TOC 
MMUSICJ. Rosenberg
Internet-DraftCisco
Intended status: Standards TrackJuly 09, 2007
Expires: January 10, 2008 


TCP Candidates with Interactive Connectivity Establishment (ICE
draft-ietf-mmusic-ice-tcp-04

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 10, 2008.

Abstract

Interactive Connectivity Establishment (ICE) defines a mechanism for NAT traversal for multimedia communication protocols based on the offer/answer model of session negotiation. ICE works by providing a set of candidate transport addresses for each media stream, which are then validated with peer-to-peer connectivity checks based on Session Traversal Utilities for NAT (STUN). ICE provides a general framework for describing candidates, but only defines UDP-based transport protocols. This specification extends ICE to TCP-based media, including the ability to offer a mix of TCP and UDP-based candidates for a single stream.



Table of Contents

1.  Introduction
2.  Overview of Operation
3.  Sending the Initial Offer
    3.1.  Gathering Candidates
    3.2.  Prioritization
    3.3.  Choosing Default Candidates
    3.4.  Encoding the SDP
4.  Receiving the Initial Offer
    4.1.  Forming the Check Lists
5.  Connectivity Checks
    5.1.  STUN Client Procedures
        5.1.1.  Sending the Request
    5.2.  STUN Server Procedures
6.  Concluding ICE Processing
7.  Subsequent Offer/Answer Exchanges
    7.1.  ICE Restarts
8.  Media Handling
    8.1.  Sending Media
    8.2.  Receiving Media
9.  Connection Management
    9.1.  Connections Formed During Connectivity Checks
    9.2.  Connections formed for Gathering Candidates
10.  Security Considerations
11.  IANA Considerations
12.  Acknowledgements
13.  References
    13.1.  Normative References
    13.2.  Informative References
Appendix 1.  Implementation Considerations for BSD Sockets
§  Author's Address
§  Intellectual Property and Copyright Statements




 TOC 

1.  Introduction

Interactive Connectivity Establishment (ICE) [I‑D.ietf‑mmusic‑ice] (Rosenberg, J., “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols,” October 2007.) defines a mechanism for NAT traversal for multimedia communication protocols based on the offer/answer model [RFC3264] (Rosenberg, J. and H. Schulzrinne, “An Offer/Answer Model with Session Description Protocol (SDP),” June 2002.) of session negotiation. ICE works by providing a set of candidate transport addresses for each media stream, which are then validated with peer-to-peer connectivity checks based on Session Traversal Utilities for NAT (STUN) [I‑D.ietf‑behave‑rfc3489bis] (Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, “Session Traversal Utilities for (NAT) (STUN),” July 2008.). However, ICE only defines procedures for UDP-based transport protocols.

There are many reasons why ICE support for TCP is important. Firstly, there are media protocols that only run over TCP. Examples of such protocols are web and application sharing and instant messaging [I‑D.ietf‑simple‑message‑sessions] (Campbell, B., “The Message Session Relay Protocol,” February 2007.). For these protocols to work in the presence of NAT, unless they define their own NAT traversal mechanisms, ICE support for TCP is needed. In addition, RTP itself can run over TCP (without [RFC4571] (Lazzaro, J., “Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection-Oriented Transport,” July 2006.) and with TLS [RFC4572] (Lennox, J., “Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP),” July 2006.)). Typically, it is preferable to run RTP over UDP, and not TCP. However, in a variety of network environments, overly restrictive NAT and firewall devices prevent UDP-based communications altogether, but general TCP-based communications are permitted. In such environments, sending RTP over TCP, and thus establishing the media session, may be preferable to having it fail altogether. With this specification, agents can gather UDP and TCP candidates for an RTP-based stream, list the UDP ones with higher priority, and then only use the TCP-based ones if the UDP ones fail altogether. This provides a fallback mechanism that allows multimedia communications to be highly reliable.

The usage of RTP over TCP is particularly useful when combined with Traversal Using Relay NAT [I‑D.ietf‑behave‑turn] (Rosenberg, J., Mahy, R., and P. Matthews, “Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN),” July 2009.). In this case, one of the agents would connect to its TURN server using TCP, and obtain a TCP-based relayed candidate. It would offer this to its peer agent as a candidate. The answerer would initiate a TCP connection towards the TURN server. When that connection is established, media can flow over the connections, through the TURN server. The benefit of this usage is that it only requires the agents to make outbound TCP connections to a server on the public network. This kind of operation is broadly interoperable through NAT and firewall devices. Since it is a goal of ICE and this extension to provide highly reliable communications that "just works" in as a broad a set of network deployments as possible, this use case is particularly important.

The usage of RTP over TCP/TLS is also useful when communicating between single-user agents (such as a softphone or hardphone) and an agent run by a provider that is meant to service many users, such as a PSTN gateway. In such a deployment, the multi-user agent would act as the TLS server, and have a certificate. The single-user agent can then connect, validate the certificate, but offer none of its own (since its not likely to have one).

This specification extends ICE by defining its usage with TCP candidates. This specification does so by following the outline of ICE itself, and calling out the additions and changes necessary in each section of ICE to support TCP candidates.



 TOC 

2.  Overview of Operation

The usage of ICE with TCP is relatively straightforward. The main area of specification is around how and when connections are opened, and how those connections relate to candidate pairs.

When the agents perform address allocations to gather TCP-based candidates, three types of candidates can be obtained. These are active candidates, passive candidates, and simultaneous-open candidates. An active candidate is one for which the agent will attempt to open an outbound connection, but will not receive incoming connection requests. A passive candidate is one for which the agent will receive incoming connection attempts, but not attempt a connection. A simultaneous-open candidate is one for which the agent will attempt to open a connection simultaneously with its peer.

Because this specification requires multiple candidates for a media stream, it is not compatible with ICE's lite implementation, and can only be used by full implementations.

When gathering candidates from a host interface, the agent typically obtains an active, passive and simultaneous-open candidates. Similarly, communications with a STUN server will provide server reflexive and relayed versions of all three types. Connections to the STUN server are kept open during ICE processing.

When encoding these candidates into offers and answers, the type of the candidate is signaled. In the case of active candidates, an IP address and port is present, but it is meaningless, as it is ignored by the peer. As a consequence, active candidates do not need to be physically allocated at the time of address gathering. Rather, the physical allocations, which occur as a consequence of a connection attempt, occur at the time of the connectivity checks.

When the candidates are paired together, active candidates are always paired with passive, and simultaneous-open candidates with each other. When a connectivity check is to be made on a candidate pair, each agent determines whether it is to make a connection attempt for this pair.

Why have both active and simultaneous-open candidates? Why not just simultaneous-open? The reason is that NAT treatment of simultaneous opens is currently not well defined, though specifications are being developed to address this [I‑D.ietf‑behave‑tcp] (Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, “NAT Behavioral Requirements for TCP,” September 2008.). Some NATs block the second TCP SYN packet or improperly process the subsequent SYNACK, which will cause the connection attempt to fail. Therefore, if only simultaneous opens are used, connections may often fail. Alternatively, using unidirectional opens (where one side is active and the other is passive) is more reliable, but will always require a relay if both sides are behind NAT. Therefore, in the spirit of the ICE philosophy, both are tried. Simultaneous-opens are preferred since, if it does work, it will not require a relay even when both sides are behind a different NAT.

The actual processing of generating connectivity checks, managing the state of the check list, and updating the Valid list, work identically for TCP as they do for UDP.

ICE requires an agent to demultiplex STUN and application layer traffic, since they appear on the same port. This demultiplexing is described by ICE, and is done using the magic cookie and other fields of the message. Stream-oriented transports introduce another wrinkle, since they require a way to frame the connection so that the application and STUN packets can be extracted in order to determine which is which. For this reason, TCP media streams utilizing ICE use the basic framing provided in RFC 4571 [RFC4571] (Lazzaro, J., “Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection-Oriented Transport,” July 2006.), even if the application layer protocol is not RTP.

When TLS is in use, TLS itself runs over the RFC 4571 framing shim, so that STUN runs outside of the TLS connection. Pictorially:




                               +----------+
                               |          |
                               |    App   |
                    +----------+----------+
                    |          |          |
                    |   STUN   |    TLS   |
                    +----------+----------+
                    |                     |
                    |      RFC 4571       |
                    +---------------------+
                    |                     |
                    |         TCP         |
                    +---------------------+
                    |                     |
                    |         IP          |
                    +---------------------+
 Figure 1: ICE TCP Stack 

The implication of this is that, for any media stream protected by TLS, the agent will first run ICE procedures, exchanging STUN messages. Then, once ICE completes, TLS procedures begin. ICE and TLS are thus "peers" in the protocol stack. The STUN messages are not sent over the TLS connection, even ones sent for the purposes of keepalive in the middle of the media session.

When an updated offer is generated by the controlling endpoint, the SDP extensions for connection oriented media [RFC4145] (Yon, D. and G. Camarillo, “TCP-Based Media Transport in the Session Description Protocol (SDP),” September 2005.) are used to signal that an existing connection should be used, rather than opening a new one.



 TOC 

3.  Sending the Initial Offer

The offerer MUST be a full ICE implementation.



 TOC 

3.1.  Gathering Candidates

For each TCP capable media stream the agent wishes to use (including ones, like RTP, which can either be UDP or TCP), the agent SHOULD obtain two host candidates (each on a different port) for each component of the media stream on each interface that the host has - one for the simultaneous open, and one for the passive candidate. If an agent is not capable of acting in one of these modes (for example, the TCP connection is being used with TLS and the agent can only act as the client), it would omit those candidates.

Providers of real-time communications services may decide that it is preferable to have no media at all than it is to have media over TCP. To allow for choice, it is RECOMMENDED that agents be configurable with whether they obtain TCP candidates for real time media.

Having it be configurable, and then configuring it to be off, is far better than not having the capability at all. An important goal of this specification is to provide a single mechanism that can be used across all types of endpoints. As such, it is preferable to account for provider and network variation through configuration, instead of hard-coded limitations in an implementation. Furthermore, network characteristics and connectivity assumptions can, and will change over time. Just because a agent is communicating with a server on the public network today, doesn't mean that it won't need to communicate with one behind a NAT tomorrow. Just because a agent is behind a NAT with endpoint indpendent mapping today, doesn't mean that tomorrow they won't pick up their agent and take it to a public network access point where there is a NAT with address and port dependent mapping properties, or one that only allows outbound TCP. The way to handle these cases and build a reliable system is for agents to implement a diverse set of techniques for allocating addresses, so that at least one of them is almost certainly going to work in any situation. Implementors should consider very carefully any assumptions that they make about deployments before electing not to implement one of the mechanisms for address allocation. In particular, implementors should consider whether the elements in the system may be mobile, and connect through different networks with different connectivity. They should also consider whether endpoints which are under their control, in terms of location and network connectivity, would always be under their control. In environments where mobility and user control are possible, a multiplicity of techniques is essential for reliability.

Each agent SHOULD "obtain" an active host candidate for each component of each TCP capable media stream on each interface that the host has. The agent does not have to actually allocate a port for these candidates. These candidates serve as a placeholder for the creation of the check lists.

Using each simultaneous-open and passive host TCP candidate as a base, the agent SHOULD obtain server reflexive candidates. In addition, the agent SHOULD choose, amongst all host TCP candidates for a component that have the same foundation (there will typically be two - a passive and simultaneous-open), one of those candidates, and from it, obtain two relayed candidates - one that will be simultaneous-open, and one that will be passive. Based on these rules, for each host TCP candidate, an agent will be seeking either a server reflexive candidate, or both a server reflexive and relayed candidate:

Once the Allocate or Binding request has completed, the agent MUST keep the TCP connection open until ICE processing has completed. See Section 1 (Implementation Considerations for BSD Sockets) for important implementation guidelines.

OPEN ISSUE: Do we really need S-O candidates from TURN servers? This would only be needed if there are NATs north of the TURN server.

If a media stream is UDP-based (such as RTP), an agent MAY use an additional host TCP candidate to request a UDP-based candidate from a TURN server. Usage of the UDP candidate from the TURN server follows the procedures defined in ICE for UDP candidates.

Each agent SHOULD "obtain" an active relayed candidate for each component of each TCP capable media stream on each interface that the host has. The agent does not have to actually allocate a port for these candidates from the relay at this time. These candidates serve as a placeholder for the creation of the check lists.

Like its UDP counterparts, TCP-based STUN transactions are paced out at one every Ta seconds. This pacing refers strictly to STUN transactions (both Binding and Allocate requests). If performance of the transaction requires establishment of a TCP connection, then the connection gets opened when the transaction is performed.



 TOC 

3.2.  Prioritization

The transport protocol itself is a criteria for choosing one candidate over another. If a particular media stream can run over UDP or TCP, the UDP candidates might be preferred over the TCP candidates. This allows ICE to use the lower latency UDP connectivity if it exists, but fallback to TCP if UDP doesn't work.

To accomplish this, the local preference SHOULD be defined as:


local-preference = (2^12)*(transport-pref) +
                   (2^9)*(direction-pref) +
                   (2^0)*(other-pref)

Transport-pref is the relative preference for candidates with this particular transport protocol (UDP or TCP), and direction-pref is the preference for candidates with this particular establishment directionality (active, passive, or simultaneous-open). Other-pref is used as a differentiator when two candidates would otherwise have identical local preferences.

Transport-pref MUST be between 0 and 15, with 15 being the most preferred. Direction-pref MUST be between 0 and 7, with 7 being the most preferred. Other-pref MUST be between 0 and 511, with 511 being the most preferred. For RTP-based media streams, it is RECOMMENDED that UDP have a transport-pref of 15 and TCP of 6. It is RECOMMENDED that, for all connection-oriented media, simultaneous-open candidates have a direction-pref of 7, active of 5 and passive of 2. If any two candidates have the same type-preference, transport-pref, and direction-pref, they MUST have a unique other-pref. With this specification, the only way that can happen is with multi-homed hosts, in which case other-pref is a preference amongst interfaces.



 TOC 

3.3.  Choosing Default Candidates

The default candidate is chosen primarily based on the likelihood of it working with a non-ICE peer. When media streams supporting mixed modes (both TCP and UDP) are used with ICE, it is RECOMMENDED that, for real-time streams (such as RTP), the default candidates be UDP-based. However, the default SHOULD NOT be the simultaneous-open candidate.

If a media stream is inherently TCP-based, the agent SHOULD NOT select the simultaneous-open candidate as default.



 TOC 

3.4.  Encoding the SDP

TCP-based candidates are encoded into a=candidate lines identically to the UDP encoding described in [I‑D.ietf‑mmusic‑ice] (Rosenberg, J., “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols,” October 2007.). However, the transport protocol is set to "tcp-so" for TCP simultaneous-open candidates, "tcp-act" for TCP active candidates, and "tcp-pass" for TCP passive candidates. The addr and port encoded into the candidate attribute for active candidates MUST be set to IP address that will be used for the attempt, but the port MUST be set to 9 (i.e., Discard). For active relayed candidates, the value for addr must be identical to the IP address of a passive or simultaneous-open candidate from the same TURN server.

If the default candidate is TCP, the agent MUST include the a=setup and a=connection attributes from RFC 4145 [RFC4145] (Yon, D. and G. Camarillo, “TCP-Based Media Transport in the Session Description Protocol (SDP),” September 2005.), following the procedures defined there as if ICE was not in use. Furthermore, the agent MUST select a default TCP candidate matching the type in the a=setup attribute. For example, if an agent selects its passive candidate as default in an offer, and the media stream utilizes RFC 4145, the agent MUST include an a=setup:passive attribute with a passive candidate, and the answerer would utilize an active candidate with the a=setup:active attribute. If the peer is not ICE capable, the agents will fall back to non-ICE processing of TCP connections, which is done based on RFC 4145.

If an agent is utilizing DTLS-SRTP [I‑D.ietf‑avt‑dtls‑srtp] (McGrew, D. and E. Rescorla, “Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP),” February 2009.), it MAY include a mix of UDP and TCP candidates. The SDP MUST be constructed as described in [I‑D.fischl‑mmusic‑sdp‑dtls] (Fischl, J. and H. Tschofenig, “Session Description Protocol (SDP) Indicators for Datagram Transport Layer Security (DTLS),” November 2007.), including the a=setup attribute. DTLS will be utilized irregardless of whether a TCP or UDP candidate is selected. If a TCP candidate is selected by ICE, the directionality attributes (a=setup) are utilized strictly to determine the direction of the DTLS handshake. Directionality of the TCP connection establishment are determined by the ICE attributes and procedures defined here. If an agent is securing media by running RTP over a TLS connection, it MUST NOT include UDP candidates. The SDP MUST be constructed as described in RFC 4572 [RFC4572] (Lennox, J., “Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP),” July 2006.) and MUST include the a=setup attribute in RFC 4145 [RFC4145] (Yon, D. and G. Camarillo, “TCP-Based Media Transport in the Session Description Protocol (SDP),” September 2005.). The directionality attributes (a=setup) are utilized strictly to determine the direction of the TLS handshake. Directionality of the TCP connection establishment are determined by the ICE attributes and procedures defined here.

OPEN ISSUE: The above paragraph assumes that DTLS-SRTP can also be run over TCP. Currently, that is not specified. It would need to be added. The alternative is that, depending on whether a TCP or UDP connection is selected, the next operation is either TLS with RTP, or DTLS with SRTP. This, however, is profoundly confusing and would have horrible interactions with SDPCap negotiation, since it bends layers. For ICE to be able to usefully select either TCP or UDP candidate, the processing of secure media should not vary based on UDP or TCP. Indeed, due to the RFC 4571 framing, DTLS-SRTP should happily run without any change. If we specify that, we should probably disallow RTP over TCP/TLS, since that would provide two ways of doing the same thing, and we might have interop problems.



 TOC 

4.  Receiving the Initial Offer



 TOC 

4.1.  Forming the Check Lists

When forming candidate pairs, the following types of candidates can be paired with each other:



Local             Remote
Candidate         Candidate
----------------------------
tcp-so           tcp-so
tcp-act          tcp-pass
tcp-pass         tcp-act

When the agent prunes the check list, it MUST also remove any pair for which the local candidate is tcp-pass.

The remainder of check list processing works like the UDP case.



 TOC 

5.  Connectivity Checks



 TOC 

5.1.  STUN Client Procedures



 TOC 

5.1.1.  Sending the Request

When an agent wants to send a TCP-based connectivity check, it first opens a TCP connection if none yet exists for the 5-tuple defined by the candidate pair for which the check is to be sent. This connection is opened from the local candidate of the pair to the remote candidate of the pair. If the local candidate is tcp-act, the agent MUST open a connection from the interface associated with that local candidate. This connection MUST be opened from an unallocated port. For host candidates, this is readily done by connecting from the candidates interface. For relayed candidates, the agent uses the procedures in [I‑D.ietf‑behave‑turn] (Rosenberg, J., Mahy, R., and P. Matthews, “Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN),” July 2009.) to initiate a new connection from the specified interface on the TURN server.

Once the connection is established, the agent MUST utilize the shim defined in RFC 4571 [RFC4571] (Lazzaro, J., “Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection-Oriented Transport,” July 2006.) for the duration this connection remains open. The STUN Binding requests and responses are sent ontop of this shim, so that the length field defined in RFC 4571 precedes each STUN message. If TLS or DTLS-SRTP is to be utilized for the media session, the TLS or DTLS-SRTP handshakes will take place ontop of this shim as well. However, they only once ICE processing has completed. In essence, the TLS or DTLS-SRTP handshakes are considered a part of the media protocol. STUN is never run within the TLS or DTLS-SRTP session.

If the TCP connection cannot be established, the check is considered to have failed, and a full-mode agent MUST update the pair state to Failed in the check list.

Once the connection is established, client procedures are identical to those for UDP candidates. Note that STUN responses received on an active TCP candidate will typically produce a remote peer reflexive candidate.



 TOC 

5.2.  STUN Server Procedures

An agent MUST be prepared to receive incoming TCP connection requests on any host or relayed TCP candidate that is simultaneous-open or passive. When the connection request is received, the agent MUST accept it. The agent MUST utilize the framing defined in RFC 4571 [RFC4571] (Lazzaro, J., “Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection-Oriented Transport,” July 2006.) for the lifetime of this connection. Due to this framing, the agent will receive data in discrete frames. Each frame can be media (such as RTP or SRTP), TLS, DLTS, and STUN packets. The STUN packets are extracted as described in Section 8.2 (Receiving Media).

Once the connection is established, STUN server procedures are identical to those for UDP candidates. Note that STUN requests received on a passive TCP candidate will typically produce a remote peer reflexive candidate.



 TOC 

6.  Concluding ICE Processing

If there are TCP candidates for a media stream, a controlling agent MUST use a regular selection algorithm.

When ICE processing for a media stream completes, each agent SHOULD close all TCP connections except the one between the candidate pairs selected by ICE.

These two rules are related; the closure of connection on completion of ICE implies that a regular selection algorithm has to be used. This is because aggressive selection might cause transient pairs to be selected. Once such a pair was selected, the agents would close the other connections, one of which may be about to be selected as a better choice. This race condition may result in TCP connections being accidentally closed for the pair that ICE selects.



 TOC 

7.  Subsequent Offer/Answer Exchanges



 TOC 

7.1.  ICE Restarts

If an ICE restart occurs for a media stream with TCP candidate pairs that have been selected by ICE, the agents MUST NOT close the connections after the restart. In the offer or answer that causes the restart, an agent MAY include a simultaneous-open candidate whose transport address matches the previously selected candidate. If both agents do this, the result will be a simultaneous-open candidate pair matching an existing TCP connection. In this case, the agents MUST NOT attempt to open a new connection (or start new TLS or DTLS-SRTP procedures). Instead, that existing connection is reused and STUN checks are performed.

Once the restart completes, if the selected pair does not match the previously selected pair, the TCP connection for the previously selected pair SHOULD be closed by the agent.



 TOC 

8.  Media Handling



 TOC 

8.1.  Sending Media

When sending media, if the selected candidate pair matches an existing TCP connection, that connection MUST be used for sending media.

The framing defined in RFC 4571 MUST be used when sending media. For media streams that are not RTP-based and do not normally use RFC 4571, the agent treats the media stream as a byte stream, and assumes that it has its own framing of some sort. It then takes an arbitrary number of bytes from the bytestream, and places that as a payload in the RFC 4571 frames, including the length. The recipient can extract the bytestream and apply the application-specific framing on it.

If TLS or DTLS-SRTP procedures are being utilized to protect the media stream, those procedures start at the point that media is permitted to flow, as defined in the ICE specification [I‑D.ietf‑mmusic‑ice] (Rosenberg, J., “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols,” October 2007.). The TLS or DTLS-SRTP handshakes occur ontop of the RFC 4571 shim, and are considered part of the media stream for purposes of this specification.



 TOC 

8.2.  Receiving Media

The framing defined in RFC 4571 MUST be used when receiving media. For media streams that are not RTP-based and do not normally use RFC 4571, the agent extracts the payload of each RFC 4571 frame, and determines if it is a STUN or an application layer data based on the procedures in ICE [I‑D.ietf‑mmusic‑ice] (Rosenberg, J., “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols,” October 2007.). If media is being protected with DTLS-SRTP, the DTLS, RTP and STUN packets are demultiplexed as described in Section 3.6.2 of draft-ietf-avt-dtls-srtp [I‑D.ietf‑avt‑dtls‑srtp] (McGrew, D. and E. Rescorla, “Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP),” February 2009.). If media is being protected with RTP over TLS, the TLS and STUN packets are demultiplexed by TBD.

OPEN ISSUE: With TLS, the demultiplexing would need to be done by lookign for the magic cookie. However due to TLS, the data in that position for a TLS frame will be random. So there is a 1 in 2^32 chance that this matches. We could do better in this particular case by switching from the RFC 4571 framing to the TURN framing, which includes a next-protocol field. This would make demux deterministic.

For non-STUN data, the agent appends this to the ongoing bytestream collected from the frames. It then parses the bytestream as if it had been directly received over the TCP connection. This allows for ICE-tcp to work without regard to the framing mechanism used by the application layer protocol.



 TOC 

9.  Connection Management



 TOC 

9.1.  Connections Formed During Connectivity Checks

Once a TCP or TCP/TLS connection is opened by ICE for the purpose of connectivity checks, its lifecycle depends on how it is used. If that candidate pair is selected by ICE for usage for media, an agent SHOULD keep the connection open until:

In these cases, the agent SHOULD close the connection when that event occurs.

If a connection has been selected by ICE, an agent MAY close it anyway. As described in the next paragraph, this will cause it to be reopened almost immediately, and in the interim media cannot be sent. Consequently, such closures have a negative effect and are NOT RECOMMENDED. However, there may be cases where an agent needs to close a connection for some reason.

If an agent needs to send media on the selected candidate pair, and its TCP connection has closed, either on purpose or due to some error, then:

If the TCP connection is established, the framing of RFC 4571 is utilized. If the agent opened the connection, it MUST send a STUN connectivity check. An agent MUST be prepared to receive a connectivity check over a connection it opened or accepted (note that this is true in general; ICE requires that an agent be prepared to receive a connectivity check at any time, even after ICE processing completes). If an agent receives a connectivity check after re-establishment of the connection, it MUST generate a triggered check over that connection in response if it has not already sent a check. Once an agent has sent a check and received a successful response, the connection is considered Valid and media can be sent (which includes a TLS or DTLS-SRTP session resumption or restart).

If the TCP connection cannot be established, the controlling agent SHOULD restart ICE for this media stream.



 TOC 

9.2.  Connections formed for Gathering Candidates

If the agent opened a connection to a STUN server for the purposes of gathering a server reflexive candidate, that connection SHOULD be closed by the client once ICE processing has completed. This happens irregardless of whether the candidate learned from the STUN server was selected by ICE.

If the agent opened a connection to a TURN server for the purposes of gathering a relayed candidate, that connection MUST be kept open by the client for the duration of the media session if:

Otherwise, the connection to the TURN server SHOULD be closed once ICE processing completes.

If, despite efforts of the client, a TCP connection to a TURN server fails during the lifetime of the media session, the client SHOULD reconnect to the TURN server, and using the procedures defined in TURN [I‑D.ietf‑behave‑turn] (Rosenberg, J., Mahy, R., and P. Matthews, “Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN),” July 2009.), request a move of the allocation to the new connection by including the previously allocated IP address and port int the Allocate request. Such a reconnection does not require an ICE restart or any signaling to the peer.



 TOC 

10.  Security Considerations

The main threat in ICE is hijacking of connections for the purposes of directing media streams to DoS targets or to malicious users. ICE-tcp prevents that by only using TCP connections that have been validated. Validation requires a STUN transaction to take place over the connection. This transaction cannot complete without both participants knowing a shared secret exchanged in the rendezvous protocol used with ICE, such as SIP. This shared secret, in turn, is protected by that protocol exchange. In the case of SIP, the usage of the sips mechanism is RECOMMENDED. When this is done, an attacker, even if it knows or can guess the port on which an agent is listening for incoming TCP connections, will not be able to open a connection and send media to the agent.

A more detailed analysis of this attack and the various ways ICE prevents it are described in [I‑D.ietf‑mmusic‑ice] (Rosenberg, J., “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols,” October 2007.). Those considerations apply to this specification.



 TOC 

11.  IANA Considerations

There are no IANA considerations associated with this specification.



 TOC 

12.  Acknowledgements

The authors would like to thank Tim Moore, Saikat Guha, Francois Audet and Roni Even for the reviews and input on this document.



 TOC 

13.  References



 TOC 

13.1. Normative References

[I-D.ietf-behave-rfc3489bis] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, “Session Traversal Utilities for (NAT) (STUN),” draft-ietf-behave-rfc3489bis-18 (work in progress), July 2008 (TXT).
[RFC3264] Rosenberg, J. and H. Schulzrinne, “An Offer/Answer Model with Session Description Protocol (SDP),” RFC 3264, June 2002 (TXT).
[RFC4145] Yon, D. and G. Camarillo, “TCP-Based Media Transport in the Session Description Protocol (SDP),” RFC 4145, September 2005 (TXT).
[RFC4571] Lazzaro, J., “Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection-Oriented Transport,” RFC 4571, July 2006 (TXT).
[RFC4572] Lennox, J., “Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP),” RFC 4572, July 2006 (TXT).
[I-D.ietf-mmusic-ice] Rosenberg, J., “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols,” draft-ietf-mmusic-ice-19 (work in progress), October 2007 (TXT).
[I-D.ietf-avt-dtls-srtp] McGrew, D. and E. Rescorla, “Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP),” draft-ietf-avt-dtls-srtp-07 (work in progress), February 2009 (TXT).
[I-D.fischl-mmusic-sdp-dtls] Fischl, J. and H. Tschofenig, “Session Description Protocol (SDP) Indicators for Datagram Transport Layer Security (DTLS),” draft-fischl-mmusic-sdp-dtls-04 (work in progress), November 2007 (TXT).
[I-D.ietf-behave-turn] Rosenberg, J., Mahy, R., and P. Matthews, “Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN),” draft-ietf-behave-turn-16 (work in progress), July 2009 (TXT).


 TOC 

13.2. Informative References

[I-D.ietf-behave-tcp] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, “NAT Behavioral Requirements for TCP,” draft-ietf-behave-tcp-08 (work in progress), September 2008 (TXT).
[I-D.ietf-simple-message-sessions] Campbell, B., “The Message Session Relay Protocol,” draft-ietf-simple-message-sessions-19 (work in progress), February 2007 (TXT).


 TOC 

1.  Implementation Considerations for BSD Sockets

This specification requires unusual handling of TCP connections, the implementation of which in traditional BSD socket APIs is non-trivial.

In particular, ICE requirs an agent to obtain a local TCP candidate, bound to a local IP and port, and then from that local port, initiate a TCP connection (to the STUN server, in order to obtain server reflexive candidates, or to the peer as part of a connectivity check), and be prepared to receive incoming TCP connections (for passive and simultaneous-open candidates). A "typical" BSD socket is used either for initiating or receiving connections, and not for both. The code required to allow incoming and outgoing connections on the same local IP and port is non-obvious. The following pseudocode, contributed by Saikat Guha, has been found to work on many platforms:


for i in 1 to MAX
   sock_i = socket()
   set(sock_i, SO_REUSEPORT)
   bind(sock_i, local)

listen(sock_0)
connect(sock_1, stun)
connect(sock_2, remote_a)
connect(sock_3, remote_b)

The key here is that, prior to the listen() call, the full set of sockets that need to be utilized for outgoing connections must be allocated and bound to the local IP address and port. This number, MAX, represents the maximum number of TCP connections to different destinations that might need to be established from the same local candidate. This number can be potentially large for simultaneous-open candidates. If a request forks, ICE procedures may take place with multiple peers. Furthermore, for each peer, connections would need to be established to each passive or simultaneous-open candidate for the same component. If we assume a worst case of 5 forked branches, and for each peer, five simultaneous-open candidates, that results in MAX=25. For a passive candidate, MAX is equal to the number of STUN servers, since the agent only initiates TCP connections on a passive candidate to its STUN server.



 TOC 

Author's Address

  Jonathan Rosenberg
  Cisco
  Edison, NJ
  US
Email:  jdrosen@cisco.com
URI:  http://www.jdrosen.net


 TOC 

Full Copyright Statement

Intellectual Property