Transports for WebRTCGoogleharald@alvestrand.noThis document describes the data transport protocols used by Web
Real-Time Communication (WebRTC),
including the protocols used for interaction with intermediate boxes
such as firewalls, relays, and NAT boxes.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Requirements Language
. Transport and Middlebox Specification
. System-Provided Interfaces
. Ability to Use IPv4 and IPv6
. Usage of Temporary IPv6 Addresses
. Middlebox-Related Functions
. Transport Protocols Implemented
. Media Prioritization
. Local Prioritization
. Usage of Quality of Service -- DSCP and Multiplexing
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Author's Address
IntroductionWebRTC is a protocol suite aimed at real-time multimedia exchange
between browsers, and between browsers and other entities.WebRTC is described in the WebRTC overview document , which also defines terminology used
in this document, including the terms "WebRTC endpoint" and "WebRTC
browser".Terminology for RTP sources is taken from .This document focuses on the data transport protocols that are used
by conforming implementations, including the protocols used for
interaction with intermediate boxes such as firewalls, relays, and NAT
boxes.This protocol suite is intended to satisfy the security considerations
described in the WebRTC security documents, and .This document describes requirements that apply to all WebRTC
endpoints. When there are requirements that apply only to WebRTC
browsers, this is called out explicitly.Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Transport and Middlebox SpecificationSystem-Provided InterfacesThe protocol specifications used here assume that the following
protocols are available to the implementations of the WebRTC
protocols:
UDP :
This is the protocol assumed by
most protocol elements described.
TCP :
This is used for HTTP/WebSockets,
as well as TURN/TLS and
ICE-TCP.
For both protocols, IPv4 and IPv6 support is assumed.For UDP, this specification assumes the ability to set the
Differentiated Services Code Point (DSCP) of the sockets opened on a per-packet basis, in order to
achieve the prioritizations described in (see of this document) when
multiple media types are multiplexed. It does not assume that the DSCPs
will be honored and does assume that they may be zeroed or
changed, since this is a local configuration issue.Platforms that do not give access to these interfaces will not be
able to support a conforming WebRTC endpoint.This specification does not assume that the implementation will
have access to ICMP or raw IP.The following protocols may be used, but they can be implemented by a
WebRTC endpoint and are therefore not defined as "system-provided
interfaces":
TURN:
Traversal Using Relays Around NAT
STUN:
Session Traversal Utilities for NAT
ICE:
Interactive Connectivity Establishment
TLS:
Transport Layer Security
DTLS:
Datagram Transport Layer Security
Ability to Use IPv4 and IPv6Web applications running in a WebRTC browser MUST be able to
utilize both IPv4 and IPv6 where available -- that is, when two peers
have only IPv4 connectivity to each other, or they have only IPv6
connectivity to each other, applications running in the WebRTC browser
MUST be able to communicate.When TURN is used, and the TURN server has IPv4 or IPv6
connectivity to the peer or the peer's TURN server, candidates of the
appropriate types MUST be supported. The "Happy Eyeballs"
specification for ICE SHOULD be
supported.Usage of Temporary IPv6 AddressesThe IPv6 default address selection specification specifies that temporary addresses
are to be preferred over
permanent addresses. This
is a change from the rules specified by . For
applications that select a single address, this is usually done by the
IPV6_PREFER_SRC_TMP preference flag specified in . However, this rule, which is intended to ensure
that privacy-enhanced addresses are used in preference to static
addresses, doesn't have the right effect in ICE, where all addresses
are gathered and therefore revealed to the application. Therefore, the
following rule is applied instead:When a WebRTC endpoint gathers all IPv6 addresses on its host, and
both nondeprecated temporary addresses and permanent addresses of the
same scope are present, the WebRTC endpoint SHOULD discard the
permanent addresses before exposing addresses to the application or
using them in ICE. This is consistent with the default policy
described in .If some, but not all, of the temporary IPv6 addresses are marked
deprecated, the WebRTC endpoint SHOULD discard the deprecated
addresses, unless they are used by an ongoing connection. In an ICE
restart, deprecated addresses that are currently in use MAY be
retained.Middlebox-Related FunctionsThe primary mechanism for dealing with middleboxes is ICE, which is an
appropriate way to deal with NAT boxes and firewalls that accept
traffic from the inside, but only from the outside if it is in
response to inside traffic (simple stateful firewalls).ICE MUST be supported. The
implementation MUST be a full ICE implementation, not ICE-Lite. A full
ICE implementation allows interworking with both ICE and ICE-Lite
implementations when they are deployed appropriately.In order to deal with situations where both parties are behind NATs
of the type that perform endpoint-dependent mapping (as defined in
), TURN MUST be supported.WebRTC browsers MUST support configuration of STUN and TURN
servers, from both browser configuration and an application.Note that other work exists around STUN and TURN server discovery
and management, including for server discovery,
as well as .In order to deal with firewalls that block all UDP traffic, the
mode of TURN that uses TCP between the WebRTC endpoint and the TURN
server MUST be supported, and the mode of TURN that uses TLS over TCP
between the WebRTC endpoint and the TURN server MUST be supported. See
, for details.In order to deal with situations where one party is on an IPv4
network and the other party is on an IPv6 network, TURN extensions for
IPv6 MUST be supported.TURN TCP candidates, where the connection from the WebRTC
endpoint's TURN server to the peer is a TCP connection, MAY be supported.However, such candidates are not seen as providing any significant
benefit, for the following reasons.First, use of TURN TCP candidates would only be relevant in cases
where both peers are required to use TCP to establish a
connection.Second, that use case is supported in a different way by both sides
establishing UDP relay candidates using TURN over TCP to connect to
their respective relay servers.Third, using TCP between the WebRTC endpoint's TURN server and the
peer may result in more performance problems than using UDP, e.g., due
to head of line blocking.ICE-TCP candidates MUST be supported; this
may allow applications to communicate to peers with public IP
addresses across UDP-blocking firewalls without using a TURN
server.If TCP connections are used, RTP framing according to MUST be used for all packets. This includes the RTP
packets, DTLS packets used to carry data channels, and STUN
connectivity check packets.The ALTERNATE-SERVER mechanism specified in (300 Try Alternate) MUST be
supported.The WebRTC endpoint MAY support accessing the Internet through an
HTTP proxy. If it does so, it MUST include the "ALPN" header as
specified in , and proxy authentication as
described in and MUST also be supported.Transport Protocols ImplementedFor transport of media, secure RTP is used. The details of the
RTP profile used are described in "Media Transport and Use of RTP in WebRTC" , which mandates the use of a
circuit breaker
and congestion control (see for further guidance).Key exchange MUST be done using DTLS-SRTP, as described in .For data transport over the WebRTC data channel , WebRTC endpoints MUST support
SCTP over DTLS over ICE. This encapsulation is specified in . Negotiation of this
transport in the Session Description Protocol (SDP) is defined in . The SCTP extension for I-DATA
MUST be supported.The setup protocol for WebRTC data channels described in MUST be supported.WebRTC endpoints MUST support multiplexing of DTLS and RTP over the
same port pair, as described in the DTLS-SRTP specification , with clarifications in . All application-layer
protocol payloads over this DTLS connection are SCTP packets.Protocol identification MUST be supplied as part of the DTLS
handshake, as specified in .Media PrioritizationIn the WebRTC prioritization model, the application tells the
WebRTC endpoint about the priority of media and data that is controlled
from the API.In this context, a "flow" is used for the units that are given a
specific priority through the WebRTC API.For media, a "media flow", which can be an "audio flow" or a "video
flow", is what calls a "media source", which
results in a "source RTP stream" and one or more "redundancy RTP
streams". This specification does not describe prioritization between
the RTP streams that come from a single media source.All media flows in WebRTC are assumed to be interactive, as defined
in ; there is no browser API support for
indicating whether media is interactive or noninteractive.A "data flow" is the outgoing data on a single WebRTC data
channel.The priority associated with a media flow or data flow is classified
as "very-low", "low", "medium", or "high". There are only four priority
levels in the API.The priority settings affect two pieces of behavior: packet send
sequence decisions and packet markings. Each is described in its own
section below.Local PrioritizationLocal prioritization is applied at the local node, before the
packet is sent. This means that the prioritization has full access to
the data about the individual packets and can choose differing
treatment based on the stream a packet belongs to.When a WebRTC endpoint has packets to send on multiple streams
that are congestion controlled under the same congestion control
regime, the WebRTC endpoint SHOULD cause data to be emitted in such a
way that each stream at each level of priority is being given
approximately twice the transmission capacity (measured in payload
bytes) of the level below.Thus, when congestion occurs, a high-priority flow will have the
ability to send 8 times as much data as a very-low-priority flow if
both have data to send. This prioritization is independent of the
media type. The details of which packet to send first are
implementation defined.For example, if there is a high-priority audio flow sending
100-byte packets and a low-priority video flow sending 1000-byte
packets, and outgoing capacity exists for sending > 5000 payload bytes, it
would be appropriate to send 4000 bytes (40 packets) of audio and 1000
bytes (one packet) of video as the result of a single pass of sending
decisions.Conversely, if the audio flow is marked low priority and the video
flow is marked high priority, the scheduler may decide to send 2 video
packets (2000 bytes) and 5 audio packets (500 bytes) when outgoing
capacity exists for sending > 2500 payload bytes.If there are two high-priority audio flows, each will be able to
send 4000 bytes in the same period where a low-priority video flow is
able to send 1000 bytes.Two example implementation strategies are:
When the available bandwidth is known from the congestion
control algorithm, configure each codec and each data channel with
a target send rate that is appropriate to its share of the
available bandwidth.
When congestion control indicates that a specified number of
packets can be sent, send packets that are available to send using
a weighted round-robin scheme across the connections.
Any combination of these, or other schemes that have the same
effect, is valid, as long as the distribution of transmission capacity
is approximately correct.For media, it is usually inappropriate to use deep queues for
sending; it is more useful to, for instance, skip intermediate frames
that have no dependencies on them in order to achieve a lower bitrate.
For reliable data, queues are useful.Note that this specification doesn't dictate when disparate streams
are to be "congestion controlled under the same congestion control
regime". The issue of coupling congestion controllers is explored
further in .Usage of Quality of Service -- DSCP and MultiplexingWhen the packet is sent, the network will make decisions about
queueing and/or discarding the packet that can affect the quality of
the communication. The sender can attempt to set the DSCP field of the
packet to influence these decisions.Implementations SHOULD attempt to set QoS on the packets sent,
according to the guidelines in . It is appropriate to depart from
this recommendation when running on platforms where QoS marking is not
implemented.The implementation MAY turn off use of DSCP markings if it detects
symptoms of unexpected behavior such as priority inversion or blocking
of packets with certain DSCP markings. Some examples of such behaviors
are described in . The detection of these
conditions is implementation dependent.A particularly hard problem is when one media transport uses
multiple DSCPs, where one may be blocked and another may be
allowed. This is allowed even within a single media flow for video in
. Implementations need to
diagnose this scenario; one possible implementation is to send initial
ICE probes with DSCP 0, and send ICE probes on all the DSCPs
that are intended to be used once a candidate pair has been
selected. If one or more of the DSCP-marked probes fail, the sender
will switch the media type to using DSCP 0. This can be carried out
simultaneously with the initial media traffic; on failure, the initial
data may need to be resent. This switch will, of course, invalidate any
congestion information gathered up to that point.Failures can also start happening during the lifetime of the call;
this case is expected to be rarer and can be handled by the normal
mechanisms for transport failure, which may involve an ICE
restart.Note that when a DSCP causes nondelivery, one has to
switch the whole media flow to DSCP 0, since all traffic for a single
media flow needs to be on the same queue for congestion control
purposes. Other flows on the same transport, using different DSCPs, don't need to change.All packets carrying data from the SCTP association supporting the
data channels MUST use a single DSCP. The code point used
SHOULD be that recommended by for the highest-priority data
channel carried. Note that this means that all data packets, no matter
what their relative priority is, will be treated the same by the
network.All packets on one TCP connection, no matter what it carries, MUST
use a single DSCP.More advice on the use of DSCPs with RTP, as well as the
relationship between DSCP and congestion control, is given in .There exist a number of schemes for achieving quality of service
that do not depend solely on DSCPs. Some of these schemes
depend on classifying the traffic into flows based on 5-tuple (source
address, source port, protocol, destination address, destination port)
or 6-tuple (5-tuple + DSCP). Under differing conditions, it
may therefore make sense for a sending application to choose any of
the following configurations:
Each media stream carried on its own 5-tuple
Media streams grouped by media type into 5-tuples (such as
carrying all audio on one 5-tuple)
All media sent over a single 5-tuple, with or without
differentiation into 6-tuples based on DSCPs
In each of the configurations mentioned, data channels may be
carried in their own 5-tuple or multiplexed together with one of the
media flows.More complex configurations, such as sending a high-priority video
stream on one 5-tuple and sending all other video streams multiplexed
together over another 5-tuple, can also be envisioned. More
information on mapping media flows to 5-tuples can be found in .A sending implementation MUST be able to support the following
configurations:
Multiplex all media and data on a single 5-tuple (fully
bundled)
Send each media stream on its own 5-tuple and data on its own
5-tuple (fully unbundled)
The sending implementation MAY choose to support other
configurations, such as
bundling each media type (audio, video, or data) into its own 5-tuple
(bundling by media type).Sending data channel data over multiple 5-tuples is not
supported.A receiving implementation MUST be able to receive media and data
in all these configurations.IANA ConsiderationsThis document has no IANA actions.Security ConsiderationsWebRTC security considerations are enumerated in .Security considerations pertaining to the use of DSCP are enumerated
in .ReferencesNormative ReferencesUser Datagram ProtocolTransmission Control ProtocolKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection-Oriented TransportThis memo defines a method for framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) packets onto connection-oriented transport (such as TCP). The memo also defines how session descriptions may specify RTP streams that use the framing method. [STANDARDS-TRACK]Configuration Guidelines for DiffServ Service ClassesThis document describes service classes configured with Diffserv and recommends how they can be used and how to construct them using Differentiated Services Code Points (DSCPs), traffic conditioners, Per-Hop Behaviors (PHBs), and Active Queue Management (AQM) mechanisms. There is no intrinsic requirement that particular DSCPs, traffic conditioners, PHBs, and AQM be used for a certain service class, but as a policy and for interoperability it is useful to apply them consistently. This memo provides information for the Internet community.Privacy Extensions for Stateless Address Autoconfiguration in IPv6Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. On an interface that contains an embedded IEEE Identifier, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node. [STANDARDS-TRACK]Session Traversal Utilities for NAT (STUN)Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT. It can also be used to check connectivity between two endpoints, and as a keep-alive protocol to maintain NAT bindings. STUN works with many existing NATs, and does not require any special behavior from them.STUN is not a NAT traversal solution by itself. Rather, it is a tool to be used in the context of a NAT traversal solution. This is an important change from the previous version of this specification (RFC 3489), which presented STUN as a complete solution.This document obsoletes RFC 3489. [STANDARDS-TRACK]Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)This document describes a Datagram Transport Layer Security (DTLS) extension to establish keys for Secure RTP (SRTP) and Secure RTP Control Protocol (SRTCP) flows. DTLS keying happens on the media path, independent of any out-of-band signalling channel present. [STANDARDS-TRACK]Traversal Using Relays around NAT (TURN) Extensions for TCP AllocationsThis specification defines an extension of Traversal Using Relays around NAT (TURN), a relay protocol for Network Address Translator (NAT) traversal. This extension allows a TURN client to request TCP allocations, and defines new requests and indications for the TURN server to open and accept TCP connections with the client\'s peers. TURN and this extension both purposefully restrict the ways in which the relayed address can be used. In particular, it prevents users from running general-purpose servers from ports obtained from the TURN server. [STANDARDS-TRACK]Datagram Transport Layer Security Version 1.2This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]TCP Candidates with Interactive Connectivity Establishment (ICE)Interactive Connectivity Establishment (ICE) defines a mechanism for NAT traversal for multimedia communication protocols based on the offer/answer model of session negotiation. ICE works by providing a set of candidate transport addresses for each media stream, which are then validated with peer-to-peer connectivity checks based on Session Traversal Utilities for NAT (STUN). ICE provides a general framework for describing candidates but only defines UDP-based media streams. This specification extends ICE to TCP-based media, including the ability to offer a mix of TCP and UDP-based candidates for a single stream. [STANDARDS-TRACK]Default Address Selection for Internet Protocol Version 6 (IPv6)This document describes two algorithms, one for source address selection and one for destination address selection. The algorithms specify default behavior for all Internet Protocol version 6 (IPv6) implementations. They do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms share a common context, including an optional mechanism for allowing administrators to provide policy that can override the default behavior. In dual-stack implementations, the destination address selection algorithm can consider both IPv4 and IPv6 addresses -- depending on the available source addresses, the algorithm might prefer IPv6 addresses over IPv4 addresses, or vice versa.Default address selection as defined in this specification applies to all IPv6 nodes, including both hosts and routers. This document obsoletes RFC 3484. [STANDARDS-TRACK]Hypertext Transfer Protocol (HTTP/1.1): Semantics and ContentThe Hypertext Transfer Protocol (HTTP) is a stateless \%application- level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.Hypertext Transfer Protocol (HTTP/1.1): AuthenticationThe Hypertext Transfer Protocol (HTTP) is a stateless application- level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.The ALPN HTTP Header FieldThis specification allows HTTP CONNECT requests to indicate what protocol is intended to be used within the tunnel once established, using the ALPN header field.A Taxonomy of Semantics and Mechanisms for Real-Time Transport Protocol (RTP) SourcesThe terminology about, and associations among, Real-time Transport Protocol (RTP) sources can be complex and somewhat opaque. This document describes a number of existing and proposed properties and relationships among RTP sources and defines common terminology for discussing protocol entities and their relationships.Multiplexing Scheme Updates for Secure Real-time Transport Protocol (SRTP) Extension for Datagram Transport Layer Security (DTLS)This document defines how Datagram Transport Layer Security (DTLS), Real-time Transport Protocol (RTP), RTP Control Protocol (RTCP), Session Traversal Utilities for NAT (STUN), Traversal Using Relays around NAT (TURN), and ZRTP packets are multiplexed on a single receiving socket. It overrides the guidance from RFC 5764 ("SRTP Extension for DTLS"), which suffered from four issues described and fixed in this document.This document updates RFC 5764.Multimedia Congestion Control: Circuit Breakers for Unicast RTP SessionsThe Real-time Transport Protocol (RTP) is widely used in telephony, video conferencing, and telepresence applications. Such applications are often run on best-effort UDP/IP networks. If congestion control is not implemented in these applications, then network congestion can lead to uncontrolled packet loss and a resulting deterioration of the user's multimedia experience. The congestion control algorithm acts as a safety measure by stopping RTP flows from using excessive resources and protecting the network from overload. At the time of this writing, however, while there are several proprietary solutions, there is no standard algorithm for congestion control of interactive RTP flows.This document does not propose a congestion control algorithm. It instead defines a minimal set of RTP circuit breakers: conditions under which an RTP sender needs to stop transmitting media data to protect the network from excessive congestion. It is expected that, in the absence of long-lived excessive congestion, RTP applications running on best-effort IP networks will be able to operate without triggering these circuit breakers. To avoid triggering the RTP circuit breaker, any Standards Track congestion control algorithms defined for RTP will need to operate within the envelope set by these RTP circuit breaker algorithms.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Stream Schedulers and User Message Interleaving for the Stream Control Transmission ProtocolThe Stream Control Transmission Protocol (SCTP) is a message-oriented transport protocol supporting arbitrarily large user messages. This document adds a new chunk to SCTP for carrying payload data. This allows a sender to interleave different user messages that would otherwise result in head-of-line blocking at the sender. The interleaving of user messages is required for WebRTC data channels.Whenever an SCTP sender is allowed to send user data, it may choose from multiple outgoing SCTP streams. Multiple ways for performing this selection, called stream schedulers, are defined in this document. A stream scheduler can choose to either implement, or not implement, user message interleaving.Datagram Transport Layer Security (DTLS) Encapsulation of SCTP PacketsThe Stream Control Transmission Protocol (SCTP) is a transport protocol originally defined to run on top of the network protocols IPv4 or IPv6. This document specifies how SCTP can be used on top of the Datagram Transport Layer Security (DTLS) protocol. Using the encapsulation method described in this document, SCTP is unaware of the protocols being used below DTLS; hence, explicit IP addresses cannot be used in the SCTP control chunks. As a consequence, the SCTP associations carried over DTLS can only be single-homed.Guidelines for Multihomed and IPv4/IPv6 Dual-Stack Interactive Connectivity Establishment (ICE)This document provides guidelines on how to make Interactive Connectivity Establishment (ICE) conclude faster in multihomed and IPv4/IPv6 dual-stack scenarios where broken paths exist. The provided guidelines are backward compatible with the original ICE specification (see RFC 5245).Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) TraversalThis document describes a protocol for Network Address Translator (NAT) traversal for UDP-based communication. This protocol is called Interactive Connectivity Establishment (ICE). ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).This document obsoletes RFC 5245.The Transport Layer Security (TLS) Protocol Version 1.3This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)If a host is located behind a NAT, it can be impossible for that host to communicate directly with other hosts (peers) in certain situations. In these situations, it is necessary for the host to use the services of an intermediate node that acts as a communication relay. This specification defines a protocol, called "Traversal Using Relays around NAT" (TURN), that allows the host to control the operation of the relay and to exchange packets with its peers using the relay. TURN differs from other relay control protocols in that it allows a client to communicate with multiple peers using a single relay address.The TURN protocol was designed to be used as part of the Interactive Connectivity Establishment (ICE) approach to NAT traversal, though it can also be used without ICE.This document obsoletes RFCs 5766 and 6156.Overview: Real-Time Protocols for Browser-Based ApplicationsSecurity Considerations for WebRTCWebRTC Security ArchitectureWebRTC Data ChannelsWebRTC Data Channel Establishment ProtocolApplication-Layer Protocol Negotiation (ALPN) for WebRTCMedia Transport and Use of RTP in WebRTCCongestion Control Requirements for Interactive Real-Time MediaDifferentiated Services Code Point (DSCP) Packet Markings for WebRTC QoSSession Description Protocol (SDP) Offer/Answer Procedures for Stream Control Transmission Protocol (SCTP) over Datagram Transport Layer Security (DTLS) TransportSession Description Protocol (SDP) Offer/Answer Considerations for Datagram Transport Layer Security (DTLS) and Transport Layer Security (TLS)Informative ReferencesHow to say that you're special: Can we use bits in the IPv4 header?ANRW '16: Proceedings of the 2016 Applied Networking
Research Workshop, pages 68-70Recursively Encapsulated TURN (RETURN) for Connectivity and Privacy in WebRTCIn the context of WebRTC, the concept of a local TURN proxy has been suggested, but not reviewed in detail. WebRTC applications are already using TURN to enhance connectivity and privacy. This document explains how local TURN proxies and WebRTC applications can work together.Work in ProgressDefault Address Selection for Internet Protocol version 6 (IPv6)This document describes two algorithms, for source address selection and for destination address selection. The algorithms specify default behavior for all Internet Protocol version 6 (IPv6) implementations. They do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms share a common context, including an optional mechanism for allowing administrators to provide policy that can override the default behavior. In dual stack implementations, the destination address selection algorithm can consider both IPv4 and IPv6 addresses - depending on the available source addresses, the algorithm might prefer IPv6 addresses over IPv4 addresses, or vice-versa. All IPv6 nodes, including both hosts and routers, must implement default address selection as defined in this specification. [STANDARDS-TRACK]IPv6 Socket API for Source Address SelectionThe IPv6 default address selection document (RFC 3484) describes the rules for selecting source and destination IPv6 addresses, and indicates that applications should be able to reverse the sense of some of the address selection rules through some unspecified API. However, no such socket API exists in the basic (RFC 3493) or advanced (RFC 3542) IPv6 socket API documents. This document fills that gap partially by specifying new socket-level options for source address selection and flags for the getaddrinfo() API to specify address selection based on the source address preference in accordance with the socket-level options that modify the default source address selection algorithm. The socket API described in this document will be particularly useful for IPv6 applications that want to choose between temporary and public addresses, and for Mobile IPv6 aware applications that want to use the care-of address for communication. It also specifies socket options and flags for selecting Cryptographically Generated Address (CGA) or non-CGA source addresses. This memo provides information for the Internet community.State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)This memo documents the various methods known to be in use by applications to establish direct communication in the presence of Network Address Translators (NATs) at the current time. Although this memo is intended to be mainly descriptive, the Security Considerations section makes some purely advisory recommendations about how to deal with security vulnerabilities the applications could inadvertently create when using the methods described. This memo covers NAT traversal approaches used by both TCP- and UDP-based applications. This memo is not an endorsement of the methods described, but merely an attempt to capture them in a document. This memo provides information for the Internet community.Differentiated Services (Diffserv) and Real-Time CommunicationThis memo describes the interaction between Differentiated Services (Diffserv) network quality-of-service (QoS) functionality and real- time network communication, including communication based on the Real-time Transport Protocol (RTP). Diffserv is based on network nodes applying different forwarding treatments to packets whose IP headers are marked with different Diffserv Codepoints (DSCPs). WebRTC applications, as well as some conferencing applications, have begun using the Session Description Protocol (SDP) bundle negotiation mechanism to send multiple traffic streams with different QoS requirements using the same network 5-tuple. The results of using multiple DSCPs to obtain different QoS treatments within a single network 5-tuple have transport protocol interactions, particularly with congestion control functionality (e.g., reordering). In addition, DSCP markings may be changed or removed between the traffic source and destination. This memo covers the implications of these Diffserv aspects for real-time network communication, including WebRTC.Traversal Using Relays around NAT (TURN) Server Auto DiscoveryCurrent Traversal Using Relays around NAT (TURN) server discovery mechanisms are relatively static and limited to explicit configuration. These are usually under the administrative control of the application or TURN service provider, and not the enterprise, ISP, or the network in which the client is located. Enterprises and ISPs wishing to provide their own TURN servers need auto-discovery mechanisms that a TURN client could use with minimal or no configuration. This document describes three such mechanisms for TURN server discovery.This document updates RFC 5766 to relax the requirement for mutual authentication in certain cases.Coupled Congestion Control for RTP MediaWhen multiple congestion-controlled Real-time Transport Protocol (RTP) sessions traverse the same network bottleneck, combining their controls can improve the total on-the-wire behavior in terms of delay, loss, and fairness. This document describes such a method for flows that have the same sender, in a way that is as flexible and simple as possible while minimizing the number of changes needed to existing RTP applications. This document also specifies how to apply the method for the Network-Assisted Dynamic Adaptation (NADA) congestion control algorithm and provides suggestions on how to apply it to other congestion control algorithms.AcknowledgementsThis document is based on earlier draft versions embedded in , which were the result of contributions from many RTCWEB Working Group
members.Special thanks for reviews of earlier draft versions of this document go to
, , , and ; the
contributions from also deserve special mention.Author's AddressGoogleharald@alvestrand.no