Presentation is loading. Please wait.

Presentation is loading. Please wait.

ICE Jonathan Rosenberg Cisco Systems. Changes Removed abstract protocol concept Relaxed requirements for ICE on servers and gateways – no address gathering.

Published byEmmanuel Winder Modified over 9 years ago

Similar presentations

Presentation on theme: "ICE Jonathan Rosenberg Cisco Systems. Changes Removed abstract protocol concept Relaxed requirements for ICE on servers and gateways – no address gathering."— Presentation transcript:

1 ICE Jonathan Rosenberg Cisco Systems

2 Changes Removed abstract protocol concept Relaxed requirements for ICE on servers and gateways – no address gathering needed Uses mechanism discussed at last IETF – reINVITE to select validated pairing TCP alternatives to UDP – extensive changes Removed user-frag and password – just ID Added grouping construct to candidates (RTP/CP) STUN for mid-session keepalives if ICE is supported, else no-op Always do symmetric RTP Allow hostnames in candidates (split-DNS) If RTCP not used, bandwidth modifiers need to be there

3 ICE Issue 1: STUN Floods Current algorithm does all connectivity checks in parallel –Number of checks = 2*interfaces*IP-versions*(STUN-servers + TURN servers) –Can be really big Consequences –Network bandwidth –NAT overload – reverting to symmetric behavior or refusing to create bindings Needs to be fixed

4 Proposed Fix Each side computes an absolute ordering of pairings STUN checks are rate limited like RTCP Each side does checks starting with highest priority, at maximum rate Once a check succeeds, stop and do an updated offer after Tb seconds –Eliminates un-needed checks –Tb deals with packet losses on higher priority checks – maybe 1 second or so Proposal: adopt? –What should rate limits be?

5 Issue 2: TCP or not TCP Lots of text added to deal with TCP –Significantly different than UDP – connections are not the same as pairings since you can’t do simultaneous open successfully in TCP RTP over TCP is of questionable value But, ICE really needs to make VoIP “just work” and thus should be aggressive with traversal Proposal: –Move it to separate document, progressed pretty much in parallel –Interoperability is easy

6 Issue 3: Default Timers Current timers –Tu: time to wait for active address to validate before an update (3s) –Tg: time to final updated offer (50s) Tg seems too large – set based on SIP default timers Intimately related to issue 1

7 Issue 4: STUN authentication and SIPS Current usage of STUN authentication and sips is vague Doing it is better than not But how likely are the attacks if its not there? –DoS attacks not possible as in regular STUN, even without crypto –Stealing media streams possible, but hard to coordinate (prevented with crypto) What happens if one side challenges but other side doesn’t respond? BAD Proposal: –Discuss threats (obviously) –STUN auth is MUST implement, SHOULD use –sips is SHOULD use

8 Issue 5: Normative Dependencies (again) Question from Francois around STUN – RFC 3489 or RFC 3489bis? –Timeframe on bis is questionable –Can specify behaviors using 3489 as basis –Propose: 3489

Download ppt "ICE Jonathan Rosenberg Cisco Systems. Changes Removed abstract protocol concept Relaxed requirements for ICE on servers and gateways – no address gathering."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Jonathan Rosenberg Cisco Systems

Jonathan Rosenberg Cisco Systems
Interactive Connectivity Establishment: ICE

Interactive Connectivity Establishment: ICE
Open Issues in bis 12/6/2001 5:28 PM Jonathan Rosenberg dynamicsoft.

Open Issues in bis 12/6/2001 5:28 PM Jonathan Rosenberg dynamicsoft.
Negotiation and Extensibility Cullen Jennings IETF 80.

Negotiation and Extensibility Cullen Jennings IETF 80.
Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Tokyo, Japan, Oct 22 th 2002.

Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Tokyo, Japan, Oct 22 th 2002.
UC403: Lync & Network Interaction

UC403: Lync & Network Interaction
RFC 3489bis Jonathan Rosenberg Cisco Systems. Technical Changes Needed Allow STUN over TCP –Driver: draft-ietf-sip-outbound Allow response to omit CHANGED-

RFC 3489bis Jonathan Rosenberg Cisco Systems. Technical Changes Needed Allow STUN over TCP –Driver: draft-ietf-sip-outbound Allow response to omit CHANGED-
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
1 Controlling NAT Bindings using STUN draft-wing-behave-nat-control-stun-usage-00 Dan Wing Jonathan Rosenberg.

1 Controlling NAT Bindings using STUN draft-wing-behave-nat-control-stun-usage-00 Dan Wing Jonathan Rosenberg.
Address Settlement by Peer to Peer (ASP) Jonathan Rosenberg Cullen Jennings Eric Rescorla.

Address Settlement by Peer to Peer (ASP) Jonathan Rosenberg Cullen Jennings Eric Rescorla.
1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings

1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.

Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.
NAT Traversal for P2PSIP Philip Matthews Avaya. Peer X Peer Y Peer W 2. P2PSIP Network Establishing new Peer Protocol connection Peer Protocol messages.

NAT Traversal for P2PSIP Philip Matthews Avaya. Peer X Peer Y Peer W 2. P2PSIP Network Establishing new Peer Protocol connection Peer Protocol messages.
SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf.

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, ~ndk/apanSIP.pdf.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.
August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.

August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.
STUN bis draft-ietf-behave-rfc3489bis Jonathan Rosenberg Cisco Systems.

STUN bis draft-ietf-behave-rfc3489bis Jonathan Rosenberg Cisco Systems.
SIP Security Matt Hsu.

SIP Security Matt Hsu.

Similar presentations

Ads by Google