Internet-Draft ICE-MI256 May 2026
Hancke & Shpount Expires 3 November 2026 [Page]
Workgroup:
Transport and Services Working Group
Internet-Draft:
draft-hancke-ice-mi256-latest
Updates:
8445, 8863 (if approved)
Published:
Intended Status:
Informational
Expires:
Authors:
P. Hancke
R. Shpount

An ICE Option for MESSAGE-INTEGRITY-SHA256

Abstract

This document defines a new ICE option "mi256" that enables the use of MESSAGE-INTEGRITY-SHA256 for STUN short-term authentication in ICE. This is a usage specific negotiation method which lets ICE agents use the SHA-256 variant of the message-integrity attribute in favor of SHA-1.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://fippo.github.io/mimi/draft-tsvwg-hancke-ice-mi256.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-hancke-ice-mi256/.

Discussion of this document takes place on the WG Working Group mailing list (mailto:tsvwg@ietf.org), which is archived at https://datatracker.ietf.org/wg/tsvwg/. Subscribe at https://www.ietf.org/mailman/listinfo/tsvwg/.

Source for this draft and an issue tracker can be found at https://github.com/fippo/mimi.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 3 November 2026.

Table of Contents

1. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Introduction

Interactive Connectivity Establishment (ICE) [RFC8445] uses STUN [RFC8489] with short-term credentials for connectivity checks. However, ICE assumes a single MESSAGE-INTEGRITY algorithm (SHA-1) and does not provide a mechanism for hash agility.

STUN defines a mechanism for hash agility and requires usages to define their own negotiation method as described in Section 16.3 of [RFC8489].

This document updates ICE by defining an ICE option "mi256" that signals support for MESSAGE-INTEGRITY-SHA256 and specifies how it is used for connectivity checks.

3. ICE Option

This document defines a new ICE option "mi256" following the procedures in [RFC8839] which indiciates support for the comprehension-required MESSAGE-INTEGRITY-SHA256 STUN attribute.

When the "mi256" ice-option is supported by both agents, all STUN transactions in the ICE session

Truncation is not permitted.

4. Peer-reflexive candidates

STUN Binding requests using MESSAGE-INTEGRITY-SHA256 for authentication can arrive at the offerer before the SDP answer containing the ice-options attribute.

If the request verifies correctly using the expected ICE short term credential, the agent infers that the peer supports the "mi256" ICE option semantics for the current ICE session.

5. Security Considerations

This document improves the security of ICE by enabling the use of SHA-256 instead of SHA-1 for message integrity.

6. IANA Considerations

This document requests that IANA make the following registrations:

6.1. ICE Option Registration

IANA is requested to add the following value to the "Interactive Connectivity Establishment (ICE) Options" registry:

ICE Option name: mi256

Description: The ICE option indicates that the ICE agent supports the MESSAGE-INTEGRITY-SHA256 STUN attribute.

Reference: RFC XXXX

7. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8445]
Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal", RFC 8445, DOI 10.17487/RFC8445, , <https://www.rfc-editor.org/rfc/rfc8445>.
[RFC8489]
Petit-Huguenin, M., Salgueiro, G., Rosenberg, J., Wing, D., Mahy, R., and P. Matthews, "Session Traversal Utilities for NAT (STUN)", RFC 8489, DOI 10.17487/RFC8489, , <https://www.rfc-editor.org/rfc/rfc8489>.
[RFC8839]
Petit-Huguenin, M., Nandakumar, S., Holmberg, C., Keränen, A., and R. Shpount, "Session Description Protocol (SDP) Offer/Answer Procedures for Interactive Connectivity Establishment (ICE)", RFC 8839, DOI 10.17487/RFC8839, , <https://www.rfc-editor.org/rfc/rfc8839>.

Authors' Addresses

Philipp Hancke
Roman Shpount