WebRTC-HTTP Ingestion Protocol (WHIP)

WebRTC-HTTP Ingestion Protocol (WHIP) Millicast

sergio.garcia.murillo@cosmosoftware.io

CoSMo Software

alex.gouaillard@cosmosoftware.io

WIT wish This document describes a simple HTTP-based protocol that will allow WebRTC-based ingestion of content into streaming services and/or Content Delivery Networks (CDNs). This document updates RFCs 8840 and 8842.

Introduction The IETF RTCWEB Working Group standardized the JavaScript Session Establishment Protocol (JSEP) , a mechanism used to control the setup, management, and teardown of a multimedia session. It also describes how to negotiate media flows using the offer/answer model with the Session Description Protocol (SDP) , including the formats for data sent over the wire (e.g., media types, codec parameters, and encryption). WebRTC intentionally does not specify a signaling transport protocol at the application level. Unfortunately, the lack of a standardized signaling mechanism in WebRTC has been an obstacle to its adoption as an ingestion protocol within the broadcast and streaming industry, where a streamlined production pipeline is taken for granted. For example, cables carrying raw media to hardware encoders are plugged in and then the encoded media is pushed to any streaming service or Content Delivery Network (CDN) using an ingestion protocol. While WebRTC can be integrated with standard signaling protocols like SIP or Extensible Messaging and Presence Protocol (XMPP) , they are not designed to be used in broadcasting and streaming services, and there is also no sign of adoption in that industry. The Real-Time Streaming Protocol (RTSP) , which is based on RTP, does not support the SDP offer/answer model for negotiating the characteristics of the media session. This document proposes a simple protocol based on HTTP for supporting WebRTC as a media ingestion method that:

is easy to implement,
is as easy to use as popular IP-based broadcast protocols,
is fully compliant with WebRTC and RTCWEB specs,
enables ingestion on both classical media platforms and WebRTC end-to-end platforms (achieving the lowest possible latency),
lowers the requirements on both hardware encoders and broadcasting services to support WebRTC, and
is usable in both web browsers and standalone encoders.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Overview The WebRTC-HTTP Ingestion Protocol (WHIP) is designed to facilitate a one-time exchange of Session Description Protocol (SDP) offers and answers using HTTP POST requests. This exchange is a fundamental step in establishing an Interactive Connectivity Establishment (ICE) and Datagram Transport Layer Security (DTLS) session between the WHIP client, which represents the encoder or media producer, and the media server, which is the broadcasting ingestion endpoint. Upon successful establishment of the ICE/DTLS session, unidirectional media data transmission commences from the WHIP client to the media server. It is important to note that SDP renegotiations are not supported in WHIP. This means that no modifications to the "m=" sections can be made after the initial SDP offer/answer exchange via HTTP POST is completed and that only ICE-related information can be updated via HTTP PATCH requests as defined in . The following diagram illustrates the core operation of WHIP for initiating and terminating an ingest session:

WHIP Session Setup and Teardown + | | |201 Created (SDP answer) | | | +<------------------------+ | | | ICE/STUN REQUEST | | +--------------------------------------->+ | | ICE/STUN RESPONSE | | |<---------------------------------------+ | | DTLS SETUP | | |<======================================>| | | RTP/RTCP FLOW | | +<-------------------------------------->+ | | HTTP DELETE | +---------------------------------------------------------->+ | 200 OK | <-----------------------------------------------------------x ]]> The elements in are described as follows:

WHIP client:: This represents the WebRTC media encoder or producer, which functions as a client of WHIP by encoding and delivering media to a remote media server.
WHIP endpoint:: This denotes the ingest server that receives the initial WHIP request.
WHIP endpoint URL:: This refers to the URL of the WHIP endpoint responsible for creating the WHIP session.
Media server:: This is the WebRTC media server or consumer responsible for establishing the media session with the WHIP client and receiving the media content it produces.
WHIP session:: This indicates the server handling the allocated HTTP resource by the WHIP endpoint for an ongoing ingest session.
WHIP session URL:: This refers to the URL of the WHIP resource allocated by the WHIP endpoint for a specific media session. To modify the session (e.g., ICE operations or session termination), the WHIP client can send requests to the WHIP session using this URL.

illustrates the communication flow between a WHIP client, WHIP endpoint, media server, and WHIP session. This flow outlines the process of setting up and tearing down an ingest session using WHIP, which involves negotiation, ICE for Network Address Translation (NAT) traversal, DTLS and the Secure Real-time Transport Protocol (SRTP) for security, and RTP/RTCP for media transport:

The WHIP client initiates the communication by sending an HTTP POST with an SDP offer to the WHIP endpoint.
The WHIP endpoint responds with a "201 Created" message containing an SDP answer.
The WHIP client and media server establish ICE and DTLS sessions for NAT traversal and secure communication.
RTP and RTCP flows are established for media transmission from the WHIP client to the media server, secured by the SRTP profile.
The WHIP client sends an HTTP DELETE to terminate the WHIP session.
The WHIP session responds with a "200 OK" to confirm the session termination.

Protocol Operation

HTTP Usage Following the guidelines in , WHIP clients MUST NOT match error codes returned by the WHIP endpoints and resources to a specific error cause indicated in this specification. WHIP clients MUST be able to handle all applicable status codes by gracefully falling back to the generic n00 semantics of a given status code on unknown error codes. WHIP endpoints and resources could convey finer-grained error information by a problem details json object in the response message body of the failed request as per . The WHIP endpoints and sessions are origin servers as defined in ; they handle the requests and provide responses for the underlying HTTP resources. Those HTTP resources do not have any representation defined in this specification, so the WHIP endpoints and sessions MUST return a 2xx successful response with no content when a GET request is received.

Ingest Session Setup In order to set up an ingest session, the WHIP client MUST generate an SDP offer according to the JSEP rules for an initial offer as per and send an HTTP POST request as per to the configured WHIP endpoint URL. The HTTP POST request MUST have a content type of "application/sdp" and contain the SDP offer as the body. The WHIP endpoint MUST generate an SDP answer according to the JSEP rules for an initial answer as per and return the following: a "201 Created" response with a content type of "application/sdp", the SDP answer as the body, and a Location header field pointing to the newly created WHIP session. If the HTTP POST to the WHIP endpoint has a content type different than "application/sdp" or the SDP is malformed, the WHIP endpoint MUST reject the HTTP POST request with an appropriate 4xx error response. As WHIP only supports the ingestion use case with unidirectional media, the WHIP client SHOULD use the "sendonly" attribute in the SDP offer but MAY use the "sendrecv" attribute instead; the "inactive" and "recvonly" attributes MUST NOT be used. The WHIP endpoint MUST use the "recvonly" attribute in the SDP answer. is an example of an HTTP POST sent from a WHIP client to a WHIP endpoint and the "201 Created" response from the WHIP endpoint containing the Location header pointing to the newly created WHIP session.

Example of the SDP Offer/Answer Exchange Done via an HTTP POST Once a session is set up, consent freshness as per SHALL be used to detect non-graceful disconnection by full ICE implementations and DTLS teardown for session termination by either side. To explicitly terminate a WHIP session, the WHIP client MUST send an HTTP DELETE request to the WHIP session URL returned in the Location header field of the initial HTTP POST. Upon receiving the HTTP DELETE request, the WHIP session will be removed and the resources freed on the media server, terminating the ICE and DTLS sessions. A media server terminating a session MUST follow the procedures in for immediate revocation of consent. The WHIP endpoints MUST support OPTIONS requests for Cross-Origin Resource Sharing (CORS) as defined in . The "200 OK" response to any OPTIONS request SHOULD include an Accept-Post header with a media type value of "application/sdp" as per .

ICE Support ICE is a protocol that addresses the complexities of NAT traversal commonly encountered in Internet communication. NATs hinder direct communication between devices on different local networks, posing challenges for real-time applications. ICE facilitates seamless connectivity by employing techniques to discover and negotiate efficient communication paths. Trickle ICE optimizes the connectivity process by incrementally sharing potential communication paths, reducing latency, and facilitating quicker establishment. ICE restarts are crucial for maintaining connectivity in dynamic network conditions or disruptions, allowing devices to re-establish communication paths without complete renegotiation. This ensures minimal latency and reliable real-time communication. Trickle ICE and ICE restart support are RECOMMENDED for both WHIP sessions and clients.

HTTP PATCH Request Usage The WHIP client MAY perform Trickle ICE or ICE restarts by sending an HTTP PATCH request as per to the WHIP session URL. This HTTP PATCH request MUST contain a body with an SDP fragment with media type "application/trickle-ice-sdpfrag" as specified in , which carries the relevant ICE information. If the HTTP PATCH request sent to the WHIP session URL has a content type different than "application/trickle-ice-sdpfrag" or the SDP fragment is malformed, the WHIP session MUST reject the HTTP PATCH with an appropriate 4xx error response. If the WHIP session supports either Trickle ICE or ICE restarts, but not both, it MUST return a "422 Unprocessable Content" error response for the HTTP PATCH requests that are not supported as per . The WHIP client MAY send overlapping HTTP PATCH requests to one WHIP session. Consequently, those HTTP PATCH requests may be received out of order by the WHIP session. Thus, if the WHIP session supports ICE restarts, it MUST generate a unique strong entity-tag identifying the ICE session as per . The initial value of the entity-tag identifying the initial ICE session MUST be returned in an ETag header field in the "201 Created" response to the initial POST request to the WHIP endpoint. WHIP clients SHOULD NOT use entity-tag validation when matching a specific ICE session is not required, for example, when initiating a DELETE request to terminate a session. WHIP sessions MUST ignore any entity-tag value sent by the WHIP client when ICE session matching is not required, as in the HTTP DELETE request. Missing or outdated ETags in the PATCH requests from WHIP clients will be answered by WHIP sessions as per and , with a "428 Precondition Required" response for a missing entity-tag and a "412 Precondition Failed" response for a non-matching entity-tag.

Trickle ICE Depending on the Trickle ICE support on the WHIP client, the initial offer by the WHIP client MAY be sent after the full ICE gathering is complete with the full list of ICE candidates, or it MAY only contain local candidates (or even an empty list of candidates) as per . For the purpose of reducing setup times, when using Trickle ICE, the WHIP client SHOULD send the SDP offer (containing either locally gathered ICE candidates or an empty list of candidates) as soon as possible. In order to simplify the protocol, the WHIP session cannot signal additional ICE candidates to the WHIP client after the SDP answer has been sent. The WHIP endpoint SHALL gather all the ICE candidates for the media server before responding to the client request, and the SDP answer SHALL contain the full list of ICE candidates of the media server. As the WHIP client needs to know the WHIP session URL associated with the ICE session in order to send a PATCH request containing new ICE candidates, it MUST wait and buffer any gathered candidates until the "201 Created" HTTP response to the initial POST request is received. In order to reduce the HTTP traffic and processing time required, the WHIP client SHOULD send a single aggregated HTTP PATCH request with all the buffered ICE candidates once the response is received. Additionally, if ICE restarts are supported by the WHIP session, the WHIP client needs to know the entity-tag associated with the ICE session in order to send a PATCH request containing new ICE candidates; thus, it MUST also wait and buffer any gathered candidates until it receives the HTTP response with the new entity-tag value to the last PATCH request performing an ICE restart. WHIP clients generating the HTTP PATCH body with the SDP fragment and its subsequent processing by WHIP sessions MUST follow the guidelines defined in with the following considerations:

As per , only "m=" sections not marked as bundle-only can gather ICE candidates, so given that the "max-bundle" policy is being used, the SDP fragment will contain only the offerer-tagged "m=" line of the bundle group.
The WHIP client MAY exclude ICE candidates from the HTTP PATCH body if they have already been confirmed by the WHIP session with a successful HTTP response to a previous HTTP PATCH request.

WHIP sessions and clients that support Trickle ICE MUST make use of entity-tags and conditional requests as explained in . When a WHIP session receives a PATCH request that adds new ICE candidates without performing an ICE restart, it MUST return a "204 No Content" response without a body and MUST NOT include an ETag header in the response. If the WHIP session does not support a candidate transport or is not able to resolve the connection address, it MUST silently discard the candidate and continue processing the rest of the request normally. shows an example of the Trickle ICE procedure where the WHIP client sends a PATCH request with updated ICE candidate information and receives a successful response from the WHIP session.

Example of a Trickle ICE Request and Response

ICE Restarts As defined in , when an ICE restart occurs, a new SDP offer/answer exchange is triggered. However, as WHIP does not support renegotiation of non-ICE-related SDP information, a WHIP client will not send a new offer when an ICE restart occurs. Instead, the WHIP client and WHIP session will only exchange the relevant ICE information via an HTTP PATCH request as defined in and MUST assume that the previously negotiated non-ICE-related SDP information still applies after the ICE restart. When performing an ICE restart, the WHIP client MUST include the updated "ice-pwd" and "ice-ufrag" in the SDP fragment of the HTTP PATCH request body as well as the new set of gathered ICE candidates as defined in . Similar to what is defined in , as per , only "m=" sections not marked as bundle-only can gather ICE candidates, so given that the "max-bundle" policy is being used, the SDP fragment will contain only the offerer-tagged "m=" line of the bundle group. A WHIP client sending a PATCH request for performing ICE restart MUST contain an If-Match header field with a field-value of "*" as per . states that an agent MUST discard any received requests containing "ice-pwd" and "ice-ufrag" attributes that do not match those of the current ICE Negotiation Session. However, any WHIP session receiving updated "ice-pwd" and "ice-ufrag" attributes MUST consider the request as performing an ICE restart instead and, if supported, SHALL return a "200 OK" with an "application/trickle-ice-sdpfrag" body containing the new ICE username fragment and password and a new set of ICE candidates for the WHIP session. Also, the "200 OK" response for a successful ICE restart MUST contain the new entity-tag corresponding to the new ICE session in an ETag response header field and MAY contain a new set of ICE candidates for the media server. As defined in , the set of candidates after an ICE restart may include some, none, or all of the previous candidates for that data stream and may include a totally new set of candidates. Therefore, after performing a successful ICE restart, both the WHIP client and the WHIP session MUST replace the previous set of remote candidates with the new set exchanged in the HTTP PATCH request and response, discarding any remote ICE candidate not present on the new set. Both the WHIP client and the WHIP session MUST ensure that the HTTP PATCH request and response bodies include the same "ice-options," "ice-pacing," and "ice-lite" attributes as those used in the SDP offer or answer. If the ICE restart request cannot be satisfied by the WHIP session, the resource MUST return an appropriate HTTP error code and MUST NOT terminate the session immediately and keep the existing ICE session. The WHIP client MAY retry performing a new ICE restart or terminate the session by issuing an HTTP DELETE request instead. In any case, the session MUST be terminated if the ICE consent expires as a consequence of the failed ICE restart as per . In case of unstable network conditions, the ICE restart HTTP PATCH requests and responses might be received out of order. In order to mitigate this scenario, when the client performs an ICE restart, it MUST discard any previous ICE username fragment and password and ignore any further HTTP PATCH response received from a pending HTTP PATCH request. WHIP clients MUST apply only the ICE information received in the response to the last sent request. If there is a mismatch between the ICE information at the WHIP client and at the WHIP session (because of an out-of-order request), the Session Traversal Utilities for NAT (STUN) requests will contain invalid ICE information and will be dropped by the receiving side. If this situation is detected by the WHIP client, it MUST send a new ICE restart request to the server. demonstrates a Trickle ICE restart procedure example. The WHIP client sends a PATCH request containing updated ICE information, including a new username fragment and password, along with newly gathered ICE candidates. In response, the WHIP session provides ICE information for the session after the ICE restart, including the updated username fragment and password, as well as the previous ICE candidate.

Example of an ICE Restart Request and Response

WebRTC Constraints To simplify the implementation of WHIP in both clients and media servers, WHIP introduces specific restrictions on WebRTC usage. The following subsections will explain these restrictions in detail.

SDP Bundle Both the WHIP client and the WHIP endpoint SHALL support and use the "max-bundle" policy as defined in . The WHIP client and the media server MUST support multiplexed media associated with the BUNDLE group as per . In addition, per , the WHIP client and media server SHALL use RTP/RTCP multiplexing for all bundled media. In order to reduce the network resources required at the media server, both the WHIP client and WHIP endpoints MUST include the "rtcp-mux-only" attribute in each bundled "m=" section as per .

Single MediaStream WHIP only supports a single MediaStream as defined in ; therefore, all "m=" sections MUST contain a "msid" attribute with the same value. The MediaStream MUST contain at least one MediaStreamTrack of any media kind, and it MUST NOT have two or more MediaStreamTracks for the same media (audio or video). However, it would be possible for future revisions of this specification to allow more than a single MediaStream or MediaStreamTrack of each media kind. Therefore, in order to ensure forward compatibility, if the number of audio and/or video MediaStreamTracks or the number of MediaStreams are not supported by the WHIP endpoint, it MUST reject the HTTP POST request with a "422 Unprocessable Content" or "400 Bad Request" error response. The WHIP endpoint MAY also return a problem statement that provides further error details about the failed request, as recommended in .

No Partially Successful Answers The WHIP endpoint SHOULD NOT reject individual "m=" sections, as specified in , if an error occurs when processing the "m=" section; instead, it SHOULD reject the HTTP POST request with a "422 Unprocessable Content" or "400 Bad Request" error response to prevent having partially successful ingest sessions, which can be misleading to end users. The WHIP endpoint MAY also return a problem statement as recommended in proving further error details about the failed request.

DTLS Setup Role and SDP "setup" Attribute When a WHIP client sends an SDP offer, it SHOULD insert an SDP "setup" attribute with an "actpass" attribute value, as defined in . However, if the WHIP client only implements the DTLS client role, it MAY use an SDP "setup" attribute with an "active" attribute value. If the WHIP endpoint does not support an SDP offer with an SDP "setup" attribute with an "active" attribute value, it SHOULD reject the request with a "422 Unprocessable Content" or "400 Bad Request" error response. NOTE: defines that the offerer must insert an SDP "setup" attribute with an "actpass" attribute value. However, the WHIP client will always communicate with a media server that is expected to support the DTLS server role, in which case the client might choose to only implement support for the DTLS client role.

Trickle ICE and ICE Restarts The media server SHOULD support full ICE, unless it is connected to the Internet with an IP address that is accessible by each WHIP client that is authorized to use it, in which case it MAY support only ICE lite. The WHIP client MUST implement and use full ICE. Trickle ICE and ICE restart support is OPTIONAL for both the WHIP clients and media servers as explained in .

Load Balancing and Redirections WHIP endpoints and media servers might not be colocated on the same server, so it is possible to load balance incoming requests to different media servers. WHIP clients SHALL support HTTP redirections as per . In order to avoid POST requests being redirected as GET requests, status codes "301 Moved Permanently" and "302 Found" MUST NOT be used; the preferred method for performing load balancing is via the "307 Temporary Redirect" response status code as described in . Redirections are not required to be supported for the PATCH and DELETE requests. In case of high load, the WHIP endpoints MAY return a "503 Service Unavailable" response indicating that the server is currently unable to handle the request due to a temporary overload or scheduled maintenance as described in , which will likely be alleviated after some delay. The WHIP endpoint might send a Retry-After header field indicating the minimum time that the user agent ought to wait before making a follow-up request as described in .

STUN/TURN Server Configuration The WHIP endpoint MAY return STUN/TURN server configuration URLs and credentials usable by the client in the "201 Created" response to the HTTP POST request to the WHIP endpoint URL. A reference to each STUN/TURN server will be returned using the Link header field with a "rel" attribute value of "ice-server". The Link target URI is the server URI as defined in and . The credentials are encoded in the Link target attributes as follows:

username: If the Link header field represents a Traversal Using Relays around NAT (TURN) server, then this attribute specifies the username to use with that TURN server.
credential: This attribute represents a long-term authentication password, as described in .

illustrates the Link headers included in a "201 Created" response, providing the ICE server URLs and associated credentials.

Example of a STUN/TURN Server's Configuration ; rel="ice-server" Link: ; rel="ice-server"; username="user"; credential="myPassword" Link: ; rel="ice-server"; username="user"; credential="myPassword" Link: ; rel="ice-server"; username="user"; credential="myPassword" ]]> NOTE: The naming of both the "rel" attribute value of "ice-server" and the target attributes follows that used in the RTCConfiguration dictionary in Section 4.2.1 of the W3C WebRTC recommendation (see ). The "rel" attribute value of "ice-server" is not prepended with the "urn:ietf:params:whip:" so it can be reused by other specifications, which may use this mechanism to configure the usage of STUN/TURN servers. NOTE: Depending on the ICE agent implementation, the WHIP client may need to call the setConfiguration method before calling the setLocalDescription method with the local SDP offer in order to avoid having to perform an ICE restart for applying the updated STUN/TURN server configuration on the next ICE gathering phase. There are some WebRTC implementations that do not support updating the STUN/TURN server configuration after the local offer has been created as specified in . In order to support these clients, the WHIP endpoint MAY also include the STUN/TURN server configuration in the responses to OPTIONS requests sent to the WHIP endpoint URL before the POST request is sent. However, this method is NOT RECOMMENDED to be used by the WHIP clients, and if it is supported by the underlying WHIP client's WebRTC implementation, the WHIP client SHOULD wait for the information to be returned by the WHIP endpoint in the response of the HTTP POST request instead. The generation of the TURN server credentials may require sending a request to an external provider, which can both add latency to the OPTIONS request processing and increase the processing required to handle that request. In order to prevent this, the WHIP endpoint SHOULD NOT return the STUN/TURN server configuration if the OPTIONS request is a preflight request for CORS as defined in , that is, if the OPTIONS request does not contain an Access-Control-Request-Method with a POST value and the Access-Control-Request-Headers HTTP header does not contain the Link value. The WHIP clients MAY also support configuring the STUN/TURN server URIs with long-term credentials provided by either the broadcasting service or an external TURN provider, overriding the values provided by the WHIP endpoint.

Congestion Control defines the congestion control requirements for interactive real-time media to be used in WebRTC. These requirements are based on the assumption that the data needs to be provided continuously within a very limited time window (a delay of no more than hundreds of milliseconds end-to-end). If the latency target is higher, some of the requirements present in could be relaxed to allow more flexible implementations.

Authentication and Authorization All WHIP endpoints, sessions, and clients MUST support HTTP authentication as per . Additionally, in order to ensure interoperability, bearer token authentication as defined in the next section MUST be supported by all WHIP entities. However, this does not preclude the support of additional HTTP authentication schemes as defined in .

Bearer Token Authentication WHIP endpoints and sessions MAY require the HTTP request to be authenticated using an HTTP Authorization header field with a bearer token as specified in . WHIP clients MUST implement this authentication and authorization mechanism and send the HTTP Authorization header field in all HTTP requests sent to either the WHIP endpoint or session (except the preflight OPTIONS requests for CORS). The nature, syntax, and semantics of the bearer token, as well as how to distribute it to the client, are outside the scope of this document. Examples of tokens that could be used include, but are not limited to, JSON Web Tokens (JWTs) as per and a shared secret stored on a database. The tokens are typically made available to the end user alongside the WHIP endpoint URL and configured on the WHIP clients (similar to the way Real Time Messaging Protocol (RTMP) URLs and Stream Keys are distributed). WHIP endpoints and sessions could perform the authentication and authorization by encoding an authentication token within the URLs for the WHIP endpoints or sessions instead. In case the WHIP client is not configured to use a bearer token, the HTTP Authorization header field MUST NOT be sent in any request.

Simulcast and Scalable Video Coding Simulcast as per MAY be supported by both the media servers and WHIP clients through negotiation in the SDP offer/answer. If the client supports simulcast and wants to enable it for ingesting, it MUST negotiate the support in the SDP offer according to the procedures in . A server accepting a simulcast offer MUST create an answer according to the procedures in . It is possible for both media servers and WHIP clients to support Scalable Video Coding (SVC). However, as there is no universal negotiation mechanism in SDP for SVC, the encoder must consider the negotiated codec(s), intended usage, and SVC support in available decoders when configuring SVC.

Protocol Extensions In order to support future extensions to be defined for WHIP, a common procedure for registering and announcing the new extensions is defined. Protocol extensions supported by the WHIP sessions MUST be advertised to the WHIP client in the "201 Created" response to the initial HTTP POST request sent to the WHIP endpoint. The WHIP endpoint MUST return one Link header field for each extension that it supports, with the extension "rel" attribute value containing the extension URN and the URL for the HTTP resource that will be available for receiving requests related to that extension. Protocol extensions are optional for both WHIP clients and servers. WHIP clients MUST ignore any Link target attribute with an unknown "rel" attribute value, and WHIP sessions MUST NOT require the usage of any extension. Each protocol extension MUST register a unique "rel" attribute value that starts with the prefix "urn:ietf:params:whip:ext" in the "WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs" registry (). For example, consider a potential extension of server-to-client communication using server-sent events as specified in Section 9.2 of . The URL for connecting to the server-sent event resource for the ingested stream could be returned in the initial HTTP "201 Created" response with a Link header field and a "rel" attribute of "urn:ietf:params:whip:ext:example:server-sent-events" (this document does not specify such an extension and uses it only as an example). In this theoretical case, the "201 Created" response to the HTTP POST request would look like: shows the "201 Created" response to the HTTP POST request in this theoretical case (i.e., the WHIP extension supported by the WHIP session, as indicated in the Link header of the "201 Created" response).

Example of a WHIP Extension ; rel="urn:ietf:params:whip:ext:example:server-sent-events" ]]>

Security Considerations This document specifies a new protocol on top of HTTP and WebRTC; thus, security protocols and considerations from related specifications apply to the WHIP specification. These include:

WebRTC security considerations: See . HTTPS SHALL be used in order to preserve the WebRTC security model.
Transport Layer Security (TLS): See and .
HTTP security: See and .
URI security: See .

On top of that, WHIP exposes a thin new attack surface specific to the REST API methods used within it:

HTTP POST flooding and resource exhaustion: It would be possible for an attacker in possession of authentication credentials valid for ingesting a WHIP stream to make multiple HTTP POST requests to the WHIP endpoint. This will force the WHIP endpoint to process the incoming SDP and allocate resources for being able to set up the DTLS/ICE connection. While the malicious client does not need to initiate the DTLS/ICE connection at all, the WHIP session will have to wait for the DTLS/ICE connection timeout in order to release the associated resources. If the connection rate is high enough, this could lead to resource exhaustion on the servers handling the requests, and they will not be able to process legitimate incoming ingests. In order to prevent this scenario, WHIP endpoints SHOULD implement a rate limit and avalanche control mechanism for incoming initial HTTP POST requests.
Insecure Direct Object References (IDORs) for WHIP session URLs: If the URLs returned by the WHIP endpoint for the location of WHIP sessions are easy to guess, it would be possible for an attacker to send multiple HTTP DELETE requests and terminate all the WHIP sessions currently running. In order to prevent this scenario, WHIP endpoints SHOULD generate URLs with enough randomness, using a cryptographically secure pseudorandom number generator following the best practices in "Randomness Requirements for Security" , and implement a rate limit and avalanche control mechanism for HTTP DELETE requests. The security considerations for Universally Unique IDentifiers (UUIDs) in are applicable for generating the WHIP session URLs.
HTTP PATCH flooding: Similar to the HTTP POST flooding, a malicious client could also create resource exhaustion by sending multiple HTTP PATCH requests to the WHIP session, although the WHIP sessions can limit the impact by not allocating new ICE candidates and reusing the existing ICE candidates when doing ICE restarts. In order to prevent this scenario, WHIP endpoints SHOULD implement a rate limit and avalanche control mechanism for incoming HTTP PATCH requests.

IANA Considerations Per this specification, IANA has added a new link relation type and a new URN sub-namespace for WHIP. IANA has also created registries to manage entries within the "urn:ietf:params:whip" and "urn:ietf:params:whip:ext" namespaces.

Link Relation Type: ice-server The link relation type below has been registered by IANA in the "Link Relation Types" registry per :

Relation Name:: ice-server
Description:: Conveys the STUN and TURN servers that can be used by an ICE agent to establish a connection with a peer.
Reference:: RFC 9725

URN Sub-namespace for WHIP (urn:ietf:params:whip) IANA has added a new entry in the "IETF URN Sub-namespace for Registered Protocol Parameter Identifiers" registry, following the template in :

Registry name:: whip
Specification:: RFC 9725
Repository:: <https://www.iana.org/assignments/whip>
Index value:: An IANA-assigned positive integer that identifies the registration. The first entry added to this registry uses the value 1, and this value is incremented for each subsequent entry added to the registry.

To manage this sub-namespace, IANA has created two registries within a new registry group called "WebRTC-HTTP Ingestion Protocol (WHIP)":

"WebRTC-HTTP Ingestion Protocol (WHIP) URNs" registry ()
"WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs" registry ()

WebRTC-HTTP Ingestion Protocol (WHIP) URNs Registry The "WebRTC-HTTP Ingestion Protocol (WHIP) URNs" registry is used to manage entries within the "urn:ietf:params:whip" namespace. The registration procedure is "Specification Required" . The registry contains the following fields: URN, Name, Reference, IANA Registry Reference, and Change Controller. This document is listed as the reference. The registry contains a single initial entry:

URN:: urn:ietf:params:whip:ext
Name:: WebRTC-HTTP Ingestion Protocol (WHIP) extension URNs
Reference:: of RFC 9725
IANA Registry Reference:: See "WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs" on <https://www.iana.org/assignments/whip>
Change Controller:: IETF

WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs Registry The "WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs" registry is used to manage entries within the "urn:ietf:params:whip:ext" namespace. The registration procedure is "Specification Required" . The registry contains the following fields: URN, Name, Reference, IANA Registry Reference, and Change Controller. This document is listed as the reference. A WHIP extension URN is used as a value in the "rel" attribute of the Link header as defined in for the purpose of signaling the WHIP extensions supported by the WHIP endpoint. WHIP extension URNs have an "ext" type.

Registering WHIP URNs and WHIP Extension URNs This section defines the process for registering new URNs in the "WebRTC-HTTP Ingestion Protocol (WHIP) URNs" registry () and the "WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs" registry ().

Registration Procedure The IETF has created a mailing list, <wish@ietf.org>, which can be used for public discussion of proposals prior to registration. Use of the mailing list is strongly encouraged. A designated expert (DE) , appointed by the IESG, will monitor the <wish@ietf.org> mailing list and review registrations. Registration of new entries in the WHIP registries defined in this document MUST be documented in a permanent and readily available public specification, in sufficient detail so that interoperability between independent implementations is possible, and reviewed by the DE as per . A Standards Track RFC is REQUIRED for the registration of new value data types that modify existing properties. A Standards Track RFC is also REQUIRED for registration of WHIP extension URNs that modify WHIP extensions previously documented in an existing RFC. The registration procedure begins when a completed registration template, defined in , is sent to <iana@iana.org>. Decisions made by the DE can be appealed to an Applications and Real-Time (ART) Area Director, then to the IESG. The normal appeals procedure described in RFC 2026 is to be followed. Once the registration procedure concludes successfully, IANA will create or modify the corresponding record in the "WebRTC-HTTP Ingestion Protocol (WHIP) URNs Registry" or "WebRTC-HTTP Ingestion Protocol (WHIP) Extension URNs" registry. An RFC specifying one or more new WHIP extension URNs MUST include the completed registration template(s), which MAY be expanded with additional information. These completed template(s) are intended to go in the body of the document, not in the IANA Considerations section. The RFC MUST include the syntax and semantics of any extension-specific attributes that may be provided in a Link header field advertising the extension.

Guidance for the Designated Expert The DE is expected to do the following:

Ascertain the existence of suitable documentation (a specification) as described in and verify that the document is permanently and publicly available. Specifications should be documented in an Internet-Draft.
Check the clarity of purpose and use of the requested registration.
Verify that any request for one of these registrations has been made available for review and comments by posting the request to the <wish@ietf.org> mailing list.
Ensure that any other request for a code point does not conflict with work that is active or already published by the IETF.

Registration Template A WHIP extension URN is defined by completing the following template:

URN:: A unique URN (e.g., "urn:ietf:params:whip:ext:example:server-sent-events")
Name:: A descriptive name (e.g., "Sender Side events")
Reference:: A formal reference to the publicly available specification
IANA Registry Reference:: The registry related to the new URN
Change Controller:: For Standards Track documents, this is "IETF". Otherwise, this is the name of the person or body that has change control over the specification.

References Normative References Fetch WHATWG WHATWG Living Standard Commit snapshot: . Linked Data Platform 1.0 W3C Recommendation Latest version available at: . Informative References HTML WHATWG WHATWG Living Standard Commit snapshot: . WebRTC: Real-Time Communication in Browsers W3C Recommendation Latest version available at: .

Acknowledgements The authors wish to thank , , , , , , , , , , and everyone else in the WebRTC community that have provided comments, feedback, text, and improvement proposals on the document and contributed early implementations of the spec.