Re: [Wish] Genart last call review of draft-ietf-wish-whip-09

[Sean Turner <sean@sn3rd.com>]

Dale,

Hi! Just a heads up that Sergio is out on PTO until early September.

spt

> On Aug 8, 2023, at 11:45, Dale Worley via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Dale Worley
> Review result: Ready with Issues
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document:  draft-ietf-wish-whip-09
> Reviewer:  Dale R. Worley
> Review Date:  2023-08-08
> IETF LC End Date:  2023-08-08
> IESG Telechat date:  [not known]
> 
> Summary:
> 
>    This draft is on the right track but has open issues, described in
>    the review.
> 
> The exposition could be clarified in several places.  A few of the
> clarifications could be considered technical issues.  I list the
> issues in textual order, with an initial summary of the most important
> issues.
> 
> * Summary of the major issue:
> 
> A very important aspect of this document is that it defines the usage
> of "ICE via SDP via HTTP", equivalently, "supporting ICE offer/answer
> over HTTP" (as opposed to the original "ICE via SDP via SIP").  That
> definition likely will have broader usage than just WHIP.  But the
> document suffers from the "expert's disease", in that the authors
> clearly have deep knowledge of ICE and consequently only document the
> details of the ICE processing without providing any of the framework.
> This leaves naive readers to reconstruct the big picture.  I was going
> to add "As far as I can tell, all of the needed details are listed
> somewhere in section 4", but as you can see below, once I wrote an
> outline of what is needed, there are a few points that don't seem to
> be specified, at least not to the point that I recognized it.)
> 
> I suggest that section 4 be organized by:
> 
> - stating that it is defining "supporting ICE offer/answer
>  over HTTP" (so that it can be clearly referenced by later
>  specifications)
> 
> - specifying the abstract operations involved (with the mapping to
>  specific operations listed either in this list or a later list):
> 
> - - starting the ICE negotiation (via POST carrying
>    application/sdp)
> 
> - - updating the ICE when trickling (via PATCH carrying
>    application/trickle-ice-sdpfrag)
> 
> - - restarting ICE (via PATCH carrying (via PATCH carrying
>    application/trickle-ice-sdpfrag, but it's not clear how this is
>    distinguished, RFC 8840 does not specify it; perhaps because it
>    carries ice-ufrag/ice-pwd attributes (see section 4.1)?)
> 
> - - termination (via DELETE from the client; not clear how from the
>    server)
> 
> - specifying how WHIP constrains the ICE abstraction (Media server
>  MUST not do trickle ICE updates, not clear if Media server MAY do
>  ICE restarts, Media server MAY not support trickle ICE or ICE
>  restart, etc.)
> 
> - discussion of how out-of-order requests may arise (which isn't at
>  all clear to me, as requests seem to be generated only by the
>  server, and carried by TCP, so they seem to be inherently
>  serialized)
> 
> - discussion of how ETags MAY/MUST be handled, as that is
>  comprehensible only when one looks at the serialization needs of all
>  of the operations together
> 
> - specifying the particular features of each of the operations,
>  including any particulars of request and response fields and what
>  response codes are to be used for what error situations
> 
> * Summary of minor issues that might have technical content:
> 
> At various points in section 4 the text refers to a device sending a
> request or generating a response but in many of them, the text doesn't
> state whether the device is on the client or server end, or might be
> both.  I assume that the nature of the operation implies what devices
> might perform it based on text elsewhere, but it's hard to fully
> understand on the first reading pass.  If possible, each sentence
> should make this clear. -- Then again, if section 4 is reorganized to
> describe generic ICE/SDP/HTTP usage, attention should be paid that the
> generic usage may define how e.g. the server does an operation, even
> if WHIP servers may not do that operation.
> 
> Section 4 lists a collection of 4xx and 5xx response codes to be used
> in certain situations.  Are these set due to the specific semantics of
> the codes or just to ensure that the recipient can tell what the cause
> of the error was?  (HTTP suffers from having a large number of error
> responses but all of them have vague semantics.  Unfortunately, there
> doesn't seem to be an HTTP response header that can carry codes
> defined for ICE usage specifically.)
> 
> Section 4 requires the WHIP server to reject certain specific request
> methods, but no others.  Verify that you intend this specific
> limitation.
> 
> Section 4.1 references sections 6.6.2, 2.3, and 3.1 of RFC 9110.  All
> of these references appear to be incorrect, in that those sections do
> not discuss the topics at hand.  Section 4.3 references section 6.4.7
> of RFC 9110, which does not exist.  Some of these appear to be
> referencing sections in RFC 7231, which is obsoleted by RFC 9110.
> 
> Section 4.1 talks about out-of-order PATCH requests but is unclear
> about what may cause them, as the immediate implication is that
> somehow the client is sending overlapping PATCH requests.  Probably
> the authors fully understand the allowed sequences of operations that
> cause this but the text needs to clarify what is being described.
> 
> Section 4.1 has inconsistent statements about a WHIP resource's
> response code if the client requests an ICE restart but the resource
> does not support ICE restart.
> 
> Section 4.2 extends RFC 8842, and this document should be marked as
> doing so.
> 
> In Section 4.4, I notice that there's no explicit differentiation
> between the STUN and the TURN server information in returned Link
> header fields.  Please verify that either (1) the presence of username
> and credential-type differentiates the two cases, or (2) the Media
> client/server do not need to differentiate the two cases.
> 
> Section 4.7 requires POST responses to include Link headers for any
> WHIP extensions supported by the server.  Perhaps OPTIONS responses
> should be required to do so also.
> 
> The designators of WHIP extensions are described as URIs.  In fact,
> they are URNs, and it would be more precise to refer to them as URNs
> in the text.
> 
> * All issues (most of them exposition/editorial), in text order:
> 
> 1.  Introduction
> 
>   It also describes how to negotiate media flows
>   using the Offer/Answer Model with the Session Description Protocol
>   (SDP) [RFC3264] as well as the formats for data sent over the wire
>   (e.g., media types, codec parameters, and encryption).
> 
> I think "as well as" should be "including".
> 
>   RTSP [RFC7826], which is based on RTP, is
>   not compatible with the SDP offer/answer model [RFC3264].
> 
> This statement might be clarified, as the naive reader (me) considers
> offer/answer to also be based on RTP.  I suspect that the critical
> meaning is "RTSP, unlike SDP offer/answer, has no provisions for
> negotiating the characteristics of the media session."
> 
>   This document proposes a simple protocol for supporting WebRTC as
>   media ingestion method which:
> 
> I would amend to "... a simple protocol, WHIP, for ..." to have a
> clear assertion in the introduction of what WHIP is.  I would also add
> "HTTP", as the preceding text describes what WHIP *isn't* based on:
> 
>   This document proposes a simple protocol, WHIP, based on HTTP, for
>   supporting WebRTC as media ingestion method which:
> 
> --
>   *  Allows for ingest both in traditional media platforms and in
>      WebRTC end-to-end platforms with the lowest possible latency.
> 
> Verify that "ingest" is used in the field as shorthand for "ingestion"
> (rather than being a typo).  The text seems to use both words with the
> same meaning; it should probably use only one.
> 
>   *  Is usable both in web browsers and in native encoders.
> 
> I would say "standalone encoders", but perhaps this is the industry
> terminology.
> 
> 2.  Terminology
> 
> For clarity, I would move Figure 1 to after paragraph 1 of section 2
> and amend it to something like this.  Or perhaps better, relocate the
> current section 3 before section 2, so it can provide the context for
> the glossary.
> 
> +--------------+  +-------------+    +---------------+            +--------------+
> | Media client |  | WHIP client |    | WHIP server   |            | Media server |
> +------+-------+  +--+----------+    +---------+---+-+            +------+-------+
>        |             |                         |   |                     |
>        |             |                         | +-+-------------+       |
>        |             |                         | | WHIP resource |       |
>        |             |                         | +--------|------+       |
>        |             |                         |          |              |
>        |             |HTTP POST (SDP Offer)    |          |              |
>        |             +------------------------>+          |              |
>        |             |201 Created (SDP answer) |          |              |
>        |             +<------------------------+          |              |
>        |             |          ICE REQUEST               |              |
>        +---------------------------------------------------------------->+
>        |             |          ICE RESPONSE              |              |
>        |<----------------------------------------------------------------+
>        |             |          DTLS SETUP                |              |
>        |<===============================================================>|
>        |             |          RTP/RTCP FLOW             |              |
>        +<--------------------------------------------------------------->+
>                      | HTTP DELETE                        |
>                      +----------------------------------->|
>                      | 200 OK                             |
>                      <------------------------------------+
> 
> The reason to move it before the definitions is that definitions would
> be a lot clearer with the diagram already in mind.
> 
> The "WHIP client" is separated into two components, one dealing with
> HTTP and SDP and one dealing with RTP, with both being involved in
> ICE, in the same way that the server is divided into two components
> with the same division of responsibilities.
> 
> I suspect that historically, the server-side is conceptualized that
> the "Media Server" exists a priori with the "WHIP endpoint" being
> added to it as an extra unit, but the client-side is conceptualized as
> being a unitary system.  That structure makes the specification harder
> to understand, though, and I think showing the client and server with
> more parallel structures would clarify the specification.
> 
> The "WHIP resource" is shown as being a dependent of the "WHIP
> server".
> 
> The "WHIP endpoint" is renamed "WHIP server".  At least in the SIP
> world, "endpoint" is used to refer to *both* ends of one connection,
> and so the term "WHIP endpoint" would be expected to include the WHIP
> client as well.
> 
> The capitalization of "Media server" is made consistent with the other
> terms.  (See also the entry in the glossary.)
> 
> Although conceptually the left two items (Media client and WHIP
> client) and the right three items (WHIP server, WHIP resource, and
> Media server) collectively form the two end-systems of the
> client/server relationship, I have not tried to invent names for the
> two collections because there doesn't seem to be a need to reference
> them as wholes.
> 
> These changes do require adjusting the terminology in the rest of the
> document.
> 
> 3.  Overview
> 
> See comments on section 2.
> 
> 4.  Protocol Operation
> 
>   The SDP offer SHOULD use the "sendonly" attribute and the SDP answer
>   MUST use the "recvonly" attribute in any case.
> 
> You may want to extend this to "SHOULD use the "sendonly" attribute
> but MAY use the "sendrecv" attribute", since the other possible values
> are useless.
> 
> "in any case" seems redundant given the presence of "MUST".
> 
> POST /whip/endpoint HTTP/1.1
> 
> I recommend preceding each of the HTTP messages with a description of
> what the endpoints are.  E.g. "POST request from WHIP client to WHIP
> server" and "201 Created response from WHIP server to WHIP client".
> 
>              Figure 2: HTTP POST doing SDP O/A example
> 
> Perhaps more informative as "Example WHIP POST executing SDP
> offer/answer".
> 
>   Once a session is setup, ICE consent freshness [RFC7675] SHALL be
>   used to detect non graceful disconnection and DTLS teardown for
>   session termination by either side.
> 
> I think the meaning is "Once a session is set up, ICE consent
> freshness [RFC7675] MUST be maintained.  Both endpoints MUST monitor
> freshness and MUST tear down the connection if freshness is lost."
> (Note I don't know how ICE consent freshness is done, so I am assuming
> that no further details need be specified to ensure interoperability.)
> Probably the 2nd following paragraph ("A Media Server terminating...")
> can be combined with this paragraph.  Also, expand it to place the
> same requirement on the Media client.
> 
>   The WHIP endpoints MUST return an "405 Method Not Allowed" response
>   for any HTTP GET, HEAD or PUT requests on the endpoint URL in order
>   to reserve its usage for future versions of this protocol
>   specification.
> 
> This and the 2nd following paragraph only forbid a few methods, and
> allow an implementation to implement any others as extensions.  Please
> verify that these are exactly what you need.  Also, the wording should
> be "reserve their usage" because the referent is "any ... requests".
> 
>   The WHIP endpoints MUST support OPTIONS requests for Cross-Origin
>   Resource Sharing (CORS) as defined in [FETCH] and it SHOULD include
>   an "Accept-Post" header with a mime type value of "application/sdp"
>   on the "200 OK" response to any OPTIONS request received as per
>   [W3C.REC-ldp-20150226].
> 
> I think this would be less awkward as
> 
>   The WHIP endpoints MUST support OPTIONS requests for Cross-Origin
>   Resource Sharing (CORS) as defined in [FETCH].  The "200 OK"
>   response to any OPTIONS request SHOULD include an "Accept-Post"
>   header with a mime type value of "application/sdp" as per
>   [W3C.REC-ldp-20150226].
> 
> 4.1.  ICE and NAT support
> 
> Text might be added to the beginning of this section similar to the
> text at the beginning of section 4.2, as WHIP puts specific
> restrictions on ICE usage for simplicity's sake.  It seems like "NAT"
> should be replaced by something else, as "NAT" is not mentioned
> elsewhere in the document.  "STUN/TURN" seems to be natural, but there
> is a section for that (4.4).  Perhaps this section should be titled
> "ICE usage".
> 
> Also, several subsections of section 4 seem to be about usage and
> restrictions of various protocols; perhaps they should have parallel
> names e.g. "ICE usage", "WebRTC usage", "STUN/TURN usage".
> 
>   In order to simplify the protocol, there is no support for exchanging
>   gathered trickle candidates from Media Server ICE candidates once the
>   SDP answer is sent.
> 
> I think this would be clearer as follows, since that moves the fact we
> are talking about the Media server earlier in the sentence:
> 
>   In order to simplify the protocol, there is no support for the
>   Media server sending further trickle candidates once the SDP answer
>   is sent.
> 
> --
> 
>   The WHIP client MAY perform trickle ICE or ICE restarts as per
>   [RFC8838] by sending an HTTP PATCH request ...
> 
> PATCH is an unusual method, defined in RFC 5789, and it seems like
> there should be a reference for it here.
> 
> Also, you probably want to insert here a statement whether the WHIP
> resource MAY *initiate* ICE restarts; as far as I can tell, the text
> does not address this.
> 
> Also, you want to directly state that the semantics (meaning) of an
> ICE update/restart request and thus how it is to be processed, is
> determined by the body, as specified in RFC 8840.  The current text
> leaves that silently implied.
> 
>   If the WHIP resource supports either Trickle ICE or ICE restarts, but
>   not both, it MUST return a "405 Not Implemented" response for the
>   HTTP PATCH requests that are not supported.
> 
>   If the WHIP resource does not support the PATCH method for any
>   purpose, it MUST return a "501 Not Implemented" response, as
>   described in [RFC9110] Section 6.6.2.
> 
> The canonical description for "405" is "Method not allowed".  But I
> would reorganize and combine these paragraphs along these lines:
> 
>   If the WHIP resource supports either Trickle ICE or ICE restarts,
>   but not both, it MUST return a "405 Method not allowed" response
>   for HTTP PATCH requests for the feature that is not supported.  If
>   neither feature is supported, it MUST return a "501 Not
>   Implemented" response for such HTTP PATCH requests.
> 
> This allows PATCH requests for other purposes, if any of those are
> ever defined.
> 
> BTW, the reference "[RFC9110] Section 6.6.2" ("Trailer") seems to be
> unrelated to the text; please verify it.
> 
>   As the HTTP PATCH request sent by a WHIP client may be received out-
>   of-order by the WHIP resource, ...
> 
> To clarify this, I would expand it to:
> 
>   The WHIP client MAY send overlapping HTTP PATCH requests to one
>   WHIP resource.  As the HTTP PATCH request sent by a WHIP client may
>   be received out-of-order by the WHIP resource, ...
> 
> However it is unclear to me why the client would want to do this.
> Perhaps the concept is that the server may also be sending PATCH
> requests for trickle ICE etc.?  In that case, you would want to phrase
> it more like:
> 
>   As the WHIP client and the WHIP resource may be both be sending
>   HTTP PATCH requests without coordination, an HTTP PATCH request
>   sent by a WHIP client may be received out-of-order by the WHIP
>   resource, ...
> 
> In any case, you should ensure you understand the possible
> complications and explain them here to the reader.  Also, the final
> sentence of the paragraph is:
> 
>   Note that including the ETag
>   in the original "201 Created" response is only REQUIRED if the WHIP
>   resource supports ICE restarts and OPTIONAL otherwise.
> 
> I *think* this means that the entirety of the preceding paragraph is
> conditional "If the WHIP resource supports ICE restarts, the following
> complications are possible ... and so the WHIP resource must return
> ETag header fields ...".  Whatever the causation/conditions are, they
> should be put at the start of the paragraph.
> 
>   A WHIP client sending a PATCH request for performing trickle ICE MUST
>   include an "If-Match" header field with the latest known entity-tag
>   as per [RFC9110] Section 3.1.  When the PATCH request is received by
>   the WHIP resource, it MUST compare the indicated entity-tag value
>   with the current entity-tag of the resource as per [RFC9110]
>   Section 3.1 and return a "412 Precondition Failed" response if they
>   do not match.
> 
> Beware that this paragraph appears to be a continuation of the
> preceding paragraph, in that the sentence "Note ..." appears to be a
> condition on it also.  If that is true, when you relocate the
> condition to before the first paragraph, the condition should itself
> be paragraph-level, so it is clear that its scope is not ended by the
> end of the first paragraph.
> 
>   A WHIP resource receiving a PATCH request with new ICE candidates,
>   but which does not perform an ICE restart, MUST return a "204 No
>   Content" response without body.
> 
> According to the previous text, if a WHIP resource receives a PATCH
> requesting an ICE restart but it does not implement ICE restart, it
> MUST return either 405 or 501.  This needs to be clarified; perhaps
> there is a difference between "does not support" and "does not
> perform"?
> 
>   If the Media Server does not support
>   a candidate transport or is not able to resolve the connection
>   address, it MUST accept the HTTP request with the "204 No Content"
>   response and silently discard the candidate.
> 
> Note that the Media server does not generate HTTP responses in any
> case.  I assume the meaning is "the WHIP resource must accept ...".  I
> think the intended meaning is
> 
>   If a WHIP resource receives a PATCH request containing a new ICE
>   candidate with a transport that the Media Server does not support
>   or is unable to resolve the address, the resource must MUST
>   silently discard the candidate and process the remainder of the
>   request.  Typically, it will accept the HTTP request with the "204
>   No Content" response.
> 
> The last sentence is written as it is because the resource may have
> some other reason for rejecting the PATCH.
> 
>   A WHIP client sending a PATCH request for performing ICE restart MUST
>   contain an "If-Match" header field with a field-value "*" as per
>   [RFC9110] Section 3.1.
> 
> Naively, this seems questionable, as presumably all ICE operations
> need to be serialized.  Or is it that ICE restart causes all preceding
> ICE updates to become irrelevant?  Again, some explanation of the
> allowed sequencing of ICE operations and the necessary
> serialization/dependencies would be good introduction.
> 
>   Also, the "200 OK" response for a successful ICE restart MUST contain
>   the new entity-tag corresponding to the new ICE session in an ETag
>   response header field and MAY contain a new set of ICE candidates for
>   the Media Server.
> 
> This reads oddly because it combines "new ICE session" with the
> possibility that the triggering PATCH request may not include new ICE
> candidates.  What is the implied processing if there are no
> candidates?  There are two possibilities, one that the new ICE session
> starts with no candidates (in that direction), the other is that the
> previously specified set of candidates is retained.  The latter
> possibility implies that the new session depends on the previous
> session and introduces serialization requirements.
> 
>   If the ICE request cannot be satisfied by the WHIP resource, the
>   resource MUST return an appropriate HTTP error code and MUST NOT
>   terminate the session immediately.
> 
> You probably mean "If the ICE update or restart request ...".  Also,
> you probably mean "... and MUST continue the previous ICE session."
> 
>   In either case, the session MUST be
>   terminated if the ICE consent expires as a consequence of the failed
>   ICE restart as per [RFC7675] Section 5.1.
> 
> Probably intensify to "In any case, ...".
> 
>   Because the WHIP client needs to know the entity-tag associated with
>   the ICE session in order to send new ICE candidates, it MUST buffer
>   any gathered candidates before it receives the HTTP response to the
>   initial POST request or the PATCH request with the new entity-tag
>   value.
> 
> I think this could be clarified by putting more of the sentence in
> time order:
> 
>   Because the WHIP client needs to know the entity-tag associated
>   with the ICE session in order to send a PATCH containing new ICE
>   candidates, it MUST wait until it receives the HTTP response to the
>   initial POST request or the previous PATCH request before it can
>   send any candidates that were gathered after the previous request
>   was sent.
> 
> --
> 
>   ... the STUN requests will contain invalid ICE information and will
>   be rejected by the server.  When this situation is detected by the
>   WHIP Client, it MUST ...
> 
> Given that this is a MUST, we need a more rigid specification of the
> specific responses that compel this behavior in the client.  Also,
> "the server" is used, but apparently in the sense "the STUN server",
> not "the Media server" as elsewhere in the text.  Also, it seems to be
> implied that the Media server will not do ICE restart if it receives
> these errors from the STUN server.  Is that true?
> 
> 4.2.  WebRTC constraints
> 
>   In the specific case of media ingestion into a streaming service,
> 
> Given that the abstract says "ingestion of content into streaming
> services and/or CDNs", this appears to confine the paragraph to
> discussing a subset of WHIP implementations.  This clause should
> probably be revised to clarify that it covers all WHIP usages.
> 
>   Both the WHIP client and the WHIP endpoint SHALL use SDP bundle
>   [RFC9143].  ...
> 
> Please verify that all proper specifications are both "MUST support"
> and "MUST use".  E.g., there is "... will use RTP/RTCP multiplexing
> ..." which should say "SHALL"/"MUST".
> 
>   ... bundled "m=" sections as per [RFC8858] i.
> 
> The ending "i" seems like a typo, but please verify it isn't the
> truncation of intended text.
> 
>   ... in a single MediaStream as defined in [[!RFC8830]] ...
> 
> It appears that RFC 8830 is an intended reference but it is not listed
> in section 8.
> 
>   When a WHIP client sends an SDP offer, it SHOULD insert an SDP
>   "setup" attribute with an "actpass" attribute value, as defined in
>   [RFC8842].  However, if the WHIP client only implements the DTLS
>   client role, it MAY use an SDP "setup" attribute with an "active"
>   attribute value.  If the WHIP endpoint does not support an SDP offer
>   with an SDP "setup" attribute with an "active" attribute value, it
>   SHOULD reject the request with a "422 Unprocessable Entity" response.
> 
>   NOTE: [RFC8842] defines that the offerer must insert an SDP "setup"
>   attribute with an "actpass" attribute value.  However, the WHIP
>   client will always communicate with a Media Server that is expected
>   to support the DTLS server role, in which case the client might
>   choose to only implement support for the DTLS client role.
> 
> Note this means that this document updates RFC 8842, and should be
> marked as such.
> 
> This part seems to be incomplete or inconsistent.  Clearly, a WHIP
> server MUST support the DTLS server role, and so it MUST be able to
> accept "a=setup:active".  This means that the described 422 error
> response should never occur.
> 
> 4.3.  Load balancing and redirections
> 
>   WHIP endpoints and Media Servers might not be colocated on the same
>   server, so it is possible to load balance incoming requests to
>   different Media Servers.
> 
> In stead of the passive "it is possible ...", it would be clearer to
> say "the WHIP server may load balance incoming requests to multiple
> Media servers."
> 
>   WHIP clients SHALL support HTTP redirection
>   via the "307 Temporary Redirect" response as described in [RFC9110]
>   Section 6.4.7.
> 
> RFC 9110 does not contain a section 6.4.7.
> 
> 4.4.  STUN/TURN server configuration
> 
>   A reference to each STUN/TURN server will be returned using the
>   "Link" header field [RFC8288] with a "rel" attribute value of "ice-
>   server".
> 
> I notice that there's no explicit differentiation between the STUN and
> the TURN server information.  Please verify that either (1) the
> presence of username and credential-type differentiates the two cases,
> or (2) the Media client/server do not need to differentiate the two
> cases.
> 
>              Figure 5: Example ICE server configuration
> 
> It seems the caption should be "Example STUN/TURN server
> configuration".
> 
>   The generation of the TURN server credentials may require performing
>   a request to an external provider, which can both add latency to the
>   OPTIONS request processing and increase the processing required to
>   handle that request.  In order to prevent this, the WHIP Endpoint
>   SHOULD NOT return the STUN/TURN server configuration if the OPTIONS
>   request is a preflight request for CORS, that is, if The OPTIONS
>   request does not contain an Access-Control-Request-Method with "POST"
>   value and the the Access-Control-Request-Headers HTTP header does not
>   contain the "Link" value.
> 
> I think the normative structure can be made clearer as:
> 
>   In order to avoid adding latency and processing to an OPTIONS
>   request, the WHIP server SHOULD NOT return return the STUN/TURN
>   server configuration in OPTIONS responses unless either (1) the
>   configuration can be determined without extra processing or latency
>   (e.g. by performing a request to an external provider), or (2) if
>   the OPTIONS request is an XXX, and contains an
>   Access-Control-Request-Method with "POST" value and the the
>   Access-Control-Request-Headers HTTP header contains the "Link"
>   value.
> 
> "is an XXX" optional and is to clarify the situation that exception
> (2) supports.  From the current text, I think it should be "is not a
> preflight request for CORS".  If "preflight request for CORS" is
> retained, please add a reference to "[FETCH]" here, as the only other
> mention of CORS in the document which has the reference to "[FETCH]"
> is a long way away.
> 
>   It might be also possible to configure the STUN/TURN server URIs with
>   long term credentials provided by either the broadcasting service or
>   an external TURN provider on the WHIP client, overriding the values
>   provided by the WHIP endpoint.
> 
> This should start with that it is the WHIP client that is being
> configured:
> 
>   The WHIP client MAY be configured with the STUN/TURN server URIs
>   and long term credentials provided by either the broadcasting
>   service or an external TURN provider, overriding the values
>   provided by the WHIP endpoint.
> 
> 4.7.  Protocol extensions
> 
>   The WHIP endpoint MUST
>   return one "Link" header field for each extension, with the extension
>   "rel" type attribute and the URI for the HTTP resource that will be
>   available for receiving requests related to that extension.
> 
> This seems awkward to me.  Perhaps
> 
>   The WHIP endpoint MUST return one "Link" header field for each
>   extension that it supports, with the "rel" attribute having the
>   extension URN as its value and the URI being suitable for that
>   extension.
> 
> The part "the URI being suitable for that extension" recognizes that
> we can't predict what the semantics of the URI will be for a future
> extension, but the extension will define the semantics.
> 
>   Protocol extensions supported by the WHIP server MUST be advertised
>   to the WHIP client in the "201 Created" response to the initial HTTP
>   POST request sent to the WHIP endpoint.
> 
> It seems like a good idea to require protocol extension support
> declaration in OPTIONS responses as well.
> 
> 5.  Security Considerations
> 
> The writers should do a spelling-check pass over section 5, as there
> are enough misspellings to inconvenience the Editor.
> 
>   On top of that, the WHIP protocol exposes a thin new attack surface
>   expecific [sic] of the REST API methods used within it:
> 
> It seems like the following three items could be condensed, as most of
> the text enumerates problems that are well-known or clear from the
> context.  Perhaps something like:
> 
>   * HTTP flooding and resource exhaustion:  Both the WHIP server and
>     the WHIP resources SHOULD implement a rate limit and avalanche
>     control mechanism for incoming requests.
> 					      
>   * Security of WHIP resource URLs:  Servers for WHIP resource URLs
>     SHOULD either implement authentication and authorization
>     similarly to WHIP servers (see section 4.5) or use URLs that are
>     capabilities, in that they are unguessable and the possession of
>     the URL shows the client has the right to access the resource.
> 
> 6.1.  Link Relation Type: ice-server
> 
>   The link relation type below has been registered by IANA per
>   Section 4.2 of [RFC8288].
> 
> I do not see "ice-server" in
> https://www.iana.org/assignments/link-relations/link-relations.xhtml,
> so it appears the wording should be "IANA is asked to register ...".
> 
> 6.3.1.  Specification Template
> 
>   *  The designated contact shall be responsible for reviewing and
>      enforcing uniqueness.
> 
> Should this be "designated expert"?  Compare with sections 6.4.1 and
> 6.4.2.
> 
> 6.4.1.  Registration Procedure
> 
>   The RFC SHOULD include any attributes defined.
> 
> If this means what I think it does, it should be expanded to something
> like
> 
>   The RFC MUST include the syntax and semantics of any
>   extension-specific attributes that may be provided in a Link header
>   field advertising the extension.
> 
> [END]
> 
> 
>