INTERNET-DRAFTMMUSIC Working Group D. Yon Document: draft-ietf-mmusic-sdp-comedia-05.txt Dialout.Net Expires September 2003 March 2003Internet-Draft Dialout.Net, Inc Expires: November 12, 2004 G. Camarillo Ericsson May 14, 2004 Connection-Oriented Media Transport in SDP <draft-ietf-mmusic-sdp-comedia-05.txt>the Session Description Protocol (SDP) draft-ietf-mmusic-sdp-comedia-06.txt Status of this Memo This document is an Internet-DraftBy submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and isany of which I become aware will be disclosed, in full conformanceaccordance with all provisions of Section 10 of RFC2026.RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts.Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at: http://www.ietf.org/ietf/1id-abstracts.txtat http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at:at http://www.ietf.org/shadow.html. This Internet-Draft will expire on November 12, 2004. Copyright Notice Copyright (C) The Internet Society (2002).(2004). All Rights Reserved. Abstract This document describes how to express media transport over connection-oriented protocols using the Session Description Protocol (SDP). It defines two new protocol identifiers: TCP and TLS.TCP/TLS. It also defines the syntax and semantics for anSDP "direction" attribute thatsetup attribute, which describes the connection setup procedure. Yon 1 1procedure, and the SDP reconnect attribute. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Identifiers . . . . . . . . . . . . . . . . . . . . . 3 3.1 TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2 TCP/TLS . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Setup Attribute . . . . . . . . . . . . . . . . . . . . . . . 4 4.1 The Setup Attribute in the Offer/answer Model . . . . . . 4 4.2 Multiple-Connection Avoidance when Using Actpass . . . . . 5 5. The Reconnect Attribute . . . . . . . . . . . . . . . . . . . 6 6. Connection Lifetime . . . . . . . . . . . . . . . . . . . . . 7 6.1 Session Renegotiation . . . . . . . . . . . . . . . . . . 7 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.1 Passive/Active . . . . . . . . . . . . . . . . . . . . . . 8 7.2 Passive/Active with Reconnect . . . . . . . . . . . . . . 9 7.3 Actpass . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 11 11.2 Informational References . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 12 Intellectual Property and Copyright Statements . . . . . . . . 13 1. Introduction The Session Description Protocol [SDP] provides a general-purpose format for describing multimedia sessions in announcements or invitations. SDP uses an entirely textual data format (the US-ASCII subset of [UTF-8])UTF-8 ) to maximize portability among transports. SDP does not define a protocol, but only the syntax to describe a multimedia session with sufficient information to discover andparticipate in that session. Session descriptions may be sent using arbitrary existing application protocols for transport (e.g., SAP, SIP, RTSP,SAP , SIP , RTSP , email, HTTP,HTTP , etc.). [SDP] describesSDP  defines two protocol identifiers: RTP/AVP and UDP, both of which are unreliable,represent unreliable connectionless protocols, anprotocols. While these transports are appropriate choicechoices for multimedia streams. There are, however,streams, there are applications for which theconnection-oriented transports such as TCP are more appropriate, but [SDP] provides no way to describe a session that uses protocols other than RTP or UDP.appropriate. We define two new protocol identifiers: TCP and TCP/TLS. Both represent connection-oriented reliable transports. Connection-oriented protocols introduce a new factor when describing a session: not only must it be possible to express that a protocol will be based on this protocol, but it must also describehow should end points perform the connection setup procedure. This memo definesWe define two new protocol identifiers, TCP and TLS, along with the syntax and semantics of the a=directionattributes to describe connection setup: setup and a=reconnect attributes. 2reconnect. 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119  and indicate requirement levels for compliant implementations. 33. Protocol Identifiers The m= line in [SDP]following is where an endpoint specifiesthe protocol usedABNF for thean m= line, as specified by RFC 2327 . media-field = "m=" media in the session. See the "Media Announcements" section of [SDP]space port ["/" integer] space proto 1*(space fmt) CRLF We define two new values for a discussion on protocol identifiers.the proto field: TCP and TCP/TLS. 3.1 TCP The TCP protocol identifier is similar to the UDP protocol identifier in that it only describes the transport protocol without any connotation as toprotocol, and not the upper-layer protocol. An m= line that specifies "TCP" MUST further qualify the application-layer protocol using aan fmt identifier. Media lines with the TCP protocol identifier (see [SDP] Appendix B).are carried using TCP . 3.2 TLSTCP/TLS The TLSTCP/TLS protocol identifier specifies that the session will use the Transport Layer Security (TLS) protocol [TLS] with an implied transport protocol of TCP. To describe on top on a media session that uses TLS over TCP, the protocol identifier "TLS" must be specified in the m= line. Yon INTERNET-DRAFT - Expires September 2003 2TCP  connection. An m= line that specifies TLScontain the TCP/TLS protocol identifier MUST further qualify the protocol using a fmt identifier. 4 Direction4. Setup Attribute An importantThe setup attribute indicates which of connection-oriented protocols isthe setup procedure. One endpoint needs toend points should initiate the connection and the other endpoint needs to acceptestablishment (e.g., send the connection.initial TCP SYN). The directionsetup attribute is used to describe these roles,charset-independent and the syntax is as follows: a=direction:<role>can be a session-level or a media-level attribute. The <role>following is onethe ABNF of the following: passive:setup attribute: setup-attr = "a=setup:" role role = "active" / "passive" / "actpass" Active: The endpoint will acceptinitiate an incomingoutgoing connection. active:Passive: The endpoint will initiateaccept an outgoingincoming connection. both:ActPass: The endpoint will both accept an incoming connection and will initiate an outgoing connection. 4.1 SemanticsThe default value of direction:passive By specifying direction:passive, the endpoint indicates that the port number specified inthe setup attribute is actpass. That is, an m= line without an associated setup line is availableconsidered to acceptbe actpass. 4.1 The Setup Attribute in the Offer/answer Model The offer/answer model, defined in RFC 3264 , provides endpoints with a connectionmeans to obtain shared view of a session. Some session parameters are negotiated (e.g., codecs to use), while others are simply communicated from one endpoint to the other endpoint. 4.2 Semantics(e.g., IP addresses). The value of direction:active By specifying direction:active,the endpointsetup attribute falls into the first category. That is, both endpoints negotiate its value using the offer/answer model. The negotiation of the value of the setup attribute takes places as follows. The offerer states which role or roles is willing to perform and the answerer, taking the offerer's willingness into consideration, chooses which roles both endpoints will actually perform during connection establishment. The following are the values that the setup attribute can take in an offer/answer exchange: Offer Answer _______________ active passive passive active actpass active / passive / actpass The value active indicates that it willthe endpoint SHOULD initiate a connection to the port number on the m= line of the other endpoint. The port number on its own m= line is irrelevant, and the opposite endpoint MUST NOT attempt to initiate a connection to the port number specified there. Nevertheless, since the m= line must contain a valid port number, the endpoint specifying direction:activeusing the value active SHOULD specify a port number of 9 (the discard port) on its m= line. The endpoint MUST NOT specify a port number of zero, as that carries other semantics in [SDP].SDP. The following SDP fragment shows an example of direction:active: c=IN IP4 10.1.1.1 m=image 9 TCP t38 a=direction:active IN IP4 4.3 Semantics of direction:both By specifying direction:both, the endpointvalue passive indicates that it will boththe endpoint SHOULD be ready to accept a TCPconnection on the port number of its ownspecified in the m= line, andline. The value actpass indicates that it will alsothe endpoint SHOULD initiate a connection to the port number on the m= line of the other endpoint. Yon INTERNET-DRAFT - Expires September 2003 3 Since this attribute describes behaviorendpoint and that is similarthe endpoint SHOULD be ready to connectionless media descriptionsaccept a connection on the port number specified in [SDP], itthe m= line. It is RECOMMENDED that, if possible, endpoints set the default value forport number on their m= line to the direction attribute and is therefore optional. Endpoints may choosesource port number which they will use to specify direction:both for one or moreestablish the connection towards the remote endpoint. This way, the transport-layer protocol (e.g., TCP) can take care of simultaneous opens. Endpoints typically use the actpass value for the following reasons: 1)1. The endpointofferer has no preference as to whether it accepts or initiates the connection, and thereforeconnection and, so, is offeringletting the remote endpoint a choice of connection setup procedures. 2)answerer choose. 2. The endpoints intend to use a single connection to transport the media, but it is not known whether firewallNAT (Network Address Translator) issues will prevent either endpoint from initiating or accepting the connection. ThereforeSo, both endpoints will attempt to initiate a connection in hopeshoping that at least one will succeed. If one4.2 Multiple-Connection Avoidance when Using Actpass When an offer/answer exchange results in actpass, each endpoint specifies either direction:active or direction:passive andattempts to establish a transport connection towards the other specifies direction:both, both endpoints MUST behave as if the latter had specified the inverse directionendpoint. If only one of the former. For example, specifying direction:both when the other endpoint specifies direction:active SHALL cause both endpointsconnections succeeds, this connection is used to behave astransfer media. Nevertheless, if the former had specified direction:passive. Conversely, specifying direction:both when the other endpoint specifies direction:passive SHALL causeboth endpointsconnections succeed, one of them needs to behave as if the former had specified direction:active. Ifbe terminated so that both endpoints specify direction:both then each endpoint MUST initiateexchange data over a connectionsingle connection. In this section, we provide rules to choose which of the two connections should be terminated (or not even initiated). First of all, if the endpoints follow the recommendation of setting the port number specified on thein their m= line ofto the opposite endpoint. There is one exceptionsource port number which they will use to this requirement:establish the connection towards the remote endpoint, the transport layer should take care of simultaneous opens (at least if TCP is the transport protocol). If, for some reason, any of the endpoints does not follow this recommendation, both endpoints should follow the rules below. If an endpoint receives the incomingis notified about a connection establishment attempt from the oppositeother endpoint prior to initiatingbefore performing its own outbound connection, then that endpoint MAY use that connection rather than attempt to make an outbound connection to the opposite endpoint. If only one connection succeeds, then thatconnection will be used to carry the media. Onceattempt, it has transmitted data on this connection, the initiatingSHOULD behave as a passive endpoint MUSTand SHOULD NOT perform another connectionattempt to the accepting endpoint. This allows the accepting endpoint to release or recycle the listening port for another session once it has received data from the initiating endpoint. If both connections succeed, the following rules SHALL apply: a) Each endpoint MUST accept data from eitherestablish any other connection. b) OnceIn case two connections are established, if an endpoint has transmittedreceives data to(i.e., media) over one of the connections, it MUST use that connection exclusively for transmission. c) Once an endpoint has transmitted AND received data, if oneconnections before having sent any data on any of the connections is determined to be idle,connections, the endpoint SHOULD close the idle connection. Yon INTERNET-DRAFT - Expires September 2003 4 4.4 Optimizing direction:both As discussed in the previous section, there isterminate the possibilityconnection that has not carried any data. When two connections will be created when only one is needed. While rules in the previous section accommodate the closing of an idle connection, they do not prevent a race condition where theare established and both endpoints simultaneouslystart sending data on opposite connections thereby causing two connections to be used where one would have sufficed. While it is not possible to entirely eliminate this race condition,before receiving anything from the other endpoint, it is inmay happen that each of the endpoints' interest to minimize its occurrence. Therefore, whenendpoints choose a session is negotiated through interactive exchange of SDP between endpoints (as in the case of SIP) AND the result of the negotiation is that each endpoint specifies direction:both, it is RECOMMENDED that the endpoints use the following guidelines: a) There comes a point during the exchange of SDP where one endpoint is prepared to send the final message that will complete the negotiation and allow the session to begin. For the purposes of this discussion, the endpoint that will send this final message will be called the Initiator, and the endpoint that will receive this message will be called the Acceptor. b) The Initiator, upon receiving sufficient information to initiate a connection, MUST attempt to connect to the Acceptor as soon as possible. c) In order to lower the likelihood that the Acceptor will also attempt to initiate a connection, the Initiator SHOULD incorporate a short delay between initiating the connection and sending the final SDP to the Acceptor. d) The delay time chosen by the Initiator MUST NOT introduce an unacceptable session setup delay should thedifferent connection to the Acceptor not succeed. 4.5 Bidirectional versus Unidirectional Media In traditional SDP transport types the flow is unidirectional. If the intent is for media to flow in both directions, both endpoints must specify SDP that describes where to deliver the media and what media type(s) to use. For example, if only Endpoint A presents SDP then media can only flow towards Endpoint A, as Endpoint B has not specified where and how to send media to it. Because most connection-oriented media is inherently bi-directional, endpoints may encounter a situation where only one side presented SDP yet there is now a network path that can carry media in either direction. In keeping with traditional SDP semantics, an endpoint MUST NOTsend data to the other endpoint unless it has specified SDP information describingdata. If the type of media it can accept. It is, however, perfectly acceptable for an endpoint to transmitanswerer receives data on the sameover a connection it is using to receive data, so long as Yon INTERNET-DRAFT - Expires September 2003 5 the other endpoint has advertised its willingness to accept data. Likewise, it is perfectly acceptable for an endpoint to receiveafter having sent data on the same connectionother connection, it is using to transmitSHOULD continue sending data toon the corresponding remote endpoint. Inother words, for a bi-directional application-level session, aconnection may be used to senduntil an application-layer data in both directions (contingent to rules outlined in Section 2.3) as long as one side of the connection is attached to either of the advertised SDP transport addresses. 4.6 Treating UDP and RTP/AVP like Connection Oriented Media Endpoints MAY specify a direction attribute for UDP or RTP/AVP media. This indicatesboundary. At that point, the endpoint would like to treat this media as a type of connection-oriented media. (The endpoint may doanswerer SHOULD terminate this to facilitate NAT traversal for example.) Note that for backwards compatibility, an endpoint which can specify direction:active MUST include valid addresses and ports in the SDP as always. If the peer's SDP does not include a direction attribute, it knows that the peer does not support connection- oriented media, and media exchange will proceed normally, as if connection-oriented media were not offered. Endpoints that specify direction:passive MUST NOT send any media, any packets whatsoever (including control packets such as RTCP), from their passive ports until they receive a packet on these ports and record the source addressconnection and port of the sender. The passive endpoint then assumes that the first packet received corresponds to its active peer. From this point onward, passive endpoints MUST send UDP or RTP media from the same port as the port indicated in the m= line. Passive endpoints MUST send RTCP media (if any) fromstart using the portconnection on which they expect to receive it (typicallythe RTP port number plus 1). Endpointsofferer was sending data. Note that specify direction:active MUST be prepared to receive on the ports from which they send. Once they learn the IP address and port of their peer from the peer's SDP, they SHOULD immediately send some kind of media (even if just comfort noise) to each of these ports. This is so the peer can learn their IP address and port,different applications may define application-layer boundaries in orderdifferent ways. A typical suitable point for the answerer to send media back without additional delay. Effectively,change connections is the exchangeend of an application-layer message and the first media packet completes a bi- directional handshake betweenbeginning of the active and passive peer. 5next one. 5. The Reconnect Attribute The preceding description of the a=directionsetup attribute has been in the context of using SDP to initiate a session. However,Still, SDP may be exchanged between endpoints at various stages of a session to accomplish tasks such as terminating a session, redirecting media to a new endpoint, or renegotiating the media parameters for a session, etc.session. After the initial session has been established, it may be ambiguous as to whether subsequent SDP exchange represents a confirmation that the endpoint is to continue using the current media connection unchanged, or is a request to make a new media Yon INTERNET-DRAFT - Expires September 2003 6connection. The reconnect attributeattribute, which is charset-independent and can be a session-level or a media-level attribute, is used to disambiguate these two scenarios, and the syntaxscenarios. The following is as follows: a=reconnect SDP containing a=reconnect signals thatthe specified session does NOT refer to an existing connection between the two endpoints. If the endpoints agree to continueABNF of the session,reconnect attribute: reconnect-attr = "a=reconnect" On reception of an m= line with a reconnect attribute, the endpoints MUSTSHOULD close the existing connection for the currently negotiated session,connection, in case it was still up, and MUST createSHOULD establish a new connection according to the a=directionsetup attribute in the SDP. If an endpoint receives SDP that contains a=reconnect, the endpoint's response MUST also contain a=reconnect. Endpoints MUST NOT include a=reconnect in SDP that negotiates the start of a session. See section 6, "Connection and Listener Lifetime Considerations" for more information on scenarios that are relevant tom= line. Either the a=reconnect attribute. 6 Connection and Listener Lifetime Considerations 6.1 Listener Lifetime An endpoint that has specified direction:bothofferer or direction:passive MUST be ready to acceptthe answerer can include a connection onreconnect attribute in an m= line. In any event, if the appropriate address and port duringoffer contained this attribute, the time slot(s) advertised for that session. The endpointanswer MUST keep the address and port available for incoming connections until either: a) The time window for the session has expired, or b) The endpoint has received the expected number of incoming connections on that address and port, or c) Subsequent exchanges have superceded the SDP that originally advertised the availability of the address and port. Once the endpoint has determined that a listener is no longer needed on a specific address and port,contain it SHOULD terminate the listener. The endpoint is then free to re-use the address and port for subsequent session advertisements. 6.2as well. 6. Connection Lifetime An endpoint that intends to initiate the connection MUSTSHOULD initiate the connection immediately after it has sufficient information to do so, even if it does not intend to immediately begin sending media to the remote endpoint. This allows media to flow from the remote endpoint. An endpoint MUSTSHOULD NOT close the connection until the session has expired, been explicitly terminated, or the media stream is redirected to a different address or port. Yon INTERNET-DRAFT - Expires September 2003 7If the endpoint determines that the connection has been closed, it MAY attempt to re-establish the connection. The decision to do so is application and/orand context dependant. If the endpoint opts to re-establish the connection, it MUST NOT assume that the original address and port advertised by the remote endpoint is still valid. Instead, the endpoint MUST renegotiate the session parameters by exchanging new SDP. 6.36.1 Session Renegotiation and Connection LifetimeThere are scenarios where SDP is sent by an endpoint in order to renegotiate an existing session. These include muting/unmuting a session, renegotiating the attributes of the media used by the session, or extending the length of a session about to expire. Connection-oriented media introduces some ambiguities into session renegotiation as to when the direction attribute must be obeyed and when it is ignored. The scenario of extending the duration of an existing session is a good example: in order to extend an existing session, endpoints will typically resend the original SDP with updated time information. In connectionless media the result is no change to the existing media streams. The problem with connection oriented media is that the original SDP will contain a directionsetup attribute which can be construedconsidered as a request to create a new connection, as opposed to a request to maintain steady state. To avoid this ambiguity, theThe following rule SHALL apply to subsequent exchanges of SDP:help avoid this ambiguity: If the transport section (the c= and m= lines) combined with the direction attributeof an SDP messagedescription describes an existing connection between two endpoints, ANDendpoints and the SDPm= line does not contain a=reconnect, thena reconnect attribute, the endpoints MUSTSHOULD use that connection to carry the media described in the remainder of the message. The endpoints MUSTSHOULD NOT attempt to set up a new connection, regardless of what is specified in the directionsetup attribute. This disambiguates most session renegotiation scenarios, withNote that if the exception of muting. Muting a media stream is accomplished by sendingport number in the original session SDP but with an "a=inactive" or "a=sendonly/recvonly" attribute. Thism= line changes, there is still valid for connection oriented media, withno need to use the additional caveat thatreconnect attribute because the endpoints MUST NOT closenew port will trigger the establishment of a new connection described by that SDP. 7anyway. 7. Examples What follows are a number of examples that show the most common usage of the directionsetup attribute combined with TCP-based media descriptions. For the purpose of brevity, the main portion of the session description is omitted in the examples and is assumed to be the following: Yon INTERNET-DRAFT - Expires September 2003 8v=0 o=me 2890844526 2890842807 IN IP4 10.1.1.2 s=Call me using TCP t=3034423619 3042462419 7.1 Example: simple passive/activePassive/Active An endpointofferer at 10.1.1.21922.214.171.124 signals theits availability offor a T.38 fax session at port 54111: c=IN IP4 10.1.1.219126.96.36.199 m=image 54111 TCP t38 a=direction:passivea=setup:passive An endpointanswerer at 10.1.1.119188.8.131.52 receiving this descriptionoffer responds with the following:following answer: c=IN IP4 10.1.1.119184.108.40.206 m=image 9 TCP t38 a=direction:activea=setup:active The endpoint at 10.1.1.119220.127.116.11 then initiates the TCP connection to port 54111 at 10.1.1.2.192.0.2.2. 7.2 Example: simple passive/activePassive/Active with reconnectReconnect Continuing the preceding example, consider the scenario where the TCP connection fails and the endpoints wish to reestablish the connection for the session. The endpoint at 10.1.1.21918.104.22.168 signals this intent with the following SDP: c=IN IP4 10.1.1.21922.214.171.124 m=image 54111 TCP t38 a=direction:passivea=setup:passive a=reconnect The a=reconnectreconnect attribute informs the endpoint at 10.1.1.119126.96.36.199 that this SDP represents the intent to establish a new connection for media transport, rather than continuing with the original connection. Because the endpoint at 10.1.1.119188.8.131.52 may not yet be aware that the TCP connection has failed, this eliminates any ambiguity. If 10.1.1.119184.108.40.206 agrees to continue the session using a new connection, it responds with: c=IN IP4 10.1.1.119220.127.116.11 m=image 9 TCP t38 a=direction:activea=setup:active IN IP4 a=reconnect 7.3 Example: agnostic bothActpass An endpointofferer at 10.1.1.21918.104.22.168 signals theits availability offor a T.38 fax session at TCP port 54111, but54111. Additionally, this offerer is also willing to set up the media stream by initiating the TCP connection: Yon INTERNET-DRAFT - Expires September 2003 9 c=IN IP4 10.1.1.2 m=image 54111 TCP t38 a=direction:both The endpoint at 10.1.1.1 has three choices: 1) It can respond with either of the two direction:active descriptions listed in the previous example. In this case the endpoint at 10.1.1.1 must initiate a connection to port 54111 at 10.1.1.2. 2) It can respond with a description similar to the following: c=IN IP4 10.1.1.1 m=image 54321 TCP t38 a=direction:passive In this case the endpoint at 10.1.1.2 must initiate a connection to port 54321 at 10.1.1.1. 3) It can respond with a description that specifies direction:both, which is covered in the next example. 7.4 Example: redundant both An endpoint at 10.1.1.2 uses the same description as the previous example:c=IN IP4 10.1.1.21922.214.171.124 m=image 54111 TCP t38 a=direction:both Unlike the previous example, thea=setup:actpass The endpoint at 10.1.1.119126.96.36.199 responds with the following description: c=IN IP4 10.1.1.119188.8.131.52 m=image 54321 TCP t38 a=direction:botha=setup:actpass This will cause the endpoint at 10.1.1.2offerer (at 192.0.2.2) to initiate a connection to port 54321 at 10.1.1.1,192.0.2.1 and the endpoint at 10.1.1.1answerer (at 192.0.2.1) to initiate a connection to port 54111 at 10.1.1.2. Whichever TCP connection succeeds will be used. If both succeed, one of the connections may be closed as an optimization, using the rules in section 3.3. In order to minimize the chance that two connections are created, the endpoint at 10.1.1.1 may opt to use192.0.2.2. Ideally, the recommendation in section 3.4, whichofferer would result in events occurring in the following sequence: 1) The endpoint at 10.1.1.2 sends SDPuse 192.0.2.2:5411 as listed above. The endpoint MUST enable a listener on port 54111 at this time, but is not able to initiate a TCP connection due to the fact Yon INTERNET-DRAFT - Expires September 2003 10 that it does not have sufficient information from the endpoint at 10.1.1.1. 2) The endpoint at 10.1.1.1, upon receiving the SDP, immediately initiates a TCP connection to 10.1.1.2:54111. 3) In order to minimizethe chancesource of a duplicate connection,its connection attempt and the endpoint at 10.1.1.1 pausesanswerer would use 192.0.2.1:54321 as its. 8. Security Considerations See RFC 2327  for a short timesecurity and other considerations specific to allowthe endpoint at 10.1.1.2Session Description Protocol in general. An attacker may attempt to receive thesubstitute TCP/TLS with only TCP connection initiation. 4) After the short pause, the endpoint at 10.1.1.1 sends the SDP response as listed above. The pausein #3 gives the first TCP connection attempta chancesession description. So, it is STRONGLY RECOMMENDED that integrity protection be applied to succeed, since withholdingthe SDP response deprives the endpoint at 10.1.1.2 ofsession descriptions. For session descriptions carried in SIP , S/MIME is the information it needsnatural choice to attempt its own TCP connection. 7.5 Example: "Bidirectional" RTP and RTCP An endpoint at 10.1.1.2 is behindprovide such end-to-end integrity protection, as described in RFC 3261 . Other applications MAY use a different form of integrity protection. This document touches upon NAT and does not know its own public address. c=IN IP4 10.1.1.2 m=audio 9 RTP/AVP 0 a=direction:active A peer with a public IP address responds as follows and waits to receive RTP and RTCP packets from its active peer. c=IN IP4 184.108.40.206 m=audio 18240 RTP/AVP 0 a=direction:passive The endpoint at 10.1.1.2 immediately sends RTP from port 9012traversal. Implementers should be aware of some issues that relate to 220.127.116.11 port 18240. A NAT translatesthe source addressuse of private IP addresses within the offer/answer model (i.e., they are not specific to 18.104.22.168 port 1542. The passive endpoint receives this RTP packet and storesthis source address.document). When the passivean endpoint wants to send RTP media it sends it back to 22.214.171.124 port 1542. The NAT translates this destinationreceives a session description with a private IP address back to 10.1.1.2 port 9012 and delivers itthat belongs to a different address space, in most of the active endpoint. Likewisecases, the endpoint at 10.1.1.2 immediately sends RTCP from port 9013will not be able to 126.96.36.199:18241. The NAT translatesreach such an address. Nevertheless, if this to 188.8.131.52:1984. The passive endpoint receivesparticular address also exists in the RTCP packet and storesendpoint's address space, the source address. The passiveendpoint sends its RTCP to 184.108.40.206:1984 which is translated back to 10.1.1.2:9013 and delivered tomay end up reaching a different peer than the active endpoint. 8 Security Considerations See [SDP] for security and other considerations specific toone that generated the Session Description Protocol in general. Yon INTERNET-DRAFT - Expires September 2003 11 9session description. It is RECOMMENDED that endpoints authenticate their peer somehow (e.g., using TLS ) or that they encrypt their media. 9. IANA Considerations As recommendedThis document defines two session and media level SDP attributes: setup and reconnect. Their formats are defined in Section 4 and Section 5 respectively. These two attributes should be registered by [SDP] Appendix B,the directionIANA on http://www.iana.org/assignments/sdp-parameters under "att-field (both session and reconnect attributes described in thismedia level)". This document defines two proto values: TCP and TCP/TLS. Their formats are defined in Section 3.1 and Section 3.2 respectively. These two proto values should be registered with IANA, as shouldby the "TCP" and "TLS" protocol identifiers.IANA on http:// www.iana.org/assignments/sdp-parameters under "proto". 10. Acknowledgements The authorauthors would like to thank Jonathan Rosenberg, Rohan Mahy, Anders Kristensen, JeorgJoerg Ott, Paul Kyzivat, andRobert Fairlie- CuninghameFairlie-Cuninghame, and Colin Perkins for their valuable insights and contributions. Yon INTERNET-DRAFT - Expires11. References 11.1 Normative References  Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 2003 12 Appendix A: Direction Attribute Syntax This appendix provides an Augmented BNF [ABNF] grammar for expressing the direction attribute for connection setup. It is intended as an extension to the grammar1981.  Bradner, S., "Key words for the Session Description Protocol, as defineduse in [SDP]. Specifically, it describes the syntax for the new "connection-setup" attribute field, which MAY be either a session-level or media-level attribute. connection-setup = "direction" ":" direction-spec direction-spec = "both" / "active" / "passive" reconnect-attribute = "reconnect" References [ABNF] D. Crocker, P. Overell, "Augmented BNF for Syntax Specifications: ABNF,"RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2234, November 1997 [SDP] M.2246, January 1999.  Handley, M. and V. Jacobson, "SDP: Session Description Protocol,"Protocol", RFC 2327, April 1998 [T38] International Telecommunication Union, "Procedures for Real-Time Group 3 Facsimile Communications over IP Networks," Recommendation T.38, June 1998 [TLS] T. Dierks, C. Allen, "The TLS Protocol,"1998.  Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 2246, January 1999 [UTF-8] F.3264, June 2002.  Yergeau, F., "UTF-8, a transformation format of Unicode andISO 10646,"10646", STD 63, RFC 3629, November 2003. 11.2 Informational References  Schulzrinne, H., Rao, A. and R. Lanphier, "Real Time Streaming Protocol (RTSP)", RFC 2326, April 1998.  Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.  Handley, M., Perkins, C. and E. Whelan, "Session Announcement Protocol", RFC 2044,2974, October 1996 Author's Address2000.  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. Authors' Addresses David Yon Dialout.Net, Inc.Inc One Indian Head Plaza Nashua, NH 03060 Phone: (603) 324-4100USA EMail: email@example.com Full CopyrightGonzalo Camarillo Ericsson Hirsalantie 11 Jorvas 02420 Finland EMail: Gonzalo.Camarillo@ericsson.com Intellectual Property Statement Copyright (C)The Internet Society (2003). All Rights Reserved. This document and translationsIETF takes no position regarding the validity or scope of it mayany Intellectual Property Rights or other rights that might be copied and furnishedclaimed to others, and derivative works that comment on or otherwise explain it or assist in itspertain to the implementation may be prepared, copied, published and distributed, in wholeor in part, without restrictionuse of any kind, provided thatthe above copyright notice and this paragraph are included on all such copies and derivative works. However,technology described in this Yon INTERNET-DRAFT - Expires September 2003 13document itself mayor the extent to which any license under such rights might or might not be modified inavailable; nor does it represent that it has made any independent effort to identify any way,such as by removingrights. Information on the copyright notice or referencesIETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the Internet SocietyIETF Secretariat and any assurances of licenses to be made available, or other Internet organizations, except as needed forthe purposeresult of developing Internet standards in which case the proceduresan attempt made to obtain a general license or permission for copyrights defined inthe Internet Standards process must be followed,use of such proprietary rights by implementers or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will notusers of this specification can be revoked byobtained from the Internet Society orIETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its successorsattention any copyrights, patents or patent applications, or assigns.other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org. Disclaimer of Validity This document and the information contained herein isare provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMSDISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." Yon INTERNET-DRAFT - Expires September 2003 14PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.