Network Working Group
Internet Engineering Task Force (IETF) H. Alvestrand
Request for Comments: 8835 Google
Category: Standards Track October 26, 2016
Expires: April 29, 2017 June 2020
Transports for WebRTC
This document describes the data transport protocols used by WebRTC, Web
Real-Time Communication (WebRTC), including the protocols used for
interaction with intermediate boxes such as firewalls, relays relays, and
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of six months this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 29, 2017.
Copyright (c) 2016 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements language . . . . . . . . . . . . . . . . . . . . 3 Language
3. Transport and Middlebox specification . . . . . . . . . . . . 3 Specification
3.1. System-provided interfaces . . . . . . . . . . . . . . . 3 System-Provided Interfaces
3.2. Ability to use Use IPv4 and IPv6 . . . . . . . . . . . . . . 4
3.3. Usage of temporary Temporary IPv6 addresses . . . . . . . . . . . . 4 Addresses
3.4. Middle box related functions . . . . . . . . . . . . . . 5 Middlebox-Related Functions
3.5. Transport protocols implemented . . . . . . . . . . . . . 6 Protocols Implemented
4. Media Prioritization . . . . . . . . . . . . . . . . . . . . 7
4.1. Local prioritization . . . . . . . . . . . . . . . . . . 8 Prioritization
4.2. Usage of Quality of Service - -- DSCP and Multiplexing . . . 9
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Change log . . . . . . . . . . . . . . . . . . . . . 16
A.1. Changes from -00 to -01 . . . . . . . . . . . . . . . . . 16
A.2. Changes from -01 to -02 . . . . . . . . . . . . . . . . . 16
A.3. Changes from -02 to -03 . . . . . . . . . . . . . . . . . 17
A.4. Changes from -03 to -04 . . . . . . . . . . . . . . . . . 17
A.5. Changes from -04 to -05 . . . . . . . . . . . . . . . . . 17
A.6. Changes from -05 to -06 . . . . . . . . . . . . . . . . . 17
A.7. Changes from -06 to -07 . . . . . . . . . . . . . . . . . 18
A.8. Changes from -07 to -08 . . . . . . . . . . . . . . . . . 18
A.9. Changes from -08 to -09 . . . . . . . . . . . . . . . . . 18
A.10. Changes from -09 to -10 . . . . . . . . . . . . . . . . . 18
A.11. Changes from -10 to -11 . . . . . . . . . . . . . . . . . 18
A.12. Changes from -11 to -12 . . . . . . . . . . . . . . . . . 19
A.13. Changes from -12 to -13 . . . . . . . . . . . . . . . . . 19
A.14. Changes from -13 to -14 . . . . . . . . . . . . . . . . . 19
A.15. Changes from -14 to -15 . . . . . . . . . . . . . . . . . 19
A.16. Changes from -15 to -16 . . . . . . . . . . . . . . . . . 19
A.17. Changes from -16 to -17 . . . . . . . . . . . . . . . . . 20
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 20
WebRTC is a protocol suite aimed at real time real-time multimedia exchange
between browsers, and between browsers and other entities.
WebRTC is described in the WebRTC overview document,
[I-D.ietf-rtcweb-overview], document [RFC8825], which
also defines terminology used in this document, including the terms
"WebRTC endpoint" and "WebRTC browser".
Terminology for RTP sources is taken from[RFC7656] . from [RFC7656].
This document focuses on the data transport protocols that are used
by conforming implementations, including the protocols used for
interaction with intermediate boxes such as firewalls, relays relays, and
This protocol suite intends is intended to satisfy the security
considerations described in the WebRTC security documents,
and [I-D.ietf-rtcweb-security-arch]. [RFC8827].
This document describes requirements that apply to all WebRTC
endpoints. When there are requirements that apply only to WebRTC
browsers, this is called out explicitly.
2. Requirements language Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Transport and Middlebox specification Specification
3.1. System-provided interfaces System-Provided Interfaces
The protocol specifications used here assume that the following
protocols are available to the implementations of the WebRTC
UDP [RFC0768]. [RFC0768]: This is the protocol assumed by most protocol
TCP [RFC0793]. [RFC0793]: This is used for HTTP/WebSockets, as well as for TURN/TLS
For both protocols, IPv4 and IPv6 support is assumed.
For UDP, this specification assumes the ability to set the DSCP code
Differentiated Services Code Point (DSCP) of the sockets opened on a
per-packet basis, in order to achieve the prioritizations described
in [I-D.ietf-tsvwg-rtcweb-qos] [RFC8837] (see Section 4.2) 4.2 of this document) when multiple media
types are multiplexed. It does not assume that the DSCP codepoints DSCPs will be honored,
honored and does assume that they may be zeroed or changed, since
this is a local configuration issue.
Platforms that do not give access to these interfaces will not be
able to support a conforming WebRTC endpoint.
This specification does not assume that the implementation will have
access to ICMP or raw IP.
The following protocols may be used, but they can be implemented by a
WebRTC endpoint, endpoint and are therefore not defined as "system-provided
o TURN -
TURN: Traversal Using Relays Around NAT, NAT [RFC5766]
o STUN -
STUN: Session Traversal Utilities for NAT, NAT [RFC5389]
o ICE -
ICE: Interactive Connectivity Establishment,
o TLS - Establishment [RFC8445]
TLS: Transport Layer Security, [RFC5246]
o DTLS - Security [RFC8446]
DTLS: Datagram Transport Layer Security, [RFC6347]. Security [RFC6347]
3.2. Ability to use Use IPv4 and IPv6
Web applications running in a WebRTC browser MUST be able to utilize
both IPv4 and IPv6 where available - -- that is, when two peers have
only IPv4 connectivity to each other, or they have only IPv6
connectivity to each other, applications running in the WebRTC
browser MUST be able to communicate.
When TURN is used, and the TURN server has IPv4 or IPv6 connectivity
to the peer or the peer's TURN server, candidates of the appropriate
types MUST be supported. The "Happy Eyeballs" specification for ICE
[RFC8421] SHOULD be supported.
3.3. Usage of temporary Temporary IPv6 addresses Addresses
The IPv6 default address selection specification [RFC6724] specifies
that temporary addresses [RFC4941] are to be preferred over permanent
addresses. This is a change from the rules specified by [RFC3484].
For applications that select a single address, this is usually done
by the IPV6_PREFER_SRC_TMP preference flag specified in [RFC5014].
However, this rule, which is intended to ensure that privacy-enhanced
addresses are used in preference to static addresses, doesn't have
the right effect in ICE, where all addresses are gathered and
therefore revealed to the application. Therefore, the following rule
is applied instead:
When a WebRTC endpoint gathers all IPv6 addresses on its host, and
both non-deprecated nondeprecated temporary addresses and permanent addresses of
the same scope are present, the WebRTC endpoint SHOULD discard the
permanent addresses before exposing addresses to the application
or using them in ICE. This is consistent with the default policy
described in [RFC6724].
If some some, but not all, of the temporary IPv6 addresses, but not all, addresses are marked
deprecated, the WebRTC endpoint SHOULD discard the deprecated
addresses, unless they are used by an ongoing connection. In an
ICE restart, deprecated addresses that are currently in use MAY be
3.4. Middle box related functions Middlebox-Related Functions
The primary mechanism to deal for dealing with middle boxes middleboxes is ICE, which is
an appropriate way to deal with NAT boxes and firewalls that accept
traffic from the inside, but only from the outside if it is in
response to inside traffic (simple stateful firewalls).
ICE [I-D.ietf-ice-rfc5245bis] [RFC8445] MUST be supported. The implementation MUST be a full
ICE implementation, not ICE-Lite. A full ICE implementation allows
interworking with both ICE and ICE-Lite implementations when they are
In order to deal with situations where both parties are behind NATs
of the type that perform endpoint-dependent mapping (as defined in
[RFC5128], Section 2.4), TURN [RFC5766] MUST be supported.
WebRTC browsers MUST support configuration of STUN and TURN servers,
from both browser configuration and from an application.
Note that there is other work exists around STUN and TURN sever server discovery and
management, including [I-D.ietf-tram-turn-server-discovery] [RFC8155] for server discovery, as well as [I-D.ietf-rtcweb-return].
In order to deal with firewalls that block all UDP traffic, the mode
of TURN that uses TCP between the WebRTC endpoint and the TURN server
MUST be supported, and the mode of TURN that uses TLS over TCP
between the WebRTC endpoint and the TURN server MUST be supported.
See [RFC5766] section Section 2.1 of [RFC5766], for details.
In order to deal with situations where one party is on an IPv4
network and the other party is on an IPv6 network, TURN extensions
for IPv6 [RFC6156] MUST be supported.
TURN TCP candidates, where the connection from the WebRTC endpoint's
TURN server to the peer is a TCP connection, [RFC6062] MAY be
However, such candidates are not seen as providing any significant
benefit, for the following reasons.
First, use of TURN TCP candidates would only be relevant in cases
where both peers are required to use TCP to establish a
Second, that use case is supported in a different way by both sides
establishing UDP relay candidates using TURN over TCP to connect to
their respective relay servers.
Third, using TCP between the WebRTC endpoint's TURN server and the
peer may result in more performance problems than using UDP, e.g. e.g.,
due to head of line blocking.
ICE-TCP candidates [RFC6544] MUST be supported; this may allow
applications to communicate to peers with public IP addresses across
UDP-blocking firewalls without using a TURN server.
If TCP connections are used, RTP framing according to [RFC4571] MUST
be used for all packets. This includes the RTP packets, DTLS packets
used to carry data channels, and STUN connectivity check packets.
The ALTERNATE-SERVER mechanism specified in [RFC5389] (STUN) section Section 11 of [RFC5389]
(300 Try Alternate) MUST be supported.
The WebRTC endpoint MAY support accessing the Internet through an
HTTP proxy. If it does so, it MUST include the "ALPN" header as
specified in [RFC7639], and proxy authentication as described in
Section 4.3.6 of [RFC7231] and [RFC7235] MUST also be supported.
3.5. Transport protocols implemented Protocols Implemented
For transport of media, secure RTP is used. The details of the
profile of RTP
profile used are described in "RTP Usage"
[I-D.ietf-rtcweb-rtp-usage], which mandates the use of "Media Transport and Use of RTP in
WebRTC" [RFC8834], which mandates the use of a circuit breaker [I-D.ietf-avtcore-rtp-circuit-breakers]
[RFC8083] and congstion congestion control (see [I-D.ietf-rmcat-cc-requirements] [RFC8836] for further
Key exchange MUST be done using DTLS-SRTP, as described in
For data transport over the WebRTC data channel
[I-D.ietf-rtcweb-data-channel], [RFC8831], WebRTC
endpoints MUST support SCTP over DTLS over ICE. This encapsulation
is specified in
[I-D.ietf-tsvwg-sctp-dtls-encaps]. [RFC8261]. Negotiation of this transport in
Session Description Protocol (SDP) is defined in [I-D.ietf-mmusic-sctp-sdp]. [RFC8841]. The SCTP
NDATA, [I-D.ietf-tsvwg-sctp-ndata], I-DATA [RFC8260] MUST be supported.
The setup protocol for WebRTC data channels described in
MUST be supported.
| Note: The interaction between DTLS-SRTP as defined in [RFC5764] section 6.7.1 defines the
interaction between DTLS
| and ICE ( [I-D.ietf-ice-rfc5245bis]). as defined in [RFC8445] is described in Section 6 of
| [RFC8842]. The effect of this specification is that all ICE
| candidate pairs associated with a single component are part of
| the same DTLS association. Thus, there will only be one DTLS handshake
| handshake, even if there are multiple valid candidate pairs.
WebRTC endpoints MUST support multiplexing of DTLS and RTP over the
same port pair, as described in the DTLS-SRTP specification
[RFC5764], section Section 5.1.2, with clarifications in
[I-D.ietf-avtcore-rfc5764-mux-fixes]. [RFC7983]. All application layer
application-layer protocol payloads over this DTLS connection are
Protocol identification MUST be supplied as part of the DTLS
handshake, as specified in [I-D.ietf-rtcweb-alpn]. [RFC8833].
4. Media Prioritization
In the WebRTC prioritization model is that model, the application tells the WebRTC
endpoint about the priority of media and data that is controlled from
In this context, a "flow" is used for the units that are given a
specific priority through the WebRTC API.
For media, a "media flow", which can be an "audio flow" or a "video
flow", is what [RFC7656] calls a "media source", which results in a
"source RTP stream" and one or more "redundancy RTP streams". This
specification does not describe prioritization between the RTP
streams that come from a single "media source". media source.
All media flows in WebRTC are assumed to be interactive, as defined
in [RFC4594]; there is no browser API support for indicating whether
media is interactive or non-interactive. noninteractive.
A "data flow" is the outgoing data on a single WebRTC data channel.
The priority associated with a media flow or data flow is classified
as "very-low", "low", "medium "medium", or "high". There are only four
priority levels at in the API.
The priority settings affect two pieces of behavior: Packet packet send
sequence decisions and packet markings. Each is described in its own
4.1. Local prioritization Prioritization
Local prioritization is applied at the local node, before the packet
is sent. This means that the prioritization has full access to the
data about the individual packets, packets and can choose differing treatment
based on the stream a packet belongs to.
When an a WebRTC endpoint has packets to send on multiple streams that
are congestion-controlled congestion controlled under the same congestion control regime,
the WebRTC endpoint SHOULD cause data to be emitted in such a way
that each stream at each level of priority is being given
approximately twice the transmission capacity (measured in payload
bytes) of the level below.
Thus, when congestion occurs, a "high" priority high-priority flow will have the
ability to send 8 times as much data as a "very-low" priority very-low-priority flow if
both have data to send. This prioritization is independent of the
media type. The details of which packet to send first are
For example: If example, if there is a high priority high-priority audio flow sending 100 byte
packets and a low priority low-priority video flow sending 1000 byte 1000-byte packets, and
outgoing capacity exists for sending >5000 > 5000 payload bytes, it would
be appropriate to send 4000 bytes (40 packets) of audio and 1000
bytes (one packet) of video as the result of a single pass of sending
Conversely, if the audio flow is marked low priority and the video
flow is marked high priority, the scheduler may decide to send 2
video packets (2000 bytes) and 5 audio packets (500 bytes) when
outgoing capacity exists for sending > 2500 payload bytes.
If there are two high priority high-priority audio flows, each will be able to send
4000 bytes in the same period where a low priority low-priority video flow is able
to send 1000 bytes.
Two example implementation strategies are:
* When the available bandwidth is known from the congestion control
algorithm, configure each codec and each data channel with a
target send rate that is appropriate to its share of the available
* When congestion control indicates that a specified number of
packets can be sent, send packets that are available to send using
a weighted round robin round-robin scheme across the connections.
Any combination of these, or other schemes that have the same effect,
is valid, as long as the distribution of transmission capacity is
For media, it is usually inappropriate to use deep queues for
sending; it is more useful to, for instance, skip intermediate frames
that have no dependencies on them in order to achieve a lower
bitrate. For reliable data, queues are useful.
Note that this specification doesn't dictate when disparate streams
are to be "congestion controlled under the same congestion control
regime". The issue of coupling congestion controllers is explored
further in [I-D.ietf-rmcat-coupled-cc]. [RFC8699].
4.2. Usage of Quality of Service - -- DSCP and Multiplexing
When the packet is sent, the network will make decisions about
queueing and/or discarding the packet that can affect the quality of
the communication. The sender can attempt to set the DSCP field of
the packet to influence these decisions.
Implementations SHOULD attempt to set QoS on the packets sent,
according to the guidelines in [I-D.ietf-tsvwg-rtcweb-qos]. [RFC8837]. It is appropriate to
depart from this recommendation when running on platforms where QoS
marking is not implemented.
The implementation MAY turn off use of DSCP markings if it detects
symptoms of unexpected behaviour like behavior such as priority inversion or
blocking of packets with certain DSCP markings. Some examples of
such behaviors are described in [ANRW16]. The detection of these
conditions is implementation dependent.
A particularly hard problem is when one media transport uses multiple
DSCP code points,
DSCPs, where one may be blocked and another may be allowed. This is
allowed even within a single media flow for video in [I-D.ietf-tsvwg-rtcweb-qos]. [RFC8837].
Implementations need to diagnose this scenario; one possible
implementation is to send initial ICE probes with DSCP 0, and send
ICE probes on all the DSCP code points DSCPs that are intended to be used once a
candidate pair has been selected. If one or more of the DSCP-marked
probes fail, the sender will switch the media type to using DSCP 0.
This can be carried out simultaneously with the initial media
traffic; on failure, the initial data may need to be resent. This
switch will will, of course course, invalidate any congestion information
gathered up to that point.
Failures can also start happening during the lifetime of the call;
this case is expected to be rarer, rarer and can be handled by the normal
mechanisms for transport failure, which may involve an ICE restart.
Note that when a DSCP code point causes non-delivery, nondelivery, one has to switch the whole
media flow to DSCP 0, since all traffic for a single media flow needs
to be on the same queue for congestion control purposes. Other flows
on the same transport, using different DSCP
code points, DSCPs, don't need to change.
All packets carrying data from the SCTP association supporting the
data channels MUST use a single DSCP code point. DSCP. The code point used SHOULD be
that recommended by [I-D.ietf-tsvwg-rtcweb-qos] [RFC8837] for the
highest priority highest-priority data channel
carried. Note that this means that all data packets, no matter what
their relative priority is, will be treated the same by the network.
All packets on one TCP connection, no matter what it carries, MUST
use a single DSCP code point. DSCP.
More advice on the use of DSCP code points DSCPs with RTP and on RTP, as well as the relationship
between DSCP and congestion control control, is given in [RFC7657].
There exist a number of schemes for achieving quality of service that
do not depend solely on DSCP code points. DSCPs. Some of these schemes depend on
classifying the traffic into flows based on 5-tuple (source address,
source port, protocol, destination address, destination port) or
6-tuple (5-tuple + DSCP code point). DSCP). Under differing conditions, it may
therefore make sense for a sending application to choose any of the
* Each media stream carried on its own 5-tuple
* Media streams grouped by media type into 5-tuples (such as
carrying all audio on one 5-tuple)
* All media sent over a single 5-tuple, with or without
differentiation into 6-tuples based on DSCP code points DSCPs
In each of the configurations mentioned, data channels may be carried
in its their own 5-tuple, 5-tuple or multiplexed together with one of the media
More complex configurations, such as sending a high priority high-priority video
stream on one 5-tuple and sending all other video streams multiplexed
together over another 5-tuple, can also be envisioned. More
information on mapping media flows to 5-tuples can be found in
A sending implementation MUST be able to support the following
* Multiplex all media and data on a single 5-tuple (fully bundled)
* Send each media stream on its own 5-tuple and data on its own
5-tuple (fully unbundled)
The sending implementation MAY choose to support other
configurations, such as bundling each media type (audio, video video, or
data) into its own 5-tuple (bundling by media type).
Sending data channel data over multiple 5-tuples is not supported.
A receiving implementation MUST be able to receive media and data in
all these configurations.
5. IANA Considerations
This document makes has no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
RFC. IANA actions.
6. Security Considerations
WebRTC security considerations are enumerated in
Security considerations pertaining to the use of DSCP are enumerated
in [I-D.ietf-tsvwg-rtcweb-qos]. [RFC8837].
This document is based on earlier versions embedded in
[I-D.ietf-rtcweb-overview], which were the results of contributions
from many RTCWEB WG members.
Special thanks for reviews of earlier versions of this draft go to
Eduardo Gueiros, Magnus Westerlund, Markus Isomaki and Dan Wing; the
contributions from Andrew Hutton also deserve special mention.
7.1. Normative References
Petit-Huguenin, M. and G. Salgueiro, "Multiplexing Scheme
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980,
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
[RFC2119] Bradner, S., "Key words for Secure use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
[RFC4571] Lazzaro, J., "Framing Real-time Transport Protocol (SRTP)
Extension for Datagram Transport Layer Security (DTLS)",
draft-ietf-avtcore-rfc5764-mux-fixes-11 (work in
progress), September 2016.
Perkins, C. and V. Singh, "Multimedia Congestion Control:
Circuit Breakers for Unicast RTP Sessions", draft-ietf-
avtcore-rtp-circuit-breakers-06 (work in progress), July
Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive
Connectivity Establishment (ICE): A Protocol for Network
Address Translator (NAT) Traversal", draft-ietf-ice-
rfc5245bis-04 (work in progress), June 2016.
Martinsen, P., Reddy, T., and P. Patil, "ICE Multihomed
and IPv4/IPv6 Dual Stack Fairness", draft-ietf-mmusic-ice-
dualstack-fairness-02 (work in progress), September 2015.
Loreto, S. and G. Camarillo, "Stream Control Transmission
Protocol (SCTP)-Based Media Transport in the Session
Description Protocol (SDP)", draft-ietf-mmusic-sctp-sdp-07
(work in progress), July 2014.
Jesup, R., "Congestion Control Requirements For RMCAT",
draft-ietf-rmcat-cc-requirements-06 (work in progress),
Thomson, M., "Application Layer Protocol Negotiation for
Web Real-Time Communications (WebRTC)", draft-ietf-rtcweb-
alpn-00 (work in progress), July 2014.
Jesup, R., Loreto, S., and M. Tuexen, "WebRTC Data
Channels", draft-ietf-rtcweb-data-channel-12 (work in
progress), September 2014.
Jesup, R., Loreto, S., and M. Tuexen, "WebRTC Data Channel
Establishment Protocol", draft-ietf-rtcweb-data-
protocol-08 (work in progress), September 2014.
Alvestrand, H., "Overview: Real Time Protocols for
Browser-based Applications", draft-ietf-rtcweb-overview-11
(work in progress), August 2014.
Perkins, C., Westerlund, M., and J. Ott, "Web Real-Time
Communication (WebRTC): Media Transport and Use of RTP",
draft-ietf-rtcweb-rtp-usage-17 (work in progress), August
Rescorla, E., "Security Considerations for WebRTC", draft-
ietf-rtcweb-security-07 (work in progress), July 2014.
Rescorla, E., "WebRTC Security Architecture", draft-ietf-
rtcweb-security-arch-10 (work in progress), July 2014.
Dhesikan, S., Jennings, C., Druta, D., Jones, P., and J.
Polk, "DSCP and other packet markings for RTCWeb QoS",
draft-ietf-tsvwg-rtcweb-qos-02 (work in progress), June
Tuexen, M., Stewart, R., Jesup, R., and S. Loreto, "DTLS
Encapsulation of SCTP Packets", draft-ietf-tsvwg-sctp-
dtls-encaps-05 (work in progress), July 2014.
Stewart, R., Tuexen, M., Loreto, S., and R. Seggelmann,
"Stream Schedulers and a New Data Chunk for the Stream
Control Transmission Protocol", draft-ietf-tsvwg-sctp-
ndata-01 (work in progress), July 2014.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4571] Lazzaro, J., "Framing Real-time Transport Protocol (RTP) (RTP)
and RTP Control Protocol (RTCP) Packets over Connection-
Oriented Transport", RFC 4571, DOI 10.17487/RFC4571, July 2006.
[RFC4594] Babiarz, J., Chan, K., and F. Baker, "Configuration
Guidelines for DiffServ Service Classes", RFC 4594,
DOI 10.17487/RFC4594, August
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
Extensions for Stateless Address Autoconfiguration in
IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. 2007,
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389,
DOI 10.17487/RFC5389, October 2008. 2008,
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010. 2010,
[RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766,
DOI 10.17487/RFC5766, April 2010. 2010,
[RFC6062] Perreault, S. S., Ed. and J. Rosenberg, "Traversal Using
Relays around NAT (TURN) Extensions for TCP Allocations",
RFC 6062, DOI 10.17487/RFC6062, November 2010. 2010,
[RFC6156] Camarillo, G., Novo, O., and S. Perreault, Ed., "Traversal
Using Relays around NAT (TURN) Extension for IPv6",
RFC 6156, DOI 10.17487/RFC6156, April 2011. 2011,
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012. 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC6544] Rosenberg, J., Keranen, A., Lowekamp, B. B., and A. B.
Roach, "TCP Candidates with Interactive Connectivity
Establishment (ICE)", RFC 6544, DOI 10.17487/RFC6544,
March 2012. 2012, <https://www.rfc-editor.org/info/rfc6544>.
[RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,
"Default Address Selection for Internet Protocol Version 6
(IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012. 2012,
[RFC7231] Fielding, R. R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014. 2014,
[RFC7235] Fielding, R. R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Authentication", RFC 7235,
DOI 10.17487/RFC7235, June 2014. 2014,
[RFC7639] Hutton, A., Uberti, J., and M. Thomson, "The ALPN HTTP
Header Field", RFC 7639, DOI 10.17487/RFC7639, August
2015, <http://www.rfc-editor.org/info/rfc7639>. <https://www.rfc-editor.org/info/rfc7639>.
[RFC7656] Lennox, J., Gross, K., Nandakumar, S., Salgueiro, G., and
B. Burman, Ed., "A Taxonomy of Semantics and Mechanisms
for Real-Time Transport Protocol (RTP) Sources", RFC 7656,
DOI 10.17487/RFC7656, November 2015,
8.2. Informative References
[ANRW16] Barik, R., Welzl, M.,
[RFC7983] Petit-Huguenin, M. and A. Elmokashfi, "How to say that
you're special: Can we use bits in the IPv4 header?", ACM,
IRTF, ISOC Applied Networking Research Workshop (ANRW
2016), Berlin , July 2016.
Islam, S., Welzl, M., G. Salgueiro, "Multiplexing Scheme
Updates for Secure Real-time Transport Protocol (SRTP)
Extension for Datagram Transport Layer Security (DTLS)",
RFC 7983, DOI 10.17487/RFC7983, September 2016,
[RFC8083] Perkins, C. and S. Gjessing, "Coupled congestion
control V. Singh, "Multimedia Congestion Control:
Circuit Breakers for Unicast RTP media", draft-ietf-rmcat-coupled-cc-03
(work Sessions", RFC 8083,
DOI 10.17487/RFC8083, March 2017,
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in progress), July 2016.
Schwartz, B. RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8260] Stewart, R., Tuexen, M., Loreto, S., and J. Uberti, "Recursively Encapsulated TURN
(RETURN) R. Seggelmann,
"Stream Schedulers and User Message Interleaving for Connectivity the
Stream Control Transmission Protocol", RFC 8260,
DOI 10.17487/RFC8260, November 2017,
[RFC8261] Tuexen, M., Stewart, R., Jesup, R., and Privacy in WebRTC", draft-
ietf-rtcweb-return-01 (work in progress), January 2016.
Patil, S. Loreto,
"Datagram Transport Layer Security (DTLS) Encapsulation of
SCTP Packets", RFC 8261, DOI 10.17487/RFC8261, November
[RFC8421] Martinsen, P., Reddy, T., and D. Wing, "TURN Server Auto
Discovery", draft-ietf-tram-turn-server-discovery-00 (work
in progress), July 2014.
[RFC3484] Draves, R., "Default Address Selection P. Patil, "Guidelines for Internet
Protocol version 6 (IPv6)",
Multihomed and IPv4/IPv6 Dual-Stack Interactive
Connectivity Establishment (ICE)", BCP 217, RFC 3484, February 2003.
[RFC5014] Nordmark, E., Chakrabarti, S., 8421,
DOI 10.17487/RFC8421, July 2018,
[RFC8445] Keranen, A., Holmberg, C., and J. Laganier, "IPv6
Socket API Rosenberg, "Interactive
Connectivity Establishment (ICE): A Protocol for Source Address Selection", RFC 5014,
[RFC5128] Srisuresh, P., Ford, B., and D. Kegel, "State of Peer-to-
Peer (P2P) Communication across Network
Translators (NATs)", Translator (NAT) Traversal", RFC 5128, March 2008.
[RFC7657] Black, D., Ed. and P. Jones, "Differentiated Services
(Diffserv) and Real-Time Communication", 8445,
DOI 10.17487/RFC8445, July 2018,
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 7657, 8446, DOI 10
.17487/RFC7657, November 2015,
Appendix A. Change log
This section should be removed before publication as an RFC.
A.1. Changes from -00 to -01
o Clarified DSCP requirements, with reference to -qos-
o Clarified "symmetric NAT" -> "NATs which perform endpoint-
o Made support of TURN over TCP mandatory
o Made support of TURN over TLS a MAY, and added open question
o Added an informative reference to -firewalls-
o Called out that we don't make requirements on HTTP proxy
A.2. Changes from -01 to -02
o Required support for 300 Alternate Server from STUN.
o Separated the ICE-TCP candidate requirement from the TURN-TCP
o Added new sections on using QoS functions, and on multiplexing
o Removed all mention of RTP profiles. Those are the business of
the RTP usage draft, not this one.
o Required support for TURN IPv6 extensions.
o Removed reference to the TURN URI scheme, as it was unnecessary.
o Made an explicit statement that multiplexing (or not) is an
A.3. Changes from -02 to -03
o Added required support 10.17487/RFC8446, August 2018,
[RFC8825] Alvestrand, H., "Overview: Real-Time Protocols for draft-ietf-tsvwg-sctp-ndata
o Removed discussion of multiplexing, since this is present in rtp-
Browser-Based Applications", RFC 4571 reference for framing RTP packets over TCP.
o Downgraded TURN TCP candidates from SHOULD to MAY, and added more
language discussing TCP usage.
o Added language on IPv6 temporary addresses.
o Added language describing multiplexing choices.
o Added a separate section detailing what it means when we say that
an WebRTC implementation MUST support both IPv4 and IPv6.
A.4. Changes from -03 to -04
o Added a section on prioritization, moved the DSCP section into it,
and added a section on local prioritization, giving a specific
DOI 10.17487/RFC8825, June 2020,
[RFC8826] Rescorla, E., "Security Considerations for interpreting "priority" in local prioritization.
o ICE-TCP candidates was changed from MAY to MUST, in recognition of
the sense of the room at the London IETF.
A.5. Changes from -04 to -05
o Reworded introduction
o Removed all references to "WebRTC". It now uses only the term
o Addressed a number of clarity / language comments
o Rewrote the prioritization to cover data channels WebRTC",
RFC 8826, DOI 10.17487/RFC8826, June 2020,
[RFC8827] Rescorla, E., "WebRTC Security Architecture", RFC 8827,
DOI 10.17487/RFC8827, June 2020,
[RFC8831] Jesup, R., Loreto, S., and to describe
multiple ways of prioritizing flows
o Made explicit reference to "MUST do DTLS-SRTP", M. Tüxen, "WebRTC Data
Channels", RFC 8831, DOI 10.17487/RFC8831, June 2020,
[RFC8832] Jesup, R., Loreto, S., and referred to
security-arch for details
A.6. Changes from -05 to -06
o Changed all references to "RTCWEB" to "WebRTC", except one
reference to the working group
o Added reference to the httpbis "connect" protocol (being adopted
o Added reference to the ALPN header (being adopted by RTCWEB)
o Added reference to the DART RTP document
o Said explicitly that SCTP M. Tüxen, "WebRTC Data Channel
Establishment Protocol", RFC 8832, DOI 10.17487/RFC8832,
June 2020, <https://www.rfc-editor.org/info/rfc8832>.
[RFC8833] Thomson, M., "Application-Layer Protocol Negotiation
(ALPN) for data channels has a single DSCP
A.7. Changes from -06 to -07
o Updated references
o Removed reference to draft-hutton-rtcweb-nat-firewall-
A.8. Changes from -07 to -08
o Updated references
o Deleted "bundle each media type (audio, video or data) into its
own 5-tuple (bundling by media type)" from MUST support
configuration, since JSEP does not have a means to negotiate this
A.9. Changes from -08 to -09
o Added a clarifying note about DTLS-SRTP and ICE interaction.
A.10. Changes from -09 to -10
o Re-added references to proxy authentication lost in 07-08
transition (Bug #5)
o Rearranged WebRTC", RFC 8833, DOI 10.17487/RFC8833, June
[RFC8834] Perkins, C., Westerlund, M., and rephrased text in section 4 about prioritization to
reflect discussions in TSVWG.
o Changed the "Connect" header to "ALPN", J. Ott, "Media Transport
and updated reference.
A.11. Changes from -10 to -11
o Added a definition Use of the term "flow" used RTP in the prioritization
o Changed the names of the four priority levels to conform to other
A.12. Changes from -11 to -12
o Added a SHOULD NOT about using deprecated temporary IPv6
o Updated draft-ietf-dart-dscp-rtp reference to WebRTC", RFC 7657
A.13. Changes from -12 to -13
o Clarify that the ALPN header needs to be sent.
o Mentioned that 8834, DOI 10.17487/RFC8834,
June 2020, <https://www.rfc-editor.org/info/rfc8834>.
[RFC8836] Jesup, R. and Z. Sarker, Ed., "Congestion Control
Requirements for Interactive Real-Time Media", RFC 7657 also talks about congestion control
A.14. Changes from -13 to -14
o Add note about non-support 8836,
DOI 10.17487/RFC8836, June 2020,
[RFC8837] Jones, P., Dhesikan, S., Jennings, C., and D. Druta,
"Differentiated Services Code Point (DSCP) Packet Markings
for marking flows as interactive or
A.15. Changes from -14 to -15
o Various text clarifications based on comments in Last Call WebRTC QoS", RFC 8837, DOI 10.17487/RFC8837, June
[RFC8841] Holmberg, C., Shpount, R., Loreto, S., and
o Clarified that only non-deprecated IPv6 addresses are used
o Described handling of downgrading of DSCP markings when blackholes
o Expanded acronyms in a new protocol list
A.16. Changes from -15 to -16
These changes are done post IESG approval, G. Camarillo,
"Session Description Protocol (SDP) Offer/Answer
Procedures for Stream Control Transmission Protocol (SCTP)
over Datagram Transport Layer Security (DTLS) Transport",
RFC 8841, DOI 10.17487/RFC8841, June 2020,
[RFC8842] Holmberg, C. and address IESG comments R. Shpount, "Session Description Protocol
(SDP) Offer/Answer Considerations for Datagram Transport
Layer Security (DTLS) and other late comments. Issue numbers refer to https://github.com/
o Moved Transport Layer Security (TLS)",
RFC 4594, 7656 8842, DOI 10.17487/RFC8842, June 2020,
7.2. Informative References
[ANRW16] Barik, R., Welzl, M., and -overview A. Elmokashfi, "How to normative (issue #28)
o Changed say that
you're special: Can we use bits in the terms "client", "WebRTC implementation" IPv4 header?", ANRW
'16: Proceedings of the 2016 Applied Networking Research
Workshop, pages 68-70, DOI 10.1145/2959424.2959442, July
[RETURN] Schwartz, B. and "WebRTC
device" to consistently be "WebRTC endpoint", as defined in
-overview. (issue #40)
o Added a note mentioning J. Uberti, "Recursively Encapsulated TURN service discovery
(RETURN) for Connectivity and RETURN (issue
o Added a note mentioning that rtp-usage requires circut breaker Privacy in WebRTC", Work in
Progress, Internet-Draft, draft-ietf-rtcweb-return-02, 27
[RFC3484] Draves, R., "Default Address Selection for Internet
Protocol version 6 (IPv6)", RFC 3484,
DOI 10.17487/RFC3484, February 2003,
[RFC5014] Nordmark, E., Chakrabarti, S., and
congestion control (issue #43)
o Added mention J. Laganier, "IPv6
Socket API for Source Address Selection", RFC 5014,
DOI 10.17487/RFC5014, September 2007,
[RFC5128] Srisuresh, P., Ford, B., and D. Kegel, "State of the "don't discard temporary IPv6 addresses that
Peer (P2P) Communication across Network Address
Translators (NATs)", RFC 5128, DOI 10.17487/RFC5128, March
[RFC7657] Black, D., Ed. and P. Jones, "Differentiated Services
(Diffserv) and Real-Time Communication", RFC 7657,
DOI 10.17487/RFC7657, November 2015,
[RFC8155] Patil, P., Reddy, T., and D. Wing, "Traversal Using Relays
around NAT (TURN) Server Auto Discovery", RFC 8155,
DOI 10.17487/RFC8155, April 2017,
[RFC8699] Islam, S., Welzl, M., and S. Gjessing, "Coupled Congestion
Control for RTP Media", RFC 8699, DOI 10.17487/RFC8699,
January 2020, <https://www.rfc-editor.org/info/rfc8699>.
This document is based on earlier draft versions embedded in use" (issue #44)
o Added a reference to draft-ietf-rmcat-coupled-cc (issue #46)
[RFC8825], which were the result of contributions from -16 to -17
o Added an informative reference many RTCWEB
Working Group members.
Special thanks for reviews of earlier draft versions of this document
go to Eduardo Gueiros, Magnus Westerlund, Markus Isomaki, and Dan
Wing; the "DSCP blackholing" paper
o Changed the reference for ICE contributions from RFC 5245 to draft-ietf-ice-
rfc5245bis Andrew Hutton also deserve special