[AVTCORE] STUN SHA-256 usage in WebRTC (ICE and TURN)
Philipp Hancke <philipp.hancke@googlemail.com> Wed, 29 April 2026 07:02 UTC
To: IETF AVTCore WG <avt@ietf.org>, tsvwg@ietf.org
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/xDvTCFWECi364DWeGF2aMLMvdwc>
(cross-posting between tsvwg and avtcore, we need to decide where it fits)

I recently looked into making WebRTC support sha256 message integrity for STUN/ICE.

My assumption was that this would be fairly trivial, send both sha-1 and sha-256 MI attributes, pick the stronger one after initial responses. Which is what
https://www.rfc-editor.org/rfc/rfc5389.html#section-16.3
describes.

However, RFC 8489, which specifies MI-256
https://www.rfc-editor.org/rfc/rfc8489#section-14.6
uses an attribute type 0x1c in the comprehension-required range
https://www.rfc-editor.org/rfc/rfc8489#section-18.3.2
which means the sender cannot send the attribute to "discover" (without risking a rejection and another round trip; nobody likes round trips).

Specifying an ice-option for this seems like a possible solution, but I did not see any attempt of describing one in the IANA registry:
https://www.iana.org/assignments/ice/ice.xhtml

I think the same problem applies to TURN. For WebRTC the solution might be to add a parameter to the TURN URL.

Thoughts?

Philipp
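
The comprehension-required issue raised in this message, as an added example (not code from the post, from WebRTC or from any STUN library): it builds a Binding request carrying both integrity attributes and runs it past a receiver that only knows a fixed set of attribute types. The receiver model (it applies the comprehension-required rule to every attribute in the request), the `LEGACY`/`MODERN` sets and the credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
USERNAME, MESSAGE_INTEGRITY, UNKNOWN_ATTRIBUTES = 0x0006, 0x0008, 0x000A
MESSAGE_INTEGRITY_SHA256 = 0x001C  # RFC 8489; below 0x8000, so comprehension-required

def attr(atype, value):
    """Encode one TLV attribute, padding the value to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

def build_request(txid, username, password, with_sha256):
    """Binding request with MESSAGE-INTEGRITY and, optionally, MI-SHA256 after it."""
    body = attr(USERNAME, username)
    for atype, algo, size in ((MESSAGE_INTEGRITY, hashlib.sha1, 20),
                              (MESSAGE_INTEGRITY_SHA256, hashlib.sha256, 32)):
        if atype == MESSAGE_INTEGRITY_SHA256 and not with_sha256:
            continue
        # HMAC input: header whose Length points at the end of this attribute,
        # followed by every attribute that precedes it.
        header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 4 + size, MAGIC_COOKIE) + txid
        body += attr(atype, hmac.new(password, header + body, algo).digest())
    return struct.pack("!HHI", BINDING_REQUEST, len(body), MAGIC_COOKIE) + txid + body

def parse_attrs(msg):
    """Yield (type, value) for each attribute after the 20-byte header."""
    pos, end = 20, 20 + struct.unpack("!H", msg[2:4])[0]
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        yield atype, msg[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (-alen % 4)

def receive(msg, known):
    """Hypothetical receiver: (420, UNKNOWN-ATTRIBUTES value) or (200, b'')."""
    unknown = [t for t, _ in parse_attrs(msg) if t < 0x8000 and t not in known]
    if unknown:
        return 420, b"".join(struct.pack("!H", t) for t in unknown)
    return 200, b""

# Constructed sample values, not taken from any real session.
TXID = bytes(range(12))
PASSWORD = b"constructed-ice-pwd"
LEGACY = {USERNAME, MESSAGE_INTEGRITY}        # assumed receiver without 0x001C
MODERN = LEGACY | {MESSAGE_INTEGRITY_SHA256}  # assumed receiver that knows 0x001C
PROBE = build_request(TXID, b"remote:local", PASSWORD, with_sha256=True)
SHA1_ONLY = build_request(TXID, b"remote:local", PASSWORD, with_sha256=False)
```

With these inputs, `receive(PROBE, LEGACY)` yields 420 with `0x001C` listed as unknown, while `SHA1_ONLY` is accepted by the same receiver; that difference is the extra round trip the message refers to.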