[VOIPSEC] Interactive Connectivity Establishment (ICE)
Olivier GRALL
olivier.grall at neotip.com
Mon Nov 14 03:40:51 CST 2005
>>My biggest issue with ICE isn't security; it's the potential for
>>significant delays in establishing talk path. You potentially have to
>>re-signal your SDP (SIP re-INVITE) several times as the endpoints try
>>different ICE methods to traverse NAT.
>
>ICE-06 doesn't do that, although earlier versions of ICE, such as ICE-04,
>did encourage such behavior in an attempt to utilize more efficient
>media paths. That has been dropped since ICE-05.
Thanks a lot for this information. I think I saw this behaviour in
ICE-05, at least in the first call flow. I had a quick look at the new
version, ICE-06; the call flow seems to be much better. A very bad
thing was to send media packets before a new SDP negotiation. This could
result in large cuts in the call establishment, especially if there is
video.
New call flow:

   Agent A        TURN,STUN Servers         Agent B
      |(1) Gather Addresses |                     |
      |-------------------->|                     |
      |(2) Offer            |                     |
      |------------------------------------------>|
      |                     |(3) Gather Addresses |
      |                     |<--------------------|
      |(4) Answer           |                     |
      |<------------------------------------------|
      |(5) STUN Check       |                     |
      |<------------------------------------------|
      |(6) STUN Check       |                     |
      |------------------------------------------>|
      |(7) Offer            |                     |
      |------------------------------------------>|
      |(8) Answer           |                     |
      |<------------------------------------------|
      |(9) Media            |                     |
      |<------------------------------------------|
      |(10) Media           |                     |
      |------------------------------------------>|

                       Figure 1

The call establishment may be long if it's not the first address which
is good but the third one. There are timeouts on STUN checks I think.
>>Any solution to this problem is imperfect until we all migrate to IPv6
>>where NAT is no longer necessary.
>
>ICE will remain useful during the IPv4->IPv6 transition to validate the
>IPv6 or IPv4 path is viable before committing to it.
>
>-d
I'm sure that NAT problems will still be alive with IPv6 because it
permits masking of network topology. It is part of the security
requirements for a company.
Regards,
Olivier GRALL
R&D Engineer, NeoTIP S.A.
4, rue Louis de Broglie
22300 Lannion
France
olivier.grall at neotip.com
+33 (0)2 96 48 66 94