-
Notifications
You must be signed in to change notification settings - Fork 4
/
draft-ietf-ice-rfc5245bis.xml
5156 lines (4356 loc) · 202 KB
/
draft-ietf-ice-rfc5245bis.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc='yes'?>
<?rfc tocdepth='5'?>
<?rfc symrefs='yes'?>
<?rfc compact='yes'?>
<?rfc subcompact='no'?>
<rfc ipr="pre5378Trust200902" category="std" obsoletes="5245"
docName="draft-ietf-ice-rfc5245bis-latest"
>
<front>
<title abbrev="ICE">Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal</title>
<author fullname="Ari Keranen" initials="A." surname="Keranen">
<organization abbrev="Ericsson">Ericsson</organization>
<address>
<postal>
<street>Hirsalantie 11</street>
<city>02420 Jorvas</city>
<country>Finland</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Christer Holmberg" initials="C." surname="Holmberg">
<organization abbrev="Ericsson">Ericsson</organization>
<address>
<postal>
<street>Hirsalantie 11</street>
<city>02420 Jorvas</city>
<country>Finland</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author initials="J.R." surname="Rosenberg"
fullname="Jonathan Rosenberg">
<organization>jdrosen.net</organization>
<address>
<postal>
<street/>
<city>Monmouth</city> <region>NJ</region>
<country>US</country>
</postal>
<email>[email protected]</email>
<uri>http://www.jdrosen.net</uri>
</address>
</author>
<date year="2018" />
<area>ART</area>
<workgroup>ICE</workgroup>
<keyword>NAT</keyword>
<abstract>
<t>This document describes a protocol for Network Address
Translator (NAT) traversal for UDP-based communication. This
protocol is called Interactive Connectivity Establishment
(ICE). ICE makes use of the Session Traversal Utilities
for NAT (STUN) protocol and its extension, Traversal Using
Relay NAT (TURN).</t>
<t>This document obsoletes RFC 5245.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Protocols establishing communication sessions between peers typically
involve exchanging IP addresses and ports for the data sources and
sinks. However, this poses challenges when operated through Network Address
Translators (NATs) <xref target="RFC3235"/>. These protocols also seek to
create a data flow directly between participants, so that there is
no application layer intermediary between them. This is done to
reduce data latency, decrease packet loss, and reduce the
operational costs of deploying the application. However, this is
difficult to accomplish through NATs. A full treatment of the reasons
for this is beyond the scope of this specification. </t>
<t> Numerous solutions have been defined for allowing these protocols
to operate through NATs. These include Application Layer Gateways
(ALGs), the <xref target="RFC3303"> Middlebox Control Protocol</xref>,
the original <xref target="RFC3489">Simple Traversal of UDP Through
NAT (STUN)</xref> specification, and <xref target="RFC3102">Realm
Specific IP</xref> <xref target="RFC3103"/> along with session
description extensions needed to make them work, such as the Session
Description Protocol (SDP) <xref target="RFC4566"/> attribute for the
Real Time Control Protocol (RTCP) <xref
target="RFC3605"/>. Unfortunately, these techniques all have pros and
cons that make each one optimal in some network topologies, but a
poor choice in others. The result is that administrators and
implementers are making assumptions about the topologies of the
networks in which their solutions will be deployed. This introduces
complexity and brittleness into the system.</t>
<t> This specification defines Interactive Connectivity Establishment
(ICE) as a technique for NAT traversal for UDP-based data streams
(though ICE has been extended to handle other transport protocols,
such as TCP <xref target="RFC6544"/>). ICE works by exchanging a
multiplicity of IP addresses and ports which are then tested for
connectivity by peer-to-peer connectivity checks. The IP addresses and
ports are exchanged using ICE usage-specific mechanisms (e.g., including in a
offer/answer exchange) and the connectivity checks are performed using
STUN <xref target="RFC5389"/>. ICE also makes use of Traversal Using Relays
around NAT (TURN) <xref target="RFC5766"/>, an extension to STUN.
Because ICE exchanges a multiplicity of IP addresses and ports for each media
stream, it also allows for address selection for multihomed and dual-
stack hosts. For this reason, RFC 5245 <xref target="RFC5245"/> deprecated
the solutions previously defined in RFC 4091 <xref target="RFC4091"/> and
RFC 4092 <xref target="RFC4092"/>.
</t>
<t> <xref target="sec-designmotivations"/> provides background information and
motivations regarding the design decisions that were made when designing ICE.
</t>
</section>
<section title="Overview of ICE">
<t> In a typical ICE deployment, there are two endpoints (ICE agents)
that want to communicate. Note that ICE is not intended for NAT traversal
for the signaling protocol, which is assumed to be provided via another mechanism.
ICE assumes that the agents are able to establish a signaling connection between
each other.
</t>
<t>
Initially, the agents are ignorant of their own topologies. In particular, the
agents may or may not be behind NATs (or multiple tiers of NATs). ICE allows the
agents to discover enough information about their topologies to potentially find
one or more paths by which they can establish a data session.
</t>
<t>
<xref target="fig-ice-ref-arch"/> shows a typical ICE deployment. The agents are
labelled L and R. Both L and R are behind their own respective NATs though they may
not be aware of it. The type of NAT and its properties are also unknown. L and R
are capable of engaging in a candidate exchange process, whose purpose is to set
up a data session between L and R. Typically, this exchange will
occur through a signaling server (e.g., SIP proxy).
</t>
<t>
In addition to the agents, a signaling server, and NATs, ICE is
typically used in concert with STUN or TURN servers in the
network. Each agent can have its own STUN or TURN server, or they can
be the same.
</t>
<figure title="ICE Deployment Scenario" anchor="fig-ice-ref-arch"
align="center"><artwork>
<![CDATA[
+---------+
+--------+ |Signaling| +--------+
| STUN | |Server | | STUN |
| Server | +---------+ | Server |
+--------+ / \ +--------+
/ \
/ \
/ <- Signaling -> \
/ \
+--------+ +--------+
| NAT | | NAT |
+--------+ +--------+
/ \
/ \
+-------+ +-------+
| Agent | | Agent |
| L | | R |
+-------+ +-------+
]]></artwork></figure>
<t>The basic idea behind ICE is as follows: each agent has a variety
of candidate transport addresses (combination of IP address and port
for a particular transport protocol, which is always UDP in this
specification) it could use to communicate with the other agent. These
might include:
<list style="symbols">
<t>A transport address on a directly attached network interface</t>
<t>A translated transport address on the public side of a NAT (a "server
reflexive" address)</t>
<t>A transport address allocated from a TURN server (a "relayed
address")</t>
</list>
</t>
<t>
Potentially, any of L's candidate transport addresses can be used to
communicate with any of R's candidate transport addresses. In
practice, however, many combinations will not work. For instance, if L
and R are both behind NATs, their directly attached interface
addresses are unlikely to be able to communicate directly (this is why
ICE is needed, after all!). The purpose of ICE is to discover which
pairs of addresses will work. The way that ICE does this is to
systematically try all possible pairs (in a carefully sorted order)
until it finds one or more that work.
</t>
<section title="Gathering Candidates">
<t>
In order to execute ICE, an ICE agent identifies and gathers one or more
address candidates. A candidate has a transport address -- a combination of IP
address and port for a particular transport protocol (with only UDP
specified here). There are different types of candidates, some
derived from physical or logical network interfaces, others
discoverable via STUN and TURN.
</t>
<t>
The first category of candidates are those with a transport address obtained directly
from a local interface. Such a candidate is called a host candidate.
The local interface could be Ethernet or WiFi, or it could be one that
is obtained through a tunnel mechanism, such as a Virtual Private Network
(VPN) or Mobile IP (MIP). In all cases, such a network interface appears
to the agent as a local interface from which ports (and thus candidates)
can be allocated.
</t>
<t> Next, the agent uses STUN or TURN to obtain additional
candidates. These come in two flavors: translated addresses on the
public side of a NAT (server reflexive candidates) and addresses on
TURN servers (relayed candidates). When TURN servers are utilized,
both types of candidates are obtained from the TURN server. If only
STUN servers are utilized, only server reflexive candidates are
obtained from them. The relationship of these candidates to the host
candidate is shown in <xref target="fig-address-types"/>. In this
figure, both types of candidates are discovered using TURN. In the
figure, the notation X:x means IP address X and UDP port x.
</t>
<figure title="Candidate Relationships" anchor="fig-address-types">
<artwork>
<![CDATA[
To Internet
|
|
| /------------ Relayed
Y:y | / Address
+--------+
| |
| TURN |
| Server |
| |
+--------+
|
|
| /------------ Server
X1':x1'|/ Reflexive
+------------+ Address
| NAT |
+------------+
|
| /------------ Local
X:x |/ Address
+--------+
| |
| Agent |
| |
+--------+
]]></artwork></figure>
<t> When the agent sends a TURN Allocate request from IP address and
port X:x, the NAT (assuming there is one) will create a binding
X1':x1', mapping this server reflexive candidate to the host candidate
X:x. Outgoing packets sent from the host candidate will be translated
by the NAT to the server reflexive candidate. Incoming packets sent
to the server reflexive candidate will be translated by the NAT to the
host candidate and forwarded to the agent. The host candidate
associated with a given server reflexive candidate is the BASE.
</t>
<t><list style="empty">
<t>Note: "Base" refers to the address an agent sends from for a particular
candidate. Thus, as a degenerate case, host candidates also have a base,
but it's the same as the host candidate.
</t></list></t>
<t>
When there are multiple NATs between the agent and the TURN server,
the TURN request will create a binding on each NAT, but only the
outermost server reflexive candidate (the one nearest the TURN server)
will be discovered by the agent. If the agent is not behind a NAT,
then the base candidate will be the same as the server reflexive
candidate and the server reflexive candidate is redundant and will be
eliminated.
</t>
<t>
The Allocate request then arrives at the TURN server. The TURN server
allocates a port y from its local IP address Y, and generates an
Allocate response, informing the agent of this relayed candidate. The
TURN server also informs the agent of the server reflexive candidate,
X1':x1' by copying the source transport address of the Allocate
request into the Allocate response. The TURN server acts as a packet
relay, forwarding traffic between L and R. In order to send traffic to
L, R sends traffic to the TURN server at Y:y, and the TURN server
forwards that to X1':x1', which passes through the NAT where it is
mapped to X:x and delivered to L.
</t>
<t>
When only STUN servers are utilized, the agent sends a STUN Binding
request <xref target="RFC5389"/> to its STUN server. The STUN server
will inform the agent of the server reflexive candidate X1':x1' by
copying the source transport address of the Binding request into the
Binding response.
</t>
</section>
<section title="Connectivity Checks">
<t>
Once L has gathered all of its candidates, it orders them in highest
to lowest-priority and sends them to R over the signaling
channel. When R receives the candidates from L, it performs the same
gathering process and responds with its own list of candidates. At the
end of this process, each ICE agent has a complete list of both its
candidates and its peer's candidates. It pairs them up, resulting in
candidate pairs. To see which pairs work, each agent schedules a
series of connectivity checks. Each check is a STUN request/response transaction
that the client will perform on a particular candidate pair by sending
a STUN request from the local candidate to the remote candidate.
</t>
<t>
The basic principle of the connectivity checks is simple:
<list style="numbers">
<t>Sort the candidate pairs in priority order.</t>
<t>Send checks on each candidate pair in priority order.</t>
<t>Acknowledge checks received from the other agent.</t>
</list>
With both agents performing a check on a candidate pair, the result is
a 4-way handshake:
</t>
<figure title="Basic Connectivity Check"
anchor="fig:connectivity-checks" align="center"><artwork>
<![CDATA[
L R
- -
STUN request -> \ L's
<- STUN response / check
<- STUN request \ R's
STUN response -> / check
]]></artwork></figure>
<t>
It is important to note that the STUN requests are sent to and from
the exact same IP addresses and ports that will be used for data
(e.g., RTP, RTCP, or other protocols). Consequently, agents
demultiplex STUN and data using the contents of the packets, rather
than the port on which they are received.
</t>
<t>
Because a STUN Binding request is used for the connectivity check, the
STUN Binding response will contain the agent's translated transport
address on the public side of any NATs between the agent and its
peer. If this transport address is different from that of other candidates the
agent already learned, it represents a new candidate (peer reflexive candidate),
which then gets tested by ICE just the same as any other candidate.
</t>
<t>
Because the algorithm above searches all candidate pairs, if a working
pair exists it will eventually find it no matter what order the
candidates are tried in. In order to produce faster (and better)
results, the candidates are sorted in a specified order. The resulting
list of sorted candidate pairs is called the check list.
</t>
<t>
The agent works through the check list by sending a STUN request for
the next candidate pair on the list periodically. These are called
"ordinary checks". When a STUN transaction succeeds, one or more
candidate pairs will become so called valid pairs, and will be added
to a candidate pair list called the valid list.
</t>
<t>
As an optimization, as soon as R gets L's check message, R schedules
a connectivity check message to be sent to L on the same candidate
pair. This is called a "triggered check", and accelerates the process
of finding valid pairs.
</t>
<t>
At the end of this handshake, both L and R know that they can
send (and receive) messages end-to-end in both directions.
</t>
<t>
In general, the priority algorithm is designed so that candidates of
similar type get similar priorities and so that more direct routes
(that is, routes without data relays or NATs) are preferred over
indirect routes (routes with data relays or NATs).
Within those guidelines, however, agents have a fair amount of
discretion about how to tune their algorithms.
</t>
<t>
A data stream might consist of multiple components (pieces of a data
stream that require their own set of candidates, e.g., RTP and RTCP).
</t>
</section>
<section title="Nominating Candidate Pairs And Concluding ICE">
<t>
ICE assigns one of the ICE agents in the role of the
controlling agent, and the other of the controlled agent. For each
component of a data stream, the controlling agent nominates
a valid pair (from the valid list) to be used for data.
The exact timing of the nomination is based on local policy.
</t>
<t>
When nominating, the controlling agent lets the checks continue
until at least one valid pair for each component of a
data stream is found and then picks a valid pair and sends a
STUN request on the valid pair, using an attribute
to indicate to the controlled peer that it has nominated the pair.
This is shown in <xref target="fig-regular-select"/>.
</t>
<figure title="Nomination"
anchor="fig-regular-select" align="center"><artwork>
<![CDATA[
L R
- -
STUN request -> \ L's
<- STUN response / check
<- STUN request \ R's
STUN response -> / check
STUN request + attribute -> \ L's
<- STUN response / check
]]></artwork></figure>
<t>
Once the controlled agent receives the STUN request with the attribute, it
will check (unless the check has already been done) the same pair.
If the transactions above succeed, the agents will set the nominated flag
for the pairs, and will cancel any future checks for that component
of the data stream. Once an agent has set the nominated flag for each component
of a data stream, the pairs become the selected pairs. After that, only the selected
pairs will be used for sending and receiving data associated with that data stream.
</t>
</section>
<section title="ICE Restart">
<t>
Once ICE is concluded, it can be restarted at any time for one or all
of the data streams by either ICE agent. This is done by sending updated
candidate information indicating a restart.
</t>
</section>
<section title="Lite Implementations">
<t>
Certain ICE agents will always be connected to the public
Internet and have a public IP address at which it can receive packets
from any correspondent. To make it easier for these devices to support
ICE, ICE defines a special type of implementation called lite (in
contrast to the normal full implementation). Lite agents only use
host candidates and do not generate connectivity checks or run
the state machines, though they need to be able to respond to
connectivity checks.
</t>
</section>
</section>
<section title="ICE Usage">
<t>This document specifies generic use of ICE with protocols that
provide means to exchange candidate information between the ICE agents.
The specific details (i.e., how to encode candidate information and
the actual candidate exchange process) for different protocols
using ICE (referred to as "using protocol") are described in separate
usage documents.
</t>
<t>
One mechanism for agents to exchange the candidate information by using
<xref target="RFC3264"/> based Offer/Answer semantics as part of the SIP
<xref target="RFC3261"/> protocol <xref target="I-D.ietf-mmusic-ice-sip-sdp"/>.
</t>
<t>
<xref target="RFC7825"/> defines an ICE usage for the Real-Time Streaming
Protocol (RTSP). Note, however, that the ICE usage is based on RFC 5245.
</t>
</section>
<section title="Terminology">
<t> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as described in
<xref target="RFC2119">RFC 2119</xref>. </t>
<t>
Readers need to be familiar with the terminology defined in
<xref target="RFC5389"/>, and NAT Behavioral requirements
for UDP <xref target="RFC4787"/>.
</t>
<t>
This specification makes use of the following additional terminology:
</t>
<t><list style="hanging">
<t hangText="ICE Session:">
An ICE session consists of all ICE-related actions starting with the
candidate gathering, followed by the interactions (candidate exchange,
connectivity checks, nominations and keepalives) between the ICE agents
until all the candidates are released or ICE restart is triggered.</t>
<t hangText="ICE Agent, Agent:">
An ICE agent (sometimes simply referred to as an agent) is the protocol
implementation involved in the ICE candidate exchange. There are two agents
involved in a typical candidate exchange. </t>
<t hangText= "Initiating Peer, Initiating Agent, Initiator:">
An initiating agent is an ICE agent that initiates the ICE candidate exchange
process. </t>
<t hangText="Responding Peer, Responding Agent, Responder:">
A responding agent is an ICE agent that receives
and responds to the candidate exchange process initiated by the
initiating agent. </t>
<t hangText="ICE Candidate Exchange, Candidate Exchange:">
The process where the ICE agents exchange information (e.g.,
candidates and passwords) that is needed to perform ICE. <xref
target="RFC3264"/> Offer/Answer with SDP encoding is one example of a
protocol that can be used for exchanging the candidate
information. </t>
<t hangText="Peer:">
From the perspective of one of the ICE agents in a session, its peer is
the other agent. Specifically, from the perspective of the initiating
agent, the peer is the responding agent. From the perspective of the
responding agent, the peer is the initiating agent. </t>
<t hangText="Transport Address:"> The combination of an IP address and
transport protocol (such as UDP or TCP) port.</t>
<t hangText="Data, Data Stream, Data Session:"> When ICE is used to
setup data sessions, the data is transported using some protocol.
Media is usually transported over RTP,
composed of a stream of RTP packets. Data session refers to data packets
that are exchanged between the peer on the path created and tested with ICE.</t>
<t hangText="Candidate, Candidate Information:"> A transport address
that is a potential point of contact for receipt of data. Candidates
also have properties -- their type (server reflexive, relayed, or
host), priority, foundation, and base.
</t>
<t hangText="Component:"> A component is a piece of a data stream.
A data stream may require multiple components, each of which has to
work in order for the data stream as a whole to work. For RTP/RTCP data streams,
unless RTP and RTCP are multiplexed in the same port, there
are two components per data stream -- one for RTP, and one for RTCP.
A component has a candidate pair, which cannot be used by other components.</t>
<t hangText="Host Candidate:"> A candidate obtained by binding to a
specific port from an IP address on the host. This includes IP
addresses on physical interfaces and logical ones, such as ones
obtained through Virtual Private Networks (VPNs).
</t>
<t hangText="Server Reflexive Candidate:"> A candidate whose IP
address and port are a binding allocated by a NAT for an ICE agent when it
sent a packet through the NAT to a server, such as a STUN server.
</t>
<t hangText="Peer Reflexive Candidate:"> A candidate whose IP
address and port are a binding allocated by a NAT for an ICE agent when it
sent a packet through the NAT to its peer.
</t>
<t hangText="Relayed Candidate:"> A candidate obtained from a relay
server, such as a TURN server.
</t>
<t hangText="Base:"> The transport address that an ICE agent sends from
for a particular candidate. For host, server reflexive and peer reflexive
candidates the base is the same as the host candidate. For relayed
candidates the base is the same as the relayed candidate (i.e.,
the transport address used by the TURN server to send from).
</t>
<t hangText="Related Address and Port:">
A transport address related to a candidate, useful for diagnostics and other purposes.
If a candidate is server or peer reflexive, the related address and port is equal to the base
for that server or peer reflexive candidate. If the candidate is relayed, the related address
and port is equal to the mapped address in the Allocate response that provided the client
with that relayed candidate. If the candidate is a host candidate, the related address and port
is identical to the host candidate.
</t>
<t hangText="Foundation:"> An arbitrary string used in the freezing
algorithm to group similar candidates. Is the same for two candidates
that have the same type, base IP address, protocol (UDP, TCP, etc.),
and STUN or TURN server. If any of these are different, then the
foundation will be different.
</t>
<t hangText="Local Candidate:">A candidate that an ICE agent has obtained
and may send to its peer.
</t>
<t hangText="Remote Candidate:">A candidate that an ICE agent received
from its peer.
</t>
<t hangText="Default Destination/Candidate:"> The default destination
for a component of a data stream is the transport address that would
be used by an ICE agent that is not ICE-aware. A default candidate for a
component is one whose transport address matches the default
destination for that component.
</t>
<t hangText="Candidate Pair:"> A pair of a local candidate
and a remote candidate.
</t>
<t hangText="Check, Connectivity Check, STUN Check:"> A STUN Binding
request for the purposes of verifying connectivity. A
check is sent from the base of the local candidate
to the remote candidate of a candidate pair.
</t>
<t hangText="Check List:"> An ordered set of candidate pairs that an
ICE agent will use to generate checks.
</t>
<t hangText="Ordinary Check:"> A connectivity check generated by an
ICE agent as a consequence of a timer that fires periodically, instructing
it to send a check.
</t>
<t hangText="Triggered Check:"> A connectivity check generated as a
consequence of the receipt of a connectivity check from the peer.
</t>
<t hangText="Valid Pair:"> A candidate pair whose
local candidate equals the mapped address of a successful connectivity
check response, and whose remote candidate equals the destination address to
which the connectivity check request was sent.
</t>
<t hangText="Valid List:"> An ordered set of candidate pairs for a
data stream that have been validated by a successful STUN
transaction.
</t>
<t hangText="Check List Set:"> The ordered list of all check lists.
The order is determined by each ICE usage.
</t>
<t hangText="Full Implementation:"> An ICE implementation that
performs the complete set of functionality defined by this
specification.
</t>
<t hangText="Lite Implementation:"> An ICE implementation that omits certain
functions, implementing only as much as is necessary for a peer
implementation that is full to gain the benefits of ICE. Lite
implementations do not maintain any of the state machines and do not
generate connectivity checks.
</t>
<t hangText="Controlling Agent:"> The ICE agent that nominates a
candidate pair. In any session, one agent is always controlling. The
other is the controlled agent.
</t>
<t hangText="Controlled Agent:"> The ICE agent that waits for the
controlling agent to nominate a candidate pair.
</t>
<t hangText="Nomination:"> The process of the controlling agent
indicating to the controlled agent which candidate pair the ICE
agents will use for sending and receiving data. The nomination
process defined in this specification was referred to "regular nomination"
in RFC 5245. The nomination process that was referred
to "aggressive nomination" in RFC 5245 has been deprecated in
this specification.
</t>
<t hangText="Nominated, Nominated Flag:"> Once the nomination of a
candidate pair has succeeded, the candidate pair has become nominated,
and the value of its nominated flag is set to true.
</t>
<t hangText="Selected Pair, Selected Candidate Pair:"> The candidate
pair used for sending and receiving data for a component of a data stream is
referred to as the selected pair. Before selected pairs have been produced for a data stream,
any valid pair associated with a component of a data stream
can be used for sending and receiving data for the component.
Once there are nominated pairs for each component of a data
stream, the nominated pairs become the selected pairs for the data stream.
The candidates associated with the selected pairs are referred to as selected candidates.
</t>
<t hangText="Using Protocol, ICE Usage:"> The protocol that uses ICE
for NAT traversal. A usage specification defines the protocol-specific
details on how the procedures defined here are applied to that
protocol. </t>
<t hangText="Timer Ta:"> The timer for generating new STUN or TURN transactions.</t>
<t hangText="Timer RTO (Retransmission Timout):"> The retransmission timer for a given STUN or TURN transaction.</t>
</list></t>
</section>
<section anchor="sec-gathering_exchange" title="ICE Candidate Gathering and Exchange">
<t>
As part of ICE processing, both the initiating and responding agents
gather candidates, prioritize and eliminate redundant candidates,
and exchange candidate information with the peer as defined by the
Usage Protocol (ICE Usage). Specifics of the candidate encoding
mechanism and the semantics of candidate information exchange is out
of scope of this specification.
</t>
<section anchor="sec-full-impl-reqs" title="Full Implementation">
<section anchor="sec-gathering" title="Gathering Candidates">
<t>
An ICE agent gathers candidates when it believes that communication is
imminent. An initiating agent can do this based on a user interface
cue, or based on an explicit request to initiate a session. Every
candidate has a transport address. It also has a type and a base.
Four types are defined and gathered by this specification -- host
candidates, server reflexive candidates, peer reflexive candidates,
and relayed candidates. The server reflexive candidates are gathered
using STUN or TURN, and relayed candidates are obtained through TURN.
Peer reflexive candidates are obtained in later phases of ICE, as a
consequence of connectivity checks.
</t>
<t>
The process for gathering candidates at the responding agent is
identical to the process for the initiating agent. It is RECOMMENDED
that the responding agent begins this process immediately on receipt
of the candidate information, prior to alerting the user of the
application associated with the ICE session.
</t>
<section title="Host Candidates">
<t> Host candidates are obtained by binding to ports on an IP address
attached to an interface (physical or virtual, including VPN
interfaces) on the host.
</t>
<t>For each component of each data stream the ICE agent wishes to use,
the agent SHOULD obtain a candidate on each IP address that the host
has, with the exceptions listed below. The agent
obtains each candidate by binding to a UDP port on the specific IP
address. A host candidate (and indeed every candidate) is always
associated with a specific component for which it is a candidate. </t>
<t> Each component has an ID assigned to it, called the component ID.
For RTP/RTCP data streams, unless both RTP and RTCP are multiplexed
in the same UDP port (RTP/RTCP multiplexing), the RTP itself has a
component ID of 1, and RTCP a component ID of 2. In case of RTP/RTCP
multiplexing, a component ID of 1 is used for both RTP and RTCP.</t>
<t>When candidates are obtained, unless the agent knows for sure that
RTP/RTCP multiplexing will be used (i.e., the agent knows that the
other agent also supports, and is willing to use, RTP/RTCP
multiplexing), or unless the agent only supports RTP/RTCP
multiplexing, the agent MUST obtain a separate candidate for RTCP. If
an agent has obtained a candidate for RTCP, and ends up using RTP/RTCP
multiplexing, the agent does not need to perform connectivity checks
on the RTCP candidate. Absence of a component ID 2 as such does not
imply use of RTCP/RTP multiplexing, as it could also mean that RTCP is
not used. </t>
<t>If an agent is using separate candidates for RTP and RTCP, it will
end up with 2*K host candidates if an agent has K IP addresses.</t>
<t>Note that the responding agent, when obtaining its candidates, will
typically know if the other agent supports RTP/RTCP multiplexing, in
which case it will not need to obtain a separate candidate for
RTCP. However, absence of a component ID 2 as such does not imply use
of RTCP/RTP multiplexing, as it could also mean that RTCP is not
used. </t>
<t> For uses other than RTP/RTCP streams, use of multiple components is
discouraged, since using them increases the complexity of ICE
processing. If multiple components are needed, the component IDs
SHOULD start with 1 and increase by 1 for each component.
</t>
<t>
The base for each host candidate is set to the candidate itself.
</t>
<t> The host candidates are gathered from all IP addresses with the
following exceptions:
<list style="symbols">
<t> Addresses from a loopback interface MUST NOT be included in
the candidate addresses. </t>
<t> Deprecated IPv4-compatible IPv6 addresses <xref
target="RFC4291"/> and IPv6 site-local unicast addresses <xref
target="RFC3879"/> MUST NOT be included in the address
candidates. </t>
<t> IPv4-mapped IPv6 addresses SHOULD NOT be included in the
address candidates unless the application using ICE does not
support IPv4 (i.e., is an IPv6-only application <xref
target="RFC4038"/>). </t>
<t>
If one or more host candidates corresponding to an IPv6 address
generated using a mechanism that prevents location tracking
<xref target="RFC7721"/> are gathered, host candidates corresponding to IPv6
addresses that do allow location tracking that are configured on
the same interface and are part of the same network prefix MUST
NOT be gathered. Similarly, when host candidates corresponding
to an IPv6 address generated using a mechanism that prevents
location tracking are gathered, then host candidates corresponding
to IPv6 link-local addresses <xref target="RFC4291"/> MUST NOT be gathered.
</t>
</list>
</t>
<t>The IPv6 default address selection specification <xref target="RFC6724"/>
specifies that temporary addresses <xref target="RFC4941"/> are to be
preferred over permanent addresses.</t>
</section>
<section title="Server Reflexive and Relayed Candidates">
<t>
An ICE agent SHOULD gather server reflexive and relayed candidates.
However, use of STUN and TURN servers may be unnecessary in certain networks
and use of TURN servers may be expensive, so some deployments may
elect not to use them. If an agent does not gather server reflexive
or relayed candidates, it is RECOMMENDED that the functionality be
implemented and just disabled through configuration, so that it can be
re-enabled through configuration if conditions change in the future.
</t>
<t>
The agent pairs each host candidate with the STUN or TURN servers
with which it is configured or has discovered by some means.
It is RECOMMENDED that a domain name be
configured, and the DNS procedures in <xref target="RFC5389"/> (using
SRV records with the "stun" service) be used to discover the STUN
server, and the DNS procedures in <xref target="RFC5766"/> (using SRV
records with the "turn" service) be used to discover the TURN server.
</t>
<t>
When multiple STUN or TURN servers are available (or when they are
learned through DNS records and multiple results are returned), the
agent MAY gather candidates for all of them and SHOULD gather
candidates for at least one of them (one STUN server and one TURN
server). It does so by pairing host candidates with STUN or TURN
servers and, for each pair, the agent sends a Binding or Allocate
request to the server from the host candidate. Binding requests to a
STUN server are not authenticated, and any ALTERNATE-SERVER attribute
in a response is ignored. Agents MUST support the backwards
compatibility mode for the Binding request defined in <xref
target="RFC5389"/>. Allocate requests SHOULD be authenticated using a
long-term credential obtained by the client through some other means.
</t>
<t>
The gathering process is controlled using a timer, Ta.
Every time Ta expires the agent can generate another new
STUN or TURN transaction. This transaction can either be a retry of a
previous transaction that failed with a recoverable error (such as
authentication failure), or a transaction for a new host candidate and
STUN or TURN server pair. The agent SHOULD NOT generate transactions
more frequently than one every time Ta expires. See <xref
target="sec-ta"/> for guidance on how to set Ta and the STUN
retransmit timer, RTO.
</t>
<t>The agent will receive a Binding or Allocate response. A successful
Allocate response will provide the agent with a server reflexive
candidate (obtained from the mapped address) and a relayed candidate
in the XOR-RELAYED-ADDRESS attribute. If the Allocate request is
rejected because the server lacks resources to fulfill it, the agent
SHOULD instead send a Binding request to obtain a server reflexive
candidate. A Binding response will provide the agent with only a
server reflexive candidate (also obtained from the mapped
address). The base of the server reflexive candidate is the host
candidate from which the Allocate or Binding request was sent. The
base of a relayed candidate is that candidate itself. If a relayed
candidate is identical to a host candidate (which can happen in rare
cases), the relayed candidate MUST be discarded.
</t>
<t>
If an IPv6-only agent is in a network that utilizes NAT64 <xref
target="RFC6146"/> and DNS64 <xref target="RFC6147"/> technologies, it
may also gather IPv4 server reflexive and/or relayed candidates from
IPv4-only STUN or TURN servers. IPv6-only agents SHOULD also utilize
IPv6 prefix discovery <xref target="RFC7050"/> to discover the IPv6
prefix used by NAT64 (if any) and generate server reflexive candidates
for each IPv6-only interface accordingly. The NAT64 server reflexive
candidates are prioritized like IPv4 server reflexive candidates.
</t>
</section>
<section anchor="sec-computing-foundations" title="Computing Foundations">
<t>
The ICE agent assigns each candidate a foundation. Two candidates
have the same foundation when all of the following are true:
</t>
<t><list style="symbols">
<t>They have the same type (host, relayed,
server reflexive, or peer reflexive).</t>
<t>Their bases have the
same IP address (the ports can be different).</t>
<t>For reflexive and relayed candidates, the STUN or TURN servers used
to obtain them have the same IP address (the IP address used by the
agent to contact the STUN or TURN server).
</t>
<t>They were obtained using the same transport protocol (TCP, UDP).
</t>
</list></t>
<t> Similarly, two candidates have different foundations if their
types are different, their bases have different IP addresses, the STUN
or TURN servers used to obtain them have different IP addresses
(the IP addresses used by the agent to contact the STUN or TURN server),
or their transport protocols are different.
</t>
</section>
<section title="Keeping Candidates Alive">
<t>
Once server reflexive and relayed candidates are allocated, they MUST
be kept alive until ICE processing has completed, as described in
<xref target="sec-freeing"/>. For server reflexive candidates learned
through a Binding request, the bindings MUST be kept alive by
additional Binding requests to the server. Refreshes for allocations
are done using the Refresh transaction, as described in <xref
target="RFC5766"/>. The Refresh requests will also refresh the server
reflexive candidate.
</t>
<t>
Host candidates do not time out, but the candidate addresses may
change or disappear for a number of reasons. An ICE agent SHOULD
monitor the interfaces it uses, invalidate candidates whose base has
gone away, and acquire new candidates as appropriate when new
IP addresses (on new or currently used interfaces) appear.
</t>
</section>
<!-- end gathering -->
</section>
<section anchor="sec-prioritizing" title="Prioritizing Candidates">
<t>
The prioritization process results in the assignment of a priority to