTROLLING attribute, the agent generates 2169 a Binding error response and includes an ERROR-CODE attribute 2170 with a value of 487 (Role Conflict) but retains its role. 2172 * If the agent's tie-breaker is less than the contents of the 2173 ICE-CONTROLLING attribute, the agent switches to the controlled 2174 role. 2176 o If the agent is in the controlled role, and the ICE-CONTROLLED 2177 attribute is present in the request: 2179 * If the agent's tie-breaker is larger than or equal to the 2180 contents of the ICE-CONTROLLED attribute, the agent switches to 2181 the controlling role. 2183 * If the agent's tie-breaker is less than the contents of the 2184 ICE-CONTROLLED attribute, the agent generates a Binding error 2185 response and includes an ERROR-CODE attribute with a value of 2186 487 (Role Conflict) but retains its role. 2188 o If the agent is in the controlled role and the ICE-CONTROLLING 2189 attribute was present in the request, or the agent was in the 2190 controlling role and the ICE-CONTROLLED attribute was present in 2191 the request, there is no conflict. 2193 A change in roles will require an agent to recompute pair priorities 2194 (Section 5.7.2), since those priorities are a function of controlling 2195 and controlled roles. The change in role will also impact whether 2196 the agent is responsible for selecting nominated pairs and generated 2197 updated offers upon conclusion of ICE. 2199 The remaining sections in Section 7.2.1 are followed if the server 2200 generated a successful response to the Binding request, even if the 2201 agent changed roles. 2203 7.2.1.2. Computing Mapped Address 2205 For requests being received on a relayed candidate, the source 2206 transport address used for STUN processing (namely, generation of the 2207 XOR-MAPPED-ADDRESS attribute) is the transport address as seen by the 2208 TURN server. That source transport address will be present in the 2209 XOR-PEER-ADDRESS attribute of a Data Indication message, if the 2210 Binding request was delivered through a Data Indication. If the 2211 Binding request was delivered through a ChannelData message, the 2212 source transport address is the one that was bound to the channel. 2214 7.2.1.3. Learning Peer Reflexive Candidates 2216 If the source transport address of the request does not match any 2217 existing remote candidates, it represents a new peer reflexive remote 2218 candidate. This candidate is constructed as follows: 2220 o The priority of the candidate is set to the PRIORITY attribute 2221 from the request. 2223 o The type of the candidate is set to peer reflexive. 2225 o The foundation of the candidate is set to an arbitrary value, 2226 different from the foundation for all other remote candidates. If 2227 any subsequent offer/answer exchanges contain this peer reflexive 2228 candidate in the SDP, it will signal the actual foundation for the 2229 candidate. 2231 o The component ID of this candidate is set to the component ID for 2232 the local candidate to which the request was sent. 2234 This candidate is added to the list of remote candidates. However, 2235 the agent does not pair this candidate with any local candidates. 2237 7.2.1.4. Triggered Checks 2239 Next, the agent constructs a pair whose local candidate is equal to 2240 the transport address on which the STUN request was received, and a 2241 remote candidate equal to the source transport address where the 2242 request came from (which may be the peer reflexive remote candidate 2243 that was just learned). The local candidate will either be a host 2244 candidate (for cases where the request was not received through a 2245 relay) or a relayed candidate (for cases where it is received through 2246 a relay). The local candidate can never be a server reflexive 2247 candidate. Since both candidates are known to the agent, it can 2248 obtain their priorities and compute the candidate pair priority. 2249 This pair is then looked up in the check list. There can be one of 2250 several outcomes: 2252 o If the pair is already on the check list: 2254 * If the state of that pair is Waiting or Frozen, a check for 2255 that pair is enqueued into the triggered check queue if not 2256 already present. 2258 * If the state of that pair is In-Progress, the agent cancels the 2259 in-progress transaction. Cancellation means that the agent 2260 will not retransmit the request, will not treat the lack of 2261 response to be a failure, but will wait the duration of the 2262 transaction timeout for a response. In addition, the agent 2263 MUST create a new connectivity check for that pair 2264 (representing a new STUN Binding request transaction) by 2265 enqueueing the pair in the triggered check queue. The state of 2266 the pair is then changed to Waiting. 2268 * If the state of the pair is Failed, it is changed to Waiting 2269 and the agent MUST create a new connectivity check for that 2270 pair (representing a new STUN Binding request transaction), by 2271 enqueueing the pair in the triggered check queue. 2273 * If the state of that pair is Succeeded, nothing further is 2274 done. 2276 These steps are done to facilitate rapid completion of ICE when both 2277 agents are behind NAT. 2279 o If the pair is not already on the check list: 2281 * The pair is inserted into the check list based on its priority. 2283 * Its state is set to Waiting. 2285 * The pair is enqueued into the triggered check queue. 2287 When a triggered check is to be sent, it is constructed and processed 2288 as described in Section 7.1.2. These procedures require the agent to 2289 know the transport address, username fragment, and password for the 2290 peer. The username fragment for the remote candidate is equal to the 2291 part after the colon of the USERNAME in the Binding request that was 2292 just received. Using that username fragment, the agent can check the 2293 SDP messages received from its peer (there may be more than one in 2294 cases of forking), and find this username fragment. The 2295 corresponding password is then selected. 2297 7.2.1.5. Updating the Nominated Flag 2299 If the Binding request received by the agent had the USE-CANDIDATE 2300 attribute set, and the agent is in the controlled role, the agent 2301 looks at the state of the pair computed in Section 7.2.1.4: 2303 o If the state of this pair is Succeeded, it means that the check 2304 generated by this pair produced a successful response. This would 2305 have caused the agent to construct a valid pair when that success 2306 response was received (see Section 7.1.3.2.2). The agent now sets 2307 the nominated flag in the valid pair to true. This may end ICE 2308 processing for this media stream; see Section 8. 2310 o If the state of this pair is In-Progress, if its check produces a 2311 successful result, the resulting valid pair has its nominated flag 2312 set when the response arrives. This may end ICE processing for 2313 this media stream when it arrives; see Section 8. 2315 7.2.2. Additional Procedures for Lite Implementations 2317 If the check that was just received contained a USE-CANDIDATE 2318 attribute, the agent constructs a candidate pair whose local 2319 candidate is equal to the transport address on which the request was 2320 received, and whose remote candidate is equal to the source transport 2321 address of the request that was received. This candidate pair is 2322 assigned an arbitrary priority, and placed into a list of valid 2323 candidates called the valid list. The agent sets the nominated flag 2324 for that pair to true. ICE processing is considered complete for a 2325 media stream if the valid list contains a candidate pair for each 2326 component. 2328 8. Concluding ICE Processing 2330 This section describes how an agent completes ICE. 2332 8.1. Procedures for Full Implementations 2334 Concluding ICE involves nominating pairs by the controlling agent and 2335 updating of state machinery. 2337 8.1.1. Nominating Pairs 2339 The controlling agent nominates pairs to be selected by ICE by using 2340 one of two techniques: regular nomination or aggressive nomination. 2341 If its peer has a lite implementation, an agent MUST use a regular 2342 nomination algorithm. If its peer is using ICE options (present in 2343 an ice-options attribute from the peer) that the agent does not 2344 understand, the agent MUST use a regular nomination algorithm. If 2345 its peer is a full implementation and isn't using any ICE options or 2346 is using ICE options understood by the agent, the agent MAY use 2347 either the aggressive or the regular nomination algorithm. However, 2348 the regular algorithm is RECOMMENDED since it provides greater 2349 stability. 2351 8.1.1.1. Regular Nomination 2353 With regular nomination, the agent lets some number of checks 2354 complete, each of which omit the USE-CANDIDATE attribute. Once one 2355 or more checks complete successfully for a component of a media 2356 stream, valid pairs are generated and added to the valid list. The 2357 agent lets the checks continue until some stopping criterion is met, 2358 and then picks amongst the valid pairs based on an evaluation 2359 criterion. The criteria for stopping the checks and for evaluating 2360 the valid pairs is entirely a matter of local optimization. 2362 When the controlling agent selects the valid pair, it repeats the 2363 check that produced this valid pair (by enqueueing the pair that 2364 generated the check into the triggered check queue), this time with 2365 the USE-CANDIDATE attribute. This check should succeed (since the 2366 previous did), causing the nominated flag of that and only that pair 2367 to be set. Consequently, there will be only a single nominated pair 2368 in the valid list for each component, and when the state of the check 2369 list moves to completed, that exact pair is selected by ICE for 2370 sending and receiving media for that component. 2372 Regular nomination provides the most flexibility, since the agent has 2373 control over the stopping and selection criteria for checks. The 2374 only requirement is that the agent MUST eventually pick one and only 2375 one candidate pair and generate a check for that pair with the USE- 2376 CANDIDATE attribute present. Regular nomination also improves ICE's 2377 resilience to variations in implementation (see Section 14). Regular 2378 nomination is also more stable, allowing both agents to converge on a 2379 single pair for media without any transient selections, which can 2380 happen with the aggressive algorithm. The drawback of regular 2381 nomination is that it is guaranteed to increase latencies because it 2382 requires an additional check to be done. 2384 8.1.1.2. Aggressive Nomination 2386 With aggressive nomination, the controlling agent includes the USE- 2387 CANDIDATE attribute in every check it sends. Once the first check 2388 for a component succeeds, it will be added to the valid list and have 2389 its nominated flag set. When all components have a nominated pair in 2390 the valid list, media can begin to flow using the highest-priority 2391 nominated pair. However, because the agent included the USE- 2392 CANDIDATE attribute in all of its checks, another check may yet 2393 complete, causing another valid pair to have its nominated flag set. 2394 ICE always selects the highest-priority nominated candidate pair from 2395 the valid list as the one used for media. Consequently, the selected 2396 pair may actually change briefly as ICE checks complete, resulting in 2397 a set of transient selections until it stabilizes. 2399 8.1.2. Updating States 2401 For both controlling and controlled agents, the state of ICE 2402 processing depends on the presence of nominated candidate pairs in 2403 the valid list and on the state of the check list. Note that, at any 2404 time, more than one of the following cases can apply: 2406 o If there are no nominated pairs in the valid list for a media 2407 stream and the state of the check list is Running, ICE processing 2408 continues. 2410 o If there is at least one nominated pair in the valid list for a 2411 media stream and the state of the check list is Running: 2413 * The agent MUST remove all Waiting and Frozen pairs in the check 2414 list and triggered check queue for the same component as the 2415 nominated pairs for that media stream. 2417 * If an In-Progress pair in the check list is for the same 2418 component as a nominated pair, the agent SHOULD cease 2419 retransmissions for its check if its pair priority is lower 2420 than the lowest-priority nominated pair for that component. 2422 o Once there is at least one nominated pair in the valid list for 2423 every component of at least one media stream and the state of the 2424 check list is Running: 2426 * The agent MUST change the state of processing for its check 2427 list for that media stream to Completed. 2429 * The agent MUST continue to respond to any checks it may still 2430 receive for that media stream, and MUST perform triggered 2431 checks if required by the processing of Section 7.2. 2433 * The agent MUST continue retransmitting any In-Progress checks 2434 for that check list. 2436 * The agent MAY begin transmitting media for this media stream as 2437 described in Section 11.1. 2439 o Once the state of each check list is Completed: 2441 * The agent sets the state of ICE processing overall to 2442 Completed. 2444 * If an agent is controlling, it examines the highest-priority 2445 nominated candidate pair for each component of each media 2446 stream. If any of those candidate pairs differ from the 2447 default candidate pairs in the most recent offer/answer 2448 exchange, the controlling agent MUST generate an updated offer 2449 as described in Section 9. If the controlling agent is using 2450 an aggressive nomination algorithm, this may result in several 2451 updated offers as the pairs selected for media change. An 2452 agent MAY delay sending the offer for a brief interval (one 2453 second is RECOMMENDED) in order to allow the selected pairs to 2454 stabilize. 2456 o If the state of the check list is Failed, ICE has not been able to 2457 complete for this media stream. The correct behavior depends on 2458 the state of the check lists for other media streams: 2460 * If all check lists are Failed, ICE processing overall is 2461 considered to be in the Failed state, and the agent SHOULD 2462 consider the session a failure, SHOULD NOT restart ICE, and the 2463 controlling agent SHOULD terminate the entire session. 2465 * If at least one of the check lists for other media streams is 2466 Completed, the controlling agent SHOULD remove the failed media 2467 stream from the session in its updated offer. 2469 * If none of the check lists for other media streams are 2470 Completed, but at least one is Running, the agent SHOULD let 2471 ICE continue. 2473 8.2. Procedures for Lite Implementations 2475 Concluding ICE for a lite implementation is relatively 2476 straightforward. There are two cases to consider: 2478 The implementation is lite, and its peer is full. 2480 The implementation is lite, and its peer is lite. 2482 The effect of ICE concluding is that the agent can free any allocated 2483 host candidates that were not utilized by ICE, as described in 2484 Section 8.3. 2486 8.2.1. Peer Is Full 2488 In this case, the agent will receive connectivity checks from its 2489 peer. When an agent has received a connectivity check that includes 2490 the USE-CANDIDATE attribute for each component of a media stream, the 2491 state of ICE processing for that media stream moves from Running to 2492 Completed. When the state of ICE processing for all media streams is 2493 Completed, the state of ICE processing overall is Completed. 2495 The lite implementation will never itself determine that ICE 2496 processing has failed for a media stream; rather, the full peer will 2497 make that determination and then remove or restart the failed media 2498 stream in a subsequent offer. 2500 8.2.2. Peer Is Lite 2502 Once the offer/answer exchange has completed, both agents examine 2503 their candidates and those of its peer. For each media stream, each 2504 agent pairs up its own candidates with the candidates of its peer for 2505 that media stream. Two candidates are paired up when they are for 2506 the same component, utilize the same transport protocol (UDP in this 2507 specification), and are from the same IP address family (IPv4 or 2508 IPv6). 2510 o If there is a single pair per component, that pair is added to the 2511 Valid list. If all of the components for a media stream had one 2512 pair, the state of ICE processing for that media stream is set to 2513 Completed. If all media streams are Completed, the state of ICE 2514 processing is set to Completed overall. This will always be the 2515 case for implementations that are IPv4-only. 2517 o If there is more than one pair per component: 2519 * The agent MUST select a pair based on local policy. Since this 2520 case only arises for IPv6, it is RECOMMENDED that an agent 2521 follow the procedures of RFC 3484 [RFC3484] to select a single 2522 pair. 2524 * The agent adds the selected pair for each component to the 2525 valid list. As described in Section 11.1, this will permit 2526 media to begin flowing. However, it is possible (and in fact 2527 likely) that both agents have chosen different pairs. 2529 * To reconcile this, the controlling agent MUST send an updated 2530 offer as described in Section 9.1.3, which will include the 2531 remote-candidates attribute. 2533 * The agent MUST NOT update the state of ICE processing when the 2534 offer is sent. If this subsequent offer completes, the 2535 controlling agent MUST change the state of ICE processing to 2536 Completed for all media streams, and the state of ICE 2537 processing overall to Completed. The states for the controlled 2538 agent are set based on the logic in Section 9.2.3. 2540 8.3. Freeing Candidates 2542 8.3.1. Full Implementation Procedures 2544 The procedures in Section 8 require that an agent continue to listen 2545 for STUN requests and continue to generate triggered checks for a 2546 media stream, even once processing for that stream completes. The 2547 rules in this section describe when it is safe for an agent to cease 2548 sending or receiving checks on a candidate that was not selected by 2549 ICE, and then free the candidate. 2551 When ICE is used with SIP, and an offer is forked to multiple 2552 recipients, ICE proceeds in parallel and independently with each 2553 answerer, all using the same local candidates. Once ICE processing 2554 has reached the Completed state for all peers for media streams using 2555 those candidates, the agent SHOULD wait an additional three seconds, 2556 and then it MAY cease responding to checks or generating triggered 2557 checks on that candidate. It MAY free the candidate at that time. 2558 Freeing of server reflexive candidates is never explicit; it happens 2559 by lack of a keepalive. The three-second delay handles cases when 2560 aggressive nomination is used, and the selected pairs can quickly 2561 change after ICE has completed. 2563 8.3.2. Lite Implementation Procedures 2565 A lite implementation MAY free candidates not selected by ICE as soon 2566 as ICE processing has reached the Completed state for all peers for 2567 all media streams using those candidates. 2569 9. Subsequent Offer/Answer Exchanges 2571 Either agent MAY generate a subsequent offer at any time allowed by 2572 RFC 3264 [RFC3264]. The rules in Section 8 will cause the 2573 controlling agent to send an updated offer at the conclusion of ICE 2574 processing when ICE has selected different candidate pairs from the 2575 default pairs. This section defines rules for construction of 2576 subsequent offers and answers. 2578 Should a subsequent offer be rejected, ICE processing continues as if 2579 the subsequent offer had never been made. 2581 9.1. Generating the Offer 2583 9.1.1. Procedures for All Implementations 2585 9.1.1.1. ICE Restarts 2587 An agent MAY restart ICE processing for an existing media stream. An 2588 ICE restart, as the name implies, will cause all previous states of 2589 ICE processing to be flushed and checks to start anew. The only 2590 difference between an ICE restart and a brand new media session is 2591 that, during the restart, media can continue to be sent to the 2592 previously validated pair. 2594 An agent MUST restart ICE for a media stream if: 2596 o The offer is being generated for the purposes of changing the 2597 target of the media stream. In other words, if an agent wants to 2598 generate an updated offer that, had ICE not been in use, would 2599 result in a new value for the destination of a media component. 2601 o An agent is changing its implementation level. This typically 2602 only happens in third party call control use cases, where the 2603 entity performing the signaling is not the entity receiving the 2604 media, and it has changed the target of media mid-session to 2605 another entity that has a different ICE implementation. 2607 These rules imply that setting the IP address in the c line to 2608 0.0.0.0 will cause an ICE restart. Consequently, ICE implementations 2609 MUST NOT utilize this mechanism for call hold, and instead MUST use 2610 a=inactive and a=sendonly as described in [RFC3264]. 2612 To restart ICE, an agent MUST change both the ice-pwd and the ice- 2613 ufrag for the media stream in an offer. Note that it is permissible 2614 to use a session-level attribute in one offer, but to provide the 2615 same ice-pwd or ice-ufrag as a media-level attribute in a subsequent 2616 offer. This is not a change in password, just a change in its 2617 representation, and does not cause an ICE restart. 2619 An agent sets the rest of the fields in the SDP for this media stream 2620 as it would in an initial offer of this media stream (see 2621 Section 4.3). Consequently, the set of candidates MAY include some, 2622 none, or all of the previous candidates for that stream and MAY 2623 include a totally new set of candidates gathered as described in 2624 Section 4.1.1. 2626 9.1.1.2. Removing a Media Stream 2628 If an agent removes a media stream by setting its port to zero, it 2629 MUST NOT include any candidate attributes for that media stream and 2630 SHOULD NOT include any other ICE-related attributes defined in 2631 Section 15 for that media stream. 2633 9.1.1.3. Adding a Media Stream 2635 If an agent wishes to add a new media stream, it sets the fields in 2636 the SDP for this media stream as if this was an initial offer for 2637 that media stream (see Section 4.3). This will cause ICE processing 2638 to begin for this media stream. 2640 9.1.2. Procedures for Full Implementations 2642 This section describes additional procedures for full 2643 implementations, covering existing media streams. 2645 The username fragments, password, and implementation level MUST 2646 remain the same as used previously. If an agent needs to change one 2647 of these, it MUST restart ICE for that media stream. 2649 Additional behavior depends on the state ICE processing for that 2650 media stream. 2652 9.1.2.1. Existing Media Streams with ICE Running 2654 If an agent generates an updated offer including a media stream that 2655 was previously established, and for which ICE checks are in the 2656 Running state, the agent follows the procedures defined here. 2658 An agent MUST include candidate attributes for all local candidates 2659 it had signaled previously for that media stream. The properties of 2660 that candidate as signaled in SDP -- the priority, foundation, type, 2661 and related transport address -- SHOULD remain the same. The IP 2662 address, port, and transport protocol, which fundamentally identify 2663 that candidate, MUST remain the same (if they change, it would be a 2664 new candidate). The component ID MUST remain the same. The agent 2665 MAY include additional candidates it did not offer previously, but 2666 which it has gathered since the last offer/answer exchange, including 2667 peer reflexive candidates. 2669 The agent MAY change the default destination for media. As with 2670 initial offers, there MUST be a set of candidate attributes in the 2671 offer matching this default destination. 2673 9.1.2.2. Existing Media Streams with ICE Completed 2675 If an agent generates an updated offer including a media stream that 2676 was previously established, and for which ICE checks are in the 2677 Completed state, the agent follows the procedures defined here. 2679 The default destination for media (i.e., the values of the IP 2680 addresses and ports in the m and c lines used for that media stream) 2681 MUST be the local candidate from the highest-priority nominated pair 2682 in the valid list for each component. This "fixes" the default 2683 destination for media to equal the destination ICE has selected for 2684 media. 2686 The agent MUST include candidate attributes for candidates matching 2687 the default destination for each component of the media stream, and 2688 MUST NOT include any other candidates. 2690 In addition, if the agent is controlling, it MUST include the 2691 a=remote-candidates attribute for each media stream whose check list 2692 is in the Completed state. The attribute contains the remote 2693 candidates from the highest-priority nominated pair in the valid list 2694 for each component of that media stream. It is needed to avoid a 2695 race condition whereby the controlling agent chooses its pairs, but 2696 the updated offer beats the connectivity checks to the controlled 2697 agent, which doesn't even know these pairs are valid, let alone 2698 selected. See Appendix B.6 for elaboration on this race condition. 2700 9.1.3. Procedures for Lite Implementations 2702 9.1.3.1. Existing Media Streams with ICE Running 2704 This section describes procedures for lite implementations for 2705 existing streams for which ICE is running. 2707 A lite implementation MUST include all of its candidates for each 2708 component of each media stream in an a=candidate attribute in any 2709 subsequent offer. These candidates are formed identically to the 2710 procedures for initial offers, as described in Section 4.2. 2712 A lite implementation MUST NOT add additional host candidates in a 2713 subsequent offer. If an agent needs to offer additional candidates, 2714 it MUST restart ICE. 2716 The username fragments, password, and implementation level MUST 2717 remain the same as used previously. If an agent needs to change one 2718 of these, it MUST restart ICE for that media stream. 2720 9.1.3.2. Existing Media Streams with ICE Completed 2722 If ICE has completed for a media stream, the default destination for 2723 that media stream MUST be set to the remote candidate of the 2724 candidate pair for that component in the valid list. For a lite 2725 implementation, there is always just a single candidate pair in the 2726 valid list for each component of a media stream. Additionally, the 2727 agent MUST include a candidate attribute for each default 2728 destination. 2730 Additionally, if the agent is controlling (which only happens when 2731 both agents are lite), the agent MUST include the a=remote-candidates 2732 attribute for each media stream. The attribute contains the remote 2733 candidates from the candidate pairs in the valid list (one pair for 2734 each component of each media stream). 2736 9.2. Receiving the Offer and Generating an Answer 2737 9.2.1. Procedures for All Implementations 2739 When receiving a subsequent offer within an existing session, an 2740 agent MUST reapply the verification procedures in Section 5.1 without 2741 regard to the results of verification from any previous offer/answer 2742 exchanges. Indeed, it is possible that a previous offer/answer 2743 exchange resulted in ICE not being used, but it is used as a 2744 consequence of a subsequent exchange. 2746 9.2.1.1. Detecting ICE Restart 2748 If the offer contained a change in the a=ice-ufrag or a=ice-pwd 2749 attributes compared to the previous SDP from the peer, it indicates 2750 that ICE is restarting for this media stream. If all media streams 2751 are restarting, then ICE is restarting overall. 2753 If ICE is restarting for a media stream: 2755 o The agent MUST change the a=ice-ufrag and a=ice-pwd attributes in 2756 the answer. 2758 o The agent MAY change its implementation level in the answer. 2760 An agent sets the rest of the fields in the SDP for this media stream 2761 as it would in an initial answer to this media stream (see 2762 Section 4.3). Consequently, the set of candidates MAY include some, 2763 none, or all of the previous candidates for that stream and MAY 2764 include a totally new set of candidates gathered as described in 2765 Section 4.1.1. 2767 9.2.1.2. New Media Stream 2769 If the offer contains a new media stream, the agent sets the fields 2770 in the answer as if it had received an initial offer containing that 2771 media stream (see Section 4.3). This will cause ICE processing to 2772 begin for this media stream. 2774 9.2.1.3. Removed Media Stream 2776 If an offer contains a media stream whose port is zero, the agent 2777 MUST NOT include any candidate attributes for that media stream in 2778 its answer and SHOULD NOT include any other ICE-related attributes 2779 defined in Section 15 for that media stream. 2781 9.2.2. Procedures for Full Implementations 2783 Unless the agent has detected an ICE restart from the offer, the 2784 username fragments, password, and implementation level MUST remain 2785 the same as used previously. If an agent needs to change one of 2786 these it MUST restart ICE for that media stream by generating an 2787 offer; ICE cannot be restarted in an answer. 2789 Additional behaviors depend on the state of ICE processing for that 2790 media stream. 2792 9.2.2.1. Existing Media Streams with ICE Running and no remote- 2793 candidates 2795 If ICE is running for a media stream, and the offer for that media 2796 stream lacked the remote-candidates attribute, the rules for 2797 construction of the answer are identical to those for the offerer as 2798 described in Section 9.1.2.1. 2800 9.2.2.2. Existing Media Streams with ICE Completed and no remote- 2801 candidates 2803 If ICE is Completed for a media stream, and the offer for that media 2804 stream lacked the remote-candidates attribute, the rules for 2805 construction of the answer are identical to those for the offerer as 2806 described in Section 9.1.2.2, except that the answerer MUST NOT 2807 include the a=remote-candidates attribute in the answer. 2809 9.2.2.3. Existing Media Streams and remote-candidates 2811 A controlled agent will receive an offer with the a=remote-candidates 2812 attribute for a media stream when its peer has concluded ICE 2813 processing for that media stream. This attribute is present in the 2814 offer to deal with a race condition between the receipt of the offer, 2815 and the receipt of the Binding response that tells the answerer the 2816 candidate that will be selected by ICE. See Appendix B.6 for an 2817 explanation of this race condition. Consequently, processing of an 2818 offer with this attribute depends on the winner of the race. 2820 The agent forms a candidate pair for each component of the media 2821 stream by: 2823 o Setting the remote candidate equal to the offerer's default 2824 destination for that component (e.g., the contents of the m and c 2825 lines for RTP, and the a=rtcp attribute for RTCP) 2827 o Setting the local candidate equal to the transport address for 2828 that same component in the a=remote-candidates attribute in the 2829 offer. 2831 The agent then sees if each of these candidate pairs is present in 2832 the valid list. If a particular pair is not in the valid list, the 2833 check has "lost" the race. Call such a pair a "losing pair". 2835 The agent finds all the pairs in the check list whose remote 2836 candidates equal the remote candidate in the losing pair: 2838 o If none of the pairs are In-Progress, and at least one is Failed, 2839 it is most likely that a network failure, such as a network 2840 partition or serious packet loss, has occurred. The agent SHOULD 2841 generate an answer for this media stream as if the remote- 2842 candidates attribute had not been present, and then restart ICE 2843 for this stream. 2845 o If at least one of the pairs is In-Progress, the agent SHOULD wait 2846 for those checks to complete, and as each completes, redo the 2847 processing in this section until there are no losing pairs. 2849 Once there are no losing pairs, the agent can generate the answer. 2850 It MUST set the default destination for media to the candidates in 2851 the remote-candidates attribute from the offer (each of which will 2852 now be the local candidate of a candidate pair in the valid list). 2853 It MUST include a candidate attribute in the answer for each 2854 candidate in the remote-candidates attribute in the offer. 2856 9.2.3. Procedures for Lite Implementations 2858 If the received offer contains the remote-candidates attribute for a 2859 media stream, the agent forms a candidate pair for each component of 2860 the media stream by: 2862 o Setting the remote candidate equal to the offerer's default 2863 destination for that component (e.g., the contents of the m and c 2864 lines for RTP, and the a=rtcp attribute for RTCP). 2866 o Setting the local candidate equal to the transport address for 2867 that same component in the a=remote-candidates attribute in the 2868 offer. 2870 It then places those candidates into the Valid list for the media 2871 stream. The state of ICE processing for that media stream is set to 2872 Completed. 2874 Furthermore, if the agent believed it was controlling, but the offer 2875 contained the remote-candidates attribute, both agents believe they 2876 are controlling. In this case, both would have sent updated offers 2877 around the same time. However, the signaling protocol carrying the 2878 offer/answer exchanges will have resolved this glare condition, so 2879 that one agent is always the 'winner' by having its offer received 2880 before its peer has sent an offer. The winner takes the role of 2881 controlled, so that the loser (the answerer under consideration in 2882 this section) MUST change its role to controlled. Consequently, if 2883 the agent was going to send an updated offer since, based on the 2884 rules in Section 8.2.2, it was controlling, it no longer needs to. 2886 Besides the potential role change, change in the Valid list, and 2887 state changes, the construction of the answer is performed 2888 identically to the construction of an offer as described in 2889 Section 9.1.3. 2891 9.3. Updating the Check and Valid Lists 2893 9.3.1. Procedures for Full Implementations 2895 9.3.1.1. ICE Restarts 2897 The agent MUST remember the highest-priority nominated pairs in the 2898 Valid list for each component of the media stream, called the 2899 previous selected pairs, prior to the restart. The agent will 2900 continue to send media using these pairs, as described in 2901 Section 11.1. Once these destinations are noted, the agent MUST 2902 flush the valid and check lists, and then recompute the check list 2903 and its states as described in Section 5.7. 2905 9.3.1.2. New Media Stream 2907 If the offer/answer exchange added a new media stream, the agent MUST 2908 create a new check list for it (and an empty Valid list to start of 2909 course), as described in Section 5.7. 2911 9.3.1.3. Removed Media Stream 2913 If the offer/answer exchange removed a media stream, or an answer 2914 rejected an offered media stream, an agent MUST flush the Valid list 2915 for that media stream. It MUST terminate any STUN transactions in 2916 progress for that media stream. An agent MUST remove the check list 2917 for that media stream and cancel any pending ordinary checks for it. 2919 9.3.1.4. ICE Continuing for Existing Media Stream 2921 The valid list is not affected by an updated offer/answer exchange 2922 unless ICE is restarting. 2924 If an agent is in the Running state for that media stream, the check 2925 list is updated (the check list is irrelevant if the state is 2926 completed). To do that, the agent recomputes the check list using 2927 the procedures described in Section 5.7. If a pair on the new check 2928 list was also on the previous check list, and its state was Waiting, 2929 In-Progress, Succeeded, or Failed, its state is copied over. 2930 Otherwise, its state is set to Frozen. 2932 If none of the check lists are active (meaning that the pairs in each 2933 check list are Frozen), the full-mode agent sets the first pair in 2934 the check list for the first media stream to Waiting, and then sets 2935 the state of all other pairs in that check list for the same 2936 component ID and with the same foundation to Waiting as well. 2938 Next, the agent goes through each check list, starting with the 2939 highest-priority pair. If a pair has a state of Succeeded, and it 2940 has a component ID of 1, then all Frozen pairs in the same check list 2941 with the same foundation whose component IDs are not 1 have their 2942 state set to Waiting. If, for a particular check list, there are 2943 pairs for each component of that media stream in the Succeeded state, 2944 the agent moves the state of all Frozen pairs for the first component 2945 of all other media streams (and thus in different check lists) with 2946 the same foundation to Waiting. 2948 9.3.2. Procedures for Lite Implementations 2950 If ICE is restarting for a media stream, the agent MUST start a new 2951 Valid list for that media stream. It MUST remember the pairs in the 2952 previous Valid list for each component of the media stream, called 2953 the previous selected pairs, and continue to send media there as 2954 described in Section 11.1. The state of ICE processing for each 2955 media stream MUST change to Running, and the state of ICE processing 2956 MUST change to Running. 2958 10. Keepalives 2960 All endpoints MUST send keepalives for each media session. These 2961 keepalives serve the purpose of keeping NAT bindings alive for the 2962 media session. These keepalives MUST be sent regardless of whether 2963 the media stream is currently inactive, sendonly, recvonly, or 2964 sendrecv, and regardless of the presence or value of the bandwidth 2965 attribute. These keepalives MUST be sent even if ICE is not being 2966 utilized for the session at all. The keepalive SHOULD be sent using 2967 a format that is supported by its peer. ICE endpoints allow for 2968 STUN-based keepalives for UDP streams, and as such, STUN keepalives 2969 MUST be used when an agent is a full ICE implementation and is 2970 communicating with a peer that supports ICE (lite or full). An agent 2971 can determine that its peer supports ICE by the presence of 2972 a=candidate attributes for each media session. If the peer does not 2973 support ICE, the choice of a packet format for keepalives is a matter 2974 of local implementation. A format that allows packets to easily be 2975 sent in the absence of actual media content is RECOMMENDED. Examples 2976 of formats that readily meet this goal are RTP No-Op 2977 [I-D.ietf-avt-rtp-no-op], and in cases where both sides support it, 2978 RTP comfort noise [RFC3389]. If the peer doesn't support any formats 2979 that are particularly well suited for keepalives, an agent SHOULD 2980 send RTP packets with an incorrect version number, or some other form 2981 of error that would cause them to be discarded by the peer. 2983 If there has been no packet sent on the candidate pair ICE is using 2984 for a media component for Tr seconds (where packets include those 2985 defined for the component (RTP or RTCP) and previous keepalives), an 2986 agent MUST generate a keepalive on that pair. Tr SHOULD be 2987 configurable and SHOULD have a default of 15 seconds. Tr MUST NOT be 2988 configured to less than 15 seconds. Alternatively, if an agent has a 2989 dynamic way to discover the binding lifetimes of the intervening 2990 NATs, it can use that value to determine Tr. Administrators 2991 deploying ICE in more controlled networking environments SHOULD set 2992 Tr to the longest duration possible in their environment. 2994 If STUN is being used for keepalives, a STUN Binding Indication is 2995 used [RFC5389]. The Indication MUST NOT utilize any authentication 2996 mechanism. It SHOULD contain the FINGERPRINT attribute to aid in 2997 demultiplexing, but SHOULD NOT contain any other attributes. It is 2998 used solely to keep the NAT bindings alive. The Binding Indication 2999 is sent using the same local and remote candidates that are being 3000 used for media. Though Binding Indications are used for keepalives, 3001 an agent MUST be prepared to receive a connectivity check as well. 3002 If a connectivity check is received, a response is generated as 3003 discussed in [RFC5389], but there is no impact on ICE processing 3004 otherwise. 3006 An agent MUST begin the keepalive processing once ICE has selected 3007 candidates for usage with media, or media begins to flow, whichever 3008 happens first. Keepalives end once the session terminates or the 3009 media stream is removed. 3011 11. Media Handling 3013 11.1. Sending Media 3015 Procedures for sending media differ for full and lite 3016 implementations. 3018 11.1.1. Procedures for Full Implementations 3020 Agents always send media using a candidate pair, called the selected 3021 candidate pair. An agent will send media to the remote candidate in 3022 the selected pair (setting the destination address and port of the 3023 packet equal to that remote candidate), and will send it from the 3024 local candidate of the selected pair. When the local candidate is 3025 server or peer reflexive, media is originated from the base. Media 3026 sent from a relayed candidate is sent from the base through that TURN 3027 server, using procedures defined in [RFC5766]. 3029 If the local candidate is a relayed candidate, it is RECOMMENDED that 3030 an agent create a channel on the TURN server towards the remote 3031 candidate. This is done using the procedures for channel creation as 3032 defined in Section 11 of [RFC5766]. 3034 The selected pair for a component of a media stream is: 3036 o empty if the state of the check list for that media stream is 3037 Running, and there is no previous selected pair for that component 3038 due to an ICE restart 3040 o equal to the previous selected pair for a component of a media 3041 stream if the state of the check list for that media stream is 3042 Running, and there was a previous selected pair for that component 3043 due to an ICE restart 3045 o equal to the highest-priority nominated pair for that component in 3046 the valid list if the state of the check list is Completed 3048 If the selected pair for at least one component of a media stream is 3049 empty, an agent MUST NOT send media for any component of that media 3050 stream. If the selected pair for each component of a media stream 3051 has a value, an agent MAY send media for all components of that media 3052 stream. 3054 Note that the selected pair for a component of a media stream may not 3055 equal the default pair for that same component from the most recent 3056 offer/answer exchange. When this happens, the selected pair is used 3057 for media, not the default pair. When ICE first completes, if the 3058 selected pairs aren't a match for the default pairs, the controlling 3059 agent sends an updated offer/answer exchange to remedy this 3060 disparity. However, until that updated offer arrives, there will not 3061 be a match. Furthermore, in very unusual cases, the default 3062 candidates in the updated offer/answer will not be a match. 3064 11.1.2. Procedures for Lite Implementations 3066 A lite implementation MUST NOT send media until it has a Valid list 3067 that contains a candidate pair for each component of that media 3068 stream. Once that happens, the agent MAY begin sending media 3069 packets. To do that, it sends media to the remote candidate in the 3070 pair (setting the destination address and port of the packet equal to 3071 that remote candidate), and will send it from the local candidate. 3073 11.1.3. Procedures for All Implementations 3075 ICE has interactions with jitter buffer adaptation mechanisms. An 3076 RTP stream can begin using one candidate, and switch to another one, 3077 though this happens rarely with ICE. The newer candidate may result 3078 in RTP packets taking a different path through the network -- one 3079 with different delay characteristics. As discussed below, agents are 3080 encouraged to re-adjust jitter buffers when there are changes in 3081 source or destination address of media packets. Furthermore, many 3082 audio codecs use the marker bit to signal the beginning of a 3083 talkspurt, for the purposes of jitter buffer adaptation. For such 3084 codecs, it is RECOMMENDED that the sender set the marker bit 3085 [RFC3550] when an agent switches transmission of media from one 3086 candidate pair to another. 3088 11.2. Receiving Media 3090 ICE implementations MUST be prepared to receive media on each 3091 component on any candidates provided for that component in the most 3092 recent offer/answer exchange (in the case of RTP, this would include 3093 both RTP and RTCP if candidates were provided for both). 3095 It is RECOMMENDED that, when an agent receives an RTP packet with a 3096 new source or destination IP address for a particular media stream, 3097 that the agent re-adjust its jitter buffers. 3099 RFC 3550 [RFC3550] describes an algorithm in Section 8.2 for 3100 detecting synchronization source (SSRC) collisions and loops. These 3101 algorithms are based, in part, on seeing different source transport 3102 addresses with the same SSRC. However, when ICE is used, such 3103 changes will sometimes occur as the media streams switch between 3104 candidates. An agent will be able to determine that a media stream 3105 is from the same peer as a consequence of the STUN exchange that 3106 proceeds media transmission. Thus, if there is a change in source 3107 transport address, but the media packets come from the same peer 3108 agent, this SHOULD NOT be treated as an SSRC collision. 3110 12. Usage with SIP 3112 12.1. Latency Guidelines 3114 ICE requires a series of STUN-based connectivity checks to take place 3115 between endpoints. These checks start from the answerer on 3116 generation of its answer, and start from the offerer when it receives 3117 the answer. These checks can take time to complete, and as such, the 3118 selection of messages to use with offers and answers can affect 3119 perceived user latency. Two latency figures are of particular 3120 interest. These are the post-pickup delay and the post-dial delay. 3121 The post-pickup delay refers to the time between when a user "answers 3122 the phone" and when any speech they utter can be delivered to the 3123 caller. The post-dial delay refers to the time between when a user 3124 enters the destination address for the user and ringback begins as a 3125 consequence of having successfully started ringing the phone of the 3126 called party. 3128 Two cases can be considered -- one where the offer is present in the 3129 initial INVITE and one where it is in a response. 3131 12.1.1. Offer in INVITE 3133 To reduce post-dial delays, it is RECOMMENDED that the caller begin 3134 gathering candidates prior to actually sending its initial INVITE. 3135 This can be started upon user interface cues that a call is pending, 3136 such as activity on a keypad or the phone going off-hook. 3138 If an offer is received in an INVITE request, the answerer SHOULD 3139 begin to gather its candidates on receipt of the offer and then 3140 generate an answer in a provisional response once it has completed 3141 that process. ICE requires that a provisional response with an SDP 3142 be transmitted reliably. This can be done through the existing 3143 Provisional Response Acknowledgment (PRACK) mechanism [RFC3262] or 3144 through an optimization that is specific to ICE. With this 3145 optimization, provisional responses containing an SDP answer that 3146 begins ICE processing for one or more media streams can be sent 3147 reliably without RFC 3262. To do this, the agent retransmits the 3148 provisional response with the exponential backoff timers described in 3149 RFC 3262. Retransmits MUST cease on receipt of a STUN Binding 3150 request for one of the media streams signaled in that SDP (because 3151 receipt of a Binding request indicates the offerer has received the 3152 answer) or on transmission of the answer in a 2xx response. If the 3153 peer agent is lite, there will never be a STUN Binding request. In 3154 such a case, the agent MUST cease retransmitting the 18x after 3155 sending it four times (ICE will actually work even if the peer never 3156 receives the 18x; however, experience has shown that sending it is 3157 important for middleboxes and firewall traversal). If no Binding 3158 request is received prior to the last retransmit, the agent does not 3159 consider the session terminated. Despite the fact that the 3160 provisional response will be delivered reliably, the rules for when 3161 an agent can send an updated offer or answer do not change from those 3162 specified in RFC 3262. Specifically, if the INVITE contained an 3163 offer, the same answer appears in all of the 1xx and in the 2xx 3164 response to the INVITE. Only after that 2xx has been sent can an 3165 updated offer/answer exchange occur. This optimization SHOULD NOT be 3166 used if both agents support PRACK. Note that the optimization is 3167 very specific to provisional response carrying answers that start ICE 3168 processing; it is not a general technique for 1xx reliability. 3170 Alternatively, an agent MAY delay sending an answer until the 200 OK; 3171 however, this results in a poor user experience and is NOT 3172 RECOMMENDED. 3174 Once the answer has been sent, the agent SHOULD begin its 3175 connectivity checks. Once candidate pairs for each component of a 3176 media stream enter the valid list, the answerer can begin sending 3177 media on that media stream. 3179 However, prior to this point, any media that needs to be sent towards 3180 the caller (such as SIP early media [RFC3960]) MUST NOT be 3181 transmitted. For this reason, implementations SHOULD delay alerting 3182 the called party until candidates for each component of each media 3183 stream have entered the valid list. In the case of a PSTN gateway, 3184 this would mean that the setup message into the PSTN is delayed until 3185 this point. Doing this increases the post-dial delay, but has the 3186 effect of eliminating 'ghost rings'. Ghost rings are cases where the 3187 called party hears the phone ring, picks up, but hears nothing and 3188 cannot be heard. This technique works without requiring support for, 3189 or usage of, preconditions [RFC3312], since it's a localized 3190 decision. It also has the benefit of guaranteeing that not a single 3191 packet of media will get clipped, so that post-pickup delay is zero. 3192 If an agent chooses to delay local alerting in this way, it SHOULD 3193 generate a 180 response once alerting begins. 3195 12.1.2. Offer in Response 3197 In addition to uses where the offer is in an INVITE, and the answer 3198 is in the provisional and/or 200 OK response, ICE works with cases 3199 where the offer appears in the response. In such cases, which are 3200 common in third party call control [RFC3725], ICE agents SHOULD 3201 generate their offers in a reliable provisional response (which MUST 3202 utilize RFC 3262), and not alert the user on receipt of the INVITE. 3203 The answer will arrive in a PRACK. This allows for ICE processing to 3204 take place prior to alerting, so that there is no post-pickup delay, 3205 at the expense of increased call setup delays. Once ICE completes, 3206 the callee can alert the user and then generate a 200 OK when they 3207 answer. The 200 OK would contain no SDP, since the offer/answer 3208 exchange has completed. 3210 Alternatively, agents MAY place the offer in a 2xx instead (in which 3211 case the answer comes in the ACK). When this happens, the callee 3212 will alert the user on receipt of the INVITE, and the ICE exchanges 3213 will take place only after the user answers. This has the effect of 3214 reducing call setup delay, but can cause substantial post-pickup 3215 delays and media clipping. 3217 12.2. SIP Option Tags and Media Feature Tags 3219 [RFC5768] specifies a SIP option tag and media feature tag for usage 3220 with ICE. ICE implementations using SIP SHOULD support this 3221 specification, which uses a feature tag in registrations to 3222 facilitate interoperability through signaling intermediaries. 3224 12.3. Interactions with Forking 3226 ICE interacts very well with forking. Indeed, ICE fixes some of the 3227 problems associated with forking. Without ICE, when a call forks and 3228 the caller receives multiple incoming media streams, it cannot 3229 determine which media stream corresponds to which callee. 3231 With ICE, this problem is resolved. The connectivity checks which 3232 occur prior to transmission of media carry username fragments, which 3233 in turn are correlated to a specific callee. Subsequent media 3234 packets that arrive on the same candidate pair as the connectivity 3235 check will be associated with that same callee. Thus, the caller can 3236 perform this correlation as long as it has received an answer. 3238 12.4. Interactions with Preconditions 3240 Quality of Service (QoS) preconditions, which are defined in RFC 3312 3241 [RFC3312] and RFC 4032 [RFC4032], apply only to the transport 3242 addresses listed as the default targets for media in an offer/answer. 3243 If ICE changes the transport address where media is received, this 3244 change is reflected in an updated offer that changes the default 3245 destination for media to match ICE's selection. As such, it appears 3246 like any other re-INVITE would, and is fully treated in RFCs 3312 and 3247 4032, which apply without regard to the fact that the destination for 3248 media is changing due to ICE negotiations occurring "in the 3249 background". 3251 Indeed, an agent SHOULD NOT indicate that QoS preconditions have been 3252 met until the checks have completed and selected the candidate pairs 3253 to be used for media. 3255 ICE also has (purposeful) interactions with connectivity 3256 preconditions [RFC5898]. Those interactions are described there. 3257 Note that the procedures described in Section 12.1 describe their own 3258 type of "preconditions", albeit with less functionality than those 3259 provided by the explicit preconditions in [RFC5898]. 3261 12.5. Interactions with Third Party Call Control 3263 ICE works with Flows I, III, and IV as described in [RFC3725]. Flow 3264 I works without the controller supporting or being aware of ICE. 3265 Flow IV will work as long as the controller passes along the ICE 3266 attributes without alteration. Flow II is fundamentally incompatible 3267 with ICE; each agent will believe itself to be the answerer and thus 3268 never generate a re-INVITE. 3270 The flows for continued operation, as described in Section 7 of RFC 3271 3725, require additional behavior of ICE implementations to support. 3272 In particular, if an agent receives a mid-dialog re-INVITE that 3273 contains no offer, it MUST restart ICE for each media stream and go 3274 through the process of gathering new candidates. Furthermore, that 3275 list of candidates SHOULD include the ones currently being used for 3276 media. 3278 13. Relationship with ANAT 3280 RFC 4091 [RFC4091], the Alternative Network Address Types (ANAT) 3281 Semantics for the SDP grouping framework, and RFC 4092 [RFC4092], its 3282 usage with SIP, define a mechanism for indicating that an agent can 3283 support both IPv4 and IPv6 for a media stream, and it does so by 3284 including two m lines, one for v4 and one for v6. This is similar to 3285 ICE, which allows for an agent to indicate multiple transport 3286 addresses using the candidate attribute. However, ANAT relies on 3287 static selection to pick between choices, rather than a dynamic 3288 connectivity check used by ICE. 3290 This specification deprecates RFC 4091 and RFC 4092. Instead, agents 3291 wishing to support dual-stack will utilize ICE. 3293 14. Extensibility Considerations 3295 This specification makes very specific choices about how both agents 3296 in a session coordinate to arrive at the set of candidate pairs that 3297 are selected for media. It is anticipated that future specifications 3298 will want to alter these algorithms, whether they are simple changes 3299 like timer tweaks or larger changes like a revamp of the priority 3300 algorithm. When such a change is made, providing interoperability 3301 between the two agents in a session is critical. 3303 First, ICE provides the a=ice-options SDP attribute. Each extension 3304 or change to ICE is associated with a token. When an agent 3305 supporting such an extension or change generates an offer or an 3306 answer, it MUST include the token for that extension in this 3307 attribute. This allows each side to know what the other side is 3308 doing. This attribute MUST NOT be present if the agent doesn't 3309 support any ICE extensions or changes. 3311 At this time, no IANA registry or registration procedures are defined 3312 for these option tags. At time of writing, it is unclear whether ICE 3313 changes and extensions will be sufficiently common to warrant a 3314 registry. 3316 One of the complications in achieving interoperability is that ICE 3317 relies on a distributed algorithm running on both agents to converge 3318 on an agreed set of candidate pairs. If the two agents run different 3319 algorithms, it can be difficult to guarantee convergence on the same 3320 candidate pairs. The regular nomination procedure described in 3321 Section 8 eliminates some of the tight coordination by delegating the 3322 selection algorithm completely to the controlling agent. 3323 Consequently, when a controlling agent is communicating with a peer 3324 that supports options it doesn't know about, the agent MUST run a 3325 regular nomination algorithm. When regular nomination is used, ICE 3326 will converge perfectly even when both agents use different pair 3327 prioritization algorithms. One of the keys to such convergence is 3328 triggered checks, which ensure that the nominated pair is validated 3329 by both agents. Consequently, any future ICE enhancements MUST 3330 preserve triggered checks. 3332 ICE is also extensible to other media streams beyond RTP, and for 3333 transport protocols beyond UDP. Extensions to ICE for non-RTP media 3334 streams need to specify how many components they utilize, and assign 3335 component IDs to them, starting at 1 for the most important component 3336 ID. Specifications for new transport protocols must define how, if 3337 at all, various steps in the ICE processing differ from UDP. 3339 15. Grammar 3341 This specification defines seven new SDP attributes -- the 3342 "candidate", "remote-candidates", "ice-lite", "ice-mismatch", "ice- 3343 ufrag", "ice-pwd", and "ice-options" attributes. 3345 15.1. "candidate" Attribute 3347 The candidate attribute is a media-level attribute only. It contains 3348 a transport address for a candidate that can be used for connectivity 3349 checks. 3351 The syntax of this attribute is defined using Augmented BNF as 3352 defined in [RFC5234]: 3354 candidate-attribute = "candidate" ":" foundation SP component-id SP 3355 transport SP 3356 priority SP 3357 connection-address SP ;from RFC 4566 3358 port ;port from RFC 4566 3359 SP cand-type 3360 [SP rel-addr] 3361 [SP rel-port] 3362 *(SP extension-att-name SP 3363 extension-att-value) 3365 foundation = 1*32ice-char 3366 component-id = 1*5DIGIT 3367 transport = "UDP" / transport-extension 3368 transport-extension = token ; from RFC 3261 3369 priority = 1*10DIGIT 3370 cand-type = "typ" SP candidate-types 3371 candidate-types = "host" / "srflx" / "prflx" / "relay" / token 3372 rel-addr = "raddr" SP connection-address 3373 rel-port = "rport" SP port 3374 extension-att-name = byte-string ;from RFC 4566 3375 extension-att-value = byte-string 3376 ice-char = ALPHA / DIGIT / "+" / "/" 3378 This grammar encodes the primary information about a candidate: its 3379 IP address, port and transport protocol, and its properties: the 3380 foundation, component ID, priority, type, and related transport 3381 address: 3383 : is taken from RFC 4566 [RFC4566]. It is the 3384 IP address of the candidate, allowing for IPv4 addresses, IPv6 3385 addresses, and fully qualified domain names (FQDNs). When parsing 3386 this field, an agent can differentiate an IPv4 address and an IPv6 3387 address by presence of a colon in its value -- the presence of a 3388 colon indicates IPv6. An agent MUST ignore candidate lines that 3389 include candidates with IP address versions that are not supported 3390 or recognized. An IP address SHOULD be used, but an FQDN MAY be 3391 used in place of an IP address. In that case, when receiving an 3392 offer or answer containing an FQDN in an a=candidate attribute, 3393 the FQDN is looked up in the DNS first using an AAAA record 3394 (assuming the agent supports IPv6), and if no result is found or 3395 the agent only supports IPv4, using an A. If the DNS query returns 3396 more than one IP address, one is chosen, and then used for the 3397 remainder of ICE processing. 3399 : is also taken from RFC 4566 [RFC4566]. It is the port of 3400 the candidate. 3402 : indicates the transport protocol for the candidate. 3403 This specification only defines UDP. However, extensibility is 3404 provided to allow for future transport protocols to be used with 3405 ICE, such as TCP or the Datagram Congestion Control Protocol 3406 (DCCP) [RFC4340]. 3408 : is composed of 1 to 32 s. It is an 3409 identifier that is equivalent for two candidates that are of the 3410 same type, share the same base, and come from the same STUN 3411 server. The foundation is used to optimize ICE performance in the 3412 Frozen algorithm. 3414 : is a positive integer between 1 and 256 that 3415 identifies the specific component of the media stream for which 3416 this is a candidate. It MUST start at 1 and MUST increment by 1 3417 for each component of a particular candidate. For media streams 3418 based on RTP, candidates for the actual RTP media MUST have a 3419 component ID of 1, and candidates for RTCP MUST have a component 3420 ID of 2. Other types of media streams that require multiple 3421 components MUST develop specifications that define the mapping of 3422 components to component IDs. See Section 14 for additional 3423 discussion on extending ICE to new media streams. 3425 : is a positive integer between 1 and (2**31 - 1). 3427 : encodes the type of candidate. This specification 3428 defines the values "host", "srflx", "prflx", and "relay" for host, 3429 server reflexive, peer reflexive, and relayed candidates, 3430 respectively. The set of candidate types is extensible for the 3431 future. 3433 and : convey transport addresses related to the 3434 candidate, useful for diagnostics and other purposes. 3435 and MUST be present for server reflexive, peer 3436 reflexive, and relayed candidates. If a candidate is server or 3437 peer reflexive, and are equal to the base 3438 for that server or peer reflexive candidate. If the candidate is 3439 relayed, and is equal to the mapped address 3440 in the Allocate response that provided the client with that 3441 relayed candidate (see Appendix B.3 for a discussion of its 3442 purpose). If the candidate is a host candidate, and 3443 MUST be omitted. 3445 The candidate attribute can itself be extended. The grammar allows 3446 for new name/value pairs to be added at the end of the attribute. An 3447 implementation MUST ignore any name/value pairs it doesn't 3448 understand. 3450 15.2. "remote-candidates" Attribute 3452 The syntax of the "remote-candidates" attribute is defined using 3453 Augmented BNF as defined in RFC 5234 [RFC5234]. The remote- 3454 candidates attribute is a media-level attribute only. 3456 remote-candidate-att = "remote-candidates" ":" remote-candidate 3457 0*(SP remote-candidate) 3458 remote-candidate = component-ID SP connection-address SP port 3460 The attribute contains a connection-address and port for each 3461 component. The ordering of components is irrelevant. However, a 3462 value MUST be present for each component of a media stream. This 3463 attribute MUST be included in an offer by a controlling agent for a 3464 media stream that is Completed, and MUST NOT be included in any other 3465 case. 3467 15.3. "ice-lite" and "ice-mismatch" Attributes 3469 The syntax of the "ice-lite" and "ice-mismatch" attributes, both of 3470 which are flags, is: 3472 ice-lite = "ice-lite" 3473 ice-mismatch = "ice-mismatch" 3475 "ice-lite" is a session-level attribute only, and indicates that an 3476 agent is a lite implementation. "ice-mismatch" is a media-level 3477 attribute only, and when present in an answer, indicates that the 3478 offer arrived with a default destination for a media component that 3479 didn't have a corresponding candidate attribute. 3481 15.4. "ice-ufrag" and "ice-pwd" Attributes 3483 The "ice-ufrag" and "ice-pwd" attributes convey the username fragment 3484 and password used by ICE for message integrity. Their syntax is: 3486 ice-pwd-att = "ice-pwd" ":" password 3487 ice-ufrag-att = "ice-ufrag" ":" ufrag 3488 password = 22*256ice-char 3489 ufrag = 4*256ice-char 3491 The "ice-pwd" and "ice-ufrag" attributes can appear at either the 3492 session-level or media-level. When present in both, the value in the 3493 media-level takes precedence. Thus, the value at the session-level 3494 is effectively a default that applies to all media streams, unless 3495 overridden by a media-level value. Whether present at the session or 3496 media-level, there MUST be an ice-pwd and ice-ufrag attribute for 3497 each media stream. If two media streams have identical ice-ufrag's, 3498 they MUST have identical ice-pwd's. 3500 The ice-ufrag and ice-pwd attributes MUST be chosen randomly at the 3501 beginning of a session. The ice-ufrag attribute MUST contain at 3502 least 24 bits of randomness, and the ice-pwd attribute MUST contain 3503 at least 128 bits of randomness. This means that the ice-ufrag 3504 attribute will be at least 4 characters long, and the ice-pwd at 3505 least 22 characters long, since the grammar for these attributes 3506 allows for 6 bits of randomness per character. The attributes MAY be 3507 longer than 4 and 22 characters, respectively, of course, up to 256 3508 characters. The upper limit allows for buffer sizing in 3509 implementations. Its large upper limit allows for increased amounts 3510 of randomness to be added over time. 3512 15.5. "ice-options" Attribute 3514 The "ice-options" attribute is a session-level attribute. It 3515 contains a series of tokens that identify the options supported by 3516 the agent. Its grammar is: 3518 ice-options = "ice-options" ":" ice-option-tag 3519 0*(SP ice-option-tag) 3520 ice-option-tag = 1*ice-char 3522 16. Setting Ta and RTO 3524 During the gathering phase of ICE (Section 4.1.1) and while ICE is 3525 performing connectivity checks (Section 7), an agent sends STUN and 3526 TURN transactions. These transactions are paced at a rate of one 3527 every Ta milliseconds, and utilize a specific RTO. This section 3528 describes how the values of Ta and RTO are computed. This 3529 computation depends on whether ICE is being used with a real-time 3530 media stream (such as RTP) or something else. When ICE is used for a 3531 stream with a known maximum bandwidth, the computation in 3532 Section 16.1 MAY be followed to rate-control the ICE exchanges. For 3533 all other streams, the computation in Section 16.2 MUST be followed. 3535 16.1. RTP Media Streams 3537 The values of RTO and Ta change during the lifetime of ICE 3538 processing. One set of values applies during the gathering phase, 3539 and the other, for connectivity checks. 3541 The value of Ta SHOULD be configurable, and SHOULD have a default of: 3543 For each media stream i: 3544 Ta_i = (stun_packet_size / rtp_packet_size) * rtp_ptime 3546 1 3547 Ta = MAX (20ms, ------------------- ) 3548 k 3549 ---- 3550 \ 1 3551 > ------ 3552 / Ta_i 3553 ---- 3554 i=1 3556 where k is the number of media streams. During the gathering phase, 3557 Ta is computed based on the number of media streams the agent has 3558 indicated in its offer or answer, and the RTP packet size and RTP 3559 ptime are those of the most preferred codec for each media stream. 3560 Once an offer and answer have been exchanged, the agent recomputes Ta 3561 to pace the connectivity checks. In that case, the value of Ta is 3562 based on the number of media streams that will actually be used in 3563 the session, and the RTP packet size and RTP ptime are those of the 3564 most preferred codec with which the agent will send. 3566 In addition, the retransmission timer for the STUN transactions, RTO, 3567 defined in [RFC5389], SHOULD be configurable and during the gathering 3568 phase, SHOULD have a default of: 3570 RTO = MAX (100ms, Ta * (number of pairs)) 3572 where the number of pairs refers to the number of pairs of candidates 3573 with STUN or TURN servers. 3575 For connectivity checks, RTO SHOULD be configurable and SHOULD have a 3576 default of: 3578 RTO = MAX (100ms, Ta*N * (Num-Waiting + Num-In-Progress)) 3580 where Num-Waiting is the number of checks in the check list in the 3581 Waiting state, and Num-In-Progress is the number of checks in the In- 3582 Progress state. Note that the RTO will be different for each 3583 transaction as the number of checks in the Waiting and In-Progress 3584 states change. 3586 These formulas are aimed at causing STUN transactions to be paced at 3587 the same rate as media. This ensures that ICE will work properly 3588 under the same network conditions needed to support the media as 3589 well. See Appendix B.1 for additional discussion and motivations. 3590 Because of this pacing, it will take a certain amount of time to 3591 obtain all of the server reflexive and relayed candidates. 3592 Implementations should be aware of the time required to do this, and 3593 if the application requires a time budget, limit the number of 3594 candidates that are gathered. 3596 The formulas result in a behavior whereby an agent will send its 3597 first packet for every single connectivity check before performing a 3598 retransmit. This can be seen in the formulas for the RTO (which 3599 represents the retransmit interval). Those formulas scale with N, 3600 the number of checks to be performed. As a result of this, ICE 3601 maintains a nicely constant rate, but becomes more sensitive to 3602 packet loss. The loss of the first single packet for any 3603 connectivity check is likely to cause that pair to take a long time 3604 to be validated, and instead, a lower-priority check (but one for 3605 which there was no packet loss) is much more likely to complete 3606 first. This results in ICE performing sub-optimally, choosing lower- 3607 priority pairs over higher-priority pairs. Implementors should be 3608 aware of this consequence, but still should utilize the timer values 3609 described here. 3611 16.2. Non-RTP Sessions 3613 In cases where ICE is used to establish some kind of session that is 3614 not real time, and has no fixed rate associated with it that is known 3615 to work on the network in which ICE is deployed, Ta and RTO revert to 3616 more conservative values. Ta SHOULD be configurable, SHOULD have a 3617 default of 500 ms, and MUST NOT be configurable to be less than 500 3618 ms. 3620 In addition, the retransmission timer for the STUN transactions, RTO, 3621 SHOULD be configurable and during the gathering phase, SHOULD have a 3622 default of: 3624 RTO = MAX (500ms, Ta * (number of pairs)) 3626 where the number of pairs refers to the number of pairs of candidates 3627 with STUN or TURN servers. 3629 For connectivity checks, RTO SHOULD be configurable and SHOULD have a 3630 default of: 3632 RTO = MAX (500ms, Ta*N * (Num-Waiting + Num-In-Progress)) 3634 17. Example 3636 The example is based on the simplified topology of Figure 8. 3638 +-----+ 3639 | | 3640 |STUN | 3641 | Srvr| 3642 +-----+ 3643 | 3644 +---------------------+ 3645 | | 3646 | Internet | 3647 | | 3648 | | 3649 +---------------------+ 3650 | | 3651 | | 3652 +---------+ | 3653 | NAT | | 3654 +---------+ | 3655 | | 3656 | | 3657 | | 3658 +-----+ +-----+ 3659 | | | | 3660 | L | | R | 3661 | | | | 3662 +-----+ +-----+ 3664 Figure 8: Example Topology 3666 Two agents, L and R, are using ICE. Both are full-mode ICE 3667 implementations and use aggressive nomination when they are 3668 controlling. Both agents have a single IPv4 address. For agent L, 3669 it is 10.0.1.1 in private address space [RFC1918], and for agent R, 3670 192.0.2.1 on the public Internet. Both are configured with the same 3671 STUN server (shown in this example for simplicity, although in 3672 practice the agents do not need to use the same STUN server), which 3673 is listening for STUN Binding requests at an IP address of 192.0.2.2 3674 and port 3478. TURN servers are not used in this example. Agent L 3675 is behind a NAT, and agent R is on the public Internet. The NAT has 3676 an endpoint independent mapping property and an address dependent 3677 filtering property. The public side of the NAT has an IP address of 3678 192.0.2.3. 3680 To facilitate understanding, transport addresses are listed using 3681 variables that have mnemonic names. The format of the name is 3682 entity-type-seqno, where entity refers to the entity whose IP address 3683 the transport address is on, and is one of "L", "R", "STUN", or 3684 "NAT". The type is either "PUB" for transport addresses that are 3685 public, and "PRIV" for transport addresses that are private. 3686 Finally, seq-no is a sequence number that is different for each 3687 transport address of the same type on a particular entity. Each 3688 variable has an IP address and port, denoted by varname.IP and 3689 varname.PORT, respectively, where varname is the name of the 3690 variable. 3692 The STUN server has advertised transport address STUN-PUB-1 (which is 3693 192.0.2.2:3478). 3695 In the call flow itself, STUN messages are annotated with several 3696 attributes. The "S=" attribute indicates the source transport 3697 address of the message. The "D=" attribute indicates the destination 3698 transport address of the message. The "MA=" attribute is used in 3699 STUN Binding response messages and refers to the mapped address. 3700 "USE-CAND" implies the presence of the USE-CANDIDATE attribute. 3702 The call flow examples omit STUN authentication operations and RTCP, 3703 and focus on RTP for a single media stream between two full 3704 implementations. 3706 L NAT STUN R 3707 |RTP STUN alloc. | | 3708 |(1) STUN Req | | | 3709 |S=$L-PRIV-1 | | | 3710 |D=$STUN-PUB-1 | | | 3711 |------------->| | | 3712 | |(2) STUN Req | | 3713 | |S=$NAT-PUB-1 | | 3714 | |D=$STUN-PUB-1 | | 3715 | |------------->| | 3716 | |(3) STUN Res | | 3717 | |S=$STUN-PUB-1 | | 3718 | |D=$NAT-PUB-1 | | 3719 | |MA=$NAT-PUB-1 | | 3720 | |<-------------| | 3721 |(4) STUN Res | | | 3722 |S=$STUN-PUB-1 | | | 3723 |D=$L-PRIV-1 | | | 3724 |MA=$NAT-PUB-1 | | | 3725 |<-------------| | | 3726 |(5) Offer | | | 3727 |------------------------------------------->| 3728 | | | | RTP STUN 3729 | | | | alloc. 3730 | | |(6) STUN Req | 3731 | | |S=$R-PUB-1 | 3732 | | |D=$STUN-PUB-1 | 3733 | | |<-------------| 3734 | | |(7) STUN Res | 3735 | | |S=$STUN-PUB-1 | 3736 | | |D=$R-PUB-1 | 3737 | | |MA=$R-PUB-1 | 3738 | | |------------->| 3739 |(8) answer | | | 3740 |<-------------------------------------------| 3741 | |(9) Bind Req | |Begin 3742 | |S=$R-PUB-1 | |Connectivity 3743 | |D=L-PRIV-1 | |Checks 3744 | |<----------------------------| 3745 | |Dropped | | 3746 |(10) Bind Req | | | 3747 |S=$L-PRIV-1 | | | 3748 |D=$R-PUB-1 | | | 3749 |USE-CAND | | | 3750 |------------->| | | 3751 | |(11) Bind Req | | 3752 | |S=$NAT-PUB-1 | | 3753 | |D=$R-PUB-1 | | 3754 | |USE-CAND | | 3755 | |---------------------------->| 3756 | |(12) Bind Res | | 3757 | |S=$R-PUB-1 | | 3758 | |D=$NAT-PUB-1 | | 3759 | |MA=$NAT-PUB-1 | | 3760 | |<----------------------------| 3761 |(13) Bind Res | | | 3762 |S=$R-PUB-1 | | | 3763 |D=$L-PRIV-1 | | | 3764 |MA=$NAT-PUB-1 | | | 3765 |<-------------| | | 3766 |RTP flows | | | 3767 | |(14) Bind Req | | 3768 | |S=$R-PUB-1 | | 3769 | |D=$NAT-PUB-1 | | 3770 | |<----------------------------| 3771 |(15) Bind Req | | | 3772 |S=$R-PUB-1 | | | 3773 |D=$L-PRIV-1 | | | 3774 |<-------------| | | 3775 |(16) Bind Res | | | 3776 |S=$L-PRIV-1 | | | 3777 |D=$R-PUB-1 | | | 3778 |MA=$R-PUB-1 | | | 3779 |------------->| | | 3780 | |(17) Bind Res | | 3781 | |S=$NAT-PUB-1 | | 3782 | |D=$R-PUB-1 | | 3783 | |MA=$R-PUB-1 | | 3784 | |---------------------------->| 3785 | | | |RTP flows 3787 Figure 9: Example Flow 3789 First, agent L obtains a host candidate from its local IP address 3790 (not shown), and from that, sends a STUN Binding request to the STUN 3791 server to get a server reflexive candidate (messages 1-4). Recall 3792 that the NAT has the address and port independent mapping property. 3793 Here, it creates a binding of NAT-PUB-1 for this UDP request, and 3794 this becomes the server reflexive candidate for RTP. 3796 Agent L sets a type preference of 126 for the host candidate and 100 3797 for the server reflexive. The local preference is 65535. Based on 3798 this, the priority of the host candidate is 2130706431 and for the 3799 server reflexive candidate is 1694498815. The host candidate is 3800 assigned a foundation of 1, and the server reflexive, a foundation of 3801 2. It chooses its server reflexive candidate as the default 3802 candidate, and encodes it into the m and c lines. The resulting 3803 offer (message 5) looks like (lines folded for clarity): 3805 v=0 3806 o=jdoe 2890844526 2890842807 IN IP4 $L-PRIV-1.IP 3807 s= 3808 c=IN IP4 $NAT-PUB-1.IP 3809 t=0 0 3810 a=ice-pwd:asd88fgpdd777uzjYhagZg 3811 a=ice-ufrag:8hhY 3812 m=audio $NAT-PUB-1.PORT RTP/AVP 0 3813 b=RS:0 3814 b=RR:0 3815 a=rtpmap:0 PCMU/8000 3816 a=candidate:1 1 UDP 2130706431 $L-PRIV-1.IP $L-PRIV-1.PORT typ host 3817 a=candidate:2 1 UDP 1694498815 $NAT-PUB-1.IP $NAT-PUB-1.PORT typ 3818 srflx raddr $L-PRIV-1.IP rport $L-PRIV-1.PORT 3820 The offer, with the variables replaced with their values, will look 3821 like (lines folded for clarity): 3823 v=0 3824 o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1 3825 s= 3826 c=IN IP4 192.0.2.3 3827 t=0 0 3828 a=ice-pwd:asd88fgpdd777uzjYhagZg 3829 a=ice-ufrag:8hhY 3830 m=audio 45664 RTP/AVP 0 3831 b=RS:0 3832 b=RR:0 3833 a=rtpmap:0 PCMU/8000 3834 a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host 3835 a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 3836 10.0.1.1 rport 8998 3838 This offer is received at agent R. Agent R will obtain a host 3839 candidate, and from it, obtain a server reflexive candidate (messages 3840 6-7). Since R is not behind a NAT, this candidate is identical to 3841 its host candidate, and they share the same base. It therefore 3842 discards this redundant candidate and ends up with a single host 3843 candidate. With identical type and local preferences as L, the 3844 priority for this candidate is 2130706431. It chooses a foundation 3845 of 1 for its single candidate. Its resulting answer looks like: 3847 v=0 3848 o=bob 2808844564 2808844564 IN IP4 $R-PUB-1.IP 3849 s= 3850 c=IN IP4 $R-PUB-1.IP 3851 t=0 0 3852 a=ice-pwd:YH75Fviy6338Vbrhrlp8Yh 3853 a=ice-ufrag:9uB6 3854 m=audio $R-PUB-1.PORT RTP/AVP 0 3855 b=RS:0 3856 b=RR:0 3857 a=rtpmap:0 PCMU/8000 3858 a=candidate:1 1 UDP 2130706431 $R-PUB-1.IP $R-PUB-1.PORT typ host 3860 With the variables filled in: 3862 v=0 3863 o=bob 2808844564 2808844564 IN IP4 192.0.2.1 3864 s= 3865 c=IN IP4 192.0.2.1 3866 t=0 0 3867 a=ice-pwd:YH75Fviy6338Vbrhrlp8Yh 3868 a=ice-ufrag:9uB6 3869 m=audio 3478 RTP/AVP 0 3870 b=RS:0 3871 b=RR:0 3872 a=rtpmap:0 PCMU/8000 3873 a=candidate:1 1 UDP 2130706431 192.0.2.1 3478 typ host 3875 Since neither side indicated that it is lite, the agent that sent the 3876 offer that began ICE processing (agent L) becomes the controlling 3877 agent. 3879 Agents L and R both pair up the candidates. They both initially have 3880 two pairs. However, agent L will prune the pair containing its 3881 server reflexive candidate, resulting in just one. At agent L, this 3882 pair has a local candidate of $L_PRIV_1 and remote candidate of 3883 $R_PUB_1, and has a candidate pair priority of 4.57566E+18 (note that 3884 an implementation would represent this as a 64-bit integer so as not 3885 to lose precision). At agent R, there are two pairs. The highest 3886 priority has a local candidate of $R_PUB_1 and remote candidate of 3887 $L_PRIV_1 and has a priority of 4.57566E+18, and the second has a 3888 local candidate of $R_PUB_1 and remote candidate of $NAT_PUB_1 and 3889 priority 3.63891E+18. 3891 Agent R begins its connectivity check (message 9) for the first pair 3892 (between the two host candidates). Since R is the controlled agent 3893 for this session, the check omits the USE-CANDIDATE attribute. The 3894 host candidate from agent L is private and behind a NAT, and thus 3895 this check won't be successful, because the packet cannot be routed 3896 from R to L. 3898 When agent L gets the answer, it performs its one and only 3899 connectivity check (messages 10-13). It implements the aggressive 3900 nomination algorithm, and thus includes a USE-CANDIDATE attribute in 3901 this check. Since the check succeeds, agent L creates a new pair, 3902 whose local candidate is from the mapped address in the Binding 3903 response (NAT-PUB-1 from message 13) and whose remote candidate is 3904 the destination of the request (R-PUB-1 from message 10). This is 3905 added to the valid list. In addition, it is marked as selected since 3906 the Binding request contained the USE-CANDIDATE attribute. Since 3907 there is a selected candidate in the Valid list for the one component 3908 of this media stream, ICE processing for this stream moves into the 3909 Completed state. Agent L can now send media if it so chooses. 3911 Soon after receipt of the STUN Binding request from agent L (message 3912 11), agent R will generate its triggered check. This check happens 3913 to match the next one on its check list -- from its host candidate to 3914 agent L's server reflexive candidate. This check (messages 14-17) 3915 will succeed. Consequently, agent R constructs a new candidate pair 3916 using the mapped address from the response as the local candidate 3917 (R-PUB-1) and the destination of the request (NAT-PUB-1) as the 3918 remote candidate. This pair is added to the Valid list for that 3919 media stream. Since the check was generated in the reverse direction 3920 of a check that contained the USE-CANDIDATE attribute, the candidate 3921 pair is marked as selected. Consequently, processing for this stream 3922 moves into the Completed state, and agent R can also send media. 3924 18. Security Considerations 3926 There are several types of attacks possible in an ICE system. This 3927 section considers these attacks and their countermeasures. These 3928 countermeasures include: 3930 o Using ICE in conjunction with secure signaling techniques, such as 3931 SIPS. 3933 o Limiting the total number of connectivity checks to 100, and 3934 optionally limiting the number of candidates they'll accept in an 3935 offer or answer. 3937 18.1. Attacks on Connectivity Checks 3939 An attacker might attempt to disrupt the STUN connectivity checks. 3940 Ultimately, all of these attacks fool an agent into thinking 3941 something incorrect about the results of the connectivity checks. 3942 The possible false conclusions an attacker can try and cause are: 3944 False Invalid: An attacker can fool a pair of agents into thinking a 3945 candidate pair is invalid, when it isn't. This can be used to 3946 cause an agent to prefer a different candidate (such as one 3947 injected by the attacker) or to disrupt a call by forcing all 3948 candidates to fail. 3950 False Valid: An attacker can fool a pair of agents into thinking a 3951 candidate pair is valid, when it isn't. This can cause an agent 3952 to proceed with a session, but then not be able to receive any 3953 media. 3955 False Peer Reflexive Candidate: An attacker can cause an agent to 3956 discover a new peer reflexive candidate, when it shouldn't have. 3957 This can be used to redirect media streams to a Denial-of-Service 3958 (DoS) target or to the attacker, for eavesdropping or other 3959 purposes. 3961 False Valid on False Candidate: An attacker has already convinced an 3962 agent that there is a candidate with an address that doesn't 3963 actually route to that agent (for example, by injecting a false 3964 peer reflexive candidate or false server reflexive candidate). It 3965 must then launch an attack that forces the agents to believe that 3966 this candidate is valid. 3968 If an attacker can cause a false peer reflexive candidate or false 3969 valid on a false candidate, it can launch any of the attacks 3970 described in [RFC5389]. 3972 To force the false invalid result, the attacker has to wait for the 3973 connectivity check from one of the agents to be sent. When it is, 3974 the attacker needs to inject a fake response with an unrecoverable 3975 error response, such as a 400. However, since the candidate is, in 3976 fact, valid, the original request may reach the peer agent, and 3977 result in a success response. The attacker needs to force this 3978 packet or its response to be dropped, through a DoS attack, layer 2 3979 network disruption, or other technique. If it doesn't do this, the 3980 success response will also reach the originator, alerting it to a 3981 possible attack. Fortunately, this attack is mitigated completely 3982 through the STUN short-term credential mechanism. The attacker needs 3983 to inject a fake response, and in order for this response to be 3984 processed, the attacker needs the password. If the offer/answer 3985 signaling is secured, the attacker will not have the password and its 3986 response will be discarded. 3988 Forcing the fake valid result works in a similar way. The agent 3989 needs to wait for the Binding request from each agent, and inject a 3990 fake success response. The attacker won't need to worry about 3991 disrupting the actual response since, if the candidate is not valid, 3992 it presumably wouldn't be received anyway. However, like the fake 3993 invalid attack, this attack is mitigated by the STUN short-term 3994 credential mechanism in conjunction with a secure offer/answer 3995 exchange. 3997 Forcing the false peer reflexive candidate result can be done either 3998 with fake requests or responses, or with replays. We consider the 3999 fake requests and responses case first. It requires the attacker to 4000 send a Binding request to one agent with a source IP address and port 4001 for the false candidate. In addition, the attacker must wait for a 4002 Binding request from the other agent, and generate a fake response 4003 with a XOR-MAPPED-ADDRESS attribute containing the false candidate. 4004 Like the other attacks described here, this attack is mitigated by 4005 the STUN message integrity mechanisms and secure offer/answer 4006 exchanges. 4008 Forcing the false peer reflexive candidate result with packet replays 4009 is different. The attacker waits until one of the agents sends a 4010 check. It intercepts this request, and replays it towards the other 4011 agent with a faked source IP address. It must also prevent the 4012 original request from reaching the remote agent, either by launching 4013 a DoS attack to cause the packet to be dropped, or forcing it to be 4014 dropped using layer 2 mechanisms. The replayed packet is received at 4015 the other agent, and accepted, since the integrity check passes (the 4016 integrity check cannot and does not cover the source IP address and 4017 port). It is then responded to. This response will contain a XOR- 4018 MAPPED-ADDRESS with the false candidate, and will be sent to that 4019 false candidate. The attacker must then receive it and relay it 4020 towards the originator. 4022 The other agent will then initiate a connectivity check towards that 4023 false candidate. This validation needs to succeed. This requires 4024 the attacker to force a false valid on a false candidate. Injecting 4025 of fake requests or responses to achieve this goal is prevented using 4026 the integrity mechanisms of STUN and the offer/answer exchange. 4027 Thus, this attack can only be launched through replays. To do that, 4028 the attacker must intercept the check towards this false candidate, 4029 and replay it towards the other agent. Then, it must intercept the 4030 response and replay that back as well. 4032 This attack is very hard to launch unless the attacker is identified 4033 by the fake candidate. This is because it requires the attacker to 4034 intercept and replay packets sent by two different hosts. If both 4035 agents are on different networks (for example, across the public 4036 Internet), this attack can be hard to coordinate, since it needs to 4037 occur against two different endpoints on different parts of the 4038 network at the same time. 4040 If the attacker itself is identified by the fake candidate, the 4041 attack is easier to coordinate. However, if SRTP is used [RFC3711], 4042 the attacker will not be able to play the media packets, but will 4043 only be able to discard them, effectively disabling the media stream 4044 for the call. However, this attack requires the agent to disrupt 4045 packets in order to block the connectivity check from reaching the 4046 target. In that case, if the goal is to disrupt the media stream, 4047 it's much easier to just disrupt it with the same mechanism, rather 4048 than attack ICE. 4050 18.2. Attacks on Server Reflexive Address Gathering 4052 ICE endpoints make use of STUN Binding requests for gathering server 4053 reflexive candidates from a STUN server. These requests are not 4054 authenticated in any way. As a consequence, there are numerous 4055 techniques an attacker can employ to provide the client with a false 4056 server reflexive candidate: 4058 o An attacker can compromise the DNS, causing DNS queries to return 4059 a rogue STUN server address. That server can provide the client 4060 with fake server reflexive candidates. This attack is mitigated 4061 by DNS security, though DNS-SEC is not required to address it. 4063 o An attacker that can observe STUN messages (such as an attacker on 4064 a shared network segment, like WiFi) can inject a fake response 4065 that is valid and will be accepted by the client. 4067 o An attacker can compromise a STUN server by means of a virus, and 4068 cause it to send responses with incorrect mapped addresses. 4070 A false mapped address learned by these attacks will be used as a 4071 server reflexive candidate in the ICE exchange. For this candidate 4072 to actually be used for media, the attacker must also attack the 4073 connectivity checks, and in particular, force a false valid on a 4074 false candidate. This attack is very hard to launch if the false 4075 address identifies a fourth party (neither the offerer, answerer, nor 4076 attacker), since it requires attacking the checks generated by each 4077 agent in the session, and is prevented by SRTP if it identifies the 4078 attacker themself. 4080 If the attacker elects not to attack the connectivity checks, the 4081 worst it can do is prevent the server reflexive candidate from being 4082 used. However, if the peer agent has at least one candidate that is 4083 reachable by the agent under attack, the STUN connectivity checks 4084 themselves will provide a peer reflexive candidate that can be used 4085 for the exchange of media. Peer reflexive candidates are generally 4086 preferred over server reflexive candidates. As such, an attack 4087 solely on the STUN address gathering will normally have no impact on 4088 a session at all. 4090 18.3. Attacks on Relayed Candidate Gathering 4092 An attacker might attempt to disrupt the gathering of relayed 4093 candidates, forcing the client to believe it has a false relayed 4094 candidate. Exchanges with the TURN server are authenticated using a 4095 long-term credential. Consequently, injection of fake responses or 4096 requests will not work. In addition, unlike Binding requests, 4097 Allocate requests are not susceptible to replay attacks with modified 4098 source IP addresses and ports, since the source IP address and port 4099 are not utilized to provide the client with its relayed candidate. 4101 However, TURN servers are susceptible to DNS attacks, or to viruses 4102 aimed at the TURN server, for purposes of turning it into a zombie or 4103 rogue server. These attacks can be mitigated by DNS-SEC and through 4104 good box and software security on TURN servers. 4106 Even if an attacker has caused the client to believe in a false 4107 relayed candidate, the connectivity checks cause such a candidate to 4108 be used only if they succeed. Thus, an attacker must launch a false 4109 valid on a false candidate, per above, which is a very difficult 4110 attack to coordinate. 4112 18.4. Attacks on the Offer/Answer Exchanges 4114 An attacker that can modify or disrupt the offer/answer exchanges 4115 themselves can readily launch a variety of attacks with ICE. They 4116 could direct media to a target of a DoS attack, they could insert 4117 themselves into the media stream, and so on. These are similar to 4118 the general security considerations for offer/answer exchanges, and 4119 the security considerations in RFC 3264 [RFC3264] apply. These 4120 require techniques for message integrity and encryption for offers 4121 and answers, which are satisfied by the SIPS mechanism [RFC3261] when 4122 SIP is used. As such, the usage of SIPS with ICE is RECOMMENDED. 4124 18.5. Insider Attacks 4126 In addition to attacks where the attacker is a third party trying to 4127 insert fake offers, answers, or stun messages, there are several 4128 attacks possible with ICE when the attacker is an authenticated and 4129 valid participant in the ICE exchange. 4131 18.5.1. The Voice Hammer Attack 4133 The voice hammer attack is an amplification attack. In this attack, 4134 the attacker initiates sessions to other agents, and maliciously 4135 includes the IP address and port of a DoS target as the destination 4136 for media traffic signaled in the SDP. This causes substantial 4137 amplification; a single offer/answer exchange can create a continuing 4138 flood of media packets, possibly at high rates (consider video 4139 sources). This attack is not specific to ICE, but ICE can help 4140 provide remediation. 4142 Specifically, if ICE is used, the agent receiving the malicious SDP 4143 will first perform connectivity checks to the target of media before 4144 sending media there. If this target is a third-party host, the 4145 checks will not succeed, and media is never sent. 4147 Unfortunately, ICE doesn't help if its not used, in which case an 4148 attacker could simply send the offer without the ICE parameters. 4149 However, in environments where the set of clients is known, and is 4150 limited to ones that support ICE, the server can reject any offers or 4151 answers that don't indicate ICE support. 4153 18.5.2. STUN Amplification Attack 4155 The STUN amplification attack is similar to the voice hammer. 4156 However, instead of voice packets being directed to the target, STUN 4157 connectivity checks are directed to the target. The attacker sends 4158 an offer with a large number of candidates, say, 50. The answerer 4159 receives the offer, and starts its checks, which are directed at the 4160 target, and consequently, never generate a response. The answerer 4161 will start a new connectivity check every Ta ms (say, Ta=20ms). 4162 However, the retransmission timers are set to a large number due to 4163 the large number of candidates. As a consequence, packets will be 4164 sent at an interval of one every Ta milliseconds, and then with 4165 increasing intervals after that. Thus, STUN will not send packets at 4166 a rate faster than media would be sent, and the STUN packets persist 4167 only briefly, until ICE fails for the session. Nonetheless, this is 4168 an amplification mechanism. 4170 It is impossible to eliminate the amplification, but the volume can 4171 be reduced through a variety of heuristics. Agents SHOULD limit the 4172 total number of connectivity checks they perform to 100. 4173 Additionally, agents MAY limit the number of candidates they'll 4174 accept in an offer or answer. 4176 Frequently, protocols that wish to avoid these kinds of attacks force 4177 the initiator to wait for a response prior to sending the next 4178 message. However, in the case of ICE, this is not possible. It is 4179 not possible to differentiate the following two cases: 4181 o There was no response because the initiator is being used to 4182 launch a DoS attack against an unsuspecting target that will not 4183 respond. 4185 o There was no response because the IP address and port are not 4186 reachable by the initiator. 4188 In the second case, another check should be sent at the next 4189 opportunity, while in the former case, no further checks should be 4190 sent. 4192 18.6. Interactions with Application Layer Gateways and SIP 4194 Application Layer Gateways (ALGs) are functions present in a NAT 4195 device that inspect the contents of packets and modify them, in order 4196 to facilitate NAT traversal for application protocols. Session 4197 Border Controllers (SBCs) are close cousins of ALGs, but are less 4198 transparent since they actually exist as application layer SIP 4199 intermediaries. ICE has interactions with SBCs and ALGs. 4201 If an ALG is SIP aware but not ICE aware, ICE will work through it as 4202 long as the ALG correctly modifies the SDP. A correct ALG 4203 implementation behaves as follows: 4205 o The ALG does not modify the m and c lines or the rtcp attribute if 4206 they contain external addresses. 4208 o If the m and c lines contain internal addresses, the modification 4209 depends on the state of the ALG: 4211 If the ALG already has a binding established that maps an 4212 external port to an internal IP address and port matching the 4213 values in the m and c lines or rtcp attribute, the ALG uses 4214 that binding instead of creating a new one. 4216 If the ALG does not already have a binding, it creates a new 4217 one and modifies the SDP, rewriting the m and c lines and rtcp 4218 attribute. 4220 Unfortunately, many ALGs are known to work poorly in these corner 4221 cases. ICE does not try to work around broken ALGs, as this is 4222 outside the scope of its functionality. ICE can help diagnose these 4223 conditions, which often show up as a mismatch between the set of 4224 candidates and the m and c lines and rtcp attributes. The ice- 4225 mismatch attribute is used for this purpose. 4227 ICE works best through ALGs when the signaling is run over TLS. This 4228 prevents the ALG from manipulating the SDP messages and interfering 4229 with ICE operation. Implementations that are expected to be deployed 4230 behind ALGs SHOULD provide for TLS transport of the SDP. 4232 If an SBC is SIP aware but not ICE aware, the result depends on the 4233 behavior of the SBC. If it is acting as a proper Back-to-Back User 4234 Agent (B2BUA), the SBC will remove any SDP attributes it doesn't 4235 understand, including the ICE attributes. Consequently, the call 4236 will appear to both endpoints as if the other side doesn't support 4237 ICE. This will result in ICE being disabled, and media flowing 4238 through the SBC, if the SBC has requested it. If, however, the SBC 4239 passes the ICE attributes without modification, yet modifies the 4240 default destination for media (contained in the m and c lines and 4241 rtcp attribute), this will be detected as an ICE mismatch, and ICE 4242 processing is aborted for the call. It is outside of the scope of 4243 ICE for it to act as a tool for "working around" SBCs. If one is 4244 present, ICE will not be used and the SBC techniques take precedence. 4246 19. STUN Extensions 4248 19.1. New Attributes 4250 This specification defines four new attributes, PRIORITY, USE- 4251 CANDIDATE, ICE-CONTROLLED, and ICE-CONTROLLING. 4253 The PRIORITY attribute indicates the priority that is to be 4254 associated with a peer reflexive candidate, should one be discovered 4255 by this check. It is a 32-bit unsigned integer, and has an attribute 4256 value of 0x0024. 4258 The USE-CANDIDATE attribute indicates that the candidate pair 4259 resulting from this check should be used for transmission of media. 4260 The attribute has no content (the Length field of the attribute is 4261 zero); it serves as a flag. It has an attribute value of 0x0025. 4263 The ICE-CONTROLLED attribute is present in a Binding request and 4264 indicates that the client believes it is currently in the controlled 4265 role. The content of the attribute is a 64-bit unsigned integer in 4266 network byte order, which contains a random number used for tie- 4267 breaking of role conflicts. 4269 The ICE-CONTROLLING attribute is present in a Binding request and 4270 indicates that the client believes it is currently in the controlling 4271 role. The content of the attribute is a 64-bit unsigned integer in 4272 network byte order, which contains a random number used for tie- 4273 breaking of role conflicts. 4275 19.2. New Error Response Codes 4277 This specification defines a single error response code: 4279 487 (Role Conflict): The Binding request contained either the ICE- 4280 CONTROLLING or ICE-CONTROLLED attribute, indicating a role that 4281 conflicted with the server. The server ran a tie-breaker based on 4282 the tie-breaker value in the request and determined that the 4283 client needs to switch roles. 4285 20. Operational Considerations 4287 This section discusses issues relevant to network operators looking 4288 to deploy ICE. 4290 20.1. NAT and Firewall Types 4292 ICE was designed to work with existing NAT and firewall equipment. 4293 Consequently, it is not necessary to replace or reconfigure existing 4294 firewall and NAT equipment in order to facilitate deployment of ICE. 4295 Indeed, ICE was developed to be deployed in environments where the 4296 Voice over IP (VoIP) operator has no control over the IP network 4297 infrastructure, including firewalls and NAT. 4299 That said, ICE works best in environments where the NAT devices are 4300 "behave" compliant, meeting the recommendations defined in [RFC4787] 4301 and [RFC5766]. In networks with behave-compliant NAT, ICE will work 4302 without the need for a TURN server, thus improving voice quality, 4303 decreasing call setup times, and reducing the bandwidth demands on 4304 the network operator. 4306 20.2. Bandwidth Requirements 4308 Deployment of ICE can have several interactions with available 4309 network capacity that operators should take into consideration. 4311 20.2.1. STUN and TURN Server Capacity Planning 4313 First and foremost, ICE makes use of TURN and STUN servers, which 4314 would typically be located in the network operator's data centers. 4315 The STUN servers require relatively little bandwidth. For each 4316 component of each media stream, there will be one or more STUN 4317 transactions from each client to the STUN server. In a basic voice- 4318 only IPv4 VoIP deployment, there will be four transactions per call 4319 (one for RTP and one for RTCP, for both caller and callee). Each 4320 transaction is a single request and a single response, the former 4321 being 20 bytes long, and the latter, 28. Consequently, if a system 4322 has N users, and each makes four calls in a busy hour, this would 4323 require N*1.7bps. For one million users, this is 1.7 Mbps, a very 4324 small number (relatively speaking). 4326 TURN traffic is more substantial. The TURN server will see traffic 4327 volume equal to the STUN volume (indeed, if TURN servers are 4328 deployed, there is no need for a separate STUN server), in addition 4329 to the traffic for the actual media traffic. The amount of calls 4330 requiring TURN for media relay is highly dependent on network 4331 topologies, and can and will vary over time. In a network with 100% 4332 behave-compliant NAT, it is exactly zero. At time of writing, large- 4333 scale consumer deployments were seeing between 5 and 10 percent of 4334 calls requiring TURN servers. Considering a voice-only deployment 4335 using G.711 (so 80 kbps in each direction), with .2 erlangs during 4336 the busy hour, this is N*3.2 kbps. For a population of one million 4337 users, this is 3.2 Gbps, assuming a 10% usage of TURN servers. 4339 20.2.2. Gathering and Connectivity Checks 4341 The process of gathering of candidates and performing of connectivity 4342 checks can be bandwidth intensive. ICE has been designed to pace 4343 both of these processes. The gathering phase and the connectivity 4344 check phase are meant to generate traffic at roughly the same 4345 bandwidth as the media traffic itself. This was done to ensure that, 4346 if a network is designed to support multimedia traffic of a certain 4347 type (voice, video, or just text), it will have sufficient capacity 4348 to support the ICE checks for that media. Of course, the ICE checks 4349 will cause a marginal increase in the total utilization; however, 4350 this will typically be an extremely small increase. 4352 Congestion due to the gathering and check phases has proven to be a 4353 problem in deployments that did not utilize pacing. Typically, 4354 access links became congested as the endpoints flooded the network 4355 with checks as fast as they can send them. Consequently, network 4356 operators should make sure that their ICE implementations support the 4357 pacing feature. Though this pacing does increase call setup times, 4358 it makes ICE network friendly and easier to deploy. 4360 20.2.3. Keepalives 4362 STUN keepalives (in the form of STUN Binding Indications) are sent in 4363 the middle of a media session. However, they are sent only in the 4364 absence of actual media traffic. In deployments that are not 4365 utilizing Voice Activity Detection (VAD), the keepalives are never 4366 used and there is no increase in bandwidth usage. When VAD is being 4367 used, keepalives will be sent during silence periods. This involves 4368 a single packet every 15-20 seconds, far less than the packet every 4369 20-30 ms that is sent when there is voice. Therefore, keepalives 4370 don't have any real impact on capacity planning. 4372 20.3. ICE and ICE-lite 4374 Deployments utilizing a mix of ICE and ICE-lite interoperate 4375 perfectly. They have been explicitly designed to do so, without loss 4376 of function. 4378 However, ICE-lite can only be deployed in limited use cases. Those 4379 cases, and the caveats involved in doing so, are documented in 4380 Appendix A. 4382 20.4. Troubleshooting and Performance Management 4384 ICE utilizes end-to-end connectivity checks, and places much of the 4385 processing in the endpoints. This introduces a challenge to the 4386 network operator -- how can they troubleshoot ICE deployments? How 4387 can they know how ICE is performing? 4389 ICE has built-in features to help deal with these problems. SIP 4390 servers on the signaling path, typically deployed in the data centers 4391 of the network operator, will see the contents of the offer/answer 4392 exchanges that convey the ICE parameters. These parameters include 4393 the type of each candidate (host, server reflexive, or relayed), 4394 along with their related addresses. Once ICE processing has 4395 completed, an updated offer/answer exchange takes place, signaling 4396 the selected address (and its type). This updated re-INVITE is 4397 performed exactly for the purposes of educating network equipment 4398 (such as a diagnostic tool attached to a SIP server) about the 4399 results of ICE processing. 4401 As a consequence, through the logs generated by the SIP server, a 4402 network operator can observe what types of candidates are being used 4403 for each call, and what address was selected by ICE. This is the 4404 primary information that helps evaluate how ICE is performing. 4406 20.5. Endpoint Configuration 4408 ICE relies on several pieces of data being configured into the 4409 endpoints. This configuration data includes timers, credentials for 4410 TURN servers, and hostnames for STUN and TURN servers. ICE itself 4411 does not provide a mechanism for this configuration. Instead, it is 4412 assumed that this information is attached to whatever mechanism is 4413 used to configure all of the other parameters in the endpoint. For 4414 SIP phones, standard solutions such as the configuration framework 4416 [RFC6080] have been defined. 4418 21. IANA Considerations 4420 This specification registers new SDP attributes, four new STUN 4421 attributes, and one new STUN error response. 4423 21.1. SDP Attributes 4425 This specification defines seven new SDP attributes per the 4426 procedures of Section 8.2.4 of [RFC4566]. The required information 4427 for the registrations is included here. 4429 21.1.1. candidate Attribute 4431 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4433 Attribute Name: candidate 4435 Long Form: candidate 4437 Type of Attribute: media-level 4439 Charset Considerations: The attribute is not subject to the charset 4440 attribute. 4442 Purpose: This attribute is used with Interactive Connectivity 4443 Establishment (ICE), and provides one of many possible candidate 4444 addresses for communication. These addresses are validated with 4445 an end-to-end connectivity check using Session Traversal Utilities 4446 for NAT (STUN). 4448 Appropriate Values: See Section 15 of RFC 5245. 4450 21.1.2. remote-candidates Attribute 4452 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4454 Attribute Name: remote-candidates 4456 Long Form: remote-candidates 4458 Type of Attribute: media-level 4459 Charset Considerations: The attribute is not subject to the charset 4460 attribute. 4462 Purpose: This attribute is used with Interactive Connectivity 4463 Establishment (ICE), and provides the identity of the remote 4464 candidates that the offerer wishes the answerer to use in its 4465 answer. 4467 Appropriate Values: See Section 15 of RFC 5245. 4469 21.1.3. ice-lite Attribute 4471 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4473 Attribute Name: ice-lite 4475 Long Form: ice-lite 4477 Type of Attribute: session-level 4479 Charset Considerations: The attribute is not subject to the charset 4480 attribute. 4482 Purpose: This attribute is used with Interactive Connectivity 4483 Establishment (ICE), and indicates that an agent has the minimum 4484 functionality required to support ICE inter-operation with a peer 4485 that has a full implementation. 4487 Appropriate Values: See Section 15 of RFC 5245. 4489 21.1.4. ice-mismatch Attribute 4491 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4493 Attribute Name: ice-mismatch 4495 Long Form: ice-mismatch 4497 Type of Attribute: session-level 4499 Charset Considerations: The attribute is not subject to the charset 4500 attribute. 4502 Purpose: This attribute is used with Interactive Connectivity 4503 Establishment (ICE), and indicates that an agent is ICE capable, 4504 but did not proceed with ICE due to a mismatch of candidates with 4505 the default destination for media signaled in the SDP. 4507 Appropriate Values: See Section 15 of RFC 5245. 4509 21.1.5. ice-pwd Attribute 4511 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4513 Attribute Name: ice-pwd 4515 Long Form: ice-pwd 4517 Type of Attribute: session- or media-level 4519 Charset Considerations: The attribute is not subject to the charset 4520 attribute. 4522 Purpose: This attribute is used with Interactive Connectivity 4523 Establishment (ICE), and provides the password used to protect 4524 STUN connectivity checks. 4526 Appropriate Values: See Section 15 of RFC 5245. 4528 21.1.6. ice-ufrag Attribute 4530 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4532 Attribute Name: ice-ufrag 4534 Long Form: ice-ufrag 4536 Type of Attribute: session- or media-level 4538 Charset Considerations: The attribute is not subject to the charset 4539 attribute. 4541 Purpose: This attribute is used with Interactive Connectivity 4542 Establishment (ICE), and provides the fragments used to construct 4543 the username in STUN connectivity checks. 4545 Appropriate Values: See Section 15 of RFC 5245. 4547 21.1.7. ice-options Attribute 4549 Contact Name: Jonathan Rosenberg, jdrosen@jdrosen.net. 4551 Attribute Name: ice-options 4552 Long Form: ice-options 4554 Type of Attribute: session-level 4556 Charset Considerations: The attribute is not subject to the charset 4557 attribute. 4559 Purpose: This attribute is used with Interactive Connectivity 4560 Establishment (ICE), and indicates the ICE options or extensions 4561 used by the agent. 4563 Appropriate Values: See Section 15 of RFC 5245. 4565 21.2. STUN Attributes 4567 This section registers four new STUN attributes per the procedures in 4568 [RFC5389]. 4570 0x0024 PRIORITY 4571 0x0025 USE-CANDIDATE 4572 0x8029 ICE-CONTROLLED 4573 0x802A ICE-CONTROLLING 4575 21.3. STUN Error Responses 4577 This section registers one new STUN error response code per the 4578 procedures in [RFC5389]. 4580 487 Role Conflict: The client asserted an ICE role (controlling or 4581 controlled) that is in conflict with the role of the server. 4583 22. IAB Considerations 4585 The IAB has studied the problem of "Unilateral Self-Address Fixing", 4586 which is the general process by which a agent attempts to determine 4587 its address in another realm on the other side of a NAT through a 4588 collaborative protocol reflection mechanism [RFC3424]. ICE is an 4589 example of a protocol that performs this type of function. 4590 Interestingly, the process for ICE is not unilateral, but bilateral, 4591 and the difference has a significant impact on the issues raised by 4592 IAB. Indeed, ICE can be considered a B-SAF (Bilateral Self-Address 4593 Fixing) protocol, rather than an UNSAF protocol. Regardless, the IAB 4594 has mandated that any protocols developed for this purpose document a 4595 specific set of considerations. This section meets those 4596 requirements. 4598 22.1. Problem Definition 4600 >From RFC 3424, any UNSAF proposal must provide: 4602 Precise definition of a specific, limited-scope problem that is to 4603 be solved with the UNSAF proposal. A short-term fix should not be 4604 generalized to solve other problems; this is why "short-term fixes 4605 usually aren't". 4607 The specific problems being solved by ICE are: 4609 Provide a means for two peers to determine the set of transport 4610 addresses that can be used for communication. 4612 Provide a means for a agent to determine an address that is 4613 reachable by another peer with which it wishes to communicate. 4615 22.2. Exit Strategy 4617 >From RFC 3424, any UNSAF proposal must provide: 4619 Description of an exit strategy/transition plan. The better 4620 short-term fixes are the ones that will naturally see less and 4621 less use as the appropriate technology is deployed. 4623 ICE itself doesn't easily get phased out. However, it is useful even 4624 in a globally connected Internet, to serve as a means for detecting 4625 whether a router failure has temporarily disrupted connectivity, for 4626 example. ICE also helps prevent certain security attacks that have 4627 nothing to do with NAT. However, what ICE does is help phase out 4628 other UNSAF mechanisms. ICE effectively selects amongst those 4629 mechanisms, prioritizing ones that are better, and deprioritizing 4630 ones that are worse. Local IPv6 addresses can be preferred. As NATs 4631 begin to dissipate as IPv6 is introduced, server reflexive and 4632 relayed candidates (both forms of UNSAF addresses) simply never get 4633 used, because higher-priority connectivity exists to the native host 4634 candidates. Therefore, the servers get used less and less, and can 4635 eventually be remove when their usage goes to zero. 4637 Indeed, ICE can assist in the transition from IPv4 to IPv6. It can 4638 be used to determine whether to use IPv6 or IPv4 when two dual-stack 4639 hosts communicate with SIP (IPv6 gets used). It can also allow a 4640 network with both 6to4 and native v6 connectivity to determine which 4641 address to use when communicating with a peer. 4643 22.3. Brittleness Introduced by ICE 4645 >From RFC 3424, any UNSAF proposal must provide: 4647 Discussion of specific issues that may render systems more 4648 "brittle". For example, approaches that involve using data at 4649 multiple network layers create more dependencies, increase 4650 debugging challenges, and make it harder to transition. 4652 ICE actually removes brittleness from existing UNSAF mechanisms. In 4653 particular, classic STUN (as described in RFC 3489 [RFC3489]) has 4654 several points of brittleness. One of them is the discovery process 4655 that requires an agent to try to classify the type of NAT it is 4656 behind. This process is error-prone. With ICE, that discovery 4657 process is simply not used. Rather than unilaterally assessing the 4658 validity of the address, its validity is dynamically determined by 4659 measuring connectivity to a peer. The process of determining 4660 connectivity is very robust. 4662 Another point of brittleness in classic STUN and any other unilateral 4663 mechanism is its absolute reliance on an additional server. ICE 4664 makes use of a server for allocating unilateral addresses, but allows 4665 agents to directly connect if possible. Therefore, in some cases, 4666 the failure of a STUN server would still allow for a call to progress 4667 when ICE is used. 4669 Another point of brittleness in classic STUN is that it assumes that 4670 the STUN server is on the public Internet. Interestingly, with ICE, 4671 that is not necessary. There can be a multitude of STUN servers in a 4672 variety of address realms. ICE will discover the one that has 4673 provided a usable address. 4675 The most troubling point of brittleness in classic STUN is that it 4676 doesn't work in all network topologies. In cases where there is a 4677 shared NAT between each agent and the STUN server, traditional STUN 4678 may not work. With ICE, that restriction is removed. 4680 Classic STUN also introduces some security considerations. 4681 Fortunately, those security considerations are also mitigated by ICE. 4683 Consequently, ICE serves to repair the brittleness introduced in 4684 classic STUN, and does not introduce any additional brittleness into 4685 the system. 4687 The penalty of these improvements is that ICE increases session 4688 establishment times. 4690 22.4. Requirements for a Long-Term Solution 4692 From RFC 3424, any UNSAF proposal must provide: 4694 ... requirements for longer term, sound technical solutions -- 4695 contribute to the process of finding the right longer term 4696 solution. 4698 Our conclusions from RFC 3489 remain unchanged. However, we feel ICE 4699 actually helps because we believe it can be part of the long-term 4700 solution. 4702 22.5. Issues with Existing NAPT Boxes 4704 From RFC 3424, any UNSAF proposal must provide: 4706 Discussion of the impact of the noted practical issues with 4707 existing, deployed NA[P]Ts and experience reports. 4709 A number of NAT boxes are now being deployed into the market that try 4710 to provide "generic" ALG functionality. These generic ALGs hunt for 4711 IP addresses, either in text or binary form within a packet, and 4712 rewrite them if they match a binding. This interferes with classic 4713 STUN. However, the update to STUN [RFC5389] uses an encoding that 4714 hides these binary addresses from generic ALGs. 4716 Existing NAPT boxes have non-deterministic and typically short 4717 expiration times for UDP-based bindings. This requires 4718 implementations to send periodic keepalives to maintain those 4719 bindings. ICE uses a default of 15 s, which is a very conservative 4720 estimate. Eventually, over time, as NAT boxes become compliant to 4721 behave [RFC4787], this minimum keepalive will become deterministic 4722 and well-known, and the ICE timers can be adjusted. Having a way to 4723 discover and control the minimum keepalive interval would be far 4724 better still. 4726 23. Acknowledgements 4728 The authors would like to thank Dan Wing, Eric Rescorla, Flemming 4729 Andreasen, Rohan Mahy, Dean Willis, Eric Cooper, Jason Fischl, 4730 Douglas Otis, Tim Moore, Jean-Francois Mule, Kevin Johns, Jonathan 4731 Lennox, and Francois Audet for their comments and input. A special 4732 thanks goes to Bill May, who suggested several of the concepts in 4733 this specification, Philip Matthews, who suggested many of the key 4734 performance optimizations in this specification, Eric Rescorla, who 4735 drafted the text in the introduction, and Magnus Westerlund, for 4736 doing several detailed reviews on the various revisions of this 4737 specification. 4739 24. References 4741 24.1. Normative References 4743 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 4744 Requirement Levels", BCP 14, RFC 2119, March 1997. 4746 [RFC3605] Huitema, C., "Real Time Control Protocol (RTCP) attribute 4747 in Session Description Protocol (SDP)", RFC 3605, 4748 October 2003. 4750 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 4751 A., Peterson, J., Sparks, R., Handley, M., and E. 4752 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 4753 June 2002. 4755 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 4756 with Session Description Protocol (SDP)", RFC 3264, 4757 June 2002. 4759 [RFC3556] Casner, S., "Session Description Protocol (SDP) Bandwidth 4760 Modifiers for RTP Control Protocol (RTCP) Bandwidth", 4761 RFC 3556, July 2003. 4763 [RFC3312] Camarillo, G., Marshall, W., and J. Rosenberg, 4764 "Integration of Resource Management and Session Initiation 4765 Protocol (SIP)", RFC 3312, October 2002. 4767 [RFC4032] Camarillo, G. and P. Kyzivat, "Update to the Session 4768 Initiation Protocol (SIP) Preconditions Framework", 4769 RFC 4032, March 2005. 4771 [RFC3262] Rosenberg, J. and H. Schulzrinne, "Reliability of 4772 Provisional Responses in Session Initiation Protocol 4773 (SIP)", RFC 3262, June 2002. 4775 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 4776 Description Protocol", RFC 4566, July 2006. 4778 [RFC4091] Camarillo, G. and J. Rosenberg, "The Alternative Network 4779 Address Types (ANAT) Semantics for the Session Description 4780 Protocol (SDP) Grouping Framework", RFC 4091, June 2005. 4782 [RFC4092] Camarillo, G. and J. Rosenberg, "Usage of the Session 4783 Description Protocol (SDP) Alternative Network Address 4784 Types (ANAT) Semantics in the Session Initiation Protocol 4785 (SIP)", RFC 4092, June 2005. 4787 [RFC3484] Draves, R., "Default Address Selection for Internet 4788 Protocol version 6 (IPv6)", RFC 3484, February 2003. 4790 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 4791 Specifications: ABNF", STD 68, RFC 5234, January 2008. 4793 [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, 4794 "Session Traversal Utilities for NAT (STUN)", RFC 5389, 4795 October 2008. 4797 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using 4798 Relays around NAT (TURN): Relay Extensions to Session 4799 Traversal Utilities for NAT (STUN)", RFC 5766, April 2010. 4801 [RFC5768] Rosenberg, J., "Indicating Support for Interactive 4802 Connectivity Establishment (ICE) in the Session Initiation 4803 Protocol (SIP)", RFC 5768, April 2010. 4805 24.2. Informative References 4807 [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, 4808 "STUN - Simple Traversal of User Datagram Protocol (UDP) 4809 Through Network Address Translators (NATs)", RFC 3489, 4810 March 2003. 4812 [RFC3235] Senie, D., "Network Address Translator (NAT)-Friendly 4813 Application Design Guidelines", RFC 3235, January 2002. 4815 [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and 4816 A. Rayhan, "Middlebox communication architecture and 4817 framework", RFC 3303, August 2002. 4819 [RFC3725] Rosenberg, J., Peterson, J., Schulzrinne, H., and G. 4820 Camarillo, "Best Current Practices for Third Party Call 4821 Control (3pcc) in the Session Initiation Protocol (SIP)", 4822 BCP 85, RFC 3725, April 2004. 4824 [RFC3102] Borella, M., Lo, J., Grabelsky, D., and G. Montenegro, 4825 "Realm Specific IP: Framework", RFC 3102, October 2001. 4827 [RFC3103] Borella, M., Grabelsky, D., Lo, J., and K. Taniguchi, 4828 "Realm Specific IP: Protocol Specification", RFC 3103, 4829 October 2001. 4831 [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral 4832 Self-Address Fixing (UNSAF) Across Network Address 4833 Translation", RFC 3424, November 2002. 4835 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 4836 Jacobson, "RTP: A Transport Protocol for Real-Time 4837 Applications", STD 64, RFC 3550, July 2003. 4839 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 4840 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 4841 RFC 3711, March 2004. 4843 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains 4844 via IPv4 Clouds", RFC 3056, February 2001. 4846 [RFC3389] Zopf, R., "Real-time Transport Protocol (RTP) Payload for 4847 Comfort Noise (CN)", RFC 3389, September 2002. 4849 [RFC3960] Camarillo, G. and H. Schulzrinne, "Early Media and Ringing 4850 Tone Generation in the Session Initiation Protocol (SIP)", 4851 RFC 3960, December 2004. 4853 [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., 4854 and W. Weiss, "An Architecture for Differentiated 4855 Services", RFC 2475, December 1998. 4857 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 4858 E. Lear, "Address Allocation for Private Internets", 4859 BCP 5, RFC 1918, February 1996. 4861 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 4862 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 4863 RFC 4787, January 2007. 4865 [RFC5898] Andreasen, F., Camarillo, G., Oran, D., and D. Wing, 4866 "Connectivity Preconditions for Session Description 4867 Protocol (SDP) Media Streams", RFC 5898, July 2010. 4869 [I-D.ietf-avt-rtp-no-op] 4870 Andreasen, F., "A No-Op Payload Format for RTP", 4871 draft-ietf-avt-rtp-no-op-04 (work in progress), May 2007. 4873 [RFC5761] Perkins, C. and M. Westerlund, "Multiplexing RTP Data and 4874 Control Packets on a Single Port", RFC 5761, April 2010. 4876 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 4877 Congestion Control Protocol (DCCP)", RFC 4340, March 2006. 4879 [RFC4103] Hellstrom, G. and P. Jones, "RTP Payload for Text 4880 Conversation", RFC 4103, June 2005. 4882 [RFC5626] Jennings, C., Mahy, R., and F. Audet, "Managing Client- 4883 Initiated Connections in the Session Initiation Protocol 4884 (SIP)", RFC 5626, October 2009. 4886 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 4887 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 4888 RFC 5382, October 2008. 4890 [RFC6080] Petrie, D. and S. Channabasappa, "A Framework for Session 4891 Initiation Protocol User Agent Profile Delivery", 4892 RFC 6080, March 2011. 4894 [RFC6544] Rosenberg, J., Keranen, A., Lowekamp, B., and A. Roach, 4895 "TCP Candidates with Interactive Connectivity 4896 Establishment (ICE)", RFC 6544, March 2012. 4898 Appendix A. Lite and Full Implementations 4900 ICE allows for two types of implementations. A full implementation 4901 supports the controlling and controlled roles in a session, and can 4902 also perform address gathering. In contrast, a lite implementation 4903 is a minimalist implementation that does little but respond to STUN 4904 checks. 4906 Because ICE requires both endpoints to support it in order to bring 4907 benefits to either endpoint, incremental deployment of ICE in a 4908 network is more complicated. Many sessions involve an endpoint that 4909 is, by itself, not behind a NAT and not one that would worry about 4910 NAT traversal. A very common case is to have one endpoint that 4911 requires NAT traversal (such as a VoIP hard phone or soft phone) make 4912 a call to one of these devices. Even if the phone supports a full 4913 ICE implementation, ICE won't be used at all if the other device 4914 doesn't support it. The lite implementation allows for a low-cost 4915 entry point for these devices. Once they support the lite 4916 implementation, full implementations can connect to them and get the 4917 full benefits of ICE. 4919 Consequently, a lite implementation is only appropriate for devices 4920 that will *always* be connected to the public Internet and have a 4921 public IP address at which it can receive packets from any 4922 correspondent. ICE will not function when a lite implementation is 4923 placed behind a NAT. 4925 ICE allows a lite implementation to have a single IPv4 host candidate 4926 and several IPv6 addresses. In that case, candidate pairs are 4927 selected by the controlling agent using a static algorithm, such as 4928 the one in RFC 3484, which is recommended by this specification. 4929 However, static mechanisms for address selection are always prone to 4930 error, since they cannot ever reflect the actual topology and can 4931 never provide actual guarantees on connectivity. They are always 4932 heuristics. Consequently, if an agent is implementing ICE just to 4933 select between its IPv4 and IPv6 addresses, and none of its IP 4934 addresses are behind NAT, usage of full ICE is still RECOMMENDED in 4935 order to provide the most robust form of address selection possible. 4937 It is important to note that the lite implementation was added to 4938 this specification to provide a stepping stone to full 4939 implementation. Even for devices that are always connected to the 4940 public Internet with just a single IPv4 address, a full 4941 implementation is preferable if achievable. A full implementation 4942 will reduce call setup times, since ICE's aggressive mode can be 4943 used. Full implementations also obtain the security benefits of ICE 4944 unrelated to NAT traversal; in particular, the voice hammer attack 4945 described in Section 18 is prevented only for full implementations, 4946 not lite. Finally, it is often the case that a device that finds 4947 itself with a public address today will be placed in a network 4948 tomorrow where it will be behind a NAT. It is difficult to 4949 definitively know, over the lifetime of a device or product, that it 4950 will always be used on the public Internet. Full implementation 4951 provides assurance that communications will always work. 4953 Appendix B. Design Motivations 4955 ICE contains a number of normative behaviors that may themselves be 4956 simple, but derive from complicated or non-obvious thinking or use 4957 cases that merit further discussion. Since these design motivations 4958 are not necessary to understand for purposes of implementation, they 4959 are discussed here in an appendix to the specification. This section 4960 is non-normative. 4962 B.1. Pacing of STUN Transactions 4964 STUN transactions used to gather candidates and to verify 4965 connectivity are paced out at an approximate rate of one new 4966 transaction every Ta milliseconds. Each transaction, in turn, has a 4967 retransmission timer RTO that is a function of Ta as well. Why are 4968 these transactions paced, and why are these formulas used? 4970 Sending of these STUN requests will often have the effect of creating 4971 bindings on NAT devices between the client and the STUN servers. 4972 Experience has shown that many NAT devices have upper limits on the 4973 rate at which they will create new bindings. Experiments have shown 4974 that once every 20 ms is well supported, but not much lower than 4975 that. This is why Ta has a lower bound of 20 ms. Furthermore, 4976 transmission of these packets on the network makes use of bandwidth 4977 and needs to be rate limited by the agent. Deployments based on 4978 earlier draft versions of this document tended to overload rate- 4979 constrained access links and perform poorly overall, in addition to 4980 negatively impacting the network. As a consequence, the pacing 4981 ensures that the NAT device does not get overloaded and that traffic 4982 is kept at a reasonable rate. 4984 The definition of a "reasonable" rate is that STUN should not use 4985 more bandwidth than the RTP itself will use, once media starts 4986 flowing. The formula for Ta is designed so that, if a STUN packet 4987 were sent every Ta seconds, it would consume the same amount of 4988 bandwidth as RTP packets, summed across all media streams. Of 4989 course, STUN has retransmits, and the desire is to pace those as 4990 well. For this reason, RTO is set such that the first retransmit on 4991 the first transaction happens just as the first STUN request on the 4992 last transaction occurs. Pictorially: 4994 First Packets Retransmits 4996 | | 4997 | | 4998 -------+------ -------+------ 4999 / \ / \ 5000 / \ / \ 5002 +--+ +--+ +--+ +--+ +--+ +--+ 5003 |A1| |B1| |C1| |A2| |B2| |C2| 5004 +--+ +--+ +--+ +--+ +--+ +--+ 5006 ---+-------+-------+-------+-------+-------+------------ Time 5007 0 Ta 2Ta 3Ta 4Ta 5Ta 5009 In this picture, there are three transactions that will be sent (for 5010 example, in the case of candidate gathering, there are three host 5011 candidate/STUN server pairs). These are transactions A, B, and C. 5012 The retransmit timer is set so that the first retransmission on the 5013 first transaction (packet A2) is sent at time 3Ta. 5015 Subsequent retransmits after the first will occur even less 5016 frequently than Ta milliseconds apart, since STUN uses an exponential 5017 back-off on its retransmissions. 5019 B.2. Candidates with Multiple Bases 5021 Section 4.1.3 talks about eliminating candidates that have the same 5022 transport address and base. However, candidates with the same 5023 transport addresses but different bases are not redundant. When can 5024 an agent have two candidates that have the same IP address and port, 5025 but different bases? Consider the topology of Figure 10: 5027 +----------+ 5028 | STUN Srvr| 5029 +----------+ 5030 | 5031 | 5032 ----- 5033 // \\ 5034 | | 5035 | B:net10 | 5036 | | 5037 \\ // 5038 ----- 5039 | 5040 | 5041 +----------+ 5042 | NAT | 5043 +----------+ 5044 | 5045 | 5046 ----- 5047 // \\ 5048 | A | 5049 |192.168/16 | 5050 | | 5051 \\ // 5052 ----- 5053 | 5054 | 5055 |192.168.1.100 ----- 5056 +----------+ // \\ +----------+ 5057 | | | | | | 5058 | Offerer |---------| C:net10 |-----------| Answerer | 5059 | |10.0.1.100| | 10.0.1.101 | | 5060 +----------+ \\ // +----------+ 5061 ----- 5063 Figure 10: Identical Candidates with Different Bases 5065 In this case, the offerer is multihomed. It has one IP address, 5066 10.0.1.100, on network C, which is a net 10 private network. The 5067 answerer is on this same network. The offerer is also connected to 5068 network A, which is 192.168/16. The offerer has an IP address of 5069 192.168.1.100 on this network. There is a NAT on this network, 5070 natting into network B, which is another net 10 private network, but 5071 not connected to network C. There is a STUN server on network B. 5073 The offerer obtains a host candidate on its IP address on network C 5074 (10.0.1.100:2498) and a host candidate on its IP address on network A 5075 (192.168.1.100:3344). It performs a STUN query to its configured 5076 STUN server from 192.168.1.100:3344. This query passes through the 5077 NAT, which happens to assign the binding 10.0.1.100:2498. The STUN 5078 server reflects this in the STUN Binding response. Now, the offerer 5079 has obtained a server reflexive candidate with a transport address 5080 that is identical to a host candidate (10.0.1.100:2498). However, 5081 the server reflexive candidate has a base of 192.168.1.100:3344, and 5082 the host candidate has a base of 10.0.1.100:2498. 5084 B.3. Purpose of the and Attributes 5086 The candidate attribute contains two values that are not used at all 5087 by ICE itself -- and . Why is it present? 5089 There are two motivations for its inclusion. The first is 5090 diagnostic. It is very useful to know the relationship between the 5091 different types of candidates. By including it, an agent can know 5092 which relayed candidate is associated with which reflexive candidate, 5093 which in turn is associated with a specific host candidate. When 5094 checks for one candidate succeed and not for others, this provides 5095 useful diagnostics on what is going on in the network. 5097 The second reason has to do with off-path Quality of Service (QoS) 5098 mechanisms. When ICE is used in environments such as PacketCable 5099 2.0, proxies will, in addition to performing normal SIP operations, 5100 inspect the SDP in SIP messages, and extract the IP address and port 5101 for media traffic. They can then interact, through policy servers, 5102 with access routers in the network, to establish guaranteed QoS for 5103 the media flows. This QoS is provided by classifying the RTP traffic 5104 based on 5-tuple, and then providing it a guaranteed rate, or marking 5105 its Diffserv codepoints appropriately. When a residential NAT is 5106 present, and a relayed candidate gets selected for media, this 5107 relayed candidate will be a transport address on an actual TURN 5108 server. That address says nothing about the actual transport address 5109 in the access router that would be used to classify packets for QoS 5110 treatment. Rather, the server reflexive candidate towards the TURN 5111 server is needed. By carrying the translation in the SDP, the proxy 5112 can use that transport address to request QoS from the access router. 5114 B.4. Importance of the STUN Username 5116 ICE requires the usage of message integrity with STUN using its 5117 short-term credential functionality. The actual short-term 5118 credential is formed by exchanging username fragments in the SDP 5119 offer/answer exchange. The need for this mechanism goes beyond just 5120 security; it is actually required for correct operation of ICE in the 5121 first place. 5123 Consider agents L, R, and Z. L and R are within private enterprise 1, 5124 which is using 10.0.0.0/8. Z is within private enterprise 2, which 5125 is also using 10.0.0.0/8. As it turns out, R and Z both have IP 5126 address 10.0.1.1. L sends an offer to Z. Z, in its answer, provides 5127 L with its host candidates. In this case, those candidates are 5128 10.0.1.1:8866 and 10.0.1.1:8877. As it turns out, R is in a session 5129 at that same time, and is also using 10.0.1.1:8866 and 10.0.1.1:8877 5130 as host candidates. This means that R is prepared to accept STUN 5131 messages on those ports, just as Z is. L will send a STUN request to 5132 10.0.1.1:8866 and another to 10.0.1.1:8877. However, these do not go 5133 to Z as expected. Instead, they go to R! If R just replied to them, 5134 L would believe it has connectivity to Z, when in fact it has 5135 connectivity to a completely different user, R. To fix this, the STUN 5136 short-term credential mechanisms are used. The username fragments 5137 are sufficiently random that it is highly unlikely that R would be 5138 using the same values as Z. Consequently, R would reject the STUN 5139 request since the credentials were invalid. In essence, the STUN 5140 username fragments provide a form of transient host identifiers, 5141 bound to a particular offer/answer session. 5143 An unfortunate consequence of the non-uniqueness of IP addresses is 5144 that, in the above example, R might not even be an ICE agent. It 5145 could be any host, and the port to which the STUN packet is directed 5146 could be any ephemeral port on that host. If there is an application 5147 listening on this socket for packets, and it is not prepared to 5148 handle malformed packets for whatever protocol is in use, the 5149 operation of that application could be affected. Fortunately, since 5150 the ports exchanged in SDP are ephemeral and usually drawn from the 5151 dynamic or registered range, the odds are good that the port is not 5152 used to run a server on host R, but rather is the agent side of some 5153 protocol. This decreases the probability of hitting an allocated 5154 port, due to the transient nature of port usage in this range. 5155 However, the possibility of a problem does exist, and network 5156 deployers should be prepared for it. Note that this is not a problem 5157 specific to ICE; stray packets can arrive at a port at any time for 5158 any type of protocol, especially ones on the public Internet. As 5159 such, this requirement is just restating a general design guideline 5160 for Internet applications -- be prepared for unknown packets on any 5161 port. 5163 B.5. The Candidate Pair Priority Formula 5165 The priority for a candidate pair has an odd form. It is: 5167 pair priority = 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D?1:0) 5169 Why is this? When the candidate pairs are sorted based on this 5170 value, the resulting sorting has the MAX/MIN property. This means 5171 that the pairs are first sorted based on decreasing value of the 5172 minimum of the two priorities. For pairs that have the same value of 5173 the minimum priority, the maximum priority is used to sort amongst 5174 them. If the max and the min priorities are the same, the 5175 controlling agent's priority is used as the tie-breaker in the last 5176 part of the expression. The factor of 2*32 is used since the 5177 priority of a single candidate is always less than 2*32, resulting in 5178 the pair priority being a "concatenation" of the two component 5179 priorities. This creates the MAX/MIN sorting. MAX/MIN ensures that, 5180 for a particular agent, a lower-priority candidate is never used 5181 until all higher-priority candidates have been tried. 5183 B.6. The remote-candidates Attribute 5185 The a=remote-candidates attribute exists to eliminate a race 5186 condition between the updated offer and the response to the STUN 5187 Binding request that moved a candidate into the Valid list. This 5188 race condition is shown in Figure 11. On receipt of message 4, agent 5189 L adds a candidate pair to the valid list. If there was only a 5190 single media stream with a single component, agent L could now send 5191 an updated offer. However, the check from agent R has not yet 5192 generated a response, and agent R receives the updated offer (message 5193 7) before getting the response (message 9). Thus, it does not yet 5194 know that this particular pair is valid. To eliminate this 5195 condition, the actual candidates at R that were selected by the 5196 offerer (the remote candidates) are included in the offer itself, and 5197 the answerer delays its answer until those pairs validate. 5199 Agent A Network Agent B 5200 |(1) Offer | | 5201 |------------------------------------------>| 5202 |(2) Answer | | 5203 |<------------------------------------------| 5204 |(3) STUN Req. | | 5205 |------------------------------------------>| 5206 |(4) STUN Res. | | 5207 |<------------------------------------------| 5208 |(5) STUN Req. | | 5209 |<------------------------------------------| 5210 |(6) STUN Res. | | 5211 |-------------------->| | 5212 | |Lost | 5213 |(7) Offer | | 5214 |------------------------------------------>| 5215 |(8) STUN Req. | | 5216 |<------------------------------------------| 5217 |(9) STUN Res. | | 5218 |------------------------------------------>| 5219 |(10) Answer | | 5220 |<------------------------------------------| 5222 Figure 11: Race Condition Flow 5224 B.7. Why Are Keepalives Needed? 5226 Once media begins flowing on a candidate pair, it is still necessary 5227 to keep the bindings alive at intermediate NATs for the duration of 5228 the session. Normally, the media stream packets themselves (e.g., 5229 RTP) meet this objective. However, several cases merit further 5230 discussion. Firstly, in some RTP usages, such as SIP, the media 5231 streams can be "put on hold". This is accomplished by using the SDP 5232 "sendonly" or "inactive" attributes, as defined in RFC 3264 5233 [RFC3264]. RFC 3264 directs implementations to cease transmission of 5234 media in these cases. However, doing so may cause NAT bindings to 5235 timeout, and media won't be able to come off hold. 5237 Secondly, some RTP payload formats, such as the payload format for 5238 text conversation [RFC4103], may send packets so infrequently that 5239 the interval exceeds the NAT binding timeouts. 5241 Thirdly, if silence suppression is in use, long periods of silence 5242 may cause media transmission to cease sufficiently long for NAT 5243 bindings to time out. 5245 For these reasons, the media packets themselves cannot be relied 5246 upon. ICE defines a simple periodic keepalive utilizing STUN Binding 5247 indications. This makes its bandwidth requirements highly 5248 predictable, and thus amenable to QoS reservations. 5250 B.8. Why Prefer Peer Reflexive Candidates? 5252 Section 4.1.2 describes procedures for computing the priority of 5253 candidate based on its type and local preferences. That section 5254 requires that the type preference for peer reflexive candidates 5255 always be higher than server reflexive. Why is that? The reason has 5256 to do with the security considerations in Section 18. It is much 5257 easier for an attacker to cause an agent to use a false server 5258 reflexive candidate than it is for an attacker to cause an agent to 5259 use a false peer reflexive candidate. Consequently, attacks against 5260 address gathering with Binding requests are thwarted by ICE by 5261 preferring the peer reflexive candidates. 5263 B.9. Why Send an Updated Offer? 5265 Section 11.1 describes rules for sending media. Both agents can send 5266 media once ICE checks complete, without waiting for an updated offer. 5267 Indeed, the only purpose of the updated offer is to "correct" the SDP 5268 so that the default destination for media matches where media is 5269 being sent based on ICE procedures (which will be the highest- 5270 priority nominated candidate pair). 5272 This begs the question -- why is the updated offer/answer exchange 5273 needed at all? Indeed, in a pure offer/answer environment, it would 5274 not be. The offerer and answerer will agree on the candidates to use 5275 through ICE, and then can begin using them. As far as the agents 5276 themselves are concerned, the updated offer/answer provides no new 5277 information. However, in practice, numerous components along the 5278 signaling path look at the SDP information. These include entities 5279 performing off-path QoS reservations, NAT traversal components such 5280 as ALGs and Session Border Controllers (SBCs), and diagnostic tools 5281 that passively monitor the network. For these tools to continue to 5282 function without change, the core property of SDP -- that the 5283 existing, pre-ICE definitions of the addresses used for media -- the 5284 m and c lines and the rtcp attribute -- must be retained. For this 5285 reason, an updated offer must be sent. 5287 B.10. Why Are Binding Indications Used for Keepalives? 5289 Media keepalives are described in Section 10. These keepalives make 5290 use of STUN when both endpoints are ICE capable. However, rather 5291 than using a Binding request transaction (which generates a 5292 response), the keepalives use an Indication. Why is that? 5293 The primary reason has to do with network QoS mechanisms. Once media 5294 begins flowing, network elements will assume that the media stream 5295 has a fairly regular structure, making use of periodic packets at 5296 fixed intervals, with the possibility of jitter. If an agent is 5297 sending media packets, and then receives a Binding request, it would 5298 need to generate a response packet along with its media packets. 5299 This will increase the actual bandwidth requirements for the 5-tuple 5300 carrying the media packets, and introduce jitter in the delivery of 5301 those packets. Analysis has shown that this is a concern in certain 5302 layer 2 access networks that use fairly tight packet schedulers for 5303 media. 5305 Additionally, using a Binding Indication allows integrity to be 5306 disabled, allowing for better performance. This is useful for large- 5307 scale endpoints, such as PSTN gateways and SBCs. 5309 B.11. Why Is the Conflict Resolution Mechanism Needed? 5311 When ICE runs between two peers, one agent acts as controlled, and 5312 the other as controlling. Rules are defined as a function of 5313 implementation type and offerer/answerer to determine who is 5314 controlling and who is controlled. However, the specification 5315 mentions that, in some cases, both sides might believe they are 5316 controlling, or both sides might believe they are controlled. How 5317 can this happen? 5319 The condition when both agents believe they are controlled shows up 5320 in third party call control cases. Consider the following flow: 5322 A Controller B 5323 |(1) INV() | | 5324 |<-------------| | 5325 |(2) 200(SDP1) | | 5326 |------------->| | 5327 | |(3) INV() | 5328 | |------------->| 5329 | |(4) 200(SDP2) | 5330 | |<-------------| 5331 |(5) ACK(SDP2) | | 5332 |<-------------| | 5333 | |(6) ACK(SDP1) | 5334 | |------------->| 5336 Figure 12: Role Conflict Flow 5338 This flow is a variation on flow III of RFC 3725 [RFC3725]. In fact, 5339 it works better than flow III since it produces fewer messages. In 5340 this flow, the controller sends an offerless INVITE to agent A, which 5341 responds with its offer, SDP1. The agent then sends an offerless 5342 INVITE to agent B, which it responds to with its offer, SDP2. The 5343 controller then uses the offer from each agent to generate the 5344 answers. When this flow is used, ICE will run between agents A and 5345 B, but both will believe they are in the controlling role. With the 5346 role conflict resolution procedures, this flow will function properly 5347 when ICE is used. 5349 At this time, there are no documented flows that can result in the 5350 case where both agents believe they are controlled. However, the 5351 conflict resolution procedures allow for this case, should a flow 5352 arise that would fit into this category. 5354 Authors' Addresses 5356 Ari Keranen 5357 Ericsson 5358 Hirsalantie 11 5359 02420 Jorvas 5360 Finland 5362 Email: ari.keranen@ericsson.com 5364 Jonathan Rosenberg 5365 jdrosen.net 5366 Monmouth, NJ 5367 US 5369 Email: jdrosen@jdrosen.net 5370 URI: http://www.jdrosen.net