[VOIPSEC] Interactive Connectivity Establishment (ICE)

Dan Wing dwing at cisco.com
Mon Nov 14 12:34:39 CST 2005 

> Thanks a lot for this information. I think I saw this 
> behaviour on ICE-05 at least on the first call flow. I had a 
> quick look on the new version ICE-06, the call flow seems to 
> be really better. A very bad thing was to send media packets 
> before a new SDP negociation.

I don't understand your last sentence.  Are you saying it is undesirable to
send early media, or are you saying ICE doesn't allow you to send early
media, or are you saying it's undesirable to send a new offer (re-Invite in
SIP)?

> This could involve in large 
> cuts in the call establishment especially if there is video.
> 
> New call flow:
> 
>           Agent A          TURN,STUN Servers          Agent B
>              |(1) Gather Addresses |                     |
>              |-------------------->|                     |
>              |(2) Offer            |                     |
>              |------------------------------------------>|
>              |                     |(3) Gather Addresses |
>              |                     |<--------------------|
>              |(4) Answer           |                     |
>              |<------------------------------------------|
>              |(5) STUN Check       |                     |
>              |<------------------------------------------|
>              |(6) STUN Check       |                     |
>              |------------------------------------------>|
>              |(7) Offer            |                     |
>              |------------------------------------------>|
>              |(8) Answer           |                     |
>              |<------------------------------------------|
>              |(9) Media            |                     |
>              |<------------------------------------------|
>              |(10) Media           |                     |
>              |------------------------------------------>|
> 
> 
>                                  Figure 1
> 
> The call establishment may be long if it's not the first 
> address which is good but the third one.  There are timeouts 
> on STUN checks I think. 

If the answerer ("Agent B" in the above flow) wants to send media before the
ICE state machine completes, it can send media.  Of course, if the ICE state
machine hasn't completed the answerer might not pick a viable path to send
media until the ICE state machine completes.  But if it selects any path
that received a STUN Response (message 6 in the above flow), the answerer
will at least know that path works, even if it might not happen to be the
best path or the path that is selected in the re-Invite.

...
> I'm sure that NAT problems will still be alive with IPv6 
> because it permits masking of  network topology. It makes 
> part of security requirements for a company.

draft-ietf-v6ops-nap-02.txt might be the ticket.

-d

More information about the Voipsec mailing list