IETF Logo Mail Archive

Re: [MMUSIC] Updating the pacing of ICE connectivity checks

Ari Keränen <ari.keranen@ericsson.com> Thu, 14 February 2013 16:12 UTC

Return-Path: <ari.keranen@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66C8E21F882E for <mmusic@ietfa.amsl.com>; Thu, 14 Feb 2013 08:12:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.799
X-Spam-Level:
X-Spam-Status: No, score=-5.799 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SY7EJN9fen1k for <mmusic@ietfa.amsl.com>; Thu, 14 Feb 2013 08:12:39 -0800 (PST)
Received: from mailgw2.ericsson.se (mailgw2.ericsson.se [193.180.251.37]) by ietfa.amsl.com (Postfix) with ESMTP id AC0EF21F882A for <mmusic@ietf.org>; Thu, 14 Feb 2013 08:12:38 -0800 (PST)
X-AuditID: c1b4fb25-b7f366d000004d10-49-511d0cf557a8
Received: from esessmw0184.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw2.ericsson.se (Symantec Mail Security) with SMTP id F9.C1.19728.5FC0D115; Thu, 14 Feb 2013 17:12:37 +0100 (CET)
Received: from mail.lmf.ericsson.se (153.88.115.8) by esessmw0184.eemea.ericsson.se (153.88.115.82) with Microsoft SMTP Server id 8.3.279.1; Thu, 14 Feb 2013 17:12:37 +0100
Received: from tri62.nomadiclab.com (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id F192A233F; Thu, 14 Feb 2013 18:12:36 +0200 (EET)
Message-ID: <511D0CF4.4010001@ericsson.com>
Date: Thu, 14 Feb 2013 18:12:36 +0200
From: Ari Keränen <ari.keranen@ericsson.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
References: <511CEB64.6070306@ericsson.com> <05a401ce0ac6$db547230$91fd5690$@cisco.com> <511D03A7.1060008@ericsson.com> <511D0498.3030909@jitsi.org> <511D07F1.3070808@ericsson.com>
In-Reply-To: <511D07F1.3070808@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNLMWRmVeSWpSXmKPExsUyM+Jvje5XHtlAg1XztCwuXnvIZLFm5wQW i6nLH7M4MHtM+b2R1WPJkp9MHv/fBAYwR3HZpKTmZJalFunbJXBlfP6+jbHgonbFt3/7mBoY 1yl3MXJySAiYSByZdJ8NwhaTuHBvPZDNxSEkcJJR4s/lp4wQzgZGidnrFrBDOFsYJZ4cfgfW wiugLbF4zlwmEJtFQFXi3qk7YHE2AXuJmxOus4PYogLJEh/vXGOFqBeUODnzCQuILSJgJvFw wn6wemaBKIlvL+8yg9jCAi4Sr5u+scEtu9N1E2gBBwengI7EozOFEPW2EhfmXGeBsOUlmrfO BusVArrh6r9XjBMYhWYhWTcLScssJC0LGJlXMbLnJmbmpJcbbWIEBvDBLb9VdzDeOSdyiFGa g0VJnDfc9UKAkEB6YklqdmpqQWpRfFFpTmrxIUYmDk6pBkaGeevvzX5wgp2pyfGbU1qrgGrW Y0bJT+fmCYt7ce7oacoUZrGy+TOj+FetzOSzJwxe+miL1779qrvmzaGYBVf/HDq/Str5pMI/ UWt/2X/PXHac2lN45PodPs89vpev8mnlmWg2xJc+ith7mmVZ3VS5oM8akhVq3xZwztjGvpiD 9+CxIKfvvEuUWIozEg21mIuKEwH+j4APLgIAAA==
Cc: 'mmusic' <mmusic@ietf.org>, Dan Wing <dwing@cisco.com>
Subject: Re: [MMUSIC] Updating the pacing of ICE connectivity checks
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2013 16:12:40 -0000

Hi Magnus,

Thanks for clarifying the background on this! Some comments and 
questions inline.

On 2/14/13 5:51 PM, Magnus Westerlund wrote:
> On 2013-02-14 16:36, Emil Ivov wrote:
>> Any idea why there had to be different pacing for RTP and non-RTP flows
>> in the first place?
>
> I think our arguments where that in the context of a non-congestion
> controlled voice application it would send with 20 ms interval anyway.
> For other transports and protocols it was not obvious for what intended
> environment it would be used. For example a low power network
> application that sends beyond 30 kbps could be problematic. Thus we took
> one of our conservative values from the transport books, i.e. 500 ms.
>
> I would point out that this is a difficult transport issue. Compared to
> TCP IW10, that burst occurs first after the initial handshake when one
> has actually established that there is a responder.
>
> With ICE there is a clear issue with an attacker bloating a offer/answer
> with candidates that recreates the voice hammer attack using ICE's STUN
> checks towards a target address or domain.
>
> Also the STUN checks will have different source address pairs which in
> it self could be an issue for attack prevention firewalls etc.
>
> Thus I would be careful with speeding up Ta for RTP to much, and I think
> someone needs to fine empiric data that it would work.

I'd guess the 20 ms interval is quite OK for the RTP since, as Dan 
noted, you can't go much faster without overwhelming the NATs.

> For the the 500 ms that can likely be significantly lowered without any
> issues. But some considerations around the wider usage needs to be taken
> into account.

Would you have any recommendation for a good, less conservative value? 
If the bandwidth of the non-RTP stream is known, I guess that could be 
used in a similar way as with RTP to calculate Ta (with lower bound of 
20ms). For cases where the bw is not known, we could perhaps 
RFC2119-recommend some fairly-conservative value (say, around 100ms?) 
and "MUST NOT" for below 20ms?


Cheers,
Ari
(as individual)

> Cheers
>
> Magnus
> One of the ADs responsible for the pacing in ICE.
>
>>
>> Emil
>>
>> On 14.02.13, 16:32, Ari Keränen wrote:
>>> On 2/14/13 5:20 PM, Dan Wing wrote:
>>>>> -----Original Message-----
>>>>> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On Behalf
>>>>> Of Ari Keränen
>>>>> Sent: Thursday, February 14, 2013 5:49 AM
>>>>> To: mmusic
>>>>> Subject: [MMUSIC] Updating the pacing of ICE connectivity checks
>>>>>
>>>>> Hi all,
>>>>>
>>>>> Updating the pacing parameter, Ta, of ICE for non-RTP traffic (for
>>>>> background, see [1] and [2]), as discussed at the Atlanta meeting, will
>>>>> be one of the important changes in the new version of ICE.
>>>>>
>>>>> Currently the RFC5245 says (for non-RTP traffic) "Ta SHOULD be
>>>>> configurable, SHOULD have a default of 500 ms, and MUST NOT be
>>>>> configurable to be less than 500 ms."
>>>>>
>>>>> This results in very slow pace of starting connectivity checks if ICE is
>>>>> used with non-RTP traffic. With RTP, the Ta is calculated based on the
>>>>> expected bandwidth used by the RTP stream and can be down to 20 ms.
>>>>> Therefore, many current implementations apparently ignore the "MUST NOT"
>>>>> above and set Ta to something lower.
>>>>
>>>> That would explain failures claimed to justify the desire for running
>>>> over one port.
>>>
>>> Interesting point. Does anyone know what kind of pacing was actually
>>> used when these failures were observed?
>>>
>>>> The 20ms threshold for the initial connectivity checks is because some
>>>> NATs could not create new mappings quickly.  This problems appears to
>>>> persist today, considering that both Chrome and Windows 8 limit their
>>>> number of outstanding DNS queries in an apparent attempt to work around
>>>> that very same NAT UDP mapping behavior.
>>>>
>>>> If trying to create NAT mappings with 0ms pacing, it will certainly
>>>> cause NAT mapping failures and force retries.
>>>
>>> Yes, definitely. So we shouldn't go below 20ms with non-RTP either.
>>> Perhaps need to add some more justification/warning text about this too.
>>>
>>>>> The quite conservative value of 500 ms was originally chosen because of
>>>>> the fear of congesting the links with the connectivity check messages.
>>>>> This is obviously still a valid concern, but would suggesting something
>>>>> lower still make sense? How low would it be reasonably safe to go? What
>>>>> is currently used in practice? Can we come up with a formula similar to
>>>>> RTP (perhaps based on expected bandwidth usage)?
>>>>
>>>> A good question for the transport area, which is the origination of the
>>>> suggestion to send ICE connectivity checks paced to not exceed the
>>>> bandwidth of the subsequent media.  Perhaps the arguments that TCP
>>>> IW=10 is not harmful could be brought to the party.
>>>
>>> FYI, I forwarded the original mail to the Transport ADs too.
>>>
>>>
>>> Cheers,
>>> Ari
>>>
>>>>>
>>>>> [1] http://tools.ietf.org/html/rfc5245#appendix-B.1
>>>>> [2] http://tools.ietf.org/html/rfc5245#section-16.2
>>>>> _______________________________________________
>>>>> mmusic mailing list
>>>>> mmusic@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/mmusic
>>>>
>>>
>>> _______________________________________________
>>> mmusic mailing list
>>> mmusic@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mmusic
>>>
>>
>
>

v2.23.0 | Report a Bug | By Email