[MMUSIC] Comments on ICE-TCP specification RFC 6544
Nigel Pattinson <nigel.pattinson@kaseya.com> Thu, 07 June 2012 21:37 UTC
Return-Path: <nigel.pattinson@kaseya.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AF5C21F8681 for <mmusic@ietfa.amsl.com>; Thu, 7 Jun 2012 14:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Level:
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QDV7iaPa+bCJ for <mmusic@ietfa.amsl.com>; Thu, 7 Jun 2012 14:37:52 -0700 (PDT)
Received: from na3sys010aog110.obsmtp.com (na3sys010aog110.obsmtp.com [74.125.245.88]) by ietfa.amsl.com (Postfix) with SMTP id 4A3CB21F8690 for <mmusic@ietf.org>; Thu, 7 Jun 2012 14:37:50 -0700 (PDT)
Received: from mail-ob0-f172.google.com ([209.85.214.172]) (using TLSv1) by na3sys010aob110.postini.com ([74.125.244.12]) with SMTP ID DSNKT9EfLoMgpZZsROpLWVsL+uSnMtB8oZKB@postini.com; Thu, 07 Jun 2012 14:37:51 PDT
Received: by obbeh20 with SMTP id eh20so2081295obb.17 for <mmusic@ietf.org>; Thu, 07 Jun 2012 14:37:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :x-gm-message-state; bh=EUw8ymnAOkGznf0/r/Vk9/xm7dsg88lGZqXOeu9XV3c=; b=W8hTdyAEOfcUGFI455r8nwy3g6QIE9zDWmzLDA8mED1Hpz4TXu8AOjM92cfU75FMZC cgeHIxwOzNXavaK/+B6bpDNcZlI0pBfMMi73jBcSPQ3gc0lcHOdISRkH8CRYCt20T3id KCyNSeSwXu2E+jG5DBlf+XR6/ET4gPdCp4mNpaHZyvqmKvVrqZIteugWeGAY7nzeEkrF M15WifAycVAW7kZGmGbdjHz9MEn1jy+fl1d5EOSWsXMveX85TzLXa2k9812lcFOkGFyd h/f4hLk2QRN6QvilfssqAIAzPbobKr02fIFVRQxo2qPq7hq99WwK6AskjTG88cq4sAHL 0Skw==
MIME-Version: 1.0
Received: by 10.60.29.169 with SMTP id l9mr3836081oeh.14.1339105069830; Thu, 07 Jun 2012 14:37:49 -0700 (PDT)
Received: by 10.182.17.69 with HTTP; Thu, 7 Jun 2012 14:37:49 -0700 (PDT)
Date: Fri, 08 Jun 2012 09:37:49 +1200
Message-ID: <CANE3Kwy-pOcdYfpFnTKKBpvMLHoV1XV3VME6tU7+BtMdCTcNfg@mail.gmail.com>
From: Nigel Pattinson <nigel.pattinson@kaseya.com>
To: mmusic@ietf.org
Content-Type: multipart/alternative; boundary="e89a8ff2566601134d04c1e8b211"
X-Gm-Message-State: ALoCoQl7i9jdv2S0/VtOnuHAObyrxGwqXfly2B+Rtg4isF/Mld6OWqzr0orKAoppgiyyo8Y/d8xd
Subject: [MMUSIC] Comments on ICE-TCP specification RFC 6544
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 21:40:29 -0000
Hello all In our company we have just implemented support for ICE-TCP, and in our opinion there are some areas of the specification which could use some clarification. Note that our implementation is designed to be used in an XMPP/Jingle context rather than with SIP, which potentially makes a difference in some of the areas mentioned below. The specification makes no mention of foundations for TCP candidates. 4.1.1.3 in [RFC5245] specifies that TCP foundations must be different from UDP foundations, but it is unclear whether or not passive, active, and simultaneous open candidates should have distinct foundations. The same is true for NAT-assisted and tunneled candidate types - should these have distinct foundations from server-reflexive/relayed candidates ? We have guessed that in all cases they should be distinct. 4.1.1.4 in [RFC5245] states that server reflexive candidates should be kept alive until ICE processing completes. 11.2 in RFC 6544 does not contradict this, but does not clarify it either. This implies that TCP connections to a STUN server should be kept open for this duration, with STUN binding requests being sent at intervals. It is not clear to us that doing so would have any benefit, but we are not NAT experts. Either way it would be good if the ICE-TCP specification made it clear whether or not this was necessary or desirable. When the offerer has relayed candidates obtained from a TURN server, it may not be possible to ensure that permissions are created for those passive candidates prior to the peer attempting to connect. This may result in failure of the peer's active check, and hence possibly in failure of ICE as a whole. The same basic problem can happen in ICE-UDP, but the UDP check would almost certainly be retried at a time when the permissions are in place, and so should succeed eventually. The situation could be exacerbated by the Jingle recommendation that candidates are sent to the peer as soon as they are discovered - in this case even the answerer's relayed candidates may not have the permissions in place when they are needed. We're not sure if there is a foolproof solution to these problems, but we do feel that the potential for failures should at least be mentioned. 6.2 states that candidate pairs with a tcp passive local candidate should be pruned from the checklist. This clearly makes sense, but has some undesirable consequences in the following situation. Imagine that both agents are on the same network, so all connectivity checks will succeed. The top priority candidate pair in each agent's check list will most likely have a local host active candidate and a remote host passive candidate, since all pairs with a local passive candidate have been pruned. It is quite likely that the controlled agents first check request will be received by the controlling agent before the latter has had a chance to initiate its first check. If this is the case, the controlling agent will reply to the check, add a candidate pair with a local passive candidate and a remote active candidate to its check list, and trigger a check for that candidate pair. Meanwhile the controlled agent will initiate further lower-priority checks, all of which will succed and cause the controlling agent to trigger matching checks. Unless the controlling agent has a shorter _Ta than the offerer, the result can be that the controlling agent spends all its time sending triggered checks, and only gets a chance to initiate checks once the controlled agent has exhausted its check list. The downside to this is that candidate pairs with a controlling active candidate and a controlled passive candidate exist only in the controlling agent's check list, so these will not be checked at all until all pairs in the controlled agent's check list have been checked. What is worse, with the suggested priority calculcations, the highest priority pair will be just such a pair, and since aggressive nomination is not being used, it is likely that the highest priority check needs to be completed before the ICE session can be regarded as successful. We do not have an ideal solution for this, but switching the recommended active and passive direction pref values would make it unlikely that the highest priority check would have a controlling active candidate and a controlled passive candidate. 7.1 states that for tcp-active candidates, unallocated ports should be used. This may result in many port allocations, so we wonder whether it would be preferable to reuse the same port for all connections made from a specific tcp-active candidate (where supported by the host OS, of course). Sections 7.1 and 7.2 both note that a peer-reflexive candidate will 'typically' be produced. In 7.1 this is in reference to a STUN response received on an active TCP candidate, whereas in 7.2 it is in reference to a STUN request received on a passive TCP candidate. It is unclear to us whether the wording is intended to mean that this is different to the equivalent case in UDP, where a peer-reflexive candidate might, but would not 'typically', be produced. The only difference between TCP and UDP that we can see in this area is that the port actually used for active TCP candidates differs from that advertised, since all active TCP candidates are offered with 9 as the port number. We assume that this is the core reason behind the wording used, but think that it would be better if the specification explicitly stated this. We also believe that it is possible to correctly identify the correct active TCP candidate despite the lack of explicit port number information, simply by treating 9 as a wildcard that matches any port. Doing so has the benefit that all the information held against the candidate (especially priority and foundation) can be used as intended, whereas if a new peer-reflexive candidate is created this information will always be ignored for active TCP candidates. Currently our implementation does this wildcard matching, so will only produce peer-reflexive candidates in the same situations it would do if using UDP. 11.1 states that connections should be reopened if they have dropped or been closed for some reason, and have media that needs to be sent. This might make sense in an RTP context, but seems very dubious to us in the more general TCP case as it violates the normal reliability guarantees that TCP supplies. We think this requires further thought and at the very least should be configurable. Thanks for your time Nigel Pattinson
- [MMUSIC] Comments on ICE-TCP specification RFC 65… Nigel Pattinson
- Re: [MMUSIC] Comments on ICE-TCP specification RF… jakubadamek
- Re: [MMUSIC] Comments on ICE-TCP specification RF… Nigel Pattinson
- Re: [MMUSIC] Comments on ICE-TCP specification RF… Adam Roach
- Re: [MMUSIC] Comments on ICE-TCP specification RF… Nigel Pattinson
- Re: [MMUSIC] Comments on ICE-TCP specification RF… Adam Roach