ICE - Interactive Connectivity Establishment

The requirement was: the system should be operable like a telephone. We therefore built ZSipOs as a crypto box that sits between the network and an ordinary SIP telephone.

ZSipOs Box


Operation (dialling, picking up, speaking and hanging up) is done on the telephone itself. The box only displays the connection and security status, as well as the SAS (see ZRTP). As long as both sides are transparently connected to the Internet with a routable IP address, ZRTP communication runs directly over the RTP connection negotiated in the SIP protocol.

In several cases this does not work:

a) The path through the telephone network is not yet entirely IP-based (ISDN instead of All-IP).
b) The subscribers have only limited connectivity to the Internet (NAT/firewall).
c) The IP connection is not handled transparently in the network but passes through, for example, a SIP proxy or the network provider's infrastructure. Less common protocol variants such as ZRTP can be blocked there.

Cases b) and c) are quite typical in IP telephony. For these there are established mechanisms for setting up a direct communication path between the participants.

STUN (Session Traversal Utilities for NAT) lets a client discover the public address (IP address and port) at which it can be reached directly from the Internet. A TURN server acts as a relay that makes communication possible through a NAT or firewall when no direct path exists.

ICE (Interactive Connectivity Establishment) is the standardised procedure by which a client determines its communication options (its candidate addresses) in the network.

If transparent communication over the primary RTP connection does not work, both participants use ICE to determine their communication options, exchange them, choose the best one and start ZRTP.
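The two building blocks above, as an added illustration that is not part of the ZSipOs project: a minimal STUN Binding exchange that yields the server-reflexive address, followed by the ICE candidate priority (RFC 8445 formula) that ranks the gathered addresses. The STUN "server" reply is constructed in-process so the code runs offline; the private and public addresses used are made-up sample values.

```python
import os
import socket
import struct

# Added example (not ZSipOs code): STUN Binding request/response handling
# and ICE candidate gathering. The reply is constructed locally.

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"   # type, length, magic cookie, 96-bit transaction ID


def build_binding_request(transaction_id=None):
    """Request with a fresh random transaction ID; the ID is what ties a reply to us."""
    tid = transaction_id or os.urandom(12)
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, tid), tid


def build_binding_success(transaction_id, ip, port):
    """What a STUN server answers: the source address it saw, XORed with the cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, family IPv4, X-Port, X-Address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_SUCCESS, len(attr), MAGIC_COOKIE, transaction_id) + attr


def parse_reflexive_address(msg, expected_tid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, refusing anything that is not our reply."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie, tid = struct.unpack(HEADER, msg[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN message")
    if tid != expected_tid:
        raise ValueError("reply does not match our transaction ID")  # unsolicited or stale reply
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type {mtype:#06x}")
    if len(msg) != 20 + length:
        raise ValueError("length field disagrees with datagram size")
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            if len(value) < 8:
                raise ValueError("short XOR-MAPPED-ADDRESS")
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        pos += 4 + ((alen + 3) & ~3)   # attribute values are padded to a 4-byte boundary
    raise ValueError("no XOR-MAPPED-ADDRESS in reply")


TYPE_PREFERENCE = {"host": 126, "srflx": 100, "relay": 0}   # RFC 8445 recommended values


def candidate_priority(ctype, local_pref=65535, component_id=1):
    """RFC 8445 candidate priority: type preference dominates, then local preference."""
    return (2 ** 24) * TYPE_PREFERENCE[ctype] + (2 ** 8) * local_pref + (256 - component_id)


def gather_candidates(host_ip, host_port, stun_reply, tid, relay=None):
    """Host candidate plus the server-reflexive one learned via STUN, highest priority first."""
    cands = [{"type": "host", "ip": host_ip, "port": host_port, "priority": candidate_priority("host")}]
    ip, port = parse_reflexive_address(stun_reply, tid)
    if (ip, port) != (host_ip, host_port):   # behind NAT: a distinct public mapping exists
        cands.append({"type": "srflx", "ip": ip, "port": port, "priority": candidate_priority("srflx")})
    if relay:   # (ip, port) allocated on a TURN server, if one is configured
        cands.append({"type": "relay", "ip": relay[0], "port": relay[1], "priority": candidate_priority("relay")})
    return sorted(cands, key=lambda c: c["priority"], reverse=True)


def demo():
    """Constructed scenario: the NAT mapped private 192.168.1.20:5004 to public 203.0.113.7:40000."""
    req, tid = build_binding_request()
    reply = build_binding_success(tid, "203.0.113.7", 40000)
    return gather_candidates("192.168.1.20", 5004, reply, tid)


if __name__ == "__main__":
    for cand in demo():
        print(cand)
```

The transaction-ID check is the part worth keeping in a real client: without it, any datagram arriving on the socket could be taken as the answer and a wrong "public address" would end up in the offer. Real ICE then runs connectivity checks on candidate pairs before one is used; the priorities only decide the order in which that happens.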

But how can this exchange take place before a transparent connection exists?

Our approach

We already have an ordinary, unsecured telephone connection to the remote party. The simplest way to exchange data over a telephone connection is to transmit dial tones (DTMF).

Unfortunately, transmitting the complete set of communication options (the "offer") this way takes quite a long time. We therefore use a small auxiliary server, the ICE Helper. Each participant determines its communication options with ICE and deposits them at the ICE Helper, receiving a registration number in return. This number is then sent to the other party over the telephone connection as a sequence of dial tones. The other party retrieves the offer from the ICE Helper under that number, selects the best communication path and starts the ZRTP communication.

  • Important: The ICE Helper only assists in establishing a direct connection between the participants. It does not carry any secrets. The cryptographic protection of the connection is entirely independent of it.
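The exchange described in this section, as an added example that is not the ZSipOs implementation: a minimal ICE Helper that stores an offer and hands out a registration number, the dial-tone encoding of that number, and the selection of a candidate pair once both offers are known. The number length, the check digit, the single-use and expiry behaviour and the offer field names are assumptions made for the illustration; the helper enforces the point of the note above by accepting reachability data only.

```python
import secrets
import time

# Added example (not ZSipOs code): hypothetical ICE Helper and DTMF transport
# of the registration number. Field names and policies are assumptions.

ALLOWED_FIELDS = {"type", "ip", "port", "priority"}   # connectivity data, nothing else
NUMBER_DIGITS = 8


def validate_candidate(cand):
    """The helper carries reachability data only; refuse offers with anything beyond that."""
    extra = set(cand) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"offer contains non-candidate fields: {sorted(extra)}")
    if cand["type"] not in ("host", "srflx", "relay"):
        raise ValueError("unknown candidate type")


class IceHelper:
    """Stores offers under a random registration number; each offer can be fetched once."""

    def __init__(self, ttl_seconds=120):
        self._offers = {}
        self.ttl = ttl_seconds

    def deposit(self, offer, now=None):
        now = time.time() if now is None else now
        for cand in offer:
            validate_candidate(cand)
        while True:   # random number, retried on the unlikely collision
            number = "".join(secrets.choice("0123456789") for _ in range(NUMBER_DIGITS))
            if number not in self._offers:
                break
        self._offers[number] = (list(offer), now + self.ttl)
        return number

    def retrieve(self, number, now=None):
        now = time.time() if now is None else now
        entry = self._offers.pop(number, None)   # single use: gone after the first fetch
        if entry is None:
            return None
        offer, expires = entry
        return offer if now <= expires else None


def check_digit(digits):
    return str(sum(int(d) for d in digits) % 10)


def to_dtmf(number):
    """Digit string to send as dial tones: number, a checksum digit, '#' as terminator."""
    return number + check_digit(number) + "#"


def from_dtmf(tones):
    """Decode received tones; a misdetected tone is caught here rather than as a failed lookup."""
    if not tones.endswith("#") or len(tones) != NUMBER_DIGITS + 2:
        return None
    number, check = tones[:-2], tones[-2]
    if not number.isdigit() or check_digit(number) != check:
        return None
    return number


def select_pair(local, remote, controlling):
    """Rank candidate pairs with the RFC 8445 pair priority formula and return the best."""
    best, best_prio = None, -1
    for loc in local:
        for rem in remote:
            g, d = (loc["priority"], rem["priority"]) if controlling else (rem["priority"], loc["priority"])
            prio = (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)
            if prio > best_prio:
                best, best_prio = (loc, rem), prio
    return best


def demo_exchange(helper, offer_a, offer_b):
    """A deposits its offer and sends the number as tones; B decodes, fetches and ranks pairs."""
    number_a = helper.deposit(offer_a)
    tones_on_the_line = to_dtmf(number_a)       # what B's box hears on the telephone call
    received = from_dtmf(tones_on_the_line)
    remote_offer = helper.retrieve(received) if received else None
    if remote_offer is None:
        return None
    return select_pair(offer_b, remote_offer, controlling=False)


# Constructed sample offers (priorities are the usual RFC 8445 host/srflx values).
OFFER_A = [{"type": "host", "ip": "192.168.1.20", "port": 5004, "priority": 2130706431},
           {"type": "srflx", "ip": "203.0.113.7", "port": 40000, "priority": 1694498815}]
OFFER_B = [{"type": "host", "ip": "10.0.0.5", "port": 5004, "priority": 2130706431},
           {"type": "srflx", "ip": "198.51.100.9", "port": 41000, "priority": 1694498815}]

if __name__ == "__main__":
    print(demo_exchange(IceHelper(), OFFER_A, OFFER_B))
```

Two choices carry the security point of the note: the helper rejects any field that is not a candidate, so it structurally cannot become a carrier of key material, and an offer is handed out once and expires, so a stale number is worthless. The pair returned by `select_pair` is only the first one to try; as in ICE proper, it still has to pass a connectivity check before ZRTP starts over it.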