From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc8445.txt | 5603 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 5603 insertions(+) create mode 100644 doc/rfc/rfc8445.txt (limited to 'doc/rfc/rfc8445.txt') diff --git a/doc/rfc/rfc8445.txt b/doc/rfc/rfc8445.txt new file mode 100644 index 0000000..f7b3b3a --- /dev/null +++ b/doc/rfc/rfc8445.txt @@ -0,0 +1,5603 @@ + + + + + + +Internet Engineering Task Force (IETF) A. Keranen +Request for Comments: 8445 C. Holmberg +Obsoletes: 5245 Ericsson +Category: Standards Track J. Rosenberg +ISSN: 2070-1721 jdrosen.net + July 2018 + + + Interactive Connectivity Establishment (ICE): + A Protocol for Network Address Translator (NAT) Traversal + +Abstract + + This document describes a protocol for Network Address Translator + (NAT) traversal for UDP-based communication. This protocol is called + Interactive Connectivity Establishment (ICE). ICE makes use of the + Session Traversal Utilities for NAT (STUN) protocol and its + extension, Traversal Using Relay NAT (TURN). + + This document obsoletes RFC 5245. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8445. + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 1] + +RFC 8445 ICE July 2018 + + +Copyright Notice + + Copyright (c) 2018 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + + + + + + + + + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 2] + +RFC 8445 ICE July 2018 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 + 2. Overview of ICE . . . . . . . . . . . . . . . . . . . . . . . 6 + 2.1. Gathering Candidates . . . . . . . . . . . . . . . . . . 8 + 2.2. Connectivity Checks . . . . . . . . . . . . . . . . . . . 10 + 2.3. Nominating Candidate Pairs and Concluding ICE . . . . . . 12 + 2.4. ICE Restart . . . . . . . . . . . . . . . . . . . . . . . 13 + 2.5. Lite Implementations . . . . . . . . . . . . . . . . . . 13 + 3. ICE Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 5. ICE Candidate Gathering and Exchange . . . . . . . . . . . . 17 + 5.1. Full Implementation . . . . . . . . . . . . . . . . . . . 17 + 5.1.1. Gathering Candidates . . . . . . . . . . . . . . . . 18 + 5.1.1.1. Host Candidates . . . . . . . . . . . . . . . . . 18 + 5.1.1.2. Server-Reflexive and Relayed Candidates . . . . . 20 + 5.1.1.3. Computing Foundations . . . . . . . . . . . . . . 21 + 5.1.1.4. Keeping Candidates Alive . . . . . . . . . . . . 21 + 5.1.2. Prioritizing Candidates . . . . . . . . . . . . . . . 22 + 5.1.2.1. Recommended Formula . . . . . . . . . . . . . . . 22 + 5.1.2.2. Guidelines for Choosing Type and Local + Preferences . . . . . . . . . . . . . . . . . . . 23 + 5.1.3. Eliminating Redundant Candidates . . . . . . . . . . 23 + 5.2. Lite Implementation Procedures . . . . . . . . . . . . . 23 + 5.3. Exchanging Candidate Information . . . . . . . . . . . . 24 + 5.4. ICE Mismatch . . . . . . . . . . . . . . . . . . . . . . 26 + 6. ICE Candidate Processing . . . . . . . . . . . . . . . . . . 26 + 6.1. Procedures for Full Implementation . . . . . . . . . . . 26 + 6.1.1. Determining Role . . . . . . . . . . . . . . . . . . 26 + 6.1.2. Forming the Checklists . . . . . . . . . . . . . . . 28 + 6.1.2.1. Checklist State . . . . . . . . . . . . . . . . . 28 + 6.1.2.2. Forming Candidate Pairs . . . . . . . . . . . . . 28 + 6.1.2.3. Computing Pair Priority and Ordering Pairs . . . 31 + 6.1.2.4. Pruning the Pairs . . . . . . . . . . . . . . . . 31 + 6.1.2.5. Removing Lower-Priority Pairs . . . . . . . . . . 31 + 6.1.2.6. Computing Candidate Pair States . . . . . . . . . 32 + 6.1.3. ICE State . . . . . . . . . . . . . . . . . . . . . . 36 + 6.1.4. Scheduling Checks . . . . . . . . . . . . . . . . . . 36 + 6.1.4.1. Triggered-Check Queue . . . . . . . . . . . . . . 36 + 6.1.4.2. Performing Connectivity Checks . . . . . . . . . 36 + 6.2. Lite Implementation Procedures . . . . . . . . . . . . . 38 + 7. Performing Connectivity Checks . . . . . . . . . . . . . . . 38 + 7.1. STUN Extensions . . . . . . . . . . . . . . . . . . . . . 38 + 7.1.1. PRIORITY . . . . . . . . . . . . . . . . . . . . . . 38 + 7.1.2. USE-CANDIDATE . . . . . . . . . . . . . . . . . . . . 38 + 7.1.3. ICE-CONTROLLED and ICE-CONTROLLING . . . . . . . . . 39 + 7.2. STUN Client Procedures . . . . . . . . . . . . . . . . . 39 + 7.2.1. Creating Permissions for Relayed Candidates . . . . . 39 + + + +Keranen, et al. Standards Track [Page 3] + +RFC 8445 ICE July 2018 + + + 7.2.2. Forming Credentials . . . . . . . . . . . . . . . . . 39 + 7.2.3. Diffserv Treatment . . . . . . . . . . . . . . . . . 40 + 7.2.4. Sending the Request . . . . . . . . . . . . . . . . . 40 + 7.2.5. Processing the Response . . . . . . . . . . . . . . . 40 + 7.2.5.1. Role Conflict . . . . . . . . . . . . . . . . . . 40 + 7.2.5.2. Failure . . . . . . . . . . . . . . . . . . . . . 41 + 7.2.5.2.1. Non-Symmetric Transport Addresses . . . . . . 41 + 7.2.5.2.2. ICMP Error . . . . . . . . . . . . . . . . . 41 + 7.2.5.2.3. Timeout . . . . . . . . . . . . . . . . . . . 41 + 7.2.5.2.4. Unrecoverable STUN Response . . . . . . . . . 41 + 7.2.5.3. Success . . . . . . . . . . . . . . . . . . . . . 42 + 7.2.5.3.1. Discovering Peer-Reflexive Candidates . . . . 42 + 7.2.5.3.2. Constructing a Valid Pair . . . . . . . . . . 43 + 7.2.5.3.3. Updating Candidate Pair States . . . . . . . 44 + 7.2.5.3.4. Updating the Nominated Flag . . . . . . . . . 44 + 7.2.5.4. Checklist State Updates . . . . . . . . . . . . . 44 + 7.3. STUN Server Procedures . . . . . . . . . . . . . . . . . 45 + 7.3.1. Additional Procedures for Full Implementations . . . 45 + 7.3.1.1. Detecting and Repairing Role Conflicts . . . . . 46 + 7.3.1.2. Computing Mapped Addresses . . . . . . . . . . . 47 + 7.3.1.3. Learning Peer-Reflexive Candidates . . . . . . . 47 + 7.3.1.4. Triggered Checks . . . . . . . . . . . . . . . . 47 + 7.3.1.5. Updating the Nominated Flag . . . . . . . . . . . 49 + 7.3.2. Additional Procedures for Lite Implementations . . . 49 + 8. Concluding ICE Processing . . . . . . . . . . . . . . . . . . 50 + 8.1. Procedures for Full Implementations . . . . . . . . . . . 50 + 8.1.1. Nominating Pairs . . . . . . . . . . . . . . . . . . 50 + 8.1.2. Updating Checklist and ICE States . . . . . . . . . . 51 + 8.2. Procedures for Lite Implementations . . . . . . . . . . . 52 + 8.3. Freeing Candidates . . . . . . . . . . . . . . . . . . . 53 + 8.3.1. Full Implementation Procedures . . . . . . . . . . . 53 + 8.3.2. Lite Implementation Procedures . . . . . . . . . . . 53 + 9. ICE Restarts . . . . . . . . . . . . . . . . . . . . . . . . 53 + 10. ICE Option . . . . . . . . . . . . . . . . . . . . . . . . . 54 + 11. Keepalives . . . . . . . . . . . . . . . . . . . . . . . . . 54 + 12. Data Handling . . . . . . . . . . . . . . . . . . . . . . . . 55 + 12.1. Sending Data . . . . . . . . . . . . . . . . . . . . . . 55 + 12.1.1. Procedures for Lite Implementations . . . . . . . . 56 + 12.2. Receiving Data . . . . . . . . . . . . . . . . . . . . . 56 + 13. Extensibility Considerations . . . . . . . . . . . . . . . . 57 + 14. Setting Ta and RTO . . . . . . . . . . . . . . . . . . . . . 57 + 14.1. General . . . . . . . . . . . . . . . . . . . . . . . . 57 + 14.2. Ta . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 + 14.3. RTO . . . . . . . . . . . . . . . . . . . . . . . . . . 58 + 15. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 59 + 15.1. Example with IPv4 Addresses . . . . . . . . . . . . . . 60 + 15.2. Example with IPv6 Addresses . . . . . . . . . . . . . . 65 + + + + +Keranen, et al. Standards Track [Page 4] + +RFC 8445 ICE July 2018 + + + 16. STUN Extensions . . . . . . . . . . . . . . . . . . . . . . . 69 + 16.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . 69 + 16.2. New Error-Response Codes . . . . . . . . . . . . . . . . 70 + 17. Operational Considerations . . . . . . . . . . . . . . . . . 70 + 17.1. NAT and Firewall Types . . . . . . . . . . . . . . . . . 70 + 17.2. Bandwidth Requirements . . . . . . . . . . . . . . . . . 70 + 17.2.1. STUN and TURN Server-Capacity Planning . . . . . . . 71 + 17.2.2. Gathering and Connectivity Checks . . . . . . . . . 71 + 17.2.3. Keepalives . . . . . . . . . . . . . . . . . . . . . 72 + 17.3. ICE and ICE-Lite . . . . . . . . . . . . . . . . . . . . 72 + 17.4. Troubleshooting and Performance Management . . . . . . . 72 + 17.5. Endpoint Configuration . . . . . . . . . . . . . . . . . 73 + 18. IAB Considerations . . . . . . . . . . . . . . . . . . . . . 73 + 18.1. Problem Definition . . . . . . . . . . . . . . . . . . . 73 + 18.2. Exit Strategy . . . . . . . . . . . . . . . . . . . . . 74 + 18.3. Brittleness Introduced by ICE . . . . . . . . . . . . . 74 + 18.4. Requirements for a Long-Term Solution . . . . . . . . . 75 + 18.5. Issues with Existing NAPT Boxes . . . . . . . . . . . . 75 + 19. Security Considerations . . . . . . . . . . . . . . . . . . . 76 + 19.1. IP Address Privacy . . . . . . . . . . . . . . . . . . . 76 + 19.2. Attacks on Connectivity Checks . . . . . . . . . . . . . 77 + 19.3. Attacks on Server-Reflexive Address Gathering . . . . . 80 + 19.4. Attacks on Relayed Candidate Gathering . . . . . . . . . 80 + 19.5. Insider Attacks . . . . . . . . . . . . . . . . . . . . 81 + 19.5.1. STUN Amplification Attack . . . . . . . . . . . . . 81 + 20. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 82 + 20.1. STUN Attributes . . . . . . . . . . . . . . . . . . . . 82 + 20.2. STUN Error Responses . . . . . . . . . . . . . . . . . . 82 + 20.3. ICE Options . . . . . . . . . . . . . . . . . . . . . . 82 + 21. Changes from RFC 5245 . . . . . . . . . . . . . . . . . . . . 83 + 22. References . . . . . . . . . . . . . . . . . . . . . . . . . 84 + 22.1. Normative References . . . . . . . . . . . . . . . . . . 84 + 22.2. Informative References . . . . . . . . . . . . . . . . . 85 + Appendix A. Lite and Full Implementations . . . . . . . . . . . 89 + Appendix B. Design Motivations . . . . . . . . . . . . . . . . . 90 + B.1. Pacing of STUN Transactions . . . . . . . . . . . . . . . 90 + B.2. Candidates with Multiple Bases . . . . . . . . . . . . . 92 + B.3. Purpose of the Related-Address and Related-Port + Attributes . . . . . . . . . . . . . . . . . . . . . . . 94 + B.4. Importance of the STUN Username . . . . . . . . . . . . . 95 + B.5. The Candidate Pair Priority Formula . . . . . . . . . . . 96 + B.6. Why Are Keepalives Needed? . . . . . . . . . . . . . . . 96 + B.7. Why Prefer Peer-Reflexive Candidates? . . . . . . . . . . 97 + B.8. Why Are Binding Indications Used for Keepalives? . . . . 97 + B.9. Selecting Candidate Type Preference . . . . . . . . . . . 97 + Appendix C. Connectivity-Check Bandwidth . . . . . . . . . . . . 99 + Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 100 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 100 + + + +Keranen, et al. Standards Track [Page 5] + +RFC 8445 ICE July 2018 + + +1. Introduction + + Protocols establishing communication sessions between peers typically + involve exchanging IP addresses and ports for the data sources and + sinks. However, this poses challenges when operated through Network + Address Translators (NATs) [RFC3235]. These protocols also seek to + create a data flow directly between participants, so that there is no + application-layer intermediary between them. This is done to reduce + data latency, decrease packet loss, and reduce the operational costs + of deploying the application. However, this is difficult to + accomplish through NATs. A full treatment of the reasons for this is + beyond the scope of this specification. + + Numerous solutions have been defined for allowing these protocols to + operate through NATs. These include Application Layer Gateways + (ALGs), the Middlebox Control Protocol [RFC3303], the original Simple + Traversal of UDP Through NAT (STUN) specification [RFC3489] (note + that RFC 3489 has been obsoleted by RFC 5389), and Realm Specific IP + [RFC3102] [RFC3103] along with session description extensions needed + to make them work, such as the Session Description Protocol (SDP) + attribute [RFC4566] for the Real-Time Control Protocol (RTCP) + [RFC3605]. Unfortunately, these techniques all have pros and cons + that make each one optimal in some network topologies, but a poor + choice in others. The result is that administrators and implementers + are making assumptions about the topologies of the networks in which + their solutions will be deployed. This introduces complexity and + brittleness into the system. + + This specification defines Interactive Connectivity Establishment + (ICE) as a technique for NAT traversal for UDP-based data streams + (though ICE has been extended to handle other transport protocols, + such as TCP [RFC6544]). ICE works by exchanging a multiplicity of IP + addresses and ports, which are then tested for connectivity by + peer-to-peer connectivity checks. The IP addresses and ports are + exchanged using ICE-usage-specific mechanisms (e.g., in an Offer/ + Answer exchange), and the connectivity checks are performed using + STUN [RFC5389]. ICE also makes use of Traversal Using Relay around + NAT (TURN) [RFC5766], an extension to STUN. Because ICE exchanges a + multiplicity of IP addresses and ports for each media stream, it also + allows for address selection for multihomed and dual-stack hosts. + For this reason, RFC 5245 [RFC5245] deprecated the solutions + previously defined in RFC 4091 [RFC4091] and RFC 4092 [RFC4092]. + + Appendix B provides background information and motivations regarding + the design decisions that were made when designing ICE. + + + + + + +Keranen, et al. Standards Track [Page 6] + +RFC 8445 ICE July 2018 + + +2. Overview of ICE + + In a typical ICE deployment, there are two endpoints (ICE agents) + that want to communicate. Note that ICE is not intended for NAT + traversal for the signaling protocol, which is assumed to be provided + via another mechanism. ICE assumes that the agents are able to + establish a signaling connection between each other. + + Initially, the agents are ignorant of their own topologies. In + particular, the agents may or may not be behind NATs (or multiple + tiers of NATs). ICE allows the agents to discover enough information + about their topologies to potentially find one or more paths by which + they can establish a data session. + + Figure 1 shows a typical ICE deployment. The agents are labeled L + and R. Both L and R are behind their own respective NATs, though + they may not be aware of it. The type of NAT and its properties are + also unknown. L and R are capable of engaging in a candidate + exchange process, whose purpose is to set up a data session between L + and R. Typically, this exchange will occur through a signaling + server (e.g., a SIP proxy). + + In addition to the agents, a signaling server, and NATs, ICE is + typically used in concert with STUN or TURN servers in the network. + Each agent can have its own STUN or TURN server, or they can be the + same. + + +---------+ + +--------+ |Signaling| +--------+ + | STUN | |Server | | STUN | + | Server | +---------+ | Server | + +--------+ / \ +--------+ + / \ + / \ + / <- Signaling -> \ + / \ + +--------+ +--------+ + | NAT | | NAT | + +--------+ +--------+ + / \ + / \ + +-------+ +-------+ + | Agent | | Agent | + | L | | R | + +-------+ +-------+ + + Figure 1: ICE Deployment Scenario + + + + +Keranen, et al. Standards Track [Page 7] + +RFC 8445 ICE July 2018 + + + The basic idea behind ICE is as follows: each agent has a variety of + candidate transport addresses (combination of IP address and port for + a particular transport protocol, which is always UDP in this + specification) it could use to communicate with the other agent. + These might include: + + o A transport address on a directly attached network interface + + o A translated transport address on the public side of a NAT (a + "server-reflexive" address) + + o A transport address allocated from a TURN server (a "relayed + address") + + Potentially, any of L's candidate transport addresses can be used to + communicate with any of R's candidate transport addresses. In + practice, however, many combinations will not work. For instance, if + L and R are both behind NATs, their directly attached interface + addresses are unlikely to be able to communicate directly (this is + why ICE is needed, after all!). The purpose of ICE is to discover + which pairs of addresses will work. The way that ICE does this is to + systematically try all possible pairs (in a carefully sorted order) + until it finds one or more that work. + +2.1. Gathering Candidates + + In order to execute ICE, an ICE agent identifies and gathers one or + more address candidates. A candidate has a transport address -- a + combination of IP address and port for a particular transport + protocol (with only UDP specified here). There are different types + of candidates; some are derived from physical or logical network + interfaces, and others are discoverable via STUN and TURN. + + The first category of candidates are those with a transport address + obtained directly from a local interface. Such a candidate is called + a "host candidate". The local interface could be Ethernet or Wi-Fi, + or it could be one that is obtained through a tunnel mechanism, such + as a Virtual Private Network (VPN) or Mobile IP (MIP). In all cases, + such a network interface appears to the agent as a local interface + from which ports (and thus candidates) can be allocated. + + Next, the agent uses STUN or TURN to obtain additional candidates. + These come in two flavors: translated addresses on the public side of + a NAT (server-reflexive candidates) and addresses on TURN servers + (relayed candidates). When TURN servers are utilized, both types of + candidates are obtained from the TURN server. If only STUN servers + are utilized, only server-reflexive candidates are obtained from + them. The relationship of these candidates to the host candidate is + + + +Keranen, et al. Standards Track [Page 8] + +RFC 8445 ICE July 2018 + + + shown in Figure 2. In this figure, both types of candidates are + discovered using TURN. In the figure, the notation X:x means IP + address X and UDP port x. + + To Internet + + | + | + | /------------ Relayed + Y:y | / Address + +--------+ + | | + | TURN | + | Server | + | | + +--------+ + | + | + | /------------ Server + X1':x1'|/ Reflexive + +------------+ Address + | NAT | + +------------+ + | + | /------------ Local + X:x |/ Address + +--------+ + | | + | Agent | + | | + +--------+ + + + Figure 2: Candidate Relationships + + When the agent sends a TURN Allocate request from IP address and port + X:x, the NAT (assuming there is one) will create a binding X1':x1', + mapping this server-reflexive candidate to the host candidate X:x. + Outgoing packets sent from the host candidate will be translated by + the NAT to the server-reflexive candidate. Incoming packets sent to + the server-reflexive candidate will be translated by the NAT to the + host candidate and forwarded to the agent. The host candidate + associated with a given server-reflexive candidate is the "base". + + Note: "Base" refers to the address an agent sends from for a + particular candidate. Thus, as a degenerate case, host candidates + also have a base, but it's the same as the host candidate. + + + + +Keranen, et al. Standards Track [Page 9] + +RFC 8445 ICE July 2018 + + + When there are multiple NATs between the agent and the TURN server, + the TURN request will create a binding on each NAT, but only the + outermost server-reflexive candidate (the one nearest the TURN + server) will be discovered by the agent. If the agent is not behind + a NAT, then the base candidate will be the same as the server- + reflexive candidate, and the server-reflexive candidate is redundant + and will be eliminated. + + The Allocate request then arrives at the TURN server. The TURN + server allocates a port y from its local IP address Y, and generates + an Allocate response, informing the agent of this relayed candidate. + The TURN server also informs the agent of the server-reflexive + candidate, X1':x1', by copying the source transport address of the + Allocate request into the Allocate response. The TURN server acts as + a packet relay, forwarding traffic between L and R. In order to send + traffic to L, R sends traffic to the TURN server at Y:y, and the TURN + server forwards that to X1':x1', which passes through the NAT where + it is mapped to X:x and delivered to L. + + When only STUN servers are utilized, the agent sends a STUN Binding + request [RFC5389] to its STUN server. The STUN server will inform + the agent of the server-reflexive candidate X1':x1' by copying the + source transport address of the Binding request into the Binding + response. + +2.2. Connectivity Checks + + Once L has gathered all of its candidates, it orders them by highest- + to-lowest priority and sends them to R over the signaling channel. + When R receives the candidates from L, it performs the same gathering + process and responds with its own list of candidates. At the end of + this process, each ICE agent has a complete list of both its + candidates and its peer's candidates. It pairs them up, resulting in + candidate pairs. To see which pairs work, each agent schedules a + series of connectivity checks. Each check is a STUN request/response + transaction that the client will perform on a particular candidate + pair by sending a STUN request from the local candidate to the remote + candidate. + + The basic principle of the connectivity checks is simple: + + 1. Sort the candidate pairs in priority order. + + 2. Send checks on each candidate pair in priority order. + + 3. Acknowledge checks received from the other agent. + + + + + +Keranen, et al. Standards Track [Page 10] + +RFC 8445 ICE July 2018 + + + With both agents performing a check on a candidate pair, the result + is a 4-way handshake: + + L R + - - + STUN request -> \ L's + <- STUN response / check + + <- STUN request \ R's + STUN response -> / check + + Figure 3: Basic Connectivity Check + + It is important to note that STUN requests are sent to and from the + exact same IP addresses and ports that will be used for data (e.g., + RTP, RTCP, or other protocols). Consequently, agents demultiplex + STUN and data using the contents of the packets rather than the port + on which they are received. + + Because a STUN Binding request is used for the connectivity check, + the STUN Binding response will contain the agent's translated + transport address on the public side of any NATs between the agent + and its peer. If this transport address is different from that of + other candidates the agent already learned, it represents a new + candidate (peer-reflexive candidate), which then gets tested by ICE + just the same as any other candidate. + + Because the algorithm above searches all candidate pairs, if a + working pair exists, the algorithm will eventually find it no matter + what order the candidates are tried in. In order to produce faster + (and better) results, the candidates are sorted in a specified order. + The resulting list of sorted candidate pairs is called the + "checklist". + + The agent works through the checklist by sending a STUN request for + the next candidate pair on the list periodically. These are called + "ordinary checks". When a STUN transaction succeeds, one or more + candidate pairs will become so-called "valid pairs" and will be added + to a candidate-pair list called the "valid list". + + As an optimization, as soon as R gets L's check message, R schedules + a connectivity-check message to be sent to L on the same candidate + pair. This is called a "triggered check", and it accelerates the + process of finding valid pairs. + + At the end of this handshake, both L and R know that they can send + (and receive) messages end to end in both directions. + + + + +Keranen, et al. Standards Track [Page 11] + +RFC 8445 ICE July 2018 + + + In general, the priority algorithm is designed so that candidates of + a similar type get similar priorities so that more direct routes + (that is, routes without data relays or NATs) are preferred over + indirect routes (routes with data relays or NATs). Within those + guidelines, however, agents have a fair amount of discretion about + how to tune their algorithms. + + A data stream might consist of multiple components (pieces of a data + stream that require their own set of candidates, e.g., RTP and RTCP). + +2.3. Nominating Candidate Pairs and Concluding ICE + + ICE assigns one of the ICE agents in the role of the controlling + agent, and the other in the role of the controlled agent. For each + component of a data stream, the controlling agent nominates a valid + pair (from the valid list) to be used for data. The exact timing of + the nomination is based on local policy. + + When nominating, the controlling agent lets the checks continue until + at least one valid pair for each component of a data stream is found, + and then it picks a valid pair and sends a STUN request on that pair, + using an attribute to indicate to the controlled peer that it has + been nominated. This is shown in Figure 4. + + L R + - - + STUN request -> \ L's + <- STUN response / check + + <- STUN request \ R's + STUN response -> / check + + STUN request + attribute -> \ L's + <- STUN response / check + + Figure 4: Nomination + + Once the controlled agent receives the STUN request with the + attribute, it will check (unless the check has already been done) the + same pair. If the transactions above succeed, the agents will set + the nominated flag for the pairs and will cancel any future checks + for that component of the data stream. Once an agent has set the + nominated flag for each component of a data stream, the pairs become + the selected pairs. After that, only the selected pairs will be used + for sending and receiving data associated with that data stream. + + + + + + +Keranen, et al. Standards Track [Page 12] + +RFC 8445 ICE July 2018 + + +2.4. ICE Restart + + Once ICE is concluded, it can be restarted at any time for one or all + of the data streams by either ICE agent. This is done by sending + updated candidate information indicating a restart. + +2.5. Lite Implementations + + Certain ICE agents will always be connected to the public Internet + and have a public IP address at which it can receive packets from any + correspondent. To make it easier for these devices to support ICE, + ICE defines a special type of implementation called "lite" (in + contrast to the normal full implementation). Lite agents only use + host candidates and do not generate connectivity checks or run state + machines, though they need to be able to respond to connectivity + checks. + +3. ICE Usage + + This document specifies generic use of ICE with protocols that + provide means to exchange candidate information between ICE agents. + The specific details (i.e., how to encode candidate information and + the actual candidate exchange process) for different protocols using + ICE (referred to as "using protocol") are described in separate usage + documents. + + One mechanism that allows agents to exchange candidate information is + the utilization of Offer/Answer semantics (which are based on + [RFC3264]) as part of the SIP protocol [RFC3261] [ICE-SIP-SDP]. + + [RFC7825] defines an ICE usage for the Real-Time Streaming Protocol + (RTSP). Note, however, that the ICE usage is based on RFC 5245. + +4. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + + Readers need to be familiar with the terminology defined in [RFC5389] + and NAT Behavioral requirements for UDP [RFC4787]. + + + + + + + + +Keranen, et al. Standards Track [Page 13] + +RFC 8445 ICE July 2018 + + + This specification makes use of the following additional terminology: + + ICE Session: An ICE session consists of all ICE-related actions + starting with the candidate gathering, followed by the + interactions (candidate exchange, connectivity checks, + nominations, and keepalives) between the ICE agents until all the + candidates are released or an ICE restart is triggered. + + ICE Agent, Agent: An ICE agent (sometimes simply referred to as an + "agent") is the protocol implementation involved in the ICE + candidate exchange. There are two agents involved in a typical + candidate exchange. + + Initiating Peer, Initiating Agent, Initiator: An initiating agent is + an ICE agent that initiates the ICE candidate exchange process. + + Responding Peer, Responding Agent, Responder: A responding agent is + an ICE agent that receives and responds to the candidate exchange + process initiated by the initiating agent. + + ICE Candidate Exchange, Candidate Exchange: The process where ICE + agents exchange information (e.g., candidates and passwords) that + is needed to perform ICE. Offer/Answer with SDP encoding + [RFC3264] is one example of a protocol that can be used for + exchanging the candidate information. + + Peer: From the perspective of one of the ICE agents in a session, + its peer is the other agent. Specifically, from the perspective + of the initiating agent, the peer is the responding agent. From + the perspective of the responding agent, the peer is the + initiating agent. + + Transport Address: The combination of an IP address and the + transport protocol (such as UDP or TCP) port. + + Data, Data Stream, Data Session: When ICE is used to set up data + sessions, the data is transported using some protocol. Media is + usually transported over RTP, composed of a stream of RTP packets. + Data session refers to data packets that are exchanged between the + peer on the path created and tested with ICE. + + Candidate, Candidate Information: A transport address that is a + potential point of contact for receipt of data. Candidates also + have properties -- their type (server reflexive, relayed, or + host), priority, foundation, and base. + + + + + + +Keranen, et al. Standards Track [Page 14] + +RFC 8445 ICE July 2018 + + + Component: A component is a piece of a data stream. A data stream + may require multiple components, each of which has to work in + order for the data stream as a whole to work. For RTP/RTCP data + streams, unless RTP and RTCP are multiplexed in the same port, + there are two components per data stream -- one for RTP, and one + for RTCP. A component has a candidate pair, which cannot be used + by other components. + + Host Candidate: A candidate obtained by binding to a specific port + from an IP address on the host. This includes IP addresses on + physical interfaces and logical ones, such as ones obtained + through VPNs. + + Server-Reflexive Candidate: A candidate whose IP address and port + are a binding allocated by a NAT for an ICE agent after it sends a + packet through the NAT to a server, such as a STUN server. + + Peer-Reflexive Candidate: A candidate whose IP address and port are + a binding allocated by a NAT for an ICE agent after it sends a + packet through the NAT to its peer. + + Relayed Candidate: A candidate obtained from a relay server, such as + a TURN server. + + Base: The transport address that an ICE agent sends from for a + particular candidate. For host, server-reflexive, and peer- + reflexive candidates, the base is the same as the host candidate. + For relayed candidates, the base is the same as the relayed + candidate (i.e., the transport address used by the TURN server to + send from). + + Related Address and Port: A transport address related to a + candidate, which is useful for diagnostics and other purposes. If + a candidate is server or peer reflexive, the related address and + port is equal to the base for that server or peer-reflexive + candidate. If the candidate is relayed, the related address and + port are equal to the mapped address in the Allocate response that + provided the client with that relayed candidate. If the candidate + is a host candidate, the related address and port is identical to + the host candidate. + + Foundation: An arbitrary string used in the freezing algorithm to + group similar candidates. It is the same for two candidates that + have the same type, base IP address, protocol (UDP, TCP, etc.), + and STUN or TURN server. If any of these are different, then the + foundation will be different. + + + + + +Keranen, et al. Standards Track [Page 15] + +RFC 8445 ICE July 2018 + + + Local Candidate: A candidate that an ICE agent has obtained and may + send to its peer. + + Remote Candidate: A candidate that an ICE agent received from its + peer. + + Default Destination/Candidate: The default destination for a + component of a data stream is the transport address that would be + used by an ICE agent that is not ICE aware. A default candidate + for a component is one whose transport address matches the default + destination for that component. + + Candidate Pair: A pair containing a local candidate and a remote + candidate. + + Check, Connectivity Check, STUN Check: A STUN Binding request for + the purpose of verifying connectivity. A check is sent from the + base of the local candidate to the remote candidate of a candidate + pair. + + Checklist: An ordered set of candidate pairs that an ICE agent will + use to generate checks. + + Ordinary Check: A connectivity check generated by an ICE agent as a + consequence of a timer that fires periodically, instructing it to + send a check. + + Triggered Check: A connectivity check generated as a consequence of + the receipt of a connectivity check from the peer. + + Valid Pair: A candidate pair whose local candidate equals the mapped + address of a successful connectivity-check response and whose + remote candidate equals the destination address to which the + connectivity-check request was sent. + + Valid List: An ordered set of candidate pairs for a data stream that + have been validated by a successful STUN transaction. + + Checklist Set: The ordered list of all checklists. The order is + determined by each ICE usage. + + Full Implementation: An ICE implementation that performs the + complete set of functionality defined by this specification. + + + + + + + + +Keranen, et al. Standards Track [Page 16] + +RFC 8445 ICE July 2018 + + + Lite Implementation: An ICE implementation that omits certain + functions, implementing only as much as is necessary for a peer + that is not a lite implementation to gain the benefits of ICE. + Lite implementations do not maintain any of the state machines and + do not generate connectivity checks. + + Controlling Agent: The ICE agent that nominates a candidate pair. + In any session, there is always one controlling agent and one + controlled agent. + + Controlled Agent: The ICE agent that waits for the controlling agent + to nominate a candidate pair. + + Nomination: The process of the controlling agent indicating to the + controlled agent which candidate pair the ICE agents will use for + sending and receiving data. The nomination process defined in + this specification was referred to as "regular nomination" in RFC + 5245. The nomination process that was referred to as "aggressive + nomination" in RFC 5245 has been deprecated in this specification. + + Nominated, Nominated Flag: Once the nomination of a candidate pair + has succeeded, the candidate pair has become nominated, and the + value of its nominated flag is set to true. + + Selected Pair, Selected Candidate Pair: The candidate pair used for + sending and receiving data for a component of a data stream is + referred to as the "selected pair". Before selected pairs have + been produced for a data stream, any valid pair associated with a + component of a data stream can be used for sending and receiving + data for the component. Once there are nominated pairs for each + component of a data stream, the nominated pairs become the + selected pairs for the data stream. The candidates associated + with the selected pairs are referred to as "selected candidates". + + Using Protocol, ICE Usage: The protocol that uses ICE for NAT + traversal. A usage specification defines the protocol-specific + details on how the procedures defined here are applied to that + protocol. + + Timer Ta: The timer for generating new STUN or TURN transactions. + + Timer RTO (Retransmission Timeout): The retransmission timer for a + given STUN or TURN transaction. + + + + + + + + +Keranen, et al. Standards Track [Page 17] + +RFC 8445 ICE July 2018 + + +5. ICE Candidate Gathering and Exchange + + As part of ICE processing, both the initiating and responding agents + gather candidates, prioritize and eliminate redundant candidates, and + exchange candidate information with the peer as defined by the using + protocol (ICE usage). Specifics of the candidate-encoding mechanism + and the semantics of candidate information exchange is out of scope + of this specification. + +5.1. Full Implementation + +5.1.1. Gathering Candidates + + An ICE agent gathers candidates when it believes that communication + is imminent. An initiating agent can do this based on a user + interface cue or on an explicit request to initiate a session. Every + candidate has a transport address. It also has a type and a base. + Four types are defined and gathered by this specification -- host + candidates, server-reflexive candidates, peer-reflexive candidates, + and relayed candidates. The server-reflexive candidates are gathered + using STUN or TURN, and relayed candidates are obtained through TURN. + Peer-reflexive candidates are obtained in later phases of ICE, as a + consequence of connectivity checks. + + The process for gathering candidates at the responding agent is + identical to the process for the initiating agent. It is RECOMMENDED + that the responding agent begin this process immediately on receipt + of the candidate information, prior to alerting the user of the + application associated with the ICE session. + +5.1.1.1. Host Candidates + + Host candidates are obtained by binding to ports on an IP address + attached to an interface (physical or virtual, including VPN + interfaces) on the host. + + For each component of each data stream the ICE agent wishes to use, + the agent SHOULD obtain a candidate on each IP address that the host + has, with the exceptions listed below. The agent obtains each + candidate by binding to a UDP port on the specific IP address. A + host candidate (and indeed every candidate) is always associated with + a specific component for which it is a candidate. + + Each component has an ID assigned to it, called the "component ID". + For RTP/RTCP data streams, unless both RTP and RTCP are multiplexed + in the same UDP port (RTP/RTCP multiplexing), the RTP itself has a + component ID of 1, and RTCP has a component ID of 2. In case of RTP/ + RTCP multiplexing, a component ID of 1 is used for both RTP and RTCP. + + + +Keranen, et al. Standards Track [Page 18] + +RFC 8445 ICE July 2018 + + + When candidates are obtained, unless the agent knows for sure that + RTP/RTCP multiplexing will be used (i.e., the agent knows that the + other agent also supports, and is willing to use, RTP/RTCP + multiplexing), or unless the agent only supports RTP/RTCP + multiplexing, the agent MUST obtain a separate candidate for RTCP. + If an agent has obtained a candidate for RTCP, and ends up using RTP/ + RTCP multiplexing, the agent does not need to perform connectivity + checks on the RTCP candidate. Absence of a component ID 2 as such + does not imply use of RTCP/RTP multiplexing, as it could also mean + that RTCP is not used. + + If an agent is using separate candidates for RTP and RTCP, it will + end up with 2*K host candidates if an agent has K IP addresses. + + Note that the responding agent, when obtaining its candidates, will + typically know if the other agent supports RTP/RTCP multiplexing, in + which case it will not need to obtain a separate candidate for RTCP. + However, absence of a component ID 2 as such does not imply use of + RTCP/RTP multiplexing, as it could also mean that RTCP is not used. + + The use of multiple components, other than for RTP/RTCP streams, is + discouraged as it increases the complexity of ICE processing. If + multiple components are needed, the component IDs SHOULD start with 1 + and increase by 1 for each component. + + The base for each host candidate is set to the candidate itself. + + The host candidates are gathered from all IP addresses with the + following exceptions: + + o Addresses from a loopback interface MUST NOT be included in the + candidate addresses. + + o Deprecated IPv4-compatible IPv6 addresses [RFC4291] and IPv6 site- + local unicast addresses [RFC3879] MUST NOT be included in the + address candidates. + + o IPv4-mapped IPv6 addresses SHOULD NOT be included in the address + candidates unless the application using ICE does not support IPv4 + (i.e., it is an IPv6-only application [RFC4038]). + + o If gathering one or more host candidates that correspond to an + IPv6 address that was generated using a mechanism that prevents + location tracking [RFC7721], host candidates that correspond to + IPv6 addresses that do allow location tracking, are configured on + the same interface, and are part of the same network prefix MUST + NOT be gathered. Similarly, when host candidates corresponding to + + + + +Keranen, et al. Standards Track [Page 19] + +RFC 8445 ICE July 2018 + + + an IPv6 address generated using a mechanism that prevents location + tracking are gathered, then host candidates corresponding to IPv6 + link-local addresses [RFC4291] MUST NOT be gathered. + + The IPv6 default address selection specification [RFC6724] specifies + that temporary addresses [RFC4941] are to be preferred over permanent + addresses. + +5.1.1.2. Server-Reflexive and Relayed Candidates + + An ICE agent SHOULD gather server-reflexive and relayed candidates. + However, use of STUN and TURN servers may be unnecessary in certain + networks and use of TURN servers may be expensive, so some + deployments may elect not to use them. If an agent does not gather + server-reflexive or relayed candidates, it is RECOMMENDED that the + functionality be implemented and just disabled through configuration, + so that it can be re-enabled through configuration if conditions + change in the future. + + The agent pairs each host candidate with the STUN or TURN servers + with which it is configured or has discovered by some means. It is + RECOMMENDED that a domain name be configured, the DNS procedures in + [RFC5389] (using SRV records with the "stun" service) be used to + discover the STUN server, and the DNS procedures in [RFC5766] (using + SRV records with the "turn" service) be used to discover the TURN + server. + + When multiple STUN or TURN servers are available (or when they are + learned through DNS records and multiple results are returned), the + agent MAY gather candidates for all of them and SHOULD gather + candidates for at least one of them (one STUN server and one TURN + server). It does so by pairing host candidates with STUN or TURN + servers, and for each pair, the agent sends a Binding or Allocate + request to the server from the host candidate. Binding requests to a + STUN server are not authenticated, and any ALTERNATE-SERVER attribute + in a response is ignored. Agents MUST support the backwards- + compatibility mode for the Binding request defined in [RFC5389]. + Allocate requests SHOULD be authenticated using a long-term + credential obtained by the client through some other means. + + The gathering process is controlled using a timer, Ta. Every time Ta + expires, the agent can generate another new STUN or TURN transaction. + This transaction can be either a retry of a previous transaction that + failed with a recoverable error (such as authentication failure) or a + transaction for a new host candidate and STUN or TURN server pair. + The agent SHOULD NOT generate transactions more frequently than once + per each ta expiration. See Section 14 for guidance on how to set Ta + and the STUN retransmit timer, RTO. + + + +Keranen, et al. Standards Track [Page 20] + +RFC 8445 ICE July 2018 + + + The agent will receive a Binding or Allocate response. A successful + Allocate response will provide the agent with a server-reflexive + candidate (obtained from the mapped address) and a relayed candidate + in the XOR-RELAYED-ADDRESS attribute. If the Allocate request is + rejected because the server lacks resources to fulfill it, the agent + SHOULD instead send a Binding request to obtain a server-reflexive + candidate. A Binding response will provide the agent with only a + server-reflexive candidate (also obtained from the mapped address). + The base of the server-reflexive candidate is the host candidate from + which the Allocate or Binding request was sent. The base of a + relayed candidate is that candidate itself. If a relayed candidate + is identical to a host candidate (which can happen in rare cases), + the relayed candidate MUST be discarded. + + If an IPv6-only agent is in a network that utilizes NAT64 [RFC6146] + and DNS64 [RFC6147] technologies, it may also gather IPv4 server- + reflexive and/or relayed candidates from IPv4-only STUN or TURN + servers. IPv6-only agents SHOULD also utilize IPv6 prefix discovery + [RFC7050] to discover the IPv6 prefix used by NAT64 (if any) and + generate server-reflexive candidates for each IPv6-only interface, + accordingly. The NAT64 server-reflexive candidates are prioritized + like IPv4 server-reflexive candidates. + +5.1.1.3. Computing Foundations + + The ICE agent assigns each candidate a foundation. Two candidates + have the same foundation when all of the following are true: + + o They have the same type (host, relayed, server reflexive, or peer + reflexive). + + o Their bases have the same IP address (the ports can be different). + + o For reflexive and relayed candidates, the STUN or TURN servers + used to obtain them have the same IP address (the IP address used + by the agent to contact the STUN or TURN server). + + o They were obtained using the same transport protocol (TCP, UDP). + + Similarly, two candidates have different foundations if their types + are different, their bases have different IP addresses, the STUN or + TURN servers used to obtain them have different IP addresses (the IP + addresses used by the agent to contact the STUN or TURN server), or + their transport protocols are different. + + + + + + + +Keranen, et al. Standards Track [Page 21] + +RFC 8445 ICE July 2018 + + +5.1.1.4. Keeping Candidates Alive + + Once server-reflexive and relayed candidates are allocated, they MUST + be kept alive until ICE processing has completed, as described in + Section 8.3. For server-reflexive candidates learned through a + Binding request, the bindings MUST be kept alive by additional + Binding requests to the server. Refreshes for allocations are done + using the Refresh transaction, as described in [RFC5766]. The + Refresh requests will also refresh the server-reflexive candidate. + + Host candidates do not time out, but the candidate addresses may + change or disappear for a number of reasons. An ICE agent SHOULD + monitor the interfaces it uses, invalidate candidates whose base has + gone away, and acquire new candidates as appropriate when new IP + addresses (on new or currently used interfaces) appear. + +5.1.2. Prioritizing Candidates + + The prioritization process results in the assignment of a priority to + each candidate. Each candidate for a data stream MUST have a unique + priority that MUST be a positive integer between 1 and (2**31 - 1). + This priority will be used by ICE to determine the order of the + connectivity checks and the relative preference for candidates. + Higher-priority values give more priority over lower values. + + An ICE agent SHOULD compute this priority using the formula in + Section 5.1.2.1 and choose its parameters using the guidelines in + Section 5.1.2.2. If an agent elects to use a different formula, ICE + may take longer to converge since the agents will not be coordinated + in their checks. + + The process for prioritizing candidates is common across the + initiating and the responding agent. + +5.1.2.1. Recommended Formula + + The recommended formula combines a preference for the candidate type + (server reflexive, peer reflexive, relayed, and host), a preference + for the IP address for which the candidate was obtained, and a + component ID using the following formula: + + priority = (2^24)*(type preference) + + (2^8)*(local preference) + + (2^0)*(256 - component ID) + + The type preference MUST be an integer from 0 (lowest preference) to + 126 (highest preference) inclusive, MUST be identical for all + candidates of the same type, and MUST be different for candidates of + + + +Keranen, et al. Standards Track [Page 22] + +RFC 8445 ICE July 2018 + + + different types. The type preference for peer-reflexive candidates + MUST be higher than that of server-reflexive candidates. Setting the + value to 0 means that candidates of this type will only be used as a + last resort. Note that candidates gathered based on the procedures + of Section 5.1.1 will never be peer-reflexive candidates; candidates + of this type are learned from the connectivity checks performed by + ICE. + + The local preference MUST be an integer from 0 (lowest preference) to + 65535 (highest preference) inclusive. When there is only a single IP + address, this value SHOULD be set to 65535. If there are multiple + candidates for a particular component for a particular data stream + that have the same type, the local preference MUST be unique for each + one. If an ICE agent is dual stack, the local preference SHOULD be + set according to the current best practice described in [RFC8421]. + + The component ID MUST be an integer between 1 and 256 inclusive. + +5.1.2.2. Guidelines for Choosing Type and Local Preferences + + The RECOMMENDED values for type preferences are 126 for host + candidates, 110 for peer-reflexive candidates, 100 for server- + reflexive candidates, and 0 for relayed candidates. + + If an ICE agent is multihomed and has multiple IP addresses, the + recommendations in [RFC8421] SHOULD be followed. If multiple TURN + servers are used, local priorities for the candidates obtained from + the TURN servers are chosen in a similar fashion as for multihomed + local candidates: the local preference value is used to indicate a + preference among different servers, but the preference MUST be unique + for each one. + + When choosing type preferences, agents may take into account factors + such as latency, packet loss, cost, network topology, security, + privacy, and others. + +5.1.3. Eliminating Redundant Candidates + + Next, the ICE agents (initiating and responding) eliminate redundant + candidates. Two candidates can have the same transport address yet + different bases, and these would not be considered redundant. + Frequently, a server-reflexive candidate and a host candidate will be + redundant when the agent is not behind a NAT. A candidate is + redundant if and only if its transport address and base equal those + of another candidate. The agent SHOULD eliminate the redundant + candidate with the lower priority. + + + + + +Keranen, et al. Standards Track [Page 23] + +RFC 8445 ICE July 2018 + + +5.2. Lite Implementation Procedures + + Lite implementations only utilize host candidates. For each IP + address, independent of an IP address family, there MUST be zero or + one candidate. With the lite implementation, ICE cannot be used to + dynamically choose amongst candidates. Therefore, including more + than one candidate from a particular IP address family is NOT + RECOMMENDED, since only a connectivity check can truly determine + whether to use one address or the other. Instead, it is RECOMMENDED + that agents that have multiple public IP addresses run full ICE + implementations to ensure the best usage of its addresses. + + Each component has an ID assigned to it, called the "component ID". + For RTP/RTCP data streams, unless RTCP is multiplexed in the same + port with RTP, the RTP itself has a component ID of 1 and RTCP a + component ID of 2. If an agent is using RTCP without multiplexing, + it MUST obtain candidates for it. However, absence of a component ID + 2 as such does not imply use of RTCP/RTP multiplexing, as it could + also mean that RTCP is not used. + + Each candidate is assigned a foundation. The foundation MUST be + different for two candidates allocated from different IP addresses; + otherwise, it MUST be the same. A simple integer that increments for + each IP address will suffice. In addition, each candidate MUST be + assigned a unique priority amongst all candidates for the same data + stream. If the formula in Section 5.1.2.1 is used to calculate the + priority, the type preference value SHOULD be set to 126. If a host + is IPv4 only, the local preference value SHOULD be set to 65535. If + a host is IPv6 or dual stack, the local preference value SHOULD be + set to the precedence value for IP addresses described in RFC 6724 + [RFC6724]. + + Next, an agent chooses a default candidate for each component of each + data stream. If a host is IPv4 only, there would only be one + candidate for each component of each data stream; therefore, that + candidate is the default. If a host is IPv6 only, the default + candidate would typically be a globally scoped IPv6 address. Dual- + stack hosts SHOULD allow configuration whether IPv4 or IPv6 is used + for the default candidate, and the configuration needs to be based on + which one its administrator believes has a higher chance of success + in the current network environment. + + The procedures in this section are common across the initiating and + responding agents. + + + + + + + +Keranen, et al. Standards Track [Page 24] + +RFC 8445 ICE July 2018 + + +5.3. Exchanging Candidate Information + + ICE agents (initiating and responding) need the following information + about candidates to be exchanged. Each ICE usage MUST define how the + information is exchanged with the using protocol. This section + describes the information that needs to be exchanged. + + Candidates: One or more candidates. For each candidate: + + Address: The IP address and transport protocol port of the + candidate. + + Transport: The transport protocol of the candidate. This MAY be + omitted if the using protocol only runs over a single transport + protocol. + + Foundation: A sequence of up to 32 characters. + + Component ID: The component ID of the candidate. This MAY be + omitted if the using protocol does not use the concept of + components. + + Priority: The 32-bit priority of the candidate. + + Type: The type of the candidate. + + Related Address and Port: The related IP address and port of the + candidate. These MAY be omitted or set to invalid values if + the agent does not want to reveal them, e.g., for privacy + reasons. + + Extensibility Parameters: The using protocol might define means + for adding new per-candidate ICE parameters in the future. + + Lite or Full: Whether the agent is a lite agent or full agent. + + Connectivity-Check Pacing Value: The pacing value for connectivity + checks that the agent wishes to use. This MAY be omitted if the + agent wishes to use a defined default value. + + Username Fragment and Password: Values used to perform connectivity + checks. The values MUST be unguessable, with at least 128 bits of + random number generator output used to generate the password, and + at least 24 bits of output to generate the username fragment. + + Extensions: New media-stream or session-level attributes (ICE + options). + + + + +Keranen, et al. Standards Track [Page 25] + +RFC 8445 ICE July 2018 + + + If the using protocol is vulnerable to, and able to detect, ICE + mismatch (Section 5.4), a way is needed for the detecting agent to + convey this information to its peer. It is a boolean flag. + + The using protocol may (or may not) need to deal with backwards + compatibility with older implementations that do not support ICE. If + a fallback mechanism to non-ICE is supported and is being used, then + presumably the using protocol provides a way of conveying the default + candidate (its IP address and port) in addition to the ICE + parameters. + + Once an agent has sent its candidate information, it MUST be prepared + to receive both STUN and data packets on each candidate. As + discussed in Section 12.1, data packets can be sent to a candidate + prior to its appearance as the default destination for data. + +5.4. ICE Mismatch + + Certain middleboxes, such as ALGs, can alter signaling information in + ways that break ICE (e.g., by rewriting IP addresses in SDP). This + is referred to as "ICE mismatch". If the using protocol is + vulnerable to ICE mismatch, the responding agent needs to be able to + detect it and inform the peer ICE agent about the ICE mismatch. + + Each using protocol needs to define whether the using protocol is + vulnerable to ICE mismatch, how ICE mismatch is detected, and whether + specific actions need to be taken when ICE mismatch is detected. + +6. ICE Candidate Processing + + Once an ICE agent has gathered its candidates and exchanged + candidates with its peer (Section 5), it will determine its own role. + In addition, full implementations will form checklists and begin + performing connectivity checks with the peer. + +6.1. Procedures for Full Implementation + +6.1.1. Determining Role + + For each session, each ICE agent (initiating and responding) takes on + a role. There are two roles -- controlling and controlled. The + controlling agent is responsible for the choice of the final + candidate pairs used for communications. The sections below describe + in detail the actual procedures followed by controlling and + controlled agents. + + + + + + +Keranen, et al. Standards Track [Page 26] + +RFC 8445 ICE July 2018 + + + The rules for determining the role and the impact on behavior are as + follows: + + Both agents are full: The initiating agent that started the ICE + processing MUST take the controlling role, and the other MUST take + the controlled role. Both agents will form checklists, run the + ICE state machines, and generate connectivity checks. The + controlling agent will execute the logic in Section 8.1 to + nominate pairs that will become (if the connectivity checks + associated with the nominations succeed) the selected pairs, and + then both agents end ICE as described in Section 8.1.2. + + One agent full, one lite: The full agent MUST take the controlling + role, and the lite agent MUST take the controlled role. The full + agent will form checklists, run the ICE state machines, and + generate connectivity checks. That agent will execute the logic + in Section 8.1 to nominate pairs that will become (if the + connectivity checks associated with the nominations succeed) the + selected pairs and use the logic in Section 8.1.2 to end ICE. The + lite implementation will just listen for connectivity checks, + receive them and respond to them, and then conclude ICE as + described in Section 8.2. For the lite implementation, the state + of ICE processing for each data stream is considered to be + Running, and the state of ICE overall is Running. + + Both lite: The initiating agent that started the ICE processing MUST + take the controlling role, and the other MUST take the controlled + role. In this case, no connectivity checks are ever sent. + Rather, once the candidates are exchanged, each agent performs the + processing described in Section 8 without connectivity checks. It + is possible that both agents will believe they are controlled or + controlling. In the latter case, the conflict is resolved through + glare detection capabilities in the signaling protocol enabling + the candidate exchange. The state of ICE processing for each data + stream is considered to be Running, and the state of ICE overall + is Running. + + Once the roles are determined for a session, they persist throughout + the lifetime of the session. The roles can be redetermined as part + of an ICE restart (Section 9), but an ICE agent MUST NOT redetermine + the role as part of an ICE restart unless one or more of the + following criteria is fulfilled: + + Full becomes lite: If the controlling agent is full, and switches to + lite, the roles MUST be redetermined if the peer agent is also + full. + + + + + +Keranen, et al. Standards Track [Page 27] + +RFC 8445 ICE July 2018 + + + Role conflict: If the ICE restart causes a role conflict, the roles + might be redetermined due to the role conflict procedures in + Section 7.3.1.1. + + NOTE: There are certain Third Party Call Control (3PCC) [RFC3725] + scenarios where an ICE restart might cause a role conflict. + + NOTE: The agents need to inform each other whether they are full or + lite before the roles are determined. The mechanism for that is + specific to the signaling protocol and outside the scope of the + document. + + An agent MUST accept if the peer initiates a redetermination of the + roles even if the criteria for doing so are not fulfilled. This can + happen if the peer is compliant with RFC 5245. + +6.1.2. Forming the Checklists + + There is one checklist for each data stream. To form a checklist, + initiating and responding ICE agents form candidate pairs, compute + pair priorities, order pairs by priority, prune pairs, remove lower- + priority pairs, and set checklist states. If candidates are added to + a checklist (e.g., due to detection of peer-reflexive candidates), + the agent will re-perform these steps for the updated checklist. + +6.1.2.1. Checklist State + + Each checklist has a state, which captures the state of ICE checks + for the data stream associated with the checklist. The states are: + + Running: The checklist is neither Completed nor Failed yet. + Checklists are initially set to the Running state. + + Completed: The checklist contains a nominated pair for each + component of the data stream. + + Failed: The checklist does not have a valid pair for each component + of the data stream, and all of the candidate pairs in the + checklist are in either the Failed or the Succeeded state. In + other words, at least one component of the checklist has candidate + pairs that are all in the Failed state, which means the component + has failed, which means the checklist has failed. + +6.1.2.2. Forming Candidate Pairs + + The ICE agent pairs each local candidate with each remote candidate + for the same component of the same data stream with the same IP + address family. It is possible that some of the local candidates + + + +Keranen, et al. Standards Track [Page 28] + +RFC 8445 ICE July 2018 + + + won't get paired with remote candidates, and some of the remote + candidates won't get paired with local candidates. This can happen + if one agent doesn't include candidates for all of the components for + a data stream. If this happens, the number of components for that + data stream is effectively reduced and is considered to be equal to + the minimum across both agents of the maximum component ID provided + by each agent across all components for the data stream. + + In the case of RTP, this would happen when one agent provides + candidates for RTCP, and the other does not. As another example, the + initiating agent can multiplex RTP and RTCP on the same port + [RFC5761]. However, since the initiating agent doesn't know if the + peer agent can perform such multiplexing, it includes candidates for + RTP and RTCP on separate ports. If the peer agent can perform such + multiplexing, it would include just a single component for each + candidate -- for the combined RTP/RTCP mux. ICE would end up acting + as if there was just a single component for this candidate. + + With IPv6, it is common for a host to have multiple host candidates + for each interface. To keep the amount of resulting candidate pairs + reasonable and to avoid candidate pairs that are highly unlikely to + work, IPv6 link-local addresses MUST NOT be paired with other than + link-local addresses. + + The candidate pairs whose local and remote candidates are both the + default candidates for a particular component is called the "default + candidate pair" for that component. This is the pair that would be + used to transmit data if both agents had not been ICE aware. + + + + + + + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 29] + +RFC 8445 ICE July 2018 + + + Figure 5 shows the properties of and relationships between transport + addresses, candidates, candidate pairs, and checklists. + + +--------------------------------------------+ + | | + | +---------------------+ | + | |+----+ +----+ +----+ | +Type | + | || IP | |Port| |Tran| | +Priority | + | ||Addr| | | | | | +Foundation | + | |+----+ +----+ +----+ | +Component ID | + | | Transport | +Related Address | + | | Addr | | + | +---------------------+ +Base | + | Candidate | + +--------------------------------------------+ + * * + * ************************************* + * * + +-------------------------------+ + | | + | Local Remote | + | +----+ +----+ +default? | + | |Cand| |Cand| +valid? | + | +----+ +----+ +nominated?| + | +State | + | | + | | + | Candidate Pair | + +-------------------------------+ + * * + * ************ + * * + +------------------+ + | Candidate Pair | + +------------------+ + +------------------+ + | Candidate Pair | + +------------------+ + +------------------+ + | Candidate Pair | + +------------------+ + + Checklist + + + Figure 5: Conceptual Diagram of a Checklist + + + + + +Keranen, et al. Standards Track [Page 30] + +RFC 8445 ICE July 2018 + + +6.1.2.3. Computing Pair Priority and Ordering Pairs + + The ICE agent computes a priority for each candidate pair. Let G be + the priority for the candidate provided by the controlling agent. + Let D be the priority for the candidate provided by the controlled + agent. The priority for a pair is computed as follows: + + pair priority = 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D?1:0) + + The agent sorts each checklist in decreasing order of candidate pair + priority. If two pairs have identical priority, the ordering amongst + them is arbitrary. + +6.1.2.4. Pruning the Pairs + + This sorted list of candidate pairs is used to determine a sequence + of connectivity checks that will be performed. Each check involves + sending a request from a local candidate to a remote candidate. + Since an ICE agent cannot send requests directly from a reflexive + candidate (server reflexive or peer reflexive), but only from its + base, the agent next goes through the sorted list of candidate pairs. + For each pair where the local candidate is reflexive, the candidate + MUST be replaced by its base. + + The agent prunes each checklist. This is done by removing a + candidate pair if it is redundant with a higher-priority candidate + pair in the same checklist. Two candidate pairs are redundant if + their local candidates have the same base and their remote candidates + are identical. The result is a sequence of ordered candidate pairs, + called the "checklist" for that data stream. + +6.1.2.5. Removing Lower-Priority Pairs + + In order to limit the attacks described in Section 19.5.1, an ICE + agent MUST limit the total number of connectivity checks the agent + performs across all checklists in the checklist set. This is done by + limiting the total number of candidate pairs in the checklist set. + The default limit of candidate pairs for the checklist set is 100, + but the value MUST be configurable. The limit is enforced by, within + in each checklist, discarding lower-priority candidate pairs until + the total number of candidate pairs in the checklist set is smaller + than the limit value. The discarding SHOULD be done evenly so that + the number of candidate pairs in each checklist is reduced the same + amount. + + It is RECOMMENDED that a lower-limit value than the default is picked + when possible, and that the value is set to the maximum number of + plausible candidate pairs that might be created in an actual + + + +Keranen, et al. Standards Track [Page 31] + +RFC 8445 ICE July 2018 + + + deployment configuration. The requirement for configuration is meant + to provide a tool for fixing this value in the field if, once + deployed, it is found to be problematic. + +6.1.2.6. Computing Candidate Pair States + + Each candidate pair in the checklist has a foundation (the + combination of the foundations of the local and remote candidates in + the pair) and one of the following states: + + Waiting: A check has not been sent for this pair, but the pair is + not Frozen. + + In-Progress: A check has been sent for this pair, but the + transaction is in progress. + + Succeeded: A check has been sent for this pair, and it produced a + successful result. + + Failed: A check has been sent for this pair, and it failed (a + response to the check was never received, or a failure response + was received). + + Frozen: A check for this pair has not been sent, and it cannot be + sent until the pair is unfrozen and moved into the Waiting state. + + + + + + + + + + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 32] + +RFC 8445 ICE July 2018 + + + Pairs move between states as shown in Figure 6. + + +-----------+ + | | + | | + | Frozen | + | | + | | + +-----------+ + | + |unfreeze + | + V + +-----------+ +-----------+ + | | | | + | | perform | | + | Waiting |-------->|In-Progress| + | | | | + | | | | + +-----------+ +-----------+ + / | + // | + // | + // | + / | + // | + failure // |success + // | + / | + // | + // | + // | + V V + +-----------+ +-----------+ + | | | | + | | | | + | Failed | | Succeeded | + | | | | + | | | | + +-----------+ +-----------+ + + Figure 6: Pair State Finite State Machine (FSM) + + + + + + + + + +Keranen, et al. Standards Track [Page 33] + +RFC 8445 ICE July 2018 + + + The initial states for each pair in a checklist are computed by + performing the following sequence of steps: + + 1. The checklists are placed in an ordered list (the order is + determined by each ICE usage), called the "checklist set". + + 2. The ICE agent initially places all candidate pairs in the Frozen + state. + + 3. The agent sets all of the checklists in the checklist set to the + Running state. + + 4. For each foundation, the agent sets the state of exactly one + candidate pair to the Waiting state (unfreezing it). The + candidate pair to unfreeze is chosen by finding the first + candidate pair (ordered by the lowest component ID and then the + highest priority if component IDs are equal) in the first + checklist (according to the usage-defined checklist set order) + that has that foundation. + + NOTE: The procedures above are different from RFC 5245, where only + candidate pairs in the first checklist were initially placed in the + Waiting state. Now it applies to candidate pairs in the first + checklist that have that foundation, even if the checklist is not the + first one in the checklist set. + + The table below illustrates an example. + + + + + + + + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 34] + +RFC 8445 ICE July 2018 + + + Table legend: + + Each row (m1, m2,...) represents a checklist associated with a + data stream. m1 represents the first checklist in the checklist + set. + + Each column (f1, f2,...) represents a foundation. Every candidate + pair within a given column share the same foundation. + + f-cp represents a candidate pair in the Frozen state. + + w-cp represents a candidate pair in the Waiting state. + + 1. The agent sets all of the pairs in the checklist set to the + Frozen state. + + f1 f2 f3 f4 f5 + ----------------------------- + m1 | f-cp f-cp f-cp + | + m2 | f-cp f-cp f-cp f-cp + | + m3 | f-cp f-cp + + + 2. For each foundation, the candidate pair with the lowest + component ID is placed in the Waiting state, unless a + candidate pair associated with the same foundation has + already been put in the Waiting state in one of the + other examined checklists in the checklist set. + + f1 f2 f3 f4 f5 + ----------------------------- + m1 | w-cp w-cp w-cp + | + m2 | f-cp f-cp f-cp w-cp + | + m3 | f-cp w-cp + + Table 1: Pair State Example + + In the first checklist (m1), the candidate pair for each foundation + is placed in the Waiting state, as no pairs for the same foundations + have yet been placed in the Waiting state. + + In the second checklist (m2), the candidate pair for foundation f4 is + placed in the Waiting state. The candidate pair for foundations f1, + f2, and f3 are kept in the Frozen state, as candidate pairs for those + + + +Keranen, et al. Standards Track [Page 35] + +RFC 8445 ICE July 2018 + + + foundations have already been placed in the Waiting state (within + checklist m1). + + In the third checklist (m3), the candidate pair for foundation f5 is + placed in the Waiting state. The candidate pair for foundation f1 is + kept in the Frozen state, as a candidate pair for that foundation has + already been placed in the Waiting state (within checklist m1). + + Once each checklist have been processed, one candidate pair for each + foundation in the checklist set has been placed in the Waiting state. + +6.1.3. ICE State + + The ICE agent has a state determined by the state of the checklists. + The state is Completed if all checklists are Completed, Failed if all + checklists are Failed, or Running otherwise. + +6.1.4. Scheduling Checks + +6.1.4.1. Triggered-Check Queue + + Once the ICE agent has computed the checklists and created the + checklist set, as described in Section 6.1.2, the agent will begin + performing connectivity checks (ordinary and triggered). For + triggered connectivity checks, the agent maintains a FIFO queue for + each checklist, referred to as the "triggered-check queue", which + contains candidate pairs for which checks are to be sent at the next + available opportunity. The triggered-check queue is initially empty. + +6.1.4.2. Performing Connectivity Checks + + The generation of ordinary and triggered connectivity checks is + governed by timer Ta. As soon as the initial states for the + candidate pairs in the checklist set have been set, a check is + performed for a candidate pair within the first checklist in the + Running state, following the procedures in Section 7. After that, + whenever Ta fires the next checklist in the Running state in the + checklist set is picked, and a check is performed for a candidate + within that checklist. After the last checklist in the Running state + in the checklist set has been processed, the first checklist is + picked again, etc. + + + + + + + + + + +Keranen, et al. Standards Track [Page 36] + +RFC 8445 ICE July 2018 + + + Whenever Ta fires, the ICE agent will perform a check for a candidate + pair within the checklist that was picked by performing the following + steps: + + 1. If the triggered-check queue associated with the checklist + contains one or more candidate pairs, the agent removes the top + pair from the queue, performs a connectivity check on that pair, + puts the candidate pair state to In-Progress, and aborts the + subsequent steps. + + 2. If there is no candidate pair in the Waiting state, and if there + are one or more pairs in the Frozen state, the agent checks the + foundation associated with each pair in the Frozen state. For a + given foundation, if there is no pair (in any checklist in the + checklist set) in the Waiting or In-Progress state, the agent + puts the candidate pair state to Waiting and continues with the + next step. + + 3. If there are one or more candidate pairs in the Waiting state, + the agent picks the highest-priority candidate pair (if there are + multiple pairs with the same priority, the pair with the lowest + component ID is picked) in the Waiting state, performs a + connectivity check on that pair, puts the candidate pair state to + In-Progress, and aborts the subsequent steps. + + 4. If this step is reached, no check could be performed for the + checklist that was picked. So, without waiting for timer Ta to + expire again, select the next checklist in the Running state and + return to step #1. If this happens for every single checklist in + the Running state, meaning there are no remaining candidate pairs + to perform connectivity checks for, abort these steps. + + Once the agent has picked a candidate pair for which a connectivity + check is to be performed, the agent starts a check and sends the + Binding request from the base associated with the local candidate of + the pair to the remote candidate of the pair, as described in + Section 7.2.4. + + Based on local policy, an agent MAY choose to terminate performing + the connectivity checks for one or more checklists in the checklist + set at any time. However, only the controlling agent is allowed to + conclude ICE (Section 8). + + To compute the message integrity for the check, the agent uses the + remote username fragment and password learned from the candidate + information obtained from its peer. The local username fragment is + known directly by the agent for its own candidate. + + + + +Keranen, et al. Standards Track [Page 37] + +RFC 8445 ICE July 2018 + + +6.2. Lite Implementation Procedures + + Lite implementations skip most of the steps in Section 6 except for + verifying the peer's ICE support and determining its role in the ICE + processing. + + If the lite implementation is the controlling agent (which will only + happen if the peer ICE agent is also a lite implementation), it + selects a candidate pair based on the ones in the candidate exchange + (for IPv4, there is only ever one pair) and then updates the peer + with the new candidate information reflecting that selection, if + needed (it is never needed for an IPv4-only host). + +7. Performing Connectivity Checks + + This section describes how connectivity checks are performed. + + An ICE agent MUST be compliant to [RFC5389]. A full implementation + acts both as a STUN client and a STUN server, while a lite + implementation only acts as a STUN server (as it does not generate + connectivity checks). + +7.1. STUN Extensions + + ICE extends STUN with the attributes: PRIORITY, USE-CANDIDATE, ICE- + CONTROLLED, and ICE-CONTROLLING. These attributes are formally + defined in Section 16.1. This section describes the usage of the + attributes. + + The attributes are only applicable to ICE connectivity checks. + +7.1.1. PRIORITY + + The PRIORITY attribute MUST be included in a Binding request and be + set to the value computed by the algorithm in Section 5.1.2 for the + local candidate, but with the candidate type preference of peer- + reflexive candidates. + +7.1.2. USE-CANDIDATE + + The controlling agent MUST include the USE-CANDIDATE attribute in + order to nominate a candidate pair (Section 8.1.1). The controlled + agent MUST NOT include the USE-CANDIDATE attribute in a Binding + request. + + + + + + + +Keranen, et al. Standards Track [Page 38] + +RFC 8445 ICE July 2018 + + +7.1.3. ICE-CONTROLLED and ICE-CONTROLLING + + The controlling agent MUST include the ICE-CONTROLLING attribute in a + Binding request. The controlled agent MUST include the ICE- + CONTROLLED attribute in a Binding request. + + The content of either attribute is used as tiebreaker values when an + ICE role conflict occurs (Section 7.3.1.1). + +7.2. STUN Client Procedures + +7.2.1. Creating Permissions for Relayed Candidates + + If the connectivity check is being sent using a relayed local + candidate, the client MUST create a permission first if it has not + already created one previously. It would have created one previously + if it had told the TURN server to create a permission for the given + relayed candidate towards the IP address of the remote candidate. To + create the permission, the ICE agent follows the procedures defined + in [RFC5766]. The permission MUST be created towards the IP address + of the remote candidate. It is RECOMMENDED that the agent defer + creation of a TURN channel until ICE completes, in which case + permissions for connectivity checks are normally created using a + CreatePermission request. Once established, the agent MUST keep the + permission active until ICE concludes. + +7.2.2. Forming Credentials + + A connectivity-check Binding request MUST utilize the STUN short-term + credential mechanism. + + The username for the credential is formed by concatenating the + username fragment provided by the peer with the username fragment of + the ICE agent sending the request, separated by a colon (":"). + + The password is equal to the password provided by the peer. + + For example, consider the case where ICE agent L is the initiating + agent and ICE agent R is the responding agent. Agent L included a + username fragment of LFRAG for its candidates and a password of + LPASS. Agent R provided a username fragment of RFRAG and a password + of RPASS. A connectivity check from L to R utilizes the username + RFRAG:LFRAG and a password of RPASS. A connectivity check from R to + L utilizes the username LFRAG:RFRAG and a password of LPASS. The + responses utilize the same usernames and passwords as the requests + (note that the USERNAME attribute is not present in the response). + + + + + +Keranen, et al. Standards Track [Page 39] + +RFC 8445 ICE July 2018 + + +7.2.3. Diffserv Treatment + + If the agent is using Differentiated Services Code Point (DSCP) + markings [RFC2475] in data packets that it will send, the agent + SHOULD apply the same markings to Binding requests and responses that + it will send. + + If multiple DSCP markings are used on the data packets, the agent + SHOULD choose one of them for use with the connectivity check. + +7.2.4. Sending the Request + + A connectivity check is generated by sending a Binding request from + the base associated with a local candidate to a remote candidate. + [RFC5389] describes how Binding requests are constructed and + generated. + + Support for backwards compatibility with RFC 3489 MUST NOT be assumed + when performing connectivity checks. The FINGERPRINT mechanism MUST + be used for connectivity checks. + +7.2.5. Processing the Response + + This section defines additional procedures for processing Binding + responses specific to ICE connectivity checks. + + When a Binding response is received, it is correlated to the + corresponding Binding request using the transaction ID [RFC5389], + which then associates the response with the candidate pair for which + the Binding request was sent. After that, the response is processed + according to the procedures for a role conflict, a failure, or a + success, according to the procedures below. + +7.2.5.1. Role Conflict + + If the Binding request generates a 487 (Role Conflict) error response + (Section 7.3.1.1), and if the ICE agent included an ICE-CONTROLLED + attribute in the request, the agent MUST switch to the controlling + role. If the agent included an ICE-CONTROLLING attribute in the + request, the agent MUST switch to the controlled role. + + Once the agent has switched its role, the agent MUST add the + candidate pair whose check generated the 487 error response to the + triggered-check queue associated with the checklist to which the pair + belongs, and set the candidate pair state to Waiting. When the + triggered connectivity check is later performed, the ICE-CONTROLLING/ + ICE-CONTROLLED attribute of the Binding request will indicate the + agent's new role. The agent MUST change the tiebreaker value. + + + +Keranen, et al. Standards Track [Page 40] + +RFC 8445 ICE July 2018 + + + NOTE: A role switch requires an agent to recompute pair priorities + (Section 6.1.2.3), since the priority values depend on the role. + + NOTE: A role switch will also impact whether the agent is responsible + for nominating candidate pairs, and whether the agent is responsible + for initiating the exchange of the updated candidate information with + the peer once ICE is concluded. + +7.2.5.2. Failure + + This section describes cases when the candidate pair state is set to + Failed. + + NOTE: When the ICE agent sets the candidate pair state to Failed as a + result of a connectivity-check error, the agent does not change the + states of other candidate pairs with the same foundation. + +7.2.5.2.1. Non-Symmetric Transport Addresses + + The ICE agent MUST check that the source and destination transport + addresses in the Binding request and response are symmetric. That + is, the source IP address and port of the response MUST be equal to + the destination IP address and port to which the Binding request was + sent, and the destination IP address and port of the response MUST be + equal to the source IP address and port from which the Binding + request was sent. If the addresses are not symmetric, the agent MUST + set the candidate pair state to Failed. + +7.2.5.2.2. ICMP Error + + An ICE agent MAY support processing of ICMP errors for connectivity + checks. If the agent supports processing of ICMP errors, and if a + Binding request generates a hard ICMP error, the agent SHOULD set the + state of the candidate pair to Failed. Implementers need to be aware + that ICMP errors can be used as a method for Denial-of-Service (DoS) + attacks when making a decision on how and if to process ICMP errors. + +7.2.5.2.3. Timeout + + If the Binding request transaction times out, the ICE agent MUST set + the candidate pair state to Failed. + +7.2.5.2.4. Unrecoverable STUN Response + + If the Binding request generates a STUN error response that is + unrecoverable [RFC5389], the ICE agent SHOULD set the candidate pair + state to Failed. + + + + +Keranen, et al. Standards Track [Page 41] + +RFC 8445 ICE July 2018 + + +7.2.5.3. Success + + A connectivity check is considered a success if each of the following + criteria is true: + + o The Binding request generated a success response; and + + o The source and destination transport addresses in the Binding + request and response are symmetric. + + If a check is considered a success, the ICE agent performs (in order) + the actions described in the following sections. + +7.2.5.3.1. Discovering Peer-Reflexive Candidates + + The ICE agent MUST check the mapped address from the STUN response. + If the transport address does not match any of the local candidates + that the agent knows about, the mapped address represents a new + candidate: a peer-reflexive candidate. Like other candidates, a + peer-reflexive candidate has a type, base, priority, and foundation. + They are computed as follows: + + o The type is peer reflexive. + + o The base is the local candidate of the candidate pair from which + the Binding request was sent. + + o The priority is the value of the PRIORITY attribute in the Binding + request. + + o The foundation is described in Section 5.1.1.3. + + The peer-reflexive candidate is then added to the list of local + candidates for the data stream. The username fragment and password + are the same as for all other local candidates for that data stream. + + The ICE agent does not need to pair the peer-reflexive candidate with + remote candidates, as a valid pair will be created due to the + procedures in Section 7.2.5.3.2. If an agent wishes to pair the + peer-reflexive candidate with remote candidates other than the one in + the valid pair that will be generated, the agent MAY provide updated + candidate information to the peer that includes the peer-reflexive + candidate. This will cause the peer-reflexive candidate to be paired + with all other remote candidates. + + + + + + + +Keranen, et al. Standards Track [Page 42] + +RFC 8445 ICE July 2018 + + +7.2.5.3.2. Constructing a Valid Pair + + The ICE agent constructs a candidate pair whose local candidate + equals the mapped address of the response and whose remote candidate + equals the destination address to which the request was sent. This + is called a "valid pair". + + The valid pair might equal the pair that generated the connectivity + check, a different pair in the checklist, or a pair currently not in + the checklist. + + The agent maintains a separate list, referred to as the "valid list". + There is a valid list for each checklist in the checklist set. The + valid list will contain valid pairs. Initially, each valid list is + empty. + + Each valid pair within the valid list has a flag, called the + "nominated flag". When a valid pair is added to a valid list, the + flag value is set to 'false'. + + The valid pair will be added to a valid list as follows: + + 1. If the valid pair equals the pair that generated the check, the + pair is added to the valid list associated with the checklist to + which the pair belongs; or + + 2. If the valid pair equals another pair in a checklist, that pair + is added to the valid list associated with the checklist of that + pair. The pair that generated the check is not added to a valid + list; or + + 3. If the valid pair is not in any checklist, the agent computes the + priority for the pair based on the priority of each candidate, + using the algorithm in Section 6.1.2. The priority of the local + candidate depends on its type. Unless the type is peer + reflexive, the priority is equal to the priority signaled for + that candidate in the candidate exchange. If the type is peer + reflexive, it is equal to the PRIORITY attribute the agent placed + in the Binding request that just completed. The priority of the + remote candidate is taken from the candidate information of the + peer. If the candidate does not appear there, then the check has + been a triggered check to a new remote candidate. In that case, + the priority is taken as the value of the PRIORITY attribute in + the Binding request that triggered the check that just completed. + The pair is then added to the valid list. + + + + + + +Keranen, et al. Standards Track [Page 43] + +RFC 8445 ICE July 2018 + + + NOTE: It will be very common that the valid pair will not be in any + checklist. Recall that the checklist has pairs whose local + candidates are never reflexive; those pairs had their local + candidates converted to the base of the reflexive candidates and were + then pruned if they were redundant. When the response to the Binding + request arrives, the mapped address will be reflexive if there is a + NAT between the two. In that case, the valid pair will have a local + candidate that doesn't match any of the pairs in the checklist. + +7.2.5.3.3. Updating Candidate Pair States + + The ICE agent sets the states of both the candidate pair that + generated the check and the constructed valid pair (which may be + different) to Succeeded. + + The agent MUST set the states for all other Frozen candidate pairs in + all checklists with the same foundation to Waiting. + + NOTE: Within a given checklist, candidate pairs with the same + foundations will typically have different component ID values. + +7.2.5.3.4. Updating the Nominated Flag + + If the controlling agent sends a Binding request with the USE- + CANDIDATE attribute set, and if the ICE agent receives a successful + response to the request, the agent sets the nominated flag of the + pair to true. If the request fails (Section 7.2.5.2), the agent MUST + remove the candidate pair from the valid list, set the candidate pair + state to Failed, and set the checklist state to Failed. + + If the controlled agent receives a successful response to a Binding + request sent by the agent, and that Binding request was triggered by + a received Binding request with the USE-CANDIDATE attribute set + (Section 7.3.1.4), the agent sets the nominated flag of the pair to + true. If the triggered request fails, the agent MUST remove the + candidate pair from the valid list, set the candidate pair state to + Failed, and set the checklist state to Failed. + + Once the nominated flag is set for a component of a data stream, it + concludes the ICE processing for that component (Section 8). + +7.2.5.4. Checklist State Updates + + Regardless of whether a connectivity check was successful or failed, + the completion of the check may require updating of checklist states. + For each checklist in the checklist set, if all of the candidate + pairs are in either Failed or Succeeded state, and if there is not a + valid pair in the valid list for each component of the data stream + + + +Keranen, et al. Standards Track [Page 44] + +RFC 8445 ICE July 2018 + + + associated with the checklist, the state of the checklist is set to + Failed. If there is a valid pair for each component in the valid + list, the state of the checklist is set to Succeeded. + +7.3. STUN Server Procedures + + An ICE agent (lite or full) MUST be prepared to receive Binding + requests on the base of each candidate it included in its most recent + candidate exchange. + + The agent MUST use the short-term credential mechanism (i.e., the + MESSAGE-INTEGRITY attribute) to authenticate the request and perform + a message integrity check. Likewise, the short-term credential + mechanism MUST be used for the response. The agent MUST consider the + username to be valid if it consists of two values separated by a + colon, where the first value is equal to the username fragment + generated by the agent in a candidate exchange for a session in + progress. It is possible (and in fact very likely) that the + initiating agent will receive a Binding request prior to receiving + the candidates from its peer. If this happens, the agent MUST + immediately generate a response (including computation of the mapped + address as described in Section 7.3.1.2). The agent has sufficient + information at this point to generate the response; the password from + the peer is not required. Once the answer is received, it MUST + proceed with the remaining steps required; namely, see Sections + 7.3.1.3, 7.3.1.4, and 7.3.1.5 for full implementations. In cases + where multiple STUN requests are received before the answer, this may + cause several pairs to be queued up in the triggered-check queue. + + An agent MUST NOT utilize the ALTERNATE-SERVER mechanism and MUST NOT + support the backwards-compatibility mechanisms defined in RFC 5389 + (for working with the protocol in RFC 3489). It MUST utilize the + FINGERPRINT mechanism. + + If the agent is using DSCP markings [RFC2475] in its data packets, it + SHOULD apply the same markings to Binding responses. The same would + apply to any Layer 2 markings the endpoint might be applying to data + packets. + +7.3.1. Additional Procedures for Full Implementations + + This subsection defines the additional server procedures applicable + to full implementations, when the full implementation accepts the + Binding request. + + + + + + + +Keranen, et al. Standards Track [Page 45] + +RFC 8445 ICE July 2018 + + +7.3.1.1. Detecting and Repairing Role Conflicts + + In certain usages of ICE (such as 3PCC), both ICE agents may end up + choosing the same role, resulting in a role conflict. The section + describes a mechanism for detecting and repairing role conflicts. + The usage document MUST specify whether this mechanism is needed. + + An agent MUST examine the Binding request for either the ICE- + CONTROLLING or ICE-CONTROLLED attribute. It MUST follow these + procedures: + + o If the agent is in the controlling role, and the ICE-CONTROLLING + attribute is present in the request: + + * If the agent's tiebreaker value is larger than or equal to the + contents of the ICE-CONTROLLING attribute, the agent generates + a Binding error response and includes an ERROR-CODE attribute + with a value of 487 (Role Conflict) but retains its role. + + * If the agent's tiebreaker value is less than the contents of + the ICE-CONTROLLING attribute, the agent switches to the + controlled role. + + o If the agent is in the controlled role, and the ICE-CONTROLLED + attribute is present in the request: + + * If the agent's tiebreaker value is larger than or equal to the + contents of the ICE-CONTROLLED attribute, the agent switches to + the controlling role. + + * If the agent's tiebreaker value is less than the contents of + the ICE-CONTROLLED attribute, the agent generates a Binding + error response and includes an ERROR-CODE attribute with a + value of 487 (Role Conflict) but retains its role. + + o If the agent is in the controlled role and the ICE-CONTROLLING + attribute was present in the request, or if the agent was in the + controlling role and the ICE-CONTROLLED attribute was present in + the request, there is no conflict. + + A change in roles will require an agent to recompute pair priorities + (Section 6.1.2.3), since those priorities are a function of role. + The change in role will also impact whether the agent is responsible + for selecting nominated pairs and initiating exchange with updated + candidate information upon conclusion of ICE. + + + + + + +Keranen, et al. Standards Track [Page 46] + +RFC 8445 ICE July 2018 + + + The remaining subsections in Section 7.3.1 are followed if the agent + generated a successful response to the Binding request, even if the + agent changed roles. + +7.3.1.2. Computing Mapped Addresses + + For requests received on a relayed candidate, the source transport + address used for STUN processing (namely, generation of the + XOR-MAPPED-ADDRESS attribute) is the transport address as seen by the + TURN server. That source transport address will be present in the + XOR-PEER-ADDRESS attribute of a Data Indication message, if the + Binding request was delivered through a Data Indication. If the + Binding request was delivered through a ChannelData message, the + source transport address is the one that was bound to the channel. + +7.3.1.3. Learning Peer-Reflexive Candidates + + If the source transport address of the request does not match any + existing remote candidates, it represents a new peer-reflexive remote + candidate. This candidate is constructed as follows: + + o The type is peer reflexive. + + o The priority is the value of the PRIORITY attribute in the Binding + request. + + o The foundation is an arbitrary value, different from the + foundations of all other remote candidates. If any subsequent + candidate exchanges contain this peer-reflexive candidate, it will + signal the actual foundation for the candidate. + + o The component ID is the component ID of the local candidate to + which the request was sent. + + This candidate is added to the list of remote candidates. However, + the ICE agent does not pair this candidate with any local candidates. + +7.3.1.4. Triggered Checks + + Next, the agent constructs a pair whose local candidate has the + transport address (as seen by the agent) on which the STUN request + was received and a remote candidate equal to the source transport + address where the request came from (which may be the peer-reflexive + remote candidate that was just learned). The local candidate will be + either a host candidate (for cases where the request was not received + through a relay) or a relayed candidate (for cases where it is + received through a relay). The local candidate can never be a + server-reflexive candidate. Since both candidates are known to the + + + +Keranen, et al. Standards Track [Page 47] + +RFC 8445 ICE July 2018 + + + agent, it can obtain their priorities and compute the candidate pair + priority. This pair is then looked up in the checklist. There can + be one of several outcomes: + + o When the pair is already on the checklist: + + * If the state of that pair is Succeeded, nothing further is + done. + + * If the state of that pair is In-Progress, the agent cancels the + In-Progress transaction. Cancellation means that the agent + will not retransmit the Binding requests associated with the + connectivity-check transaction, will not treat the lack of + response to be a failure, but will wait the duration of the + transaction timeout for a response. In addition, the agent + MUST enqueue the pair in the triggered checklist associated + with the checklist, and set the state of the pair to Waiting, + in order to trigger a new connectivity check of the pair. + Creating a new connectivity check enables validating + In-Progress pairs as soon as possible, without having to wait + for retransmissions of the Binding requests associated with the + original connectivity-check transaction. + + * If the state of that pair is Waiting, Frozen, or Failed, the + agent MUST enqueue the pair in the triggered checklist + associated with the checklist (if not already present), and set + the state of the pair to Waiting, in order to trigger a new + connectivity check of the pair. Note that a state change of + the pair from Failed to Waiting might also trigger a state + change of the associated checklist. + + These steps are done to facilitate rapid completion of ICE when both + agents are behind NAT. + + o If the pair is not already on the checklist: + + * The pair is inserted into the checklist based on its priority. + + * Its state is set to Waiting. + + * The pair is enqueued into the triggered-check queue. + + When a triggered check is to be sent, it is constructed and processed + as described in Section 7.2.4. These procedures require the agent to + know the transport address, username fragment, and password for the + peer. The username fragment for the remote candidate is equal to the + part after the colon of the USERNAME in the Binding request that was + just received. Using that username fragment, the agent can check the + + + +Keranen, et al. Standards Track [Page 48] + +RFC 8445 ICE July 2018 + + + candidates received from its peer (there may be more than one in + cases of forking) and find this username fragment. The corresponding + password is then picked. + +7.3.1.5. Updating the Nominated Flag + + If the controlled agent receives a Binding request with the USE- + CANDIDATE attribute set, and if the ICE agent accepts the request, + the following action is based on the state of the pair computed in + Section 7.3.1.4: + + o If the state of this pair is Succeeded, it means that the check + previously sent by this pair produced a successful response and + generated a valid pair (Section 7.2.5.3.2). The agent sets the + nominated flag value of the valid pair to true. + + o If the received Binding request triggered a new check to be + enqueued in the triggered-check queue (Section 7.3.1.4), once the + check is sent and if it generates a successful response, and + generates a valid pair, the agent sets the nominated flag of the + pair to true. If the request fails (Section 7.2.5.2), the agent + MUST remove the candidate pair from the valid list, set the + candidate pair state to Failed, and set the checklist state to + Failed. + + If the controlled agent does not accept the request from the + controlling agent, the controlled agent MUST reject the nomination + request with an appropriate error code response (e.g., 400) + [RFC5389]. + + Once the nominated flag is set for a component of a data stream, it + concludes the ICE processing for that component. See Section 8. + +7.3.2. Additional Procedures for Lite Implementations + + If the controlled agent receives a Binding request with the USE- + CANDIDATE attribute set, and if the ICE agent accepts the request, + the agent constructs a candidate pair whose local candidate has the + transport address on which the request was received, and whose remote + candidate is equal to the source transport address of the request + that was received. This candidate pair is assigned an arbitrary + priority and placed into the valid list of the associated checklist. + The agent sets the nominated flag for that pair to true. + + Once the nominated flag is set for a component of a data stream, it + concludes the ICE processing for that component. See Section 8. + + + + + +Keranen, et al. Standards Track [Page 49] + +RFC 8445 ICE July 2018 + + +8. Concluding ICE Processing + + This section describes how an ICE agent completes ICE. + +8.1. Procedures for Full Implementations + + Concluding ICE involves nominating pairs by the controlling agent and + updating state machinery. + +8.1.1. Nominating Pairs + + Prior to nominating, the controlling agent lets connectivity checks + continue until some stopping criterion is met. After that, based on + an evaluation criterion, the controlling agent picks a pair among the + valid pairs in the valid list for nomination. + + Once the controlling agent has picked a valid pair for nomination, it + repeats the connectivity check that produced this valid pair (by + enqueueing the pair that generated the check into the triggered-check + queue), this time with the USE-CANDIDATE attribute + (Section 7.2.5.3.4). The procedures for the controlled agent are + described in Section 7.3.1.5. + + Eventually, if the nominations succeed, both the controlling and + controlled agents will have a single nominated pair in the valid list + for each component of the data stream. Once an ICE agent sets the + state of the checklist to Completed (when there is a nominated pair + for each component of the data stream), that pair becomes the + selected pair for that agent and is used for sending and receiving + data for that component of the data stream. + + If an agent is not able to produce selected pairs for each component + of a data stream, the agent MUST take proper actions for informing + the other agent, e.g., by removing the stream. The exact actions are + outside the scope of this specification. + + The criteria for stopping the connectivity checks and for picking a + pair for nomination are outside the scope of this specification. + They are a matter of local optimization. The only requirement is + that the agent MUST eventually pick one and only one candidate pair + and generate a check for that pair with the USE-CANDIDATE attribute + set. + + Once the controlling agent has successfully nominated a candidate + pair (Section 7.2.5.3.4), the agent MUST NOT nominate another pair + for same component of the data stream within the ICE session. Doing + so requires an ICE restart. + + + + +Keranen, et al. Standards Track [Page 50] + +RFC 8445 ICE July 2018 + + + A controlling agent that does not support this specification (i.e., + it is implemented according to RFC 5245) might nominate more than one + candidate pair. This was referred to as "aggressive nomination" in + RFC 5245. If more than one candidate pair is nominated by the + controlling agent, and if the controlled agent accepts multiple + nominations requests, the agents MUST produce the selected pairs and + use the pairs with the highest priority. + + The usage of the 'ice2' ICE option (Section 10) by endpoints + supporting this specification is supposed to prevent controlling + agents that are implemented according to RFC 5245 from using + aggressive nomination. + + NOTE: In RFC 5245, usage of "aggressive nomination" allowed agents to + continuously nominate pairs, before a pair was eventually selected, + in order to allow sending of data on those pairs. In this + specification, data can always be sent on any valid pair, without + nomination. Hence, there is no longer a need for aggressive + nomination. + +8.1.2. Updating Checklist and ICE States + + For both a controlling and a controlled agent, when a candidate pair + for a component of a data stream gets nominated, it might impact + other pairs in the checklist associated with the data stream. It + might also impact the state of the checklist: + + o Once a candidate pair for a component of a data stream has been + nominated, and the state of the checklist associated with the data + stream is Running, the ICE agent MUST remove all candidate pairs + for the same component from the checklist and from the triggered- + check queue. If the state of a pair is In-Progress, the agent + cancels the In-Progress transaction. Cancellation means that the + agent will not retransmit the Binding requests associated with the + connectivity-check transaction, will not treat the lack of + response to be a failure, but will wait the duration of the + transaction timeout for a response. + + o Once candidate pairs for each component of a data stream have been + nominated, and the state of the checklist associated with the data + stream is Running, the ICE agent sets the state of the checklist + to Completed. + + o Once a candidate pair for a component of a data stream has been + nominated, an agent MUST continue to respond to any Binding + request it might still receive for the nominated pair and for any + remaining candidate pairs in the checklist associated with the + + + + +Keranen, et al. Standards Track [Page 51] + +RFC 8445 ICE July 2018 + + + data stream. As defined in Section 7.3.1.4, when the state of a + pair is Succeeded, an agent will no longer generate triggered + checks when receiving a Binding request for the pair. + + Once the state of each checklist in the checklist set is Completed, + the agent sets the state of the ICE session to Completed. + + If the state of a checklist is Failed, ICE has not been able to + successfully complete the process for the data stream associated with + the checklist. The correct behavior depends on the state of the + checklists in the checklist set. If the controlling agent wants to + continue the session without the data stream associated with the + Failed checklist, and if there are still one or more checklists in + Running or Completed mode, the agent can let the ICE processing + continue. The agent MUST take proper actions for removing the failed + data stream. If the controlling agent does not want to continue the + session and MUST terminate the session, the state of the ICE session + is set to Failed. + + If the state of each checklist in the checklist set is Failed, the + state of the ICE session is set to Failed. Unless the controlling + agent wants to continue the session without the data streams, it MUST + terminate the session. + +8.2. Procedures for Lite Implementations + + When ICE concludes, a lite ICE agent can free host candidates that + were not used by ICE, as described in Section 8.3. + + If the peer is a full agent, once the lite agent accepts a nomination + request for a candidate pair, the lite agent considers the pair + nominated. Once there are nominated pairs for each component of a + data stream, the pairs become the selected pairs for the components + of the data stream. Once the lite agent has produced selected pairs + for all components of all data streams, the ICE session state is set + to Completed. + + If the peer is a lite agent, the agent pairs local candidates with + remote candidates that are of the same data stream and have the same + component, transport protocol, and IP address family. For each + component of each data stream, if there is only one candidate pair, + that pair is added to the valid list. If there is more than one + pair, it is RECOMMENDED that an agent follow the procedures of RFC + 6724 [RFC6724] to select a pair and add it to the valid list. + + + + + + + +Keranen, et al. Standards Track [Page 52] + +RFC 8445 ICE July 2018 + + + If all of the components for all data streams had one pair, the state + of ICE processing is Completed. Otherwise, the controlling agent + MUST send an updated candidate list to reconcile different agents + selecting different candidate pairs. ICE processing is complete + after and only after the updated candidate exchange is complete. + +8.3. Freeing Candidates + +8.3.1. Full Implementation Procedures + + The rules in this section describe when it is safe for an agent to + cease sending or receiving checks on a candidate that did not become + a selected candidate (i.e., is not associated with a selected pair) + and when to free the candidate. + + Once a checklist has reached the Completed state, the agent SHOULD + wait an additional three seconds, and then it can cease responding to + checks or generating triggered checks on all local candidates other + than the ones that became selected candidates. Once all ICE sessions + have ceased using a given local candidate (a candidate may be used by + multiple ICE sessions, e.g., in forking scenarios), the agent can + free that candidate. The three-second delay handles cases when + aggressive nomination is used, and the selected pairs can quickly + change after ICE has completed. + + Freeing of server-reflexive candidates is never explicit; it happens + by lack of a keepalive. + +8.3.2. Lite Implementation Procedures + + A lite implementation can free candidates that did not become + selected candidates as soon as ICE processing has reached the + Completed state for all ICE sessions using those candidates. + +9. ICE Restarts + + An ICE agent MAY restart ICE for existing data streams. An ICE + restart causes all previous states of the data streams, excluding the + roles of the agents, to be flushed. The only difference between an + ICE restart and a brand new data session is that during the restart, + data can continue to be sent using existing data sessions, and a new + data session always requires the roles to be determined. + + + + + + + + + +Keranen, et al. Standards Track [Page 53] + +RFC 8445 ICE July 2018 + + + The following actions can be accomplished only by using an ICE + restart (the agent MUST use ICE restarts to do so): + + o Change the destinations of data streams. + + o Change from a lite implementation to a full implementation. + + o Change from a full implementation to a lite implementation. + + To restart ICE, an agent MUST change both the password and the + username fragment for the data stream(s) being restarted. + + When the ICE is restarted, the candidate set for the new ICE session + might include some, none, or all of the candidates used in the + current ICE session. + + As described in Section 6.1.1, agents MUST NOT redetermine the roles + as part as an ICE restart, unless certain criteria that require the + roles to be redetermined are fulfilled. + +10. ICE Option + + This section defines a new ICE option, 'ice2'. When an ICE agent + includes 'ice2' in a candidate exchange, the ICE option indicates + that it is compliant to this specification. For example, the agent + will not use the aggressive nomination procedure defined in RFC 5245. + In addition, it will ensure that a peer compliant with RFC 5245 does + not use aggressive nomination either, as required by Section 14 of + RFC 5245 for peers that receive unknown ICE options. + + An agent compliant to this specification MUST inform the peer about + the compliance using the 'ice2' option. + + NOTE: The encoding of the 'ice2' option, and the message(s) used to + carry it to the peer, are protocol specific. The encoding for SDP + [RFC4566] is defined in [ICE-SIP-SDP]. + +11. Keepalives + + All endpoints MUST send keepalives for each data session. These + keepalives serve the purpose of keeping NAT bindings alive for the + data session. The keepalives SHOULD be sent using a format that is + supported by its peer. ICE endpoints allow for STUN-based keepalives + for UDP streams, and as such, STUN keepalives MUST be used when an + ICE agent is a full ICE implementation and is communicating with a + peer that supports ICE (lite or full). + + + + + +Keranen, et al. Standards Track [Page 54] + +RFC 8445 ICE July 2018 + + + An agent MUST send a keepalive on each candidate pair that is used + for sending data if no packet has been sent on that pair in the last + Tr seconds. Agents SHOULD use a Tr value of 15 seconds. Agents MAY + use a bigger value but MUST NOT use a value smaller than 15 seconds. + + Once selected pairs have been produced for a data stream, keepalives + are only sent on those pairs. + + An agent MUST stop sending keepalives on a data stream if the data + stream is removed. If the ICE session is terminated, an agent MUST + stop sending keepalives on all data streams. + + An agent MAY use another value for Tr, e.g., based on configuration + or network/NAT characteristics. For example, if an agent has a + dynamic way to discover the binding lifetimes of the intervening + NATs, it can use that value to determine Tr. Administrators + deploying ICE in more controlled networking environments SHOULD set + Tr to the longest duration possible in their environment. + + When STUN is being used for keepalives, a STUN Binding Indication is + used [RFC5389]. The Indication MUST NOT utilize any authentication + mechanism. It SHOULD contain the FINGERPRINT attribute to aid in + demultiplexing, but it SHOULD NOT contain any other attributes. It + is used solely to keep the NAT bindings alive. The Binding + Indication is sent using the same local and remote candidates that + are being used for data. Though Binding Indications are used for + keepalives, an agent MUST be prepared to receive a connectivity check + as well. If a connectivity check is received, a response is + generated as discussed in [RFC5389], but there is no impact on ICE + processing otherwise. + + Agents MUST by default use STUN keepalives. Individual ICE usages + and ICE extensions MAY specify usage-/extension-specific keepalives. + +12. Data Handling + +12.1. Sending Data + + An ICE agent MAY send data on any valid pair before selected pairs + have been produced for the data stream. + + Once selected pairs have been produced for a data stream, an agent + MUST send data on those pairs only. + + An agent sends data from the base of the local candidate to the + remote candidate. In the case of a local relayed candidate, data is + forwarded through the base (located in the TURN server), using the + procedures defined in [RFC5766]. + + + +Keranen, et al. Standards Track [Page 55] + +RFC 8445 ICE July 2018 + + + If the local candidate is a relayed candidate, it is RECOMMENDED that + an agent creates a channel on the TURN server towards the remote + candidate. This is done using the procedures for channel creation as + defined in Section 11 of [RFC5766]. + + The selected pair for a component of a data stream is: + + o empty if the state of the checklist for that data stream is + Running, and there is no previous selected pair for that component + due to an ICE restart + + o equal to the previous selected pair for a component of a data + stream if the state of the checklist for that data stream is + Running, and there was a previous selected pair for that component + due to an ICE restart + + Unless an agent is able to produce a selected pair for each component + associated with a data stream, the agent MUST NOT continue sending + data for any component associated with that data stream. + +12.1.1. Procedures for Lite Implementations + + A lite implementation MUST NOT send data until it has a valid list + that contains a candidate pair for each component of that data + stream. Once that happens, the ICE agent MAY begin sending data + packets. To do that, it sends data to the remote candidate in the + pair (setting the destination address and port of the packet equal to + that remote candidate) and will send it from the base associated with + the candidate pair used for sending data. In case of a relayed + candidate, data is sent from the agent and forwarded through the base + (located in the TURN server), using the procedures defined in + [RFC5766]. + +12.2. Receiving Data + + Even though ICE agents are only allowed to send data using valid + candidate pairs (and, once selected pairs have been produced, only on + the selected pairs), ICE implementations SHOULD by default be + prepared to receive data on any of the candidates provided in the + most recent candidate exchange with the peer. ICE usages MAY define + rules that differ from this, e.g., by defining that data will not be + sent until selected pairs have been produced for a data stream. + + When an agent receives an RTP packet with a new source or destination + IP address for a particular RTP/RTCP data stream, it is RECOMMENDED + that the agent readjust its jitter buffers. + + + + + +Keranen, et al. Standards Track [Page 56] + +RFC 8445 ICE July 2018 + + + Section 8.2 of RFC 3550 [RFC3550] describes an algorithm for + detecting synchronization source (SSRC) collisions and loops. These + algorithms are based, in part, on seeing different source transport + addresses with the same SSRC. However, when ICE is used, such + changes will sometimes occur as the data streams switch between + candidates. An agent will be able to determine that a data stream is + from the same peer as a consequence of the STUN exchange that + proceeds media data transmission. Thus, if there is a change in the + source transport address, but the media data packets come from the + same peer agent, this MUST NOT be treated as an SSRC collision. + +13. Extensibility Considerations + + This specification makes very specific choices about how both ICE + agents in a session coordinate to arrive at the set of candidate + pairs that are selected for data. It is anticipated that future + specifications will want to alter these algorithms, whether they are + simple changes like timer tweaks or larger changes like a revamp of + the priority algorithm. When such a change is made, providing + interoperability between the two agents in a session is critical. + + First, ICE provides the ICE option concept. Each extension or change + to ICE is associated with an ICE option. When an agent supports such + an extension or change, it provides the ICE option to the peer agent + as part of the candidate exchange. + + One of the complications in achieving interoperability is that ICE + relies on a distributed algorithm running on both agents to converge + on an agreed set of candidate pairs. If the two agents run different + algorithms, it can be difficult to guarantee convergence on the same + candidate pairs. The nomination procedure described in Section 8 + eliminates some of the need for tight coordination by delegating the + selection algorithm completely to the controlling agent, and ICE will + converge perfectly even when both agents use different pair + prioritization algorithms. One of the keys to such convergence is + triggered checks, which ensure that the nominated pair is validated + by both agents. + + ICE is also extensible to other data streams beyond RTP and for + transport protocols beyond UDP. Extensions to ICE for non-RTP data + streams need to specify how many components they utilize and assign + component IDs to them, starting at 1 for the most important component + ID. Specifications for new transport protocols MUST define how, if + at all, various steps in the ICE processing differ from UDP. + + + + + + + +Keranen, et al. Standards Track [Page 57] + +RFC 8445 ICE July 2018 + + +14. Setting Ta and RTO + +14.1. General + + During the ICE gathering phase (Section 5.1.1) and while ICE is + performing connectivity checks (Section 7), an ICE agent triggers + STUN and TURN transactions. These transactions are paced at a rate + indicated by Ta, and the retransmission interval for each transaction + is calculated based on the retransmission timer for the STUN + transactions (RTO) [RFC5389]. + + This section describes how the Ta and RTO values are computed during + the ICE gathering phase and while ICE is performing connectivity + checks. + + NOTE: Previously, in RFC 5245, different formulas were defined for + computing Ta and RTO, depending on whether or not ICE was used for a + real-time data stream (e.g., RTP). + + The formulas below result in a behavior whereby an agent will send + its first packet for every single connectivity check before + performing a retransmit. This can be seen in the formulas for the + RTO (which represents the retransmit interval). Those formulas scale + with N, the number of checks to be performed. As a result of this, + ICE maintains a nicely constant rate, but it becomes more sensitive + to packet loss. The loss of the first single packet for any + connectivity check is likely to cause that pair to take a long time + to be validated, and instead, a lower-priority check (but one for + which there was no packet loss) is much more likely to complete + first. This results in ICE performing suboptimally, choosing lower- + priority pairs over higher-priority pairs. + +14.2. Ta + + ICE agents SHOULD use a default Ta value, 50 ms, but MAY use another + value based on the characteristics of the associated data. + + If an agent wants to use a Ta value other than the default value, the + agent MUST indicate the proposed value to its peer during the + establishment of the ICE session. Both agents MUST use the higher + value of the proposed values. If an agent does not propose a value, + the default value is used for that agent when comparing which value + is higher. + + Regardless of the Ta value chosen for each agent, the combination of + all transactions from all agents (if a given implementation runs + several concurrent agents) MUST NOT be sent more often than once + + + + +Keranen, et al. Standards Track [Page 58] + +RFC 8445 ICE July 2018 + + + every 5 ms (as though there were one global Ta value for pacing all + agents). See Appendix B.1 for the background of using a value of + 5 ms with ICE. + + NOTE: Appendix C shows examples of required bandwidth, using + different Ta values. + +14.3. RTO + + During the ICE gathering phase, ICE agents SHOULD calculate the RTO + value using the following formula: + + RTO = MAX (500ms, Ta * (Num-Of-Cands)) + + Num-Of-Cands: the number of server-reflexive and relay candidates + + For connectivity checks, agents SHOULD calculate the RTO value using + the following formula: + + RTO = MAX (500ms, Ta * N * (Num-Waiting + Num-In-Progress)) + + N: the total number of connectivity checks to be performed. + + Num-Waiting: the number of checks in the checklist set in the + Waiting state. + + Num-In-Progress: the number of checks in the checklist set in the + In-Progress state. + + Note that the RTO will be different for each transaction as the + number of checks in the Waiting and In-Progress states change. + + + Agents MAY calculate the RTO value using other mechanisms than those + described above. Agents MUST NOT use an RTO value smaller than + 500 ms. + +15. Examples + + This section shows two ICE examples: one using IPv4 addresses and one + using IPv6 addresses. + + To facilitate understanding, transport addresses are listed using + variables that have mnemonic names. The format of the name is + entity-type-seqno: "entity" refers to the entity whose IP address the + transport address is on and is one of "L", "R", "STUN", or "NAT". + The type is either "PUB" for transport addresses that are public or + "PRIV" for transport addresses that are private [RFC1918]. Finally, + + + +Keranen, et al. Standards Track [Page 59] + +RFC 8445 ICE July 2018 + + + seq-no is a sequence number that is different for each transport + address of the same type on a particular entity. Each variable has + an IP address and port, denoted by varname.IP and varname.PORT, + respectively, where varname is the name of the variable. + + In the call flow itself, STUN messages are annotated with several + attributes. The "S=" attribute indicates the source transport + address of the message. The "D=" attribute indicates the destination + transport address of the message. The "MA=" attribute is used in + STUN Binding response messages and refers to the mapped address. + "USE-CAND" implies the presence of the USE-CANDIDATE attribute. + + The call flow examples omit STUN authentication operations and focus + on a single data stream between two full implementations. + +15.1. Example with IPv4 Addresses + + The example below is using the topology shown in Figure 7. + + + +-------+ + |STUN | + |Server | + +-------+ + | + +---------------------+ + | | + | Internet | + | | + +---------------------+ + | | + | | + +---------+ | + | NAT | | + +---------+ | + | | + | | + +-----+ +-----+ + | L | | R | + +-----+ +-----+ + + Figure 7: Example Topology + + + + + + + + + +Keranen, et al. Standards Track [Page 60] + +RFC 8445 ICE July 2018 + + + In the example, ICE agents L and R are full ICE implementations. + Both agents have a single IPv4 address, and both are configured with + the same STUN server. The NAT has an endpoint-independent mapping + property and an address-dependent filtering property. The IP + addresses of the ICE agents, the STUN server, and the NAT are shown + below: + + ENTITY IP Address Mnemonic name + -------------------------------------------------- + ICE Agent L: 10.0.1.1 L-PRIV-1 + ICE Agent R: 192.0.2.1 R-PUB-1 + STUN Server: 192.0.2.2 STUN-PUB-1 + NAT (Public): 192.0.2.3 NAT-PUB-1 + + + L NAT STUN R + |STUN alloc. | | | + |(1) STUN Req | | | + |S=$L-PRIV-1 | | | + |D=$STUN-PUB-1 | | | + |------------->| | | + | |(2) STUN Req | | + | |S=$NAT-PUB-1 | | + | |D=$STUN-PUB-1 | | + | |------------->| | + | |(3) STUN Res | | + | |S=$STUN-PUB-1 | | + | |D=$NAT-PUB-1 | | + | |MA=$NAT-PUB-1 | | + | |<-------------| | + |(4) STUN Res | | | + |S=$STUN-PUB-1 | | | + |D=$L-PRIV-1 | | | + |MA=$NAT-PUB-1 | | | + |<-------------| | | + |(5) L's Candidate Information| | + |------------------------------------------->| + | | | | STUN + | | | | alloc. + | | |(6) STUN Req | + | | |S=$R-PUB-1 | + | | |D=$STUN-PUB-1 | + | | |<-------------| + | | |(7) STUN Res | + | | |S=$STUN-PUB-1 | + | | |D=$R-PUB-1 | + | | |MA=$R-PUB-1 | + | | |------------->| + + + +Keranen, et al. Standards Track [Page 61] + +RFC 8445 ICE July 2018 + + + |(8) R's Candidate Information| | + |<-------------------------------------------| + | | (9) Bind Req |Begin + | | S=$R-PUB-1 |Connectivity + | | D=$L-PRIV-1 |Checks + | | <-------------------| + | | Dropped | + |(10) Bind Req | | | + |S=$L-PRIV-1 | | | + |D=$R-PUB-1 | | | + |------------->| | | + | |(11) Bind Req | | + | |S=$NAT-PUB-1 | | + | |D=$R-PUB-1 | | + | |---------------------------->| + | |(12) Bind Res | | + | |S=$R-PUB-1 | | + | |D=$NAT-PUB-1 | | + | |MA=$NAT-PUB-1 | | + | |<----------------------------| + |(13) Bind Res | | | + |S=$R-PUB-1 | | | + |D=$L-PRIV-1 | | | + |MA=$NAT-PUB-1 | | | + |<-------------| | | + |Data | | | + |===========================================>| + | | | | + | |(14) Bind Req | | + | |S=$R-PUB-1 | | + | |D=$NAT-PUB-1 | | + | |<----------------------------| + |(15) Bind Req | | | + |S=$R-PUB-1 | | | + |D=$L-PRIV-1 | | | + |<-------------| | | + |(16) Bind Res | | | + |S=$L-PRIV-1 | | | + |D=$R-PUB-1 | | | + |MA=$R-PUB-1 | | | + |------------->| | | + | |(17) Bind Res | | + | |S=$NAT-PUB-1 | | + | |D=$R-PUB-1 | | + | |MA=$R-PUB-1 | | + | |---------------------------->| + |Data | | | + |<===========================================| + + + +Keranen, et al. Standards Track [Page 62] + +RFC 8445 ICE July 2018 + + + | | | | + ....... + | | | | + |(18) Bind Req | | | + |S=$L-PRIV-1 | | | + |D=$R-PUB-1 | | | + |USE-CAND | | | + |------------->| | | + | |(19) Bind Req | | + | |S=$NAT-PUB-1 | | + | |D=$R-PUB-1 | | + | |USE-CAND | | + | |---------------------------->| + | |(20) Bind Res | | + | |S=$R-PUB-1 | | + | |D=$NAT-PUB-1 | | + | |MA=$NAT-PUB-1 | | + | |<----------------------------| + |(21) Bind Res | | | + |S=$R-PUB-1 | | | + |D=$L-PRIV-1 | | | + |MA=$NAT-PUB-1 | | | + |<-------------| | | + | | | | + + Figure 8: Example Flow + + Messages 1-4: Agent L gathers a host candidate from its local IP + address, and from that it sends a STUN Binding request to the STUN + server. The request creates a NAT binding. The NAT public IP + address of the binding becomes agent L's server-reflexive candidate. + + Message 5: Agent L sends its local candidate information to agent R, + using the signaling protocol associated with the ICE usage. + + Messages 6-7: Agent R gathers a host candidate from its local IP + address, and from that it sends a STUN Binding request to the STUN + server. Since agent R is not behind a NAT, R's server-reflexive + candidate will be identical to the host candidate. + + Message 8: Agent R sends its local candidate information to agent L, + using the signaling protocol associated with the ICE usage. + + Since both agents are full ICE implementations, the initiating agent + (agent L) becomes the controlling agent. + + + + + + +Keranen, et al. Standards Track [Page 63] + +RFC 8445 ICE July 2018 + + + Agents L and R both pair up the candidates. Both agents initially + have two pairs. However, agent L will prune the pair containing its + server-reflexive candidate, resulting in just one (L1). At agent L, + this pair has a local candidate of $L_PRIV_1 and a remote candidate + of $R_PUB_1. At agent R, there are two pairs. The highest-priority + pair (R1) has a local candidate of $R_PUB_1 and a remote candidate of + $L_PRIV_1, and the second pair (R2) has a local candidate of $R_PUB_1 + and a remote candidate of $NAT_PUB_1. The pairs are shown below (the + pair numbers are for reference purposes only): + + Pairs + ENTITY Local Remote Pair # Valid + ------------------------------------------------------------------ + ICE Agent L: L_PRIV_1 R_PUB_1 L1 + + ICE Agent R: R_PUB_1 L_PRIV_1 R1 + R_PUB_1 NAT_PUB_1 R2 + + Message 9: Agent R initiates a connectivity check for pair #2. As + the remote candidate of the pair is the private address of agent L, + the check will not be successful, as the request cannot be routed + from R to L, and will be dropped by the network. + + Messages 10-13: Agent L initiates a connectivity check for pair L1. + The check succeeds, and L creates a new pair (L2). The local + candidate of the new pair is $NAT_PUB_1, and the remote candidate is + $R_PUB_1. The pair (L2) is added to the valid list of agent L. + Agent L can now send and receive data on the pair (L2) if it wishes. + + Pairs + ENTITY Local Remote Pair # Valid + ------------------------------------------------------------------ + ICE Agent L: L_PRIV_1 R_PUB_1 L1 + NAT_PUB_1 R_PUB_1 L2 X + + ICE Agent R: R_PUB_1 L_PRIV_1 R1 + R_PUB_1 NAT_PUB_1 R2 + + Messages 14-17: When agent R receives the Binding request from agent + L (message 11), it will initiate a triggered connectivity check. The + pair matches one of agent R's existing pairs (R2). The check + succeeds, and the pair (R2) is added to the valid list of agent R. + Agent R can now send and receive data on the pair (R2) if it wishes. + + + + + + + + +Keranen, et al. Standards Track [Page 64] + +RFC 8445 ICE July 2018 + + + Pairs + ENTITY Local Remote Pair # Valid + ------------------------------------------------------------------ + ICE Agent L: L_PRIV_1 R_PUB_1 L1 + NAT_PUB_1 R_PUB_1 L2 X + + ICE Agent R: R_PUB_1 L_PRIV_1 R1 + R_PUB_1 NAT_PUB_1 R2 X + + Messages 18-21: At some point, the controlling agent (agent L) + decides to nominate a pair (L2) in the valid list. It performs a + connectivity check on the pair (L2) and includes the USE-CANDIDATE + attribute in the Binding request. As the check succeeds, agent L + sets the nominated flag value of the pair (L2) to 'true', and agent R + sets the nominated flag value of the matching pair (R2) to 'true'. + As there are no more components associated with the stream, the + nominated pairs become the selected pairs. Consequently, processing + for this stream moves into the Completed state. The ICE process also + moves into the Completed state. + +15.2. Example with IPv6 Addresses + + The example below is using the topology shown in Figure 9. + + +-------+ + |STUN | + |Server | + +-------+ + | + +---------------------+ + | | + | Internet | + | | + +---------------------+ + | | + | | + | | + | | + | | + | | + | | + +-----+ +-----+ + | L | | R | + +-----+ +-----+ + + Figure 9: Example Topology + + + + + +Keranen, et al. Standards Track [Page 65] + +RFC 8445 ICE July 2018 + + + In the example, ICE agents L and R are full ICE implementations. + Both agents have a single IPv6 address, and both are configured with + the same STUN server. The IP addresses of the ICE agents and the + STUN server are shown below: + + ENTITY IP Address mnemonic name + -------------------------------------------------- + ICE Agent L: 2001:db8::3 L-PUB-1 + ICE Agent R: 2001:db8::5 R-PUB-1 + STUN Server: 2001:db8::9 STUN-PUB-1 + + + L STUN R + |STUN alloc. | | + |(1) STUN Req | | + |S=$L-PUB-1 | | + |D=$STUN-PUB-1 | | + |---------------------------->| | + |(2) STUN Res | | + | S=$STUN-PUB-1 | | + | D=$L-PUB-1 | | + | MA=$L-PUB-1 | | + |<----------------------------| | + |(3) L's Candidate Information| | + |------------------------------------------->| + | | | STUN + | | | alloc. + | |(4) STUN Req | + | |S=$R-PUB-1 | + | |D=$STUN-PUB-1 | + | |<-------------| + | |(5) STUN Res | + | |S=$STUN-PUB-1 | + | |D=$R-PUB-1 | + | |MA=$R-PUB-1 | + | |------------->| + |(6) R's Candidate Information| | + |<-------------------------------------------| + |(7) Bind Req | | + |S=$L-PUB-1 | | + |D=$R-PUB-1 | | + |------------------------------------------->| + |(8) Bind Res | | + |S=$R-PUB-1 | | + |D=$L-PUB-1 | | + |MA=$L-PUB-1 | | + |<-------------------------------------------| + + + + +Keranen, et al. Standards Track [Page 66] + +RFC 8445 ICE July 2018 + + + |Data | | + |===========================================>| + | | | + |(9) Bind Req | | + |S=$R-PUB-1 | | + |D=$L-PUB-1 | | + |<-------------------------------------------| + |(10) Bind Res | | + |S=$L-PUB-1 | | + |D=$R-PUB-1 | | + |MA=$R-PUB-1 | | + |------------------------------------------->| + |Data | | + |<===========================================| + | | | + ....... + | | | + |(11) Bind Req | | + |S=$L-PUB-1 | | + |D=$R-PUB-1 | | + |USE-CAND | | + |------------------------------------------->| + |(12) Bind Res | | + |S=$R-PUB-1 | | + |D=$L-PUB-1 | | + |MA=$L-PUB-1 | | + |<-------------------------------------------| + | | | | + + Figure 10: Example Flow + + Messages 1-2: Agent L gathers a host candidate from its local IP + address, and from that it sends a STUN Binding request to the STUN + server. Since agent L is not behind a NAT, L's server-reflexive + candidate will be identical to the host candidate. + + Message 3: Agent L sends its local candidate information to agent R, + using the signaling protocol associated with the ICE usage. + + Messages 4-5: Agent R gathers a host candidate from its local IP + address, and from that it sends a STUN Binding request to the STUN + server. Since agent R is not behind a NAT, R's server-reflexive + candidate will be identical to the host candidate. + + Message 6: Agent R sends its local candidate information to agent L, + using the signaling protocol associated with the ICE usage. + + + + + +Keranen, et al. Standards Track [Page 67] + +RFC 8445 ICE July 2018 + + + Since both agents are full ICE implementations, the initiating agent + (agent L) becomes the controlling agent. + + Agents L and R both pair up the candidates. Both agents initially + have one pair each. At agent L, the pair (L1) has a local candidate + of $L_PUB_1 and a remote candidate of $R_PUB_1. At agent R, the pair + (R1) has a local candidate of $R_PUB_1 and a remote candidate of + $L_PUB_1. The pairs are shown below (the pair numbers are for + reference purpose only): + + Pairs + ENTITY Local Remote Pair # Valid + ------------------------------------------------------------------ + ICE Agent L: L_PUB_1 R_PUB_1 L1 + + ICE Agent R: R_PUB_1 L_PUB_1 R1 + + Messages 7-8: Agent L initiates a connectivity check for pair L1. + The check succeeds, and the pair (L1) is added to the valid list of + agent L. Agent L can now send and receive data on the pair (L1) if + it wishes. + + Pairs + ENTITY Local Remote Pair # Valid + ------------------------------------------------------------------ + ICE Agent L: L_PUB_1 R_PUB_1 L1 X + + ICE Agent R: R_PUB_1 L_PUB_1 R1 + + Messages 9-10: When agent R receives the Binding request from agent L + (message 7), it will initiate a triggered connectivity check. The + pair matches agent R's existing pair (R1). The check succeeds, and + the pair (R1) is added to the valid list of agent R. Agent R can now + send and receive data on the pair (R1) if it wishes. + + Pairs + ENTITY Local Remote Pair # Valid + ------------------------------------------------------------------ + ICE Agent L: L_PUB_1 R_PUB_1 L1 X + + ICE Agent R: R_PUB_1 L_PUB_1 R1 X + + Messages 11-12: At some point, the controlling agent (agent L) + decides to nominate a pair (L1) in the valid list. It performs a + connectivity check on the pair (L1) and includes the USE-CANDIDATE + attribute in the Binding request. As the check succeeds, agent L + sets the nominated flag value of the pair (L1) to 'true', and agent R + sets the nominated flag value of the matching pair (R1) to 'true'. + + + +Keranen, et al. Standards Track [Page 68] + +RFC 8445 ICE July 2018 + + + As there are no more components associated with the stream, the + nominated pairs become the selected pairs. Consequently, processing + for this stream moves into the Completed state. The ICE process also + moves into the Completed state. + +16. STUN Extensions + +16.1. Attributes + + This specification defines four STUN attributes: PRIORITY, + USE-CANDIDATE, ICE-CONTROLLED, and ICE-CONTROLLING. + + The PRIORITY attribute indicates the priority that is to be + associated with a peer-reflexive candidate, if one will be discovered + by this check. It is a 32-bit unsigned integer and has an attribute + value of 0x0024. + + The USE-CANDIDATE attribute indicates that the candidate pair + resulting from this check will be used for transmission of data. The + attribute has no content (the Length field of the attribute is zero); + it serves as a flag. It has an attribute value of 0x0025. + + The ICE-CONTROLLED attribute is present in a Binding request. The + attribute indicates that the client believes it is currently in the + controlled role. The content of the attribute is a 64-bit unsigned + integer in network byte order, which contains a random number. The + number is used for solving role conflicts, when it is referred to as + the "tiebreaker value". An ICE agent MUST use the same number for + all Binding requests, for all streams, within an ICE session, unless + it has received a 487 response, in which case it MUST change the + number (Section 7.2.5.1). The agent MAY change the number when an + ICE restart occurs. + + The ICE-CONTROLLING attribute is present in a Binding request. The + attribute indicates that the client believes it is currently in the + controlling role. The content of the attribute is a 64-bit unsigned + integer in network byte order, which contains a random number. As + for the ICE-CONTROLLED attribute, the number is used for solving role + conflicts. An agent MUST use the same number for all Binding + requests, for all streams, within an ICE session, unless it has + received a 487 response, in which case it MUST change the number + (Section 7.2.5.1). The agent MAY change the number when an ICE + restart occurs. + + + + + + + + +Keranen, et al. Standards Track [Page 69] + +RFC 8445 ICE July 2018 + + +16.2. New Error-Response Codes + + This specification defines a single error-response code: + + 487 (Role Conflict): The Binding request contained either the ICE- + CONTROLLING or ICE-CONTROLLED attribute, indicating an ICE role + that conflicted with the server. The remote server compared the + tiebreaker values of the client and the server and determined that + the client needs to switch roles. + +17. Operational Considerations + + This section discusses issues relevant to operators operating + networks where ICE will be used by endpoints. + +17.1. NAT and Firewall Types + + ICE was designed to work with existing NAT and firewall equipment. + Consequently, it is not necessary to replace or reconfigure existing + firewall and NAT equipment in order to facilitate deployment of ICE. + Indeed, ICE was developed to be deployed in environments where the + Voice over IP (VoIP) operator has no control over the IP network + infrastructure, including firewalls and NATs. + + That said, ICE works best in environments where the NAT devices are + "behave" compliant, meeting the recommendations defined in [RFC4787] + and [RFC5382]. In networks with behave-compliant NAT, ICE will work + without the need for a TURN server, thus improving voice quality, + decreasing call setup times, and reducing the bandwidth demands on + the network operator. + +17.2. Bandwidth Requirements + + Deployment of ICE can have several interactions with available + network capacity that operators need to take into consideration. + +17.2.1. STUN and TURN Server-Capacity Planning + + First and foremost, ICE makes use of TURN and STUN servers, which + would typically be located in data centers. The STUN servers require + relatively little bandwidth. For each component of each data stream, + there will be one or more STUN transactions from each client to the + STUN server. In a basic voice-only IPv4 VoIP deployment, there will + be four transactions per call (one for RTP and one for RTCP, for both + the caller and callee). Each transaction is a single request and a + single response, the former being 20 bytes long, and the latter, 28. + + + + + +Keranen, et al. Standards Track [Page 70] + +RFC 8445 ICE July 2018 + + + Consequently, if a system has N users, and each makes four calls in a + busy hour, this would require N*1.7bps. For one million users, this + is 1.7 Mbps, a very small number (relatively speaking). + + TURN traffic is more substantial. The TURN server will see traffic + volume equal to the STUN volume (indeed, if TURN servers are + deployed, there is no need for a separate STUN server), in addition + to the traffic for the actual data. The amount of calls requiring + TURN for data relay is highly dependent on network topologies, and + can and will vary over time. In a network with 100% behave-compliant + NATs, it is exactly zero. + + The planning considerations above become more significant in + multimedia scenarios (e.g., audio and video conferences) and when the + numbers of participants in a session grow. + +17.2.2. Gathering and Connectivity Checks + + The process of gathering candidates and performing connectivity + checks can be bandwidth intensive. ICE has been designed to pace + both of these processes. The gathering and connectivity-check phases + are meant to generate traffic at roughly the same bandwidth as the + data traffic itself will consume once the ICE process concludes. + This was done to ensure that if a network is designed to support + communication traffic of a certain type (voice, video, or just text), + it will have sufficient capacity to support the ICE checks for that + data. Once ICE has concluded, the subsequent ICE keepalives will + later cause a marginal increase in the total bandwidth utilization; + however, this will typically be an extremely small increase. + + Congestion due to the gathering and check phases has proven to be a + problem in deployments that did not utilize pacing. Typically, + access links became congested as the endpoints flooded the network + with checks as fast as they could send them. Consequently, network + operators need to ensure that their ICE implementations support the + pacing feature. Though this pacing does increase call setup times, + it makes ICE network friendly and easier to deploy. + +17.2.3. Keepalives + + STUN keepalives (in the form of STUN Binding Indications) are sent in + the middle of a data session. However, they are sent only in the + absence of actual data traffic. In deployments with continuous media + and without utilizing Voice Activity Detection (VAD), or deployments + where VAD is utilized together with short interval (max 1 second) + comfort noise, the keepalives are never used and there is no increase + in bandwidth usage. When VAD is being used without comfort noise, + keepalives will be sent during silence periods. This involves a + + + +Keranen, et al. Standards Track [Page 71] + +RFC 8445 ICE July 2018 + + + single packet every 15-20 seconds, far less than the packet every + 20-30 ms that is sent when there is voice. Therefore, keepalives do + not have any real impact on capacity planning. + +17.3. ICE and ICE-Lite + + Deployments utilizing a mix of ICE and ICE-lite interoperate with + each other. They have been explicitly designed to do so. + + However, ICE-lite can only be deployed in limited use cases. Those + cases, and the caveats involved in doing so, are documented in + Appendix A. + +17.4. Troubleshooting and Performance Management + + ICE utilizes end-to-end connectivity checks and places much of the + processing in the endpoints. This introduces a challenge to the + network operator -- how can they troubleshoot ICE deployments? How + can they know how ICE is performing? + + ICE has built-in features to help deal with these problems. + Signaling servers, typically deployed in data centers of the network + operator, will see the contents of the candidate exchanges that + convey the ICE parameters. These parameters include the type of each + candidate (host, server reflexive, or relayed), along with their + related addresses. Once ICE processing has completed, an updated + candidate exchange takes place, signaling the selected address (and + its type). This updated signaling is performed exactly for the + purposes of educating network equipment (such as a diagnostic tool + attached to a signaling) about the results of ICE processing. + + As a consequence, through the logs generated by a signaling server, a + network operator can observe what types of candidates are being used + for each call and what addresses were selected by ICE. This is the + primary information that helps evaluate how ICE is performing. + +17.5. Endpoint Configuration + + ICE relies on several pieces of data being configured into the + endpoints. This configuration data includes timers, credentials for + TURN servers, and hostnames for STUN and TURN servers. ICE itself + does not provide a mechanism for this configuration. Instead, it is + assumed that this information is attached to whatever mechanism is + used to configure all of the other parameters in the endpoint. For + SIP phones, standard solutions such as the configuration framework + [RFC6080] have been defined. + + + + + +Keranen, et al. Standards Track [Page 72] + +RFC 8445 ICE July 2018 + + +18. IAB Considerations + + The IAB has studied the problem of "Unilateral Self-Address Fixing" + (UNSAF), which is the general process by which an ICE agent attempts + to determine its address in another realm on the other side of a NAT + through a collaborative protocol reflection mechanism [RFC3424]. ICE + is an example of a protocol that performs this type of function. + Interestingly, the process for ICE is not unilateral, but bilateral, + and the difference has a significant impact on the issues raised by + the IAB. Indeed, ICE can be considered a Bilateral Self-Address + Fixing (B-SAF) protocol, rather than an UNSAF protocol. Regardless, + the IAB has mandated that any protocols developed for this purpose + document a specific set of considerations. This section meets those + requirements. + +18.1. Problem Definition + + From RFC 3424, any UNSAF proposal needs to provide: + + Precise definition of a specific, limited-scope problem that is to + be solved with the UNSAF proposal. A short term fix should not be + generalized to solve other problems. Such generalizations lead to + the the prolonged dependence on and usage of the supposed short + term fix -- meaning that it is no longer accurate to call it + "short term". + + The specific problems being solved by ICE are: + + Providing a means for two peers to determine the set of transport + addresses that can be used for communication. + + Providing a means for an agent to determine an address that is + reachable by another peer with which it wishes to communicate. + +18.2. Exit Strategy + + From RFC 3424, any UNSAF proposal needs to provide: + + Description of an exit strategy/transition plan. The better short + term fixes are the ones that will naturally see less and less use + as the appropriate technology is deployed. + + ICE itself doesn't easily get phased out. However, it is useful even + in a globally connected Internet, to serve as a means for detecting + whether a router failure has temporarily disrupted connectivity, for + example. ICE also helps prevent certain security attacks that have + nothing to do with NAT. However, what ICE does is help phase out + other UNSAF mechanisms. ICE effectively picks amongst those + + + +Keranen, et al. Standards Track [Page 73] + +RFC 8445 ICE July 2018 + + + mechanisms, prioritizing ones that are better and deprioritizing ones + that are worse. As NATs begin to dissipate as IPv6 is introduced, + server-reflexive and relayed candidates (both forms of UNSAF + addresses) simply never get used, because higher-priority + connectivity exists to the native host candidates. Therefore, the + servers get used less and less and can eventually be removed when + their usage goes to zero. + + Indeed, ICE can assist in the transition from IPv4 to IPv6. It can + be used to determine whether to use IPv6 or IPv4 when two dual-stack + hosts communicate with SIP (IPv6 gets used). It can also allow a + network with both 6to4 and native v6 connectivity to determine which + address to use when communicating with a peer. + +18.3. Brittleness Introduced by ICE + + From RFC 3424, any UNSAF proposal needs to provide: + + Discussion of specific issues that may render systems more + "brittle". For example, approaches that involve using data at + multiple network layers create more dependencies, increase + debugging challenges, and make it harder to transition. + + ICE actually removes brittleness from existing UNSAF mechanisms. In + particular, classic STUN (as described in RFC 3489 [RFC3489]) has + several points of brittleness. One of them is the discovery process + that requires an ICE agent to try to classify the type of NAT it is + behind. This process is error prone. With ICE, that discovery + process is simply not used. Rather than unilaterally assessing the + validity of the address, its validity is dynamically determined by + measuring connectivity to a peer. The process of determining + connectivity is very robust. + + Another point of brittleness in classic STUN and any other unilateral + mechanism is its absolute reliance on an additional server. ICE + makes use of a server for allocating unilateral addresses, but it + allows agents to directly connect if possible. Therefore, in some + cases, the failure of a STUN server would still allow for a call to + progress when ICE is used. + + Another point of brittleness in classic STUN is that it assumes the + STUN server is on the public Internet. Interestingly, with ICE, that + is not necessary. There can be a multitude of STUN servers in a + variety of address realms. ICE will discover the one that has + provided a usable address. + + + + + + +Keranen, et al. Standards Track [Page 74] + +RFC 8445 ICE July 2018 + + + The most troubling point of brittleness in classic STUN is that it + doesn't work in all network topologies. In cases where there is a + shared NAT between each agent and the STUN server, traditional STUN + may not work. With ICE, that restriction is removed. + + Classic STUN also introduces some security considerations. + Fortunately, those security considerations are also mitigated by ICE. + + Consequently, ICE serves to repair the brittleness introduced in + classic STUN, and it does not introduce any additional brittleness + into the system. + + The penalty of these improvements is that ICE increases session + establishment times. + +18.4. Requirements for a Long-Term Solution + + From RFC 3424, any UNSAF proposal needs to provide the following: + + Identify requirements for longer term, sound technical solutions; + contribute to the process of finding the right longer term + solution. + + Our conclusions from RFC 3489 remain unchanged. However, we feel ICE + actually helps because we believe it can be part of the long-term + solution. + +18.5. Issues with Existing NAPT Boxes + + From RFC 3424, any UNSAF proposal needs to provide: + + Discussion of the impact of the noted practical issues with + existing, deployed NA[P]Ts and experience reports. + + A number of NAT boxes are now being deployed into the market that try + to provide "generic" ALG functionality. These generic ALGs hunt for + IP addresses, in either text or binary form within a packet, and + rewrite them if they match a binding. This interferes with classic + STUN. However, the update to STUN [RFC5389] uses an encoding that + hides these binary addresses from generic ALGs. + + Existing NAPT boxes have non-deterministic and typically short + expiration times for UDP-based bindings. This requires + implementations to send periodic keepalives to maintain those + bindings. ICE uses a default of 15 s, which is a very conservative + estimate. Eventually, over time, as NAT boxes become compliant to + behave [RFC4787], this minimum keepalive will become deterministic + + + + +Keranen, et al. Standards Track [Page 75] + +RFC 8445 ICE July 2018 + + + and well known, and the ICE timers can be adjusted. Having a way to + discover and control the minimum keepalive interval would be far + better still. + +19. Security Considerations + +19.1. IP Address Privacy + + The process of probing for candidates reveals the source addresses of + the client and its peer to any on-network listening attacker, and the + process of exchanging candidates reveals the addresses to any + attacker that is able to see the negotiation. Some addresses, such + as the server-reflexive addresses gathered through the local + interface of VPN users, may be sensitive information. If these + potential attacks cannot be mitigated, ICE usages can define + mechanisms for controlling which addresses are revealed to the + negotiation and/or probing process. Individual implementations may + also have implementation-specific rules for controlling which + addresses are revealed. For example, [WebRTC-IP-HANDLING] provides + additional information about the privacy aspects of revealing IP + addresses via ICE for WebRTC applications. ICE implementations where + such issues can arise are RECOMMENDED to provide a programmatic or + user interface that provides control over which network interfaces + are used to generate candidates. + + Based on the types of candidates provided by the peer, and the + results of the connectivity tests performed against those candidates, + the peer might be able to determine characteristics of the local + network, e.g., if different timings are apparent to the peer. Within + the limit, the peer might be able to probe the local network. + + There are several types of attacks possible in an ICE system. The + subsections consider these attacks and their countermeasures. + +19.2. Attacks on Connectivity Checks + + An attacker might attempt to disrupt the STUN connectivity checks. + Ultimately, all of these attacks fool an ICE agent into thinking + something incorrect about the results of the connectivity checks. + Depending on the type of attack, the attacker needs to have different + capabilities. In some cases, the attacker needs to be on the path of + the connectivity checks. In other cases, the attacker does not need + to be on the path, as long as it is able to generate STUN + connectivity checks. While attacks on connectivity checks are + typically performed by network entities, if an attacker is able to + control an endpoint, it might be able to trigger connectivity-check + attacks. The possible false conclusions an attacker can try and + cause are: + + + +Keranen, et al. Standards Track [Page 76] + +RFC 8445 ICE July 2018 + + + False Invalid: An attacker can fool a pair of agents into thinking a + candidate pair is invalid, when it isn't. This can be used to + cause an agent to prefer a different candidate (such as one + injected by the attacker) or to disrupt a call by forcing all + candidates to fail. + + False Valid: An attacker can fool a pair of agents into thinking a + candidate pair is valid, when it isn't. This can cause an agent + to proceed with a session but then not be able to receive any + data. + + False Peer-Reflexive Candidate: An attacker can cause an agent to + discover a new peer-reflexive candidate when it is not expected + to. This can be used to redirect data streams to a DoS target or + to the attacker, for eavesdropping or other purposes. + + False Valid on False Candidate: An attacker has already convinced an + agent that there is a candidate with an address that does not + actually route to that agent (e.g., by injecting a false peer- + reflexive candidate or false server-reflexive candidate). The + attacker then launches an attack that forces the agents to believe + that this candidate is valid. + + If an attacker can cause a false peer-reflexive candidate or false + valid on a false candidate, it can launch any of the attacks + described in [RFC5389]. + + To force the false invalid result, the attacker has to wait for the + connectivity check from one of the agents to be sent. When it is, + the attacker needs to inject a fake response with an unrecoverable + error response (such as a 400), or drop the response so that it never + reaches the agent. However, since the candidate is, in fact, valid, + the original request may reach the peer agent and result in a success + response. The attacker needs to force this packet or its response to + be dropped through a DoS attack, a Layer 2 network disruption, or + another technique. If it doesn't do this, the success response will + also reach the originator, alerting it to a possible attack. The + ability for the attacker to generate a fake response is mitigated + through the STUN short-term credential mechanism. In order for this + response to be processed, the attacker needs the password. If the + candidate exchange signaling is secured, the attacker will not have + the password, and its response will be discarded. + + Spoofed ICMP Hard Errors (Type 3, codes 2-4) can also be used to + create false invalid results. If an ICE agent implements a response + to these ICMP errors, the attacker is capable of generating an ICMP + message that is delivered to the agent sending the connectivity + check. The validation of the ICMP error message by the agent is its + + + +Keranen, et al. Standards Track [Page 77] + +RFC 8445 ICE July 2018 + + + only defense. For Type 3 code=4, the outer IP header provides no + validation, unless the connectivity check was sent with DF=0. For + codes 2 or 3, which are originated by the host, the address is + expected to be any of the remote agent's host, reflexive, or relay + candidate IP addresses. The ICMP message includes the IP header and + UDP header of the message triggering the error. These fields also + need to be validated. The IP destination and UDP destination port + need to match either the targeted candidate address and port or the + candidate's base address. The source IP address and port can be any + candidate for the same base address of the agent sending the + connectivity check. Thus, any attacker having access to the exchange + of the candidates will have the necessary information. Hence, the + validation is a weak defense, and the sending of spoofed ICMP attacks + is also possible for off-path attackers from a node in a network + without source address validation. + + Forcing the fake valid result works in a similar way. The attacker + needs to wait for the Binding request from each agent and inject a + fake success response. Again, due to the STUN short-term credential + mechanism, in order for the attacker to inject a valid success + response, the attacker needs the password. Alternatively, the + attacker can route (e.g., using a tunneling mechanism) a valid + success response, which normally would be dropped or rejected by the + network, to the agent. + + Forcing the false peer-reflexive candidate result can be done with + either fake requests or responses, or with replays. We consider the + fake requests and responses case first. It requires the attacker to + send a Binding request to one agent with a source IP address and port + for the false candidate. In addition, the attacker needs to wait for + a Binding request from the other agent and generate a fake response + with a XOR-MAPPED-ADDRESS attribute containing the false candidate. + Like the other attacks described here, this attack is mitigated by + the STUN message integrity mechanisms and secure candidate exchanges. + + Forcing the false peer-reflexive candidate result with packet replays + is different. The attacker waits until one of the agents sends a + check. It intercepts this request and replays it towards the other + agent with a faked source IP address. It also needs to prevent the + original request from reaching the remote agent, by either launching + a DoS attack to cause the packet to be dropped or forcing it to be + dropped using Layer 2 mechanisms. The replayed packet is received at + the other agent, and accepted, since the integrity check passes (the + integrity check cannot and does not cover the source IP address and + port). It is then responded to. This response will contain a XOR- + MAPPED-ADDRESS with the false candidate, and it will be sent to that + false candidate. The attacker then needs to receive it and relay it + towards the originator. + + + +Keranen, et al. Standards Track [Page 78] + +RFC 8445 ICE July 2018 + + + The other agent will then initiate a connectivity check towards that + false candidate. This validation needs to succeed. This requires + the attacker to force a false valid on a false candidate. The + injecting of fake requests or responses to achieve this goal is + prevented using the integrity mechanisms of STUN and the candidate + exchange. Thus, this attack can only be launched through replays. + To do that, the attacker needs to intercept the check towards this + false candidate and replay it towards the other agent. Then, it + needs to intercept the response and replay that back as well. + + This attack is very hard to launch unless the attacker is identified + by the fake candidate. This is because it requires the attacker to + intercept and replay packets sent by two different hosts. If both + agents are on different networks (e.g., across the public Internet), + this attack can be hard to coordinate, since it needs to occur + against two different endpoints on different parts of the network at + the same time. + + If the attacker itself is identified by the fake candidate, the + attack is easier to coordinate. However, if the data path is secured + (e.g., using the Secure Real-time Transport Protocol (SRTP) + [RFC3711]), the attacker will not be able to process the data + packets, but will only be able to discard them, effectively disabling + the data stream. However, this attack requires the agent to disrupt + packets in order to block the connectivity check from reaching the + target. In that case, if the goal is to disrupt the data stream, + it's much easier to just disrupt it with the same mechanism, rather + than attack ICE. + +19.3. Attacks on Server-Reflexive Address Gathering + + ICE endpoints make use of STUN Binding requests for gathering server- + reflexive candidates from a STUN server. These requests are not + authenticated in any way. As a consequence, there are numerous + techniques an attacker can employ to provide the client with a false + server-reflexive candidate: + + o An attacker can compromise the DNS, causing DNS queries to return + a rogue STUN server address. That server can provide the client + with fake server-reflexive candidates. This attack is mitigated + by DNS security, though DNSSEC is not required to address it. + + o An attacker that can observe STUN messages (such as an attacker on + a shared network segment, like Wi-Fi) can inject a fake response + that is valid and will be accepted by the client. + + o An attacker can compromise a STUN server and cause it to send + responses with incorrect mapped addresses. + + + +Keranen, et al. Standards Track [Page 79] + +RFC 8445 ICE July 2018 + + + A false mapped address learned by these attacks will be used as a + server-reflexive candidate in the establishment of the ICE session. + For this candidate to actually be used for data, the attacker also + needs to attack the connectivity checks, and in particular, force a + false valid on a false candidate. This attack is very hard to launch + if the false address identifies a fourth party (neither the + initiator, responder, nor attacker), since it requires attacking the + checks generated by each ICE agent in the session and is prevented by + SRTP if it identifies the attacker itself. + + If the attacker elects not to attack the connectivity checks, the + worst it can do is prevent the server-reflexive candidate from being + used. However, if the peer agent has at least one candidate that is + reachable by the agent under attack, the STUN connectivity checks + themselves will provide a peer-reflexive candidate that can be used + for the exchange of data. Peer-reflexive candidates are generally + preferred over server-reflexive candidates. As such, an attack + solely on the STUN address gathering will normally have no impact on + a session at all. + +19.4. Attacks on Relayed Candidate Gathering + + An attacker might attempt to disrupt the gathering of relayed + candidates, forcing the client to believe it has a false relayed + candidate. Exchanges with the TURN server are authenticated using a + long-term credential. Consequently, injection of fake responses or + requests will not work. In addition, unlike Binding requests, + Allocate requests are not susceptible to replay attacks with modified + source IP addresses and ports, since the source IP address and port + are not utilized to provide the client with its relayed candidate. + + Even if an attacker has caused the client to believe in a false + relayed candidate, the connectivity checks cause such a candidate to + be used only if they succeed. Thus, an attacker needs to launch a + false valid on a false candidate, per above, which is a very + difficult attack to coordinate. + +19.5. Insider Attacks + + In addition to attacks where the attacker is a third party trying to + insert fake candidate information or STUN messages, there are attacks + possible with ICE when the attacker is an authenticated and valid + participant in the ICE exchange. + + + + + + + + +Keranen, et al. Standards Track [Page 80] + +RFC 8445 ICE July 2018 + + +19.5.1. STUN Amplification Attack + + The STUN amplification attack is similar to a "voice hammer" attack, + where the attacker causes other agents to direct voice packets to the + attack target. However, instead of voice packets being directed to + the target, STUN connectivity checks are directed to the target. The + attacker sends a large number of candidates, say, 50. The responding + agent receives the candidate information and starts its checks, which + are directed at the target, and consequently, never generate a + response. In the case of WebRTC, the user might not even be aware + that this attack is ongoing, since it might be triggered in the + background by malicious JavaScript code that the user has fetched. + The answerer will start a new connectivity check every Ta ms (say, + Ta=50ms). However, the retransmission timers are set to a large + number due to the large number of candidates. As a consequence, + packets will be sent at an interval of one every Ta milliseconds and + then with increasing intervals after that. Thus, STUN will not send + packets at a rate faster than data would be sent, and the STUN + packets persist only briefly, until ICE fails for the session. + Nonetheless, this is an amplification mechanism. + + It is impossible to eliminate the amplification, but the volume can + be reduced through a variety of heuristics. ICE agents SHOULD limit + the total number of connectivity checks they perform to 100. + Additionally, agents MAY limit the number of candidates they will + accept. + + Frequently, protocols that wish to avoid these kinds of attacks force + the initiator to wait for a response prior to sending the next + message. However, in the case of ICE, this is not possible. It is + not possible to differentiate the following two cases: + + o There was no response because the initiator is being used to + launch a DoS attack against an unsuspecting target that will not + respond. + + o There was no response because the IP address and port are not + reachable by the initiator. + + In the second case, another check will be sent at the next + opportunity, while in the former case, no further checks will be + sent. + + + + + + + + + +Keranen, et al. Standards Track [Page 81] + +RFC 8445 ICE July 2018 + + +20. IANA Considerations + + The original ICE specification registered four STUN attributes and + one new STUN error response. The STUN attributes and error response + are reproduced here. In addition, this specification registers a new + ICE option. + +20.1. STUN Attributes + + IANA has registered four STUN attributes: + + 0x0024 PRIORITY + 0x0025 USE-CANDIDATE + 0x8029 ICE-CONTROLLED + 0x802A ICE-CONTROLLING + +20.2. STUN Error Responses + + IANA has registered the following STUN error-response code: + + 487 Role Conflict: The client asserted an ICE role (controlling or + controlled) that is in conflict with the role of the server. + +20.3. ICE Options + + IANA has registered the following ICE option in the "ICE Options" + subregistry of the "Interactive Connectivity Establishment (ICE)" + registry, following the procedures defined in [RFC6336]. + + ICE Option name: + ice2 + + Contact: + Name: IESG + Email: iesg@ietf.org + + Change Controller: + IESG + + Description: + The ICE option indicates that the ICE agent using the ICE option + is implemented according to RFC 8445. + + Reference: + RFC 8445 + + + + + + +Keranen, et al. Standards Track [Page 82] + +RFC 8445 ICE July 2018 + + +21. Changes from RFC 5245 + + The purpose of this updated ICE specification is to: + + o Clarify procedures in RFC 5245. + + o Make technical changes, due to discovered flaws in RFC 5245 and + feedback from the community that has implemented and deployed ICE + applications based on RFC 5245. + + o Make the procedures independent of the signaling protocol, by + removing the SIP and SDP procedures. Procedures specific to a + signaling protocol will be defined in separate usage documents. + [ICE-SIP-SDP] defines ICE usage with SIP and SDP. + + The following technical changes have been done: + + o Aggressive nomination removed. + + o The procedures for calculating candidate pair states and + scheduling connectivity checks modified. + + o Procedures for calculation of Ta and RTO modified. + + o Active checklist and Frozen checklist definitions removed. + + o 'ice2' ICE option added. + + o IPv6 considerations modified. + + o Usage with no-op for keepalives, and keepalives with non-ICE + peers, removed. + +22. References + +22.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy + Extensions for Stateless Address Autoconfiguration in + IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007, + . + + + + + +Keranen, et al. Standards Track [Page 83] + +RFC 8445 ICE July 2018 + + + [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, + "Session Traversal Utilities for NAT (STUN)", RFC 5389, + DOI 10.17487/RFC5389, October 2008, + . + + [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using + Relays around NAT (TURN): Relay Extensions to Session + Traversal Utilities for NAT (STUN)", RFC 5766, + DOI 10.17487/RFC5766, April 2010, + . + + [RFC6336] Westerlund, M. and C. Perkins, "IANA Registry for + Interactive Connectivity Establishment (ICE) Options", + RFC 6336, DOI 10.17487/RFC6336, July 2011, + . + + [RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown, + "Default Address Selection for Internet Protocol Version 6 + (IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012, + . + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + +22.2. Informative References + + [ICE-SIP-SDP] + Petit-Huguenin, M., Nandakumar, S., and A. Keranen, + "Session Description Protocol (SDP) Offer/Answer + procedures for Interactive Connectivity Establishment + (ICE)", Work in Progress, + draft-ietf-mmusic-ice-sip-sdp-21, June 2018. + + [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., + and E. Lear, "Address Allocation for Private Internets", + BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, + . + + [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., + and W. Weiss, "An Architecture for Differentiated + Services", RFC 2475, DOI 10.17487/RFC2475, December 1998, + . + + [RFC3102] Borella, M., Lo, J., Grabelsky, D., and G. Montenegro, + "Realm Specific IP: Framework", RFC 3102, + DOI 10.17487/RFC3102, October 2001, + . + + + +Keranen, et al. Standards Track [Page 84] + +RFC 8445 ICE July 2018 + + + [RFC3103] Borella, M., Grabelsky, D., Lo, J., and K. Taniguchi, + "Realm Specific IP: Protocol Specification", RFC 3103, + DOI 10.17487/RFC3103, October 2001, + . + + [RFC3235] Senie, D., "Network Address Translator (NAT)-Friendly + Application Design Guidelines", RFC 3235, + DOI 10.17487/RFC3235, January 2002, + . + + [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, + A., Peterson, J., Sparks, R., Handley, M., and E. + Schooler, "SIP: Session Initiation Protocol", RFC 3261, + DOI 10.17487/RFC3261, June 2002, + . + + [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model + with Session Description Protocol (SDP)", RFC 3264, + DOI 10.17487/RFC3264, June 2002, + . + + [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and + A. Rayhan, "Middlebox communication architecture and + framework", RFC 3303, DOI 10.17487/RFC3303, August 2002, + . + + [RFC3424] Daigle, L., Ed. and IAB, "IAB Considerations for + UNilateral Self-Address Fixing (UNSAF) Across Network + Address Translation", RFC 3424, DOI 10.17487/RFC3424, + November 2002, . + + [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, + "STUN - Simple Traversal of User Datagram Protocol (UDP) + Through Network Address Translators (NATs)", RFC 3489, + DOI 10.17487/RFC3489, March 2003, + . + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, + July 2003, . + + [RFC3605] Huitema, C., "Real Time Control Protocol (RTCP) attribute + in Session Description Protocol (SDP)", RFC 3605, + DOI 10.17487/RFC3605, October 2003, + . + + + + + +Keranen, et al. Standards Track [Page 85] + +RFC 8445 ICE July 2018 + + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, DOI 10.17487/RFC3711, March 2004, + . + + [RFC3725] Rosenberg, J., Peterson, J., Schulzrinne, H., and G. + Camarillo, "Best Current Practices for Third Party Call + Control (3pcc) in the Session Initiation Protocol (SIP)", + BCP 85, RFC 3725, DOI 10.17487/RFC3725, April 2004, + . + + [RFC3879] Huitema, C. and B. Carpenter, "Deprecating Site Local + Addresses", RFC 3879, DOI 10.17487/RFC3879, September + 2004, . + + [RFC4038] Shin, M-K., Ed., Hong, Y-G., Hagino, J., Savola, P., and + E. Castro, "Application Aspects of IPv6 Transition", + RFC 4038, DOI 10.17487/RFC4038, March 2005, + . + + [RFC4091] Camarillo, G. and J. Rosenberg, "The Alternative Network + Address Types (ANAT) Semantics for the Session Description + Protocol (SDP) Grouping Framework", RFC 4091, + DOI 10.17487/RFC4091, June 2005, + . + + [RFC4092] Camarillo, G. and J. Rosenberg, "Usage of the Session + Description Protocol (SDP) Alternative Network Address + Types (ANAT) Semantics in the Session Initiation Protocol + (SIP)", RFC 4092, DOI 10.17487/RFC4092, June 2005, + . + + [RFC4103] Hellstrom, G. and P. Jones, "RTP Payload for Text + Conversation", RFC 4103, DOI 10.17487/RFC4103, June 2005, + . + + [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 4291, DOI 10.17487/RFC4291, February + 2006, . + + [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session + Description Protocol", RFC 4566, DOI 10.17487/RFC4566, + July 2006, . + + [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address + Translation (NAT) Behavioral Requirements for Unicast + UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January + 2007, . + + + +Keranen, et al. Standards Track [Page 86] + +RFC 8445 ICE July 2018 + + + [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment + (ICE): A Protocol for Network Address Translator (NAT) + Traversal for Offer/Answer Protocols", RFC 5245, + DOI 10.17487/RFC5245, April 2010, + . + + [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. + Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, + RFC 5382, DOI 10.17487/RFC5382, October 2008, + . + + [RFC5761] Perkins, C. and M. Westerlund, "Multiplexing RTP Data and + Control Packets on a Single Port", RFC 5761, + DOI 10.17487/RFC5761, April 2010, + . + + [RFC6080] Petrie, D. and S. Channabasappa, Ed., "A Framework for + Session Initiation Protocol User Agent Profile Delivery", + RFC 6080, DOI 10.17487/RFC6080, March 2011, + . + + [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful + NAT64: Network Address and Protocol Translation from IPv6 + Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, + April 2011, . + + [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van + Beijnum, "DNS64: DNS Extensions for Network Address + Translation from IPv6 Clients to IPv4 Servers", RFC 6147, + DOI 10.17487/RFC6147, April 2011, + . + + [RFC6298] Paxson, V., Allman, M., Chu, J., and M. Sargent, + "Computing TCP's Retransmission Timer", RFC 6298, + DOI 10.17487/RFC6298, June 2011, + . + + [RFC6544] Rosenberg, J., Keranen, A., Lowekamp, B., and A. Roach, + "TCP Candidates with Interactive Connectivity + Establishment (ICE)", RFC 6544, DOI 10.17487/RFC6544, + March 2012, . + + [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, + "Increasing TCP's Initial Window", RFC 6928, + DOI 10.17487/RFC6928, April 2013, + . + + + + + +Keranen, et al. Standards Track [Page 87] + +RFC 8445 ICE July 2018 + + + [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of + the IPv6 Prefix Used for IPv6 Address Synthesis", + RFC 7050, DOI 10.17487/RFC7050, November 2013, + . + + [RFC7721] Cooper, A., Gont, F., and D. Thaler, "Security and Privacy + Considerations for IPv6 Address Generation Mechanisms", + RFC 7721, DOI 10.17487/RFC7721, March 2016, + . + + [RFC7825] Goldberg, J., Westerlund, M., and T. Zeng, "A Network + Address Translator (NAT) Traversal Mechanism for Media + Controlled by the Real-Time Streaming Protocol (RTSP)", + RFC 7825, DOI 10.17487/RFC7825, December 2016, + . + + [RFC8421] Martinsen, P., Reddy, T., and P. Patil, "Interactive + Connectivity Establishment (ICE) Multihomed and IPv4/IPv6 + Dual-Stack Guidelines", RFC 8421, DOI 10.17487/RFC8421, + July 2018, . + + [WebRTC-IP-HANDLING] + Uberti, J. and G. Shieh, "WebRTC IP Address Handling + Requirements", Work in Progress, draft-ietf-rtcweb-ip- + handling-09, June 2018. + + + + + + + + + + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 88] + +RFC 8445 ICE July 2018 + + +Appendix A. Lite and Full Implementations + + ICE allows for two types of implementations. A full implementation + supports the controlling and controlled roles in a session and can + also perform address gathering. In contrast, a lite implementation + is a minimalist implementation that does little but respond to STUN + checks, and it only supports the controlled role in a session. + + Because ICE requires both endpoints to support it in order to bring + benefits to either endpoint, incremental deployment of ICE in a + network is more complicated. Many sessions involve an endpoint that + is, by itself, not behind a NAT and not one that would worry about + NAT traversal. A very common case is to have one endpoint that + requires NAT traversal (such as a VoIP hard phone or soft phone) make + a call to one of these devices. Even if the phone supports a full + ICE implementation, ICE won't be used at all if the other device + doesn't support it. The lite implementation allows for a low-cost + entry point for these devices. Once they support the lite + implementation, full implementations can connect to them and get the + full benefits of ICE. + + Consequently, a lite implementation is only appropriate for devices + that will *always* be connected to the public Internet and have a + public IP address at which it can receive packets from any + correspondent. ICE will not function when a lite implementation is + placed behind a NAT. + + ICE allows a lite implementation to have a single IPv4 host candidate + and several IPv6 addresses. In that case, candidate pairs are + selected by the controlling agent using a static algorithm, such as + the one in RFC 6724, which is recommended by this specification. + However, static mechanisms for address selection are always prone to + error, since they can never reflect the actual topology or provide + actual guarantees on connectivity. They are always heuristics. + Consequently, if an ICE agent is implementing ICE just to select + between its IPv4 and IPv6 addresses, and none of its IP addresses are + behind NAT, usage of full ICE is still RECOMMENDED in order to + provide the most robust form of address selection possible. + + It is important to note that the lite implementation was added to + this specification to provide a stepping stone to full + implementation. Even for devices that are always connected to the + public Internet with just a single IPv4 address, a full + implementation is preferable if achievable. Full implementations + also obtain the security benefits of ICE unrelated to NAT traversal. + Finally, it is often the case that a device that finds itself with a + public address today will be placed in a network tomorrow where it + will be behind a NAT. It is difficult to definitively know, over the + + + +Keranen, et al. Standards Track [Page 89] + +RFC 8445 ICE July 2018 + + + lifetime of a device or product, if it will always be used on the + public Internet. Full implementation provides assurance that + communications will always work. + +Appendix B. Design Motivations + + ICE contains a number of normative behaviors that may themselves be + simple but derive from complicated or non-obvious thinking or use + cases that merit further discussion. Since these design motivations + are not necessary to understand for purposes of implementation, they + are discussed here. This appendix is non-normative. + +B.1. Pacing of STUN Transactions + + STUN transactions used to gather candidates and to verify + connectivity are paced out at an approximate rate of one new + transaction every Ta milliseconds. Each transaction, in turn, has a + retransmission timer RTO that is a function of Ta as well. Why are + these transactions paced, and why are these formulas used? + + Sending of these STUN requests will often have the effect of creating + bindings on NAT devices between the client and the STUN servers. + Experience has shown that many NAT devices have upper limits on the + rate at which they will create new bindings. Discussions in the IETF + ICE WG during the work on this specification concluded that once + every 5 ms is well supported. This is why Ta has a lower bound of + 5 ms. Furthermore, transmission of these packets on the network + makes use of bandwidth and needs to be rate limited by the ICE agent. + Deployments based on earlier draft versions of [RFC5245] tended to + overload rate-constrained access links and perform poorly overall, in + addition to negatively impacting the network. As a consequence, the + pacing ensures that the NAT device does not get overloaded and that + traffic is kept at a reasonable rate. + + The definition of a "reasonable" rate is that STUN MUST NOT use more + bandwidth than the RTP itself will use, once data starts flowing. + The formula for Ta is designed so that, if a STUN packet were sent + every Ta seconds, it would consume the same amount of bandwidth as + RTP packets, summed across all data streams. Of course, STUN has + retransmits, and the desire is to pace those as well. For this + reason, RTO is set such that the first retransmit on the first + transaction happens just as the first STUN request on the last + transaction occurs. Pictorially: + + + + + + + + +Keranen, et al. Standards Track [Page 90] + +RFC 8445 ICE July 2018 + + + First Packets Retransmits + + + + | | + | | + -------+------ -------+------ + / \ / \ + / \ / \ + + +--+ +--+ +--+ +--+ +--+ +--+ + |A1| |B1| |C1| |A2| |B2| |C2| + +--+ +--+ +--+ +--+ +--+ +--+ + + ---+-------+-------+-------+-------+-------+------------ Time + 0 Ta 2Ta 3Ta 4Ta 5Ta + + In this picture, there are three transactions that will be sent (for + example, in the case of candidate gathering, there are three host + candidate/STUN server pairs). These are transactions A, B, and C. + The retransmit timer is set so that the first retransmission on the + first transaction (packet A2) is sent at time 3Ta. + + Subsequent retransmits after the first will occur even less + frequently than Ta milliseconds apart, since STUN uses an exponential + backoff on its retransmissions. + + This mechanism of a global minimum pacing interval of 5 ms is not + generally applicable to transport protocols, but it is applicable to + ICE based on the following reasoning. + + o Start with the following rules that would be generally applicable + to transport protocols: + + 1. Let MaxBytes be the maximum number of bytes allowed to be + outstanding in the network at startup, which SHOULD be 14600, + as defined in Section 2 of [RFC6928]. + + 2. Let HTO be the transaction timeout, which SHOULD be 2*RTT if + RTT is known or 500 ms otherwise. This is based on the RTO + for STUN messages from [RFC5389] and the TCP initial RTO, + which is 1 sec in [RFC6298]. + + 3. Let MinPacing be the minimum pacing interval between + transactions, which is 5 ms (see above). + + + + + + +Keranen, et al. Standards Track [Page 91] + +RFC 8445 ICE July 2018 + + + o Observe that agents typically do not know the RTT for ICE + transactions (connectivity checks in particular), meaning that HTO + will almost always be 500 ms. + + o Observe that a MinPacing of 5 ms and HTO of 500 ms gives at most + 100 packets/HTO, which for a typical ICE check of less than 120 + bytes means a maximum of 12000 outstanding bytes in the network, + which is less than the maximum expressed by rule 1. + + o Thus, for ICE, the rule set reduces to just the MinPacing rule, + which is equivalent to having a global Ta value. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 92] + +RFC 8445 ICE July 2018 + + +B.2. Candidates with Multiple Bases + + Section 5.1.3 talks about eliminating candidates that have the same + transport address and base. However, candidates with the same + transport addresses but different bases are not redundant. When can + an ICE agent have two candidates that have the same IP address and + port but different bases? Consider the topology of Figure 11: + + +----------+ + | STUN Srvr| + +----------+ + | + | + ----- + // \\ + | | + | B:net10 | + | | + \\ // + ----- + | + | + +----------+ + | NAT | + +----------+ + | + | + ----- + // \\ + | A | + |192.168/16 | + | | + \\ // + ----- + | + | + |192.168.1.100 ----- + +----------+ // \\ +----------+ + | | | | | | + | Initiator|---------| C:net10 |-----------| Responder| + | |10.0.1.100| | 10.0.1.101 | | + +----------+ \\ // +----------+ + ----- + + Figure 11: Identical Candidates with Different Bases + + + + + + +Keranen, et al. Standards Track [Page 93] + +RFC 8445 ICE July 2018 + + + In this case, the initiating agent is multihomed. It has one IP + address, 10.0.1.100, on network C, which is a net 10 private network. + The responding agent is on this same network. The initiating agent + is also connected to network A, which is 192.168/16, and has an IP + address of 192.168.1.100. There is a NAT on this network, natting + into network B, which is another net 10 private network, but it is + not connected to network C. There is a STUN server on network B. + + The initiating agent obtains a host candidate on its IP address on + network C (10.0.1.100:2498) and a host candidate on its IP address on + network A (192.168.1.100:3344). It performs a STUN query to its + configured STUN server from 192.168.1.100:3344. This query passes + through the NAT, which happens to assign the binding 10.0.1.100:2498. + The STUN server reflects this in the STUN Binding response. Now, the + initiating agent has obtained a server-reflexive candidate with a + transport address that is identical to a host candidate + (10.0.1.100:2498). However, the server-reflexive candidate has a + base of 192.168.1.100:3344, and the host candidate has a base of + 10.0.1.100:2498. + +B.3. Purpose of the Related-Address and Related-Port Attributes + + The candidate attribute contains two values that are not used at all + by ICE itself -- related address and related port. Why are they + present? + + There are two motivations for its inclusion. The first is + diagnostic. It is very useful to know the relationship between the + different types of candidates. By including it, an ICE agent can + know which relayed candidate is associated with which reflexive + candidate, which in turn is associated with a specific host + candidate. When checks for one candidate succeed but not for others, + this provides useful diagnostics on what is going on in the network. + + The second reason has to do with off-path Quality-of-Service (QoS) + mechanisms. When ICE is used in environments such as PacketCable + 2.0, proxies will, in addition to performing normal SIP operations, + inspect the SDP in SIP messages and extract the IP address and port + for data traffic. They can then interact, through policy servers, + with access routers in the network, to establish guaranteed QoS for + the data flows. This QoS is provided by classifying the RTP traffic + based on 5-tuple and then providing it a guaranteed rate, or marking + its DSCP appropriately. When a residential NAT is present, and a + relayed candidate gets selected for data, this relayed candidate will + be a transport address on an actual TURN server. That address says + nothing about the actual transport address in the access router that + would be used to classify packets for QoS treatment. Rather, the + + + + +Keranen, et al. Standards Track [Page 94] + +RFC 8445 ICE July 2018 + + + server-reflexive candidate towards the TURN server is needed. By + carrying the translation in the SDP, the proxy can use that transport + address to request QoS from the access router. + +B.4. Importance of the STUN Username + + ICE requires the usage of message integrity with STUN using its + short-term credential functionality. The actual short-term + credential is formed by exchanging username fragments in the + candidate exchange. The need for this mechanism goes beyond just + security; it is actually required for correct operation of ICE in the + first place. + + Consider ICE agents L, R, and Z. L and R are within private + enterprise 1, which is using 10.0.0.0/8. Z is within private + enterprise 2, which is also using 10.0.0.0/8. As it turns out, R and + Z both have IP address 10.0.1.1. L sends candidates to Z. Z + responds to L with its host candidates. In this case, those + candidates are 10.0.1.1:8866 and 10.0.1.1:8877. As it turns out, R + is in a session at that same time and is also using 10.0.1.1:8866 and + 10.0.1.1:8877 as host candidates. This means that R is prepared to + accept STUN messages on those ports, just as Z is. L will send a + STUN request to 10.0.1.1:8866 and another to 10.0.1.1:8877. However, + these do not go to Z as expected. Instead, they go to R! If R just + replied to them, L would believe it has connectivity to Z, when in + fact it has connectivity to a completely different user, R. To fix + this, STUN short-term credential mechanisms are used. The username + fragments are sufficiently random; thus it is highly unlikely that R + would be using the same values as Z. Consequently, R would reject + the STUN request since the credentials were invalid. In essence, the + STUN username fragments provide a form of transient host identifiers, + bound to a particular session established as part of the candidate + exchange. + + An unfortunate consequence of the non-uniqueness of IP addresses is + that, in the above example, R might not even be an ICE agent. It + could be any host, and the port to which the STUN packet is directed + could be any ephemeral port on that host. If there is an application + listening on this socket for packets, and it is not prepared to + handle malformed packets for whatever protocol is in use, the + operation of that application could be affected. Fortunately, since + the ports exchanged are ephemeral and usually drawn from the dynamic + or registered range, the odds are good that the port is not used to + run a server on host R, but rather is the agent side of some + protocol. This decreases the probability of hitting an allocated + port, due to the transient nature of port usage in this range. + However, the possibility of a problem does exist, and network + deployers need to be prepared for it. Note that this is not a + + + +Keranen, et al. Standards Track [Page 95] + +RFC 8445 ICE July 2018 + + + problem specific to ICE; stray packets can arrive at a port at any + time for any type of protocol, especially ones on the public + Internet. As such, this requirement is just restating a general + design guideline for Internet applications -- be prepared for unknown + packets on any port. + +B.5. The Candidate Pair Priority Formula + + The priority for a candidate pair has an odd form. It is: + + pair priority = 2^32*MIN(G,D) + 2*MAX(G,D) + (G>D?1:0) + + Why is this? When the candidate pairs are sorted based on this + value, the resulting sorting has the MAX/MIN property. This means + that the pairs are first sorted based on decreasing value of the + minimum of the two priorities. For pairs that have the same value of + the minimum priority, the maximum priority is used to sort amongst + them. If the max and the min priorities are the same, the + controlling agent's priority is used as the tiebreaker in the last + part of the expression. The factor of 2*32 is used since the + priority of a single candidate is always less than 2*32, resulting in + the pair priority being a "concatenation" of the two component + priorities. This creates the MAX/MIN sorting. MAX/MIN ensures that, + for a particular ICE agent, a lower-priority candidate is never used + until all higher-priority candidates have been tried. + +B.6. Why Are Keepalives Needed? + + Once data begins flowing on a candidate pair, it is still necessary + to keep the bindings alive at intermediate NATs for the duration of + the session. Normally, the data stream packets themselves (e.g., + RTP) meet this objective. However, several cases merit further + discussion. Firstly, in some RTP usages, such as SIP, the data + streams can be "put on hold". This is accomplished by using the SDP + "sendonly" or "inactive" attributes, as defined in RFC 3264 + [RFC3264]. RFC 3264 directs implementations to cease transmission of + data in these cases. However, doing so may cause NAT bindings to + time out, and data won't be able to come off hold. + + Secondly, some RTP payload formats, such as the payload format for + text conversation [RFC4103], may send packets so infrequently that + the interval exceeds the NAT binding timeouts. + + Thirdly, if silence suppression is in use, long periods of silence + may cause data transmission to cease sufficiently long for NAT + bindings to time out. + + + + + +Keranen, et al. Standards Track [Page 96] + +RFC 8445 ICE July 2018 + + + For these reasons, the data packets themselves cannot be relied upon. + ICE defines a simple periodic keepalive utilizing STUN Binding + Indications. This makes its bandwidth requirements highly + predictable and thus amenable to QoS reservations. + +B.7. Why Prefer Peer-Reflexive Candidates? + + Section 5.1.2 describes procedures for computing the priority of a + candidate based on its type and local preferences. That section + requires that the type preference for peer-reflexive candidates + always be higher than server reflexive. Why is that? The reason has + to do with the security considerations in Section 19. It is much + easier for an attacker to cause an ICE agent to use a false server- + reflexive candidate rather than a false peer-reflexive candidate. + Consequently, attacks against address gathering with Binding requests + are thwarted by ICE by preferring the peer-reflexive candidates. + +B.8. Why Are Binding Indications Used for Keepalives? + + Data keepalives are described in Section 11. These keepalives make + use of STUN when both endpoints are ICE capable. However, rather + than using a Binding request transaction (which generates a + response), the keepalives use an Indication. Why is that? + + The primary reason has to do with network QoS mechanisms. Once data + begins flowing, network elements will assume that the data stream has + a fairly regular structure, making use of periodic packets at fixed + intervals, with the possibility of jitter. If an ICE agent is + sending data packets, and then receives a Binding request, it would + need to generate a response packet along with its data packets. This + will increase the actual bandwidth requirements for the 5-tuple + carrying the data packets and introduce jitter in the delivery of + those packets. Analysis has shown that this is a concern in certain + Layer 2 access networks that use fairly tight packet schedulers for + data. + + Additionally, using a Binding Indication allows integrity to be + disabled, which may result in better performance. This is useful for + large-scale endpoints, such as Public Switched Telephone Network + (PSTN) gateways and Session Border Controllers (SBCs). + +B.9. Selecting Candidate Type Preference + + One criterion for selecting type and local preference values is the + use of a data intermediary, such as a TURN server, a tunnel service + such as a VPN server, or NAT. With a data intermediary, if data is + sent to that candidate, it will first transit the data intermediary + before being received. One type of candidate that involves a data + + + +Keranen, et al. Standards Track [Page 97] + +RFC 8445 ICE July 2018 + + + intermediary is the relayed candidate. Another type is the host + candidate, which is obtained from a VPN interface. When data is + transited through a data intermediary, it can have a positive or + negative effect on the latency between transmission and reception. + It may or may not increase the packet losses, because of the + additional router hops that may be taken. It may increase the cost + of providing service, since data will be routed in and right back out + of a data intermediary run by a provider. If these concerns are + important, the type preference for relayed candidates needs to be + carefully chosen. + + Another criterion for selecting preferences is the IP address family. + ICE works with both IPv4 and IPv6. It provides a transition + mechanism that allows dual-stack hosts to prefer connectivity over + IPv6 but to fall back to IPv4 in case the v6 networks are + disconnected. Implementation SHOULD follow the guidelines from + [RFC8421] to avoid excessive delays in the connectivity-check phase + if broken paths exist. + + Another criterion for selecting preferences is topological awareness. + This is beneficial for candidates that make use of intermediaries. + In those cases, if an ICE agent has preconfigured or dynamically + discovered knowledge of the topological proximity of the + intermediaries to itself, it can use that to assign higher local + preferences to candidates obtained from closer intermediaries. + + Another criterion for selecting preferences might be security or + privacy. If a user is a telecommuter, and therefore connected to a + corporate network and a local home network, the user may prefer their + voice traffic to be routed over the VPN or similar tunnel in order to + keep it on the corporate network when communicating within the + enterprise but may use the local network when communicating with + users outside of the enterprise. In such a case, a VPN address would + have a higher local preference than any other address. + + + + + + + + + + + + + + + + + +Keranen, et al. Standards Track [Page 98] + +RFC 8445 ICE July 2018 + + +Appendix C. Connectivity-Check Bandwidth + + The tables below show, for IPv4 and IPv6, the bandwidth required for + performing connectivity checks, using different Ta values (given in + ms) and different ufrag sizes (given in bytes). + + The results were provided by Jusin Uberti (Google) on 11 April 2016. + + IP version: IPv4 + Packet len (bytes): 108 + ufrag + | + ms | 4 8 12 16 + -----|------------------------ + 500 | 1.86k 1.98k 2.11k 2.24k + 200 | 4.64k 4.96k 5.28k 5.6k + 100 | 9.28k 9.92k 10.6k 11.2k + 50 | 18.6k 19.8k 21.1k 22.4k + 20 | 46.4k 49.6k 52.8k 56.0k + 10 | 92.8k 99.2k 105k 112k + 5 | 185k 198k 211k 224k + 2 | 464k 496k 528k 560k + 1 | 928k 992k 1.06M 1.12M + + IP version: IPv6 + Packet len (bytes): 128 + ufrag + | + ms | 4 8 12 16 + -----|------------------------ + 500 | 2.18k 2.3k 2.43k 2.56k + 200 | 5.44k 5.76k 6.08k 6.4k + 100 | 10.9k 11.5k 12.2k 12.8k + 50 | 21.8k 23.0k 24.3k 25.6k + 20 | 54.4k 57.6k 60.8k 64.0k + 10 | 108k 115k 121k 128k + 5 | 217k 230k 243k 256k + 2 | 544k 576k 608k 640k + 1 | 1.09M 1.15M 1.22M 1.28M + + + Figure 12: Connectivity-Check Bandwidth + + + + + + + + + + + +Keranen, et al. Standards Track [Page 99] + +RFC 8445 ICE July 2018 + + +Acknowledgements + + Most of the text in this document comes from the original ICE + specification, RFC 5245. The authors would like to thank everyone + who has contributed to that document. For additional contributions + to this revision of the specification, we would like to thank Emil + Ivov, Paul Kyzivat, Pal-Erik Martinsen, Simon Perrault, Eric + Rescorla, Thomas Stach, Peter Thatcher, Martin Thomson, Justin + Uberti, Suhas Nandakumar, Taylor Brandstetter, Peter Saint-Andre, + Harald Alvestrand, and Roman Shpount. Ben Campbell did the AD + review. Stephen Farrell did the sec-dir review. Stewart Bryant did + the gen-art review. Qin We did the ops-dir review. Magnus + Westerlund did the tsv-art review. + +Authors' Addresses + + Ari Keranen + Ericsson + Hirsalantie 11 + 02420 Jorvas + Finland + + Email: ari.keranen@ericsson.com + + + Christer Holmberg + Ericsson + Hirsalantie 11 + 02420 Jorvas + Finland + + Email: christer.holmberg@ericsson.com + + + Jonathan Rosenberg + jdrosen.net + Monmouth, NJ + United States of America + + Email: jdrosen@jdrosen.net + URI: http://www.jdrosen.net + + + + + + + + + + +Keranen, et al. Standards Track [Page 100] + -- cgit v1.2.3