Skip to main content

3. Transport and Middlebox Specification

This section defines the transport protocols and middlebox handling functions that WebRTC endpoints must support.

3.1. System-Provided Interfaces

The protocol specifications used here assume that the following protocols are available to the implementations of the WebRTC protocols:

UDP [RFC0768]: This is the protocol assumed by most protocol elements described.

TCP [RFC0793]: This is used for HTTP/WebSockets, as well as TURN/TLS and ICE-TCP.

For both protocols, IPv4 and IPv6 support is assumed.

For UDP, this specification assumes the ability to set the Differentiated Services Code Point (DSCP) of the sockets opened on a per-packet basis, in order to achieve the prioritizations described in [RFC8837] (see Section 4.2 of this document) when multiple media types are multiplexed. It does not assume that the DSCPs will be honored and does assume that they may be zeroed or changed, since this is a local configuration issue.

Platforms that do not give access to these interfaces will not be able to support a conforming WebRTC endpoint.

This specification does not assume that the implementation will have access to ICMP or raw IP.

The following protocols may be used, but they can be implemented by a WebRTC endpoint and are therefore not defined as "system-provided interfaces":

  • TURN: Traversal Using Relays Around NAT [RFC8656]
  • STUN: Session Traversal Utilities for NAT [RFC5389]
  • ICE: Interactive Connectivity Establishment [RFC8445]
  • TLS: Transport Layer Security [RFC8446]
  • DTLS: Datagram Transport Layer Security [RFC6347]

3.2. Ability to Use IPv4 and IPv6

Web applications running in a WebRTC browser MUST be able to utilize both IPv4 and IPv6 where available -- that is, when two peers have only IPv4 connectivity to each other, or they have only IPv6 connectivity to each other, applications running in the WebRTC browser MUST be able to communicate.

When TURN is used, and the TURN server has IPv4 or IPv6 connectivity to the peer or the peer's TURN server, candidates of the appropriate types MUST be supported. The "Happy Eyeballs" specification for ICE [RFC8421] SHOULD be supported.

3.3. Usage of Temporary IPv6 Addresses

The IPv6 default address selection specification [RFC6724] specifies that temporary addresses [RFC4941] are to be preferred over permanent addresses. This is a change from the rules specified by [RFC3484]. For applications that select a single address, this is usually done by the IPV6_PREFER_SRC_TMP preference flag specified in [RFC5014]. However, this rule, which is intended to ensure that privacy-enhanced addresses are used in preference to static addresses, doesn't have the right effect in ICE, where all addresses are gathered and therefore revealed to the application. Therefore, the following rule is applied instead:

When a WebRTC endpoint gathers all IPv6 addresses on its host, and both nondeprecated temporary addresses and permanent addresses of the same scope are present, the WebRTC endpoint SHOULD discard the permanent addresses before exposing addresses to the application or using them in ICE. This is consistent with the default policy described in [RFC6724].

If some, but not all, of the temporary IPv6 addresses are marked deprecated, the WebRTC endpoint SHOULD discard the deprecated addresses, unless they are used by an ongoing connection. In an ICE restart, deprecated addresses that are currently in use MAY be retained.

The primary mechanism for dealing with middleboxes is ICE, which is an appropriate way to deal with NAT boxes and firewalls that accept traffic from the inside, but only from the outside if it is in response to inside traffic (simple stateful firewalls).

ICE [RFC8445] MUST be supported. The implementation MUST be a full ICE implementation, not ICE-Lite. A full ICE implementation allows interworking with both ICE and ICE-Lite implementations when they are deployed appropriately.

In order to deal with situations where both parties are behind NATs of the type that perform endpoint-dependent mapping (as defined in [RFC5128], Section 2.4), TURN [RFC8656] MUST be supported.

WebRTC browsers MUST support configuration of STUN and TURN servers, from both browser configuration and an application.

Note that other work exists around STUN and TURN server discovery and management, including [RFC8155] for server discovery, as well as [RETURN].

In order to deal with firewalls that block all UDP traffic, the mode of TURN that uses TCP between the WebRTC endpoint and the TURN server MUST be supported, and the mode of TURN that uses TLS over TCP between the WebRTC endpoint and the TURN server MUST be supported. See Section 3.1 of [RFC8656], for details.

In order to deal with situations where one party is on an IPv4 network and the other party is on an IPv6 network, TURN extensions for IPv6 MUST be supported.

TURN TCP candidates, where the connection from the WebRTC endpoint's TURN server to the peer is a TCP connection, [RFC6062] MAY be supported.

However, such candidates are not seen as providing any significant benefit, for the following reasons.

First, use of TURN TCP candidates would only be relevant in cases where both peers are required to use TCP to establish a connection.

Second, that use case is supported in a different way by both sides establishing UDP relay candidates using TURN over TCP to connect to their respective relay servers.

Third, using TCP between the WebRTC endpoint's TURN server and the peer may result in more performance problems than using UDP, e.g., due to head of line blocking.

ICE-TCP candidates [RFC6544] MUST be supported; this may allow applications to communicate to peers with public IP addresses across UDP-blocking firewalls without using a TURN server.

If TCP connections are used, RTP framing according to [RFC4571] MUST be used for all packets. This includes the RTP packets, DTLS packets used to carry data channels, and STUN connectivity check packets.

The ALTERNATE-SERVER mechanism specified in Section 11 of [RFC5389] (300 Try Alternate) MUST be supported.

The WebRTC endpoint MAY support accessing the Internet through an HTTP proxy. If it does so, it MUST include the "ALPN" header as specified in [RFC7639], and proxy authentication as described in Section 4.3.6 of [RFC7231] and [RFC7235] MUST also be supported.

3.5. Transport Protocols Implemented

For transport of media, secure RTP is used. The details of the RTP profile used are described in "Media Transport and Use of RTP in WebRTC" [RFC8834], which mandates the use of a circuit breaker [RFC8083] and congestion control (see [RFC8836] for further guidance).

Key exchange MUST be done using DTLS-SRTP, as described in [RFC8827].

For data transport over the WebRTC data channel [RFC8831], WebRTC endpoints MUST support SCTP over DTLS over ICE. This encapsulation is specified in [RFC8261]. Negotiation of this transport in the Session Description Protocol (SDP) is defined in [RFC8841]. The SCTP extension for I-DATA [RFC8260] MUST be supported.

The setup protocol for WebRTC data channels described in [RFC8832] MUST be supported.

Note: The interaction between DTLS-SRTP as defined in [RFC5764] and ICE as defined in [RFC8445] is described in Section 6 of [RFC8842]. The effect of this specification is that all ICE candidate pairs associated with a single component are part of the same DTLS association. Thus, there will only be one DTLS handshake, even if there are multiple valid candidate pairs.

WebRTC endpoints MUST support multiplexing of DTLS and RTP over the same port pair, as described in the DTLS-SRTP specification [RFC5764], Section 5.1.2, with clarifications in [RFC7983]. All application-layer protocol payloads over this DTLS connection are SCTP packets.

Protocol identification MUST be supplied as part of the DTLS handshake, as specified in [RFC8833].

Last updated on