Clarification Needed: WebRTC M114 and RFC 5763 Section 6.7.1 Compliance

sumit meena

Oct 6, 2025, 2:53:19 PM
to discuss-webrtc
We recently updated to WebRTC M114 and had the following observation.
As per RFC 5763 (section 6.7.1), it says that the client must complete the ICE connectivity check (i.e. STUN binding) before the DTLS handshake begins. However, from the pcaps we can see that the DTLS handshake initiates the moment there is a STUN binding response for one candidate pair. Is there a specific reason why it is not complying with RFC 5763, or is this following any other RFC standard?
masked_pcap.png 

Harald Alvestrand

Oct 6, 2025, 2:54:45 PM
to discuss...@googlegroups.com
I think you're misinterpreting section 6.7.1.

To quote:



Harald Alvestrand

Oct 6, 2025, 2:57:50 PM
to discuss...@googlegroups.com
(apologies for earlier incomplete reply)

I think you did not interpret RFC 5763 correctly.

To quote RFC 5763 section 6.7.1:

When ICE is being used, the ICE connectivity checks are performed before the DTLS handshake begins. Note that if aggressive nomination mode is used, multiple candidate pairs may be marked valid before ICE finally converges on a single candidate pair. Implementations MUST treat all ICE candidate pairs associated with a single component as part of the same DTLS association. Thus, there will be only one DTLS handshake even if there are multiple valid candidate pairs.

The text does not say that all connectivity checks must be completed. In fact it expressly notes that the IP address may change after the first DTLS packets have been sent. At least one connectivity check must complete, but the DTLS exchange can start as soon as a valid candidate pair exists.



Roman Shpount

Oct 6, 2025, 7:29:24 PM
to discuss-webrtc
Hi All,

Firstly, RFC 5763 has been updated by RFC 8842.

Secondly, as Harald correctly mentions, neither document specifies that DTLS cannot be sent before ICE nomination is complete. For instance, in the case of continuous nomination, ICE nomination is never complete. DTLS is only allowed to be sent over valid candidate pairs, but the ICE nomination can still be in progress.

Best regards,
Roman Shpount
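
The rule discussed in this thread (DTLS is sent only on a candidate pair whose connectivity check has completed, without waiting for the remaining checks) can be verified against a capture. The Python below is an added example, not part of the original thread or of WebRTC's code; it assumes packets are already extracted as (src, dst, UDP payload) tuples, uses the first-byte ranges from RFC 7983 to tell STUN from DTLS, and its function names and sample addresses are constructed for illustration.

```python
import struct

MAGIC_COOKIE = 0x2112A442                      # fixed STUN header field
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101

def classify(payload):
    """First-byte demultiplexing of a UDP payload (ranges from RFC 7983)."""
    first = payload[0] if payload else 255
    if first <= 3:
        return "stun"
    return "dtls" if 20 <= first <= 63 else "other"

def parse_stun(payload):
    """Return (message_type, transaction_id), or None if the header is malformed."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    ok = cookie == MAGIC_COOKIE and length == len(payload) - 20
    return (msg_type, payload[8:20]) if ok else None

def dtls_without_valid_pair(packets):
    """Return indexes of DTLS packets whose sender had no completed check on that pair.
    Simplification: MESSAGE-INTEGRITY and XOR-MAPPED-ADDRESS are not examined."""
    pending = {}    # transaction id -> (src, dst) the request was sent on
    valid = set()   # (local, remote) pairs on which local's own check succeeded
    flagged = []
    for i, (src, dst, payload) in enumerate(packets):
        kind = classify(payload)
        if kind == "stun":
            msg_type, txid = parse_stun(payload) or (None, None)
            if msg_type == BINDING_REQUEST:
                pending[txid] = (src, dst)
            elif msg_type == BINDING_SUCCESS and pending.get(txid) == (dst, src):
                valid.add((dst, src))          # response matches the request's pair
        elif kind == "dtls" and (src, dst) not in valid:
            flagged.append(i)
    return flagged

# Constructed sample traffic (not taken from the poster's capture).
def stun(msg_type, txid):
    return struct.pack("!HHI", msg_type, 0, MAGIC_COOKIE) + txid
A, B, B2 = ("192.0.2.1", 5000), ("198.51.100.2", 6000), ("198.51.100.2", 6001)
HELLO = bytes([22, 254, 253]) + bytes(10)      # DTLS handshake record header stub
SAMPLE = [
    (A, B, stun(BINDING_REQUEST, b"t1" * 6)), (A, B2, stun(BINDING_REQUEST, b"t2" * 6)),
    (B, A, stun(BINDING_SUCCESS, b"t1" * 6)),  # check on A->B done; A->B2 still pending
    (A, B, HELLO),                             # allowed: A->B is a valid pair
    (A, B2, HELLO),                            # flagged: no completed check on A->B2
]
```

On the sample, only the last packet is reported: the handshake on A->B is accepted even though the check on A->B2 is still outstanding, which matches the behaviour observed in the original question.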

sumit meena

Oct 9, 2025, 3:02:06 AM
to discuss-webrtc
Thank you so much for the clarification, Roman and Harald :)
This is very helpful.