Session Description Protocol (SDP) Offer/Answer Procedures for Interactive Connectivity Establishment (ICE)
RFC 8839
| Document | Type | RFC - Proposed Standard (January 2021) IPR | |
|---|---|---|---|
| Authors | Marc Petit-Huguenin , Suhas Nandakumar , Christer Holmberg , Ari Keränen , Roman Shpount | ||
| Last updated | 2021-01-18 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| IESG | Responsible AD | Adam Roach | |
| Send notices to | (None) |
RFC 8839
" SDP line with value '50':
a=ice-pacing:50
5.6. "ice-options" Attribute
The "ice-options" attribute is a session-level and media-level
attribute. It contains a series of tokens that identify the options
supported by the agent. Its grammar is:
ice-options = "ice-options:" ice-option-tag
*(SP ice-option-tag)
ice-option-tag = 1*ice-char
The existence of an "ice-options" in an offer indicates that a
certain extension is supported by the agent, and it is willing to use
it if the peer agent also includes the same extension in the answer.
There might be further extension-specific negotiation needed between
the agents that determine how the extension gets used in a given
session. The details of the negotiation procedures, if present, MUST
be defined by the specification defining the extension
(Section 10.2).
The following example shows an "ice-options" SDP line with 'ice2' and
'rtp+ecn' [RFC6679] values.
a=ice-options:ice2 rtp+ecn
6. Keepalives
All the ICE agents MUST follow the procedures defined in Section 11
of [RFC8445] for sending keepalives. As defined in [RFC8445], the
keepalives will be sent regardless of whether the data stream is
currently inactive, sendonly, recvonly, or sendrecv, and regardless
of the presence or value of the bandwidth attribute. An agent can
determine that its peer supports ICE by the presence of "candidate"
attributes for each media session.
7. SIP Considerations
Note that ICE is not intended for NAT traversal for SIP signaling,
which is assumed to be provided via another mechanism [RFC5626].
When ICE is used with SIP, forking may result in a single offer
generating a multiplicity of answers. In that case, ICE proceeds
completely in parallel and independently for each answer, treating
the combination of its offer and each answer as an independent offer/
answer exchange, with its own set of local candidates, pairs,
checklists, states, and so on.
7.1. Latency Guidelines
ICE requires a series of STUN-based connectivity checks to take place
between endpoints. These checks start from the answerer on
generation of its answer, and start from the offerer when it receives
the answer. These checks can take time to complete, and as such, the
selection of messages to use with offers and answers can affect
perceived user latency. Two latency figures are of particular
interest. These are the post-pickup delay and the post-dial delay.
The post-pickup delay refers to the time between when a user "answers
the phone" and when any speech they utter can be delivered to the
caller. The post-dial delay refers to the time between when a user
enters the destination address for the user and ringback begins as a
consequence of having successfully started alerting the called user
agent.
Two cases can be considered -- one where the offer is present in the
initial INVITE and one where it is in a response.
7.1.1. Offer in INVITE
To reduce post-dial delays, it is RECOMMENDED that the caller begin
gathering candidates prior to actually sending its initial INVITE, so
that the candidates can be provided in the INVITE. This can be
started upon user interface cues that a call is pending, such as
activity on a keypad or the phone going off-hook.
On the receipt of the offer, the answerer SHOULD generate an answer
in a provisional response as soon as it has completed gathering the
candidates. ICE requires that a provisional response with an SDP be
transmitted reliably. This can be done through the existing
Provisional Response Acknowledgment (PRACK) mechanism [RFC3262] or
through an ICE-specific optimization, wherein, the agent retransmits
the provisional response with the exponential backoff timers
described in [RFC3262]. Such retransmissions MUST cease on receipt
of a STUN Binding request with the transport address matching the
candidate address for one of the data streams signaled in that SDP or
on transmission of the answer in a 2xx response. If no Binding
request is received prior to the last retransmit, the agent does not
consider the session terminated. For the ICE-lite peers, the agent
MUST cease retransmitting the 18x response after sending it four
times since there will be no Binding request sent, and the number
four is arbitrarily chosen to limit the number of 18x retransmits.
Once the answer has been sent, the agent SHOULD begin its
connectivity checks. Once candidate pairs for each component of a
data stream enter the valid list, the answerer can begin sending
media on that data stream.
However, prior to this point, any media that needs to be sent towards
the caller (such as SIP early media [RFC3960]) MUST NOT be
transmitted. For this reason, implementations SHOULD delay alerting
the called party until candidates for each component of each data
stream have entered the valid list. In the case of a PSTN gateway,
this would mean that the setup message into the PSTN is delayed until
this point. Doing this increases the post-dial delay, but has the
effect of eliminating 'ghost rings'. Ghost rings are cases where the
called party hears the phone ring, picks up, but hears nothing and
cannot be heard. This technique works without requiring support for,
or usage of, preconditions [RFC3312]. It also has the benefit of
guaranteeing that not a single packet of media will get clipped, so
that post-pickup delay is zero. If an agent chooses to delay local
alerting in this way, it SHOULD generate a 180 response once alerting
begins.
7.1.2. Offer in Response
In addition to uses where the offer is in an INVITE, and the answer
is in the provisional and/or 200 OK response, ICE works with cases
where the offer appears in the response. In such cases, which are
common in third party call control [RFC3725], ICE agents SHOULD
generate their offers in a reliable provisional response (which MUST
utilize [RFC3262]), and not alert the user on receipt of the INVITE.
The answer will arrive in a PRACK. This allows for ICE processing to
take place prior to alerting, so that there is no post-pickup delay,
at the expense of increased call setup delays. Once ICE completes,
the callee can alert the user and then generate a 200 OK when they
answer. The 200 OK would contain no SDP, since the offer/answer
exchange has completed.
Alternatively, agents MAY place the offer in a 2xx instead (in which
case the answer comes in the ACK). When this happens, the callee
will alert the user on receipt of the INVITE, and the ICE exchanges
will take place only after the user answers. This has the effect of
reducing call-setup delay, but can cause substantial post-pickup
delays and media clipping.
7.2. SIP Option Tags and Media Feature Tags
[RFC5768] specifies a SIP option tag and media feature tag for usage
with ICE. ICE implementations using SIP SHOULD support this
specification, which uses a feature tag in registrations to
facilitate interoperability through signaling intermediaries.
7.3. Interactions with Forking
ICE interacts very well with forking. Indeed, ICE fixes some of the
problems associated with forking. Without ICE, when a call forks and
the caller receives multiple incoming data streams, it cannot
determine which data stream corresponds to which callee.
With ICE, this problem is resolved. The connectivity checks which
occur prior to transmission of media carry username fragments which
in turn are correlated to a specific callee. Subsequent media
packets that arrive on the same candidate pair as the connectivity
check will be associated with that same callee. Thus, the caller can
perform this correlation as long as it has received an answer.
7.4. Interactions with Preconditions
Quality of Service (QoS) preconditions, which are defined in
[RFC3312] and [RFC4032], apply only to the transport addresses listed
as the default targets for media in an offer/answer. If ICE changes
the transport address where media is received, this change is
reflected in an updated offer that changes the default destination
for media to match ICE's selection. As such, it appears like any
other re-INVITE would, and is fully treated in RFCs 3312 and 4032,
which apply without regard to the fact that the destination for media
is changing due to ICE negotiations occurring "in the background".
Indeed, an agent SHOULD NOT indicate that QoS preconditions have been
met until the checks have completed and selected the candidate pairs
to be used for media.
ICE also has interactions with connectivity preconditions [RFC5898].
Those interactions are described there. Note that the procedures
described in Section 7.1 describe their own type of "preconditions",
albeit with less functionality than those provided by the explicit
preconditions in [RFC5898].
7.5. Interactions with Third Party Call Control
ICE works with Flows I, III, and IV as described in [RFC3725]. Flow
I works without the controller supporting or being aware of ICE.
Flow IV will work as long as the controller passes along the ICE
attributes without alteration. Flow II is fundamentally incompatible
with ICE; each agent will believe itself to be the answerer and thus
never generate a re-INVITE.
The flows for continued operation, as described in Section 7 of
[RFC3725], require additional behavior of ICE implementations to
support. In particular, if an agent receives a mid-dialog re-INVITE
that contains no offer, it MUST restart ICE for each data stream and
go through the process of gathering new candidates. Furthermore,
that list of candidates SHOULD include the ones currently being used
for media.
8. Interactions with Application Layer Gateways and SIP
Application Layer Gateways (ALGs) are functions present in a Network
Address Translation (NAT) device that inspect the contents of packets
and modify them, in order to facilitate NAT traversal for application
protocols. Session Border Controllers (SBCs) are close cousins of
ALGs, but are less transparent since they actually exist as
application-layer SIP intermediaries. ICE has interactions with SBCs
and ALGs.
If an ALG is SIP aware but not ICE aware, ICE will work through it as
long as the ALG correctly modifies the SDP. A correct ALG
implementation behaves as follows:
* The ALG does not modify the "m=" and "c=" lines or the "rtcp"
attribute if they contain external addresses.
* If the "m=" and "c=" lines contain internal addresses, the
modification depends on the state of the ALG:
- If the ALG already has a binding established that maps an
external port to an internal connection address and port
matching the values in the "m=" and "c=" lines or "rtcp"
attribute, the ALG uses that binding instead of creating a new
one.
- If the ALG does not already have a binding, it creates a new
one and modifies the SDP, rewriting the "m=" and "c=" lines and
"rtcp" attribute.
Unfortunately, many ALGs are known to work poorly in these corner
cases. ICE does not try to work around broken ALGs, as this is
outside the scope of its functionality. ICE can help diagnose these
conditions, which often show up as a mismatch between the set of
candidates and the "m=" and "c=" lines and "rtcp" attributes. The
"ice-mismatch" attribute is used for this purpose.
ICE works best through ALGs when the signaling is run over TLS. This
prevents the ALG from manipulating the SDP messages and interfering
with ICE operation. Implementations that are expected to be deployed
behind ALGs SHOULD provide for TLS transport of the SDP.
If an SBC is SIP aware but not ICE aware, the result depends on the
behavior of the SBC. If it is acting as a proper Back-to-Back User
Agent (B2BUA), the SBC will remove any SDP attributes it doesn't
understand, including the ICE attributes. Consequently, the call
will appear to both endpoints as if the other side doesn't support
ICE. This will result in ICE being disabled, and media flowing
through the SBC, if the SBC has requested it. If, however, the SBC
passes the ICE attributes without modification, yet modifies the
default destination for media (contained in the "m=" and "c=" lines
and "rtcp" attribute), this will be detected as an ICE mismatch, and
ICE processing is aborted for the call. It is outside of the scope
of ICE for it to act as a tool for "working around" SBCs. If one is
present, ICE will not be used and the SBC techniques take precedence.
9. Security Considerations
The generic ICE security considerations are defined in [RFC8445], and
the generic SDP offer/answer security considerations are defined in
[RFC3264]. These security considerations also apply to
implementations of this document.
9.1. IP Address Privacy
In some cases, e.g., for privacy reasons, an agent may not want to
reveal the related address and port. In this case the address MUST
be set to "0.0.0.0" (for IPv4 candidates) or "::" (for IPv6
candidates) and the port to '9'.
9.2. Attacks on the Offer/Answer Exchanges
An attacker that can modify or disrupt the offer/answer exchanges
themselves can readily launch a variety of attacks with ICE. They
could direct media to a target of a DoS attack, they could insert
themselves into the data stream, and so on. These are similar to the
general security considerations for offer/answer exchanges, and the
security considerations in [RFC3264] apply. These require techniques
for message integrity and encryption for offers and answers, which
are satisfied by the TLS mechanism [RFC3261] when SIP is used. As
such, the usage of TLS with ICE is RECOMMENDED.
9.3. The Voice Hammer Attack
The voice hammer attack is an amplification attack, and can be
triggered even if the attacker is an authenticated and valid
participant in a session. In this attack, the attacker initiates
sessions to other agents, and maliciously includes the connection
address and port of a DoS target as the destination for media traffic
signaled in the SDP. This causes substantial amplification; a single
offer/answer exchange can create a continuing flood of media packets,
possibly at high rates (consider video sources). The use of ICE can
help to prevent against this attack.
Specifically, if ICE is used, the agent receiving the malicious SDP
will first perform connectivity checks to the target of media before
sending media there. If this target is a third-party host, the
checks will not succeed, and media is never sent. The ICE extension
defined in [RFC7675] can be used to further protect against voice
hammer attacks.
Unfortunately, ICE doesn't help if it's not used, in which case an
attacker could simply send the offer without the ICE parameters.
However, in environments where the set of clients is known, and is
limited to ones that support ICE, the server can reject any offers or
answers that don't indicate ICE support.
SIP user agents (UA) [RFC3261] that are not willing to receive non-
ICE answers MUST include an "ice" option tag [RFC5768] in the SIP
Require header field in their offer. UAs that reject non-ICE offers
will generally use a 421 response code, together with an option tag
"ice" in the Require header field in the response.
10. IANA Considerations
10.1. SDP Attributes
The original ICE specification defined seven new SDP attributes per
the procedures of Section 8.2.4 of [RFC4566]. The registration
information from the original specification is included here with
modifications to include Mux Category [RFC8859] and also defines a
new SDP attribute "ice-pacing".
10.1.1. "candidate" Attribute
Attribute Name: candidate
Type of Attribute: media-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and provides one of many possible candidate
addresses for communication. These addresses are validated with
an end-to-end connectivity check using Session Traversal Utilities
for NAT (STUN).
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact Email: iesg@ietf.org
Reference: RFC 8839
Mux Category: TRANSPORT
10.1.2. "remote-candidates" Attribute
Attribute Name: remote-candidates
Type of Attribute: media-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and provides the identity of the remote
candidates that the offerer wishes the answerer to use in its
answer.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact Email: iesg@ietf.org
Reference: RFC 8839
Mux Category: TRANSPORT
10.1.3. "ice-lite" Attribute
Attribute Name: ice-lite
Type of Attribute: session-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and indicates that an agent has the minimum
functionality required to support ICE inter-operation with a peer
that has a full implementation.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact Email: iesg@ietf.org
Reference: RFC 8839
Mux Category: NORMAL
10.1.4. "ice-mismatch" Attribute
Attribute Name: ice-mismatch
Type of Attribute: media-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and indicates that an agent is ICE capable,
but did not proceed with ICE due to a mismatch of candidates with
the default destination for media signaled in the SDP.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact e-mail: iesg@ietf.org
Reference: RFC 8839
Mux Category: NORMAL
10.1.5. "ice-pwd" Attribute
Attribute Name: ice-pwd
Type of Attribute: session- or media-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and provides the password used to protect
STUN connectivity checks.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact e-mail: iesg@ietf.org
Reference: RFC 8839
Mux Category: TRANSPORT
10.1.6. "ice-ufrag" Attribute
Attribute Name: ice-ufrag
Type of Attribute: session- or media-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and provides the fragments used to construct
the username in STUN connectivity checks.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact e-mail: iesg@ietf.org
Reference: RFC 8839
Mux Category: TRANSPORT
10.1.7. "ice-options" Attribute
Attribute Name: ice-options
Long Form: ice-options
Type of Attribute: session-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE), and indicates the ICE options or extensions
used by the agent.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact e-mail: iesg@ietf.org
Reference: RFC 8839
Mux Category: NORMAL
10.1.8. "ice-pacing" Attribute
This specification also defines a new SDP attribute, "ice-pacing",
according to the following data:
Attribute Name: ice-pacing
Type of Attribute: session-level
Subject to charset: No
Purpose: This attribute is used with Interactive Connectivity
Establishment (ICE) to indicate desired connectivity check pacing
values.
Appropriate Values: See Section 5 of RFC 8839.
Contact Name: IESG
Contact e-mail: iesg@ietf.org
Reference: RFC 8839
Mux Category: NORMAL
10.2. Interactive Connectivity Establishment (ICE) Options Registry
IANA maintains a registry for "ice-options" identifiers under the
Specification Required policy as defined in "Guidelines for Writing
an IANA Considerations Section in RFCs" [RFC8126].
ICE options are of unlimited length according to the syntax in
Section 5.6; however, they are RECOMMENDED to be no longer than 20
characters. This is to reduce message sizes and allow for efficient
parsing. ICE options are defined at the session level.
A registration request MUST include the following information:
* The ICE option identifier to be registered
* Name and email address of organization or individuals having
change control
* Short description of the ICE extension to which the option relates
* Reference(s) to the specification defining the ICE option and the
related extensions
10.3. Candidate Attribute Extension Subregistry Establishment
This section creates a new subregistry, "Candidate Attribute
Extensions", under the SDP Parameters registry:
http://www.iana.org/assignments/sdp-parameters.
The purpose of the subregistry is to register SDP "candidate"
attribute extensions.
When a "candidate" extension is registered in the subregistry, it
needs to meet the "Specification Required" policies defined in
[RFC8126].
"candidate" attribute extensions MUST follow the 'cand-extension'
syntax. The attribute extension name MUST follow the 'extension-att-
name' syntax, and the attribute extension value MUST follow the
'extension-att-value' syntax.
A registration request MUST include the following information:
* The name of the attribute extension.
* Name and email address of organization or individuals having
change control
* A short description of the attribute extension.
* A reference to a specification that describes the semantics, usage
and possible values of the attribute extension.
11. Changes from RFC 5245
[RFC8445] describes the changes made to the common SIP procedures,
including removal of aggressive nomination, modifying the procedures
for calculating candidate pair states, scheduling connectivity
checks, and the calculation of timer values.
This document defines the following SDP offer/answer specific
changes:
* SDP offer/answer realization and usage of 'ice2' option.
* Definition and usage of SDP "ice-pacing" attribute.
* Explicit text that an ICE agent must not generate candidates with
FQDNs, and must discard such candidates if received from the peer
agent.
* Relax requirement to include SDP "rtcp" attribute.
* Generic clarifications of SDP offer/answer procedures.
* ICE mismatch is now optional, and an agent has an option to not
trigger mismatch and instead treat the default candidate as an
additional candidate.
* FQDNs and "0.0.0.0"/"::" IP addresses with port "9" default
candidates do not trigger ICE mismatch.
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>.
[RFC3262] Rosenberg, J. and H. Schulzrinne, "Reliability of
Provisional Responses in Session Initiation Protocol
(SIP)", RFC 3262, DOI 10.17487/RFC3262, June 2002,
<https://www.rfc-editor.org/info/rfc3262>.
[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
with Session Description Protocol (SDP)", RFC 3264,
DOI 10.17487/RFC3264, June 2002,
<https://www.rfc-editor.org/info/rfc3264>.
[RFC3312] Camarillo, G., Ed., Marshall, W., Ed., and J. Rosenberg,
"Integration of Resource Management and Session Initiation
Protocol (SIP)", RFC 3312, DOI 10.17487/RFC3312, October
2002, <https://www.rfc-editor.org/info/rfc3312>.
[RFC3556] Casner, S., "Session Description Protocol (SDP) Bandwidth
Modifiers for RTP Control Protocol (RTCP) Bandwidth",
RFC 3556, DOI 10.17487/RFC3556, July 2003,
<https://www.rfc-editor.org/info/rfc3556>.
[RFC3605] Huitema, C., "Real Time Control Protocol (RTCP) attribute
in Session Description Protocol (SDP)", RFC 3605,
DOI 10.17487/RFC3605, October 2003,
<https://www.rfc-editor.org/info/rfc3605>.
[RFC4032] Camarillo, G. and P. Kyzivat, "Update to the Session
Initiation Protocol (SIP) Preconditions Framework",
RFC 4032, DOI 10.17487/RFC4032, March 2005,
<https://www.rfc-editor.org/info/rfc4032>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>.
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389,
DOI 10.17487/RFC5389, October 2008,
<https://www.rfc-editor.org/info/rfc5389>.
[RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766,
DOI 10.17487/RFC5766, April 2010,
<https://www.rfc-editor.org/info/rfc5766>.
[RFC5768] Rosenberg, J., "Indicating Support for Interactive
Connectivity Establishment (ICE) in the Session Initiation
Protocol (SIP)", RFC 5768, DOI 10.17487/RFC5768, April
2010, <https://www.rfc-editor.org/info/rfc5768>.
[RFC6336] Westerlund, M. and C. Perkins, "IANA Registry for
Interactive Connectivity Establishment (ICE) Options",
RFC 6336, DOI 10.17487/RFC6336, July 2011,
<https://www.rfc-editor.org/info/rfc6336>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8445] Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive
Connectivity Establishment (ICE): A Protocol for Network
Address Translator (NAT) Traversal", RFC 8445,
DOI 10.17487/RFC8445, July 2018,
<https://www.rfc-editor.org/info/rfc8445>.
12.2. Informative References
[RFC3725] Rosenberg, J., Peterson, J., Schulzrinne, H., and G.
Camarillo, "Best Current Practices for Third Party Call
Control (3pcc) in the Session Initiation Protocol (SIP)",
BCP 85, RFC 3725, DOI 10.17487/RFC3725, April 2004,
<https://www.rfc-editor.org/info/rfc3725>.
[RFC3960] Camarillo, G. and H. Schulzrinne, "Early Media and Ringing
Tone Generation in the Session Initiation Protocol (SIP)",
RFC 3960, DOI 10.17487/RFC3960, December 2004,
<https://www.rfc-editor.org/info/rfc3960>.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245,
DOI 10.17487/RFC5245, April 2010,
<https://www.rfc-editor.org/info/rfc5245>.
[RFC5626] Jennings, C., Ed., Mahy, R., Ed., and F. Audet, Ed.,
"Managing Client-Initiated Connections in the Session
Initiation Protocol (SIP)", RFC 5626,
DOI 10.17487/RFC5626, October 2009,
<https://www.rfc-editor.org/info/rfc5626>.
[RFC5898] Andreasen, F., Camarillo, G., Oran, D., and D. Wing,
"Connectivity Preconditions for Session Description
Protocol (SDP) Media Streams", RFC 5898,
DOI 10.17487/RFC5898, July 2010,
<https://www.rfc-editor.org/info/rfc5898>.
[RFC6679] Westerlund, M., Johansson, I., Perkins, C., O'Hanlon, P.,
and K. Carlberg, "Explicit Congestion Notification (ECN)
for RTP over UDP", RFC 6679, DOI 10.17487/RFC6679, August
2012, <https://www.rfc-editor.org/info/rfc6679>.
[RFC7675] Perumal, M., Wing, D., Ravindranath, R., Reddy, T., and M.
Thomson, "Session Traversal Utilities for NAT (STUN) Usage
for Consent Freshness", RFC 7675, DOI 10.17487/RFC7675,
October 2015, <https://www.rfc-editor.org/info/rfc7675>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8859] Nandakumar, S., "A Framework for Session Description
Protocol (SDP) Attributes When Multiplexing", RFC 8859,
DOI 10.17487/RFC8859, January 2021,
<https://www.rfc-editor.org/info/rfc8859>.
[RFC8863] Holmberg, C. and J. Uberti, "Interactive Connectivity
Establishment Patiently Awaiting Connectivity (ICE PAC)",
RFC 8863, DOI 10.17487/RFC8863, January 2021,
<https://www.rfc-editor.org/info/rfc8863>.
Appendix A. Examples
For the example shown in Section 15 of [RFC8445], the resulting offer
(message 5) encoded in SDP looks like (lines folded for clarity):
v=0
o=jdoe 2890844526 2890842807 IN IP6 $L-PRIV-1.IP
s=
c=IN IP6 $NAT-PUB-1.IP
t=0 0
a=ice-options:ice2
a=ice-pacing:50
a=ice-pwd:asd88fgpdd777uzjYhagZg
a=ice-ufrag:8hhY
m=audio $NAT-PUB-1.PORT RTP/AVP 0
b=RS:0
b=RR:0
a=rtpmap:0 PCMU/8000
a=candidate:1 1 UDP 2130706431 $L-PRIV-1.IP $L-PRIV-1.PORT typ host
a=candidate:2 1 UDP 1694498815 $NAT-PUB-1.IP $NAT-PUB-1.PORT typ
srflx raddr $L-PRIV-1.IP rport $L-PRIV-1.PORT
The offer, with the variables replaced with their values, will look
like (lines folded for clarity):
v=0
o=jdoe 2890844526 2890842807 IN IP6 fe80::6676:baff:fe9c:ee4a
s=
c=IN IP6 2001:db8:8101:3a55:4858:a2a9:22ff:99b9
t=0 0
a=ice-options:ice2
a=ice-pacing:50
a=ice-pwd:asd88fgpdd777uzjYhagZg
a=ice-ufrag:8hhY
m=audio 45664 RTP/AVP 0
b=RS:0
b=RR:0
a=rtpmap:0 PCMU/8000
a=candidate:1 1 UDP 2130706431 fe80::6676:baff:fe9c:ee4a 8998
typ host
a=candidate:2 1 UDP 1694498815 2001:db8:8101:3a55:4858:a2a9:22ff:99b9
45664 typ srflx raddr fe80::6676:baff:fe9c:ee4a rport 8998
The resulting answer looks like:
v=0
o=bob 2808844564 2808844564 IN IP4 $R-PUB-1.IP
s=
c=IN IP4 $R-PUB-1.IP
t=0 0
a=ice-options:ice2
a=ice-pacing:50
a=ice-pwd:YH75Fviy6338Vbrhrlp8Yh
a=ice-ufrag:9uB6
m=audio $R-PUB-1.PORT RTP/AVP 0
b=RS:0
b=RR:0
a=rtpmap:0 PCMU/8000
a=candidate:1 1 UDP 2130706431 $R-PUB-1.IP $R-PUB-1.PORT typ host
With the variables filled in:
v=0
o=bob 2808844564 2808844564 IN IP4 192.0.2.1
s=
c=IN IP4 192.0.2.1
t=0 0
a=ice-options:ice2
a=ice-pacing:50
a=ice-pwd:YH75Fviy6338Vbrhrlp8Yh
a=ice-ufrag:9uB6
m=audio 3478 RTP/AVP 0
b=RS:0
b=RR:0
a=rtpmap:0 PCMU/8000
a=candidate:1 1 UDP 2130706431 192.0.2.1 3478 typ host
Appendix B. The "remote-candidates" Attribute
The "remote-candidates" attribute exists to eliminate a race
condition between the updated offer and the response to the STUN
Binding request that moved a candidate into the valid list. This
race condition is shown in Figure 1. On receipt of message 4, agent
L adds a candidate pair to the valid list. If there was only a
single data stream with a single component, agent L could now send an
updated offer. However, the check from agent R has not yet received
a response, and agent R receives the updated offer (message 7) before
getting the response (message 9). Thus, it does not yet know that
this particular pair is valid. To eliminate this condition, the
actual candidates at R that were selected by the offerer (the remote
candidates) are included in the offer itself, and the answerer delays
its answer until those pairs validate.
Agent L Network Agent R
|(1) Offer | |
|------------------------------------------>|
|(2) Answer | |
|<------------------------------------------|
|(3) STUN Req. | |
|------------------------------------------>|
|(4) STUN Res. | |
|<------------------------------------------|
|(5) STUN Req. | |
|<------------------------------------------|
|(6) STUN Res. | |
|-------------------->| |
| |Lost |
|(7) Offer | |
|------------------------------------------>|
|(8) STUN Req. | |
|<------------------------------------------|
|(9) STUN Res. | |
|------------------------------------------>|
|(10) Answer | |
|<------------------------------------------|
Figure 1: Race Condition Flow
Appendix C. Why Is the Conflict Resolution Mechanism Needed?
When ICE runs between two peers, one agent acts as controlled, and
the other as controlling. Rules are defined as a function of
implementation type and offerer/answerer to determine who is
controlling and who is controlled. However, the specification
mentions that, in some cases, both sides might believe they are
controlling, or both sides might believe they are controlled. How
can this happen?
The condition when both agents believe they are controlled shows up
in third party call control cases. Consider the following flow:
A Controller B
|(1) INV() | |
|<-------------| |
|(2) 200(SDP1) | |
|------------->| |
| |(3) INV() |
| |------------->|
| |(4) 200(SDP2) |
| |<-------------|
|(5) ACK(SDP2) | |
|<-------------| |
| |(6) ACK(SDP1) |
| |------------->|
Figure 2: Role Conflict Flow
This flow is a variation on flow III of RFC 3725 [RFC3725]. In fact,
it works better than flow III since it produces fewer messages. In
this flow, the controller sends an offerless INVITE to agent A, which
responds with its offer, SDP1. The agent then sends an offerless
INVITE to agent B, which it responds to with its offer, SDP2. The
controller then uses the offer from each agent to generate the
answers. When this flow is used, ICE will run between agents A and
B, but both will believe they are in the controlling role. With the
role conflict resolution procedures, this flow will function properly
when ICE is used.
At this time, there are no documented flows that can result in the
case where both agents believe they are controlled. However, the
conflict resolution procedures allow for this case, should a flow
arise that would fit into this category.
Appendix D. Why Send an Updated Offer?
Section 12.1 of [RFC8445] describes rules for sending media. Both
agents can send media once ICE checks complete, without waiting for
an updated offer. Indeed, the only purpose of the updated offer is
to "correct" the SDP so that the default destination for media
matches where media is being sent based on ICE procedures (which will
be the highest-priority nominated candidate pair).
This raises the question -- why is the updated offer/answer exchange
needed at all? Indeed, in a pure offer/answer environment, it would
not be. The offerer and answerer will agree on the candidates to use
through ICE, and then can begin using them. As far as the agents
themselves are concerned, the updated offer/answer provides no new
information. However, in practice, numerous components along the
signaling path look at the SDP information. These include entities
performing off-path QoS reservations, NAT traversal components such
as ALGs and Session Border Controllers (SBCs), and diagnostic tools
that passively monitor the network. For these tools to continue to
function without change, the core property of SDP -- that the
existing, pre-ICE definitions of the addresses used for media -- the
"m=" and "c=" lines and the "rtcp" attribute -- must be retained.
For this reason, an updated offer must be sent.
Acknowledgements
A large part of the text in this document was taken from [RFC5245],
authored by Jonathan Rosenberg.
Some of the text in this document was taken from [RFC6336], authored
by Magnus Westerlund and Colin Perkins.
Many thanks to Flemming Andreasen for shepherd review feedback.
Thanks to following experts for their reviews and constructive
feedback: Thomas Stach, Adam Roach, Peter Saint-Andre, Roman Danyliw,
Alissa Cooper, Benjamin Kaduk, Mirja Kühlewind, Alexey Melnikov, and
Éric Vyncke for their detailed reviews.
Contributors
The following experts have contributed textual and structural
improvements for this work:
Thomas Stach
Email: thomass.stach@gmail.com
Authors' Addresses
Marc Petit-Huguenin
Impedance Mismatch
Email: marc@petit-huguenin.org
Suhas Nandakumar
Cisco Systems
707 Tasman Dr
Milpitas, CA 95035
United States of America
Email: snandaku@cisco.com
Christer Holmberg
Ericsson
Hirsalantie 11
FI-02420 Jorvas
Finland
Email: christer.holmberg@ericsson.com
Ari Keränen
Ericsson
FI-02420 Jorvas
Finland
Email: ari.keranen@ericsson.com
Roman Shpount
TurboBridge
4905 Del Ray Avenue, Suite 300
Bethesda, MD 20814
United States of America
Email: rshpount@turbobridge.com