Re: [MMUSIC] FQDN support in ice-sip-sdp

Christer Holmberg <> Mon, 15 April 2019 08:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4B3E3120140 for <>; Mon, 15 Apr 2019 01:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6-mO1ymyFb6l for <>; Mon, 15 Apr 2019 01:13:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A8AEE1200C3 for <>; Mon, 15 Apr 2019 01:13:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MQ11ZvPtAf3R17AbWlSgrk2qu2szac3SsDHYIz5NuP4=; b=cLwiUhArHq0fb1HLrtvskhndeUSXUmlSczviMd+sDQUNprRsmM7HFoHzsB/zTqBChWaJdFz7xamplhJs4P3r6byjz+8vGZWVsvWiRe/MNJITYegsuUl6O25N7l0s/Ezkdil2o7fUysIxh7k6zSYE4x4silcEuKhgXXexk5lUieo=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.9; Mon, 15 Apr 2019 08:13:22 +0000
Received: from ([fe80::747a:900a:3053:2184]) by ([fe80::747a:900a:3053:2184%2]) with mapi id 15.20.1813.009; Mon, 15 Apr 2019 08:13:22 +0000
From: Christer Holmberg <>
To: Roman Shpount <>
CC: Flemming Andreasen <>, mmusic WG <>
Thread-Topic: [MMUSIC] FQDN support in ice-sip-sdp
Date: Mon, 15 Apr 2019 08:13:22 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6424e401-9163-4b10-7d3e-08d6c17a3a2b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600140)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB3178;
x-ms-traffictypediagnostic: HE1PR07MB3178:
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 000800954F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(396003)(136003)(366004)(39860400002)(199004)(189003)(99286004)(478600001)(5660300002)(14454004)(14444005)(256004)(83716004)(25786009)(71200400001)(44832011)(476003)(7736002)(93886005)(82746002)(6512007)(305945005)(186003)(2906002)(102836004)(71190400001)(53936002)(26005)(33656002)(2616005)(486006)(54906003)(58126008)(316002)(66066001)(11346002)(446003)(8936002)(106356001)(86362001)(76176011)(6506007)(6246003)(97736004)(6486002)(36756003)(6436002)(105586002)(81156014)(81166006)(6916009)(4326008)(229853002)(68736007)(3846002)(8676002)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3178;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: frF9avUqzg07JJXIwAjtcb8KeoZk3YqDDvMnQBWlP3c2/ym8QthYS38KNC8wB6YVh8Aow3UNuRhmLCT+o+oNEj/dziaxj4tMDOQC+bqcYrkPJU2wtltZTf6wrGXuxfZA8YVKc1gth1tF3p+OIwKn38eTxnSjQbYddTmzAorYFiZq4vnPArS4u1tPeCWlJcM1fRIUUe++IEdnsQj5IZqaF+VIXLUDS6/OrYWZq9i1LEuiWH+FVbAg1l9W0gy7I8dYVo7AK+X1znIYzx9C8A5NUrPMtbfDaOEUi/7mfRo1CiCMKTLVcL6yGjqbpalX/mKN1hxLhxBzuTn9rL5l4RoNqHXhGkorqEuSp/cym/gjuHPbY9b+TwXMJkzePh2uIHVeO46krJY3Us4Vsb6o1w6DDHsTRfz6l5Tt+wIM9ta5S7E=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6424e401-9163-4b10-7d3e-08d6c17a3a2b
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2019 08:13:22.2080 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3178
Archived-At: <>
Subject: Re: [MMUSIC] FQDN support in ice-sip-sdp
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Apr 2019 08:13:28 -0000


>>> But, the other reason was to correct issues and unspecified cases found in RFC 5245, and FQDN seems to be one such issue. 
>>> Unfortunately we didn't detect it before publishing RFC 8445, so any generic ICE FQDN procedures would have to be in a separate draft.
>> Again, I don't have a strong opinion on whether the SDP specific parts of FQDN are in ice-sip-sdp or in a separate draft.
> I think the question is if FQDN is just another way to encode a single IP address or if FQDN resolution affects ICE nomination process. 
> If we decide that demarcation point between ICE candidate signaling (ice-sip-sdp) and ICE nomination i(RFC 8445) s the list of candidates 
> with IP addresses, then handling FQDN falls under signaling (ice-sip-sdp). If you think DNS resolution affects ICE nomination process, then we will 
> need a separate draft for handling candidates with FQDN. I think former is the case and we can put FQDN handling in ice-sip-sdp.

Assuming the FQDN is split into separate candidates, and each candidate is processed just like any other candidate, I don't think the nomination process is affected. It also means that if I nominate the IPv6 "version" of a candidate, I am not allowed to switch to the IPv4 "version" - even if the connectivity checks have been successful. I am only allowed to use the transport associated with the nominated candidate.

>> Keep in mind that we also need to decide on whether ice-pac should be an ice-sip-sdp dependency, in which case the 
>> publication may get delayed anyway (eventhough we hope to finalize ice-pac pretty fast).
> I do not think ice-sip-sdp needs to have ice-pac as dependency, but I am going to bring this up in another thread. 
> I wanted to concentrate on FQDN first and then address other ice-sip-sdp issues, such as the fact that SDP offer can contain an empty candidate list.

Yes. I did not want to discuss ice-pac in this thread, but simply point out that because of it we MAY have a dependency already.

>>> Figuring out how to handle multiple results per DNS query certainly warrants a separate draft and should be out of scope. 
>> We also need to keep in mind that, even though a single DNS request only returns a single address, if some kind of load balancing is used 
>> different DNS requests may return a different address. Perhaps we need to cover that by saying that an ICE agent must not change the 
>> IP address:port associated with a candidate.
> This is part of the problem with DNS. One agent can publish FQDN that points to a single IP, but when another agent runs the DNS query, 
> it can return more then one result (such as DNS64), different result (some sort of NAT or proxy) or no results.. DNS network can be adversarial 
> and deliberately send traffic through a proxy for man-on-the-middle attack. I would prefer to limit what we require to each of the agents and 
> then allow connectivity checks to sort this out. So far the requirements are that agent that creates the candidate list should only use FQDN that 
> points to single address of given type and agent receiving the candidate list should only use candidate lines that produce a single address.


>>> a. Define how to specify address type in candidate line. This is certainly an SDP problem and I think is a pre-requisite to using any addresses, such as 
>>> FQDN, where address type is non-obvious
>> HOW to define the address type in a candidate lite is for sure an SDP problem. But, the fact that the address type needs to be 
>> provided for a candidate is an ICE problem. 
> As I have mentioned earlier, this is the question of defining responsibilities of signaling vs actual ICE processing. DNS resolution does not have to be part of ICE processing and can be part of signaling. ICE processing can always start with the list of candidates with addresses already resolved.


>> b. Specify that if agent compliant with ice-sip-sdp uses FQDN contact-address, it MUST specify addrtype for the candidate.
> Do we know how an existing implementation would process the addrtype? Are there any procedures regarding unsupported candidate properties?
> Since I just invented addrtype, I do not think anything would process it.

I was thinking about unsupported properties in general.

>>> Unsupported candidate properties are supposed to be ignored. We see a lot of unsupported properties in the wild, such as "generation" and "network-id". 
>>> These extra candidate attributes do not seem to cause any interop issues, so I do not think adding a new candidate type attribute would be a problem
>>> c. Specify that if FQDN resolves to a single address for the specified family then that this address is used for this candidate. Candidate lines with 
>>> FQDN returning multiple results per query MUST be ignored until their handling is defined in a future draft
>>> d. Specify what to do with FQDN without address type specified such as SDP from legacy RFC 5245 implementations. We can go with try AAAA resolution 
>>> first and use if single address is returned. If nothing is returned from AAAA query, try A query. If single address is returned, used that address, ignore 
>>> the candidate line otherwise. This matches RFC 5245 language and should work in all the same situations where RFC 5245 implementations were working.
>> d) works assuming both ICE agents get the same IP address:port from DNS.
> Option d  is best effort for interop with current RFC 5245 implementations. It would work in the same cases when RFC 5245 implementation would. I am not sure any current RFC 5245 implementations actually use FQDN, but if such implementations do exist, this is what RFC 5245 specified.
>>> What do you think?
>> I think you suggestion is good. But, as I have indicated, I would like to have a generic ICE FQDN draft that ice-sip-sdp (or a separate MMUSIC draft) references.
>> Similarly to ice-pac, I think such draft could be produced relatively fast. It more or less only needs to say that:
>> 1) An ICE agent that uses FQDN needs to provide one candidate per address family, and indicate the addrtype for each of those candidates.
>> 2) Some text regarding backward compatibility. Do we assume some default behavior by existing implementations, or do we require an ICE option?
> I do not think we need an ICE option. I think presence of addrtype can be sufficient.

But if the peer ICE agent does not support it, and the FQDN resolves into both IPv4 and IPv6, we don't know what version it will use.

> This being said we need to decide two things:
> 1. Does FQDN resolution belongs to ICE processing? In this case candidate list includes FQDN with address type and ICE processing describes how FQDN are resolved and converted to addresses. 
> Or, alternatively, does FQDN resolution belongs to ICE signaling? In this case candidate list includes resolved address and ICE agent deals with addresses only.

That would not work with mDNS, right?

> 2. Do we specify how to deal with FQDN in ice-sip-sdp or do we specify in ice-sip-sdp that FQDN must be ignored and their handling is defined in some other draft?

Perhaps the best thing would simply to produce a separate draft, to get some text. We can then decide whether to merge it into ice-sip-sdp.