Traffic Encryption
Channels that are encrypted use AES256-CBC, as described above. When traffic is transmitted over UDP, the entire UDP payload is encrypted. This means that an attacker cannot easily determine if the traffic is in a known format (such as RTP) or a custom format implemented by ICE. Even if the attacker correctly assumes that the payload uses a standard format like RTP, decrypting it becomes significantly more difficult because:
* The RTP headers are encrypted.
* Each packet is preceded by a unique initialization vector, increasing the complexity of cryptanalysis.
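The scheme described above, as an added Go example that is not ICE's own code: the whole UDP payload, RTP header included, is encrypted with AES-256-CBC and a fresh random IV is prepended to each packet. The PKCS#7 padding, the fixed demo key and the RTP-like sample packet are assumptions; the page does not specify ICE's padding or framing.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptPayload encrypts the whole UDP payload (RTP headers included) with AES-256-CBC and
// prepends a fresh random IV. PKCS#7 padding is an assumption; the page does not name ICE's scheme.
func EncryptPayload(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(payload)%aes.BlockSize
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded)) // wire format: IV || ciphertext
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptPayload reverses EncryptPayload; a wrong key or a tampered packet surfaces as a padding error.
func DecryptPayload(key, pkt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pkt) < 2*aes.BlockSize || len(pkt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("packet length %d is too short or not block-aligned", len(pkt))
	}
	plain := make([]byte, len(pkt)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, pkt[:aes.BlockSize]).CryptBlocks(plain, pkt[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding: wrong key or tampered packet")
	}
	return plain[:len(plain)-pad], nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real keys come from the channel configuration
	rtp := []byte{0x80, 0x00, 0x12, 0x34, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef, 'h', 'i'} // constructed RTP header + payload
	a, _ := EncryptPayload(key, rtp)
	fmt.Printf("RTP version bits: plaintext=%d, on the wire=%d (random)\n", rtp[0]>>6, a[aes.BlockSize]>>6)
}
```

Because the IV changes per packet, two encryptions of the same RTP frame never produce the same bytes on the wire, and the RTP version field that would otherwise identify the format is hidden inside the ciphertext.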
When traffic is transmitted over TCP, such as in client connections to Rallypoints or between Rallypoints in a mesh network, it is secured using TLS 1.3. This TLS encryption adds an extra layer of security on top of any existing channel encryption. Therefore, if a channel's traffic is encrypted and flows through TLS, it becomes double-encrypted in transit.
Important: ICE generally treats all traffic as packets transmitted over UDP. Even if packets are sent over TCP, ICE processes them as if they were UDP. Essentially, ICE views TLS connections as secure tunnels, similar to VPN connections, through which regular UDP traffic is transmitted as a TCP stream.