Missing information on how ICE servers are propagated to the parties #276

Open
lukasz-pyrzyk opened this issue Mar 22, 2022 · 0 comments
Labels
question Further information is requested

lukasz-pyrzyk commented Mar 22, 2022

Hi,

I'm after the first readout of the module about connectivity. I wonder what the recommendations are for sending/storing ICE servers on two parties and if they need to be the same. In the beginning, I thought that STUN/TURN servers can work independently for the different parties within the same call; for example, client1 can use the closest Twilio servers and client2, for example, Xirsys servers.

For example, I wonder about a situation where

  • client1 uses Xirsys STUN/TURN servers
  • client2 uses Twilio STUN/TURN servers
  • Or just about an edge case where client1 uses Twilio East US, and client2 West US.

However, after reading about TURN permissions it looks like it's not a good idea. In the TURN permission policy I see this paragraph:

The remote host needs to give you the IP and port as it appears to the TURN server. This means it should send a STUN Binding Request to the TURN Server. A common error case is that a remote host will send a STUN Binding Request to a different server. They will then ask you to create a permission for this IP.

Let's say you want to create permission for a host behind an Address Dependent Mapping. If you generate the Mapped Address from a different TURN server, all inbound traffic will be dropped. Every time they communicate with a different host it generates a new mapping. Permissions expire after 5 minutes if they are not refreshed.

So, it sounds like using different ICE servers may lead to a situation where client2 is unable to establish a direct connection to client1's TURN server (Twilio), because the NAT mapping is an Address Dependent Mapping to the Xirsys STUN server.

client1 <--> client1 TURN Twilio <--> srflx client2 
(failed, client2 cannot receive data from client1's TURN server because the NAT mapping is Address Dependent and it was created for Xirsys, not Twilio)

and because of that the ICE framework will be forced to use two TURN servers.
client1 <--> client1 TURN Twilio <--> client2 TURN Xirsys <--> client2

So, is using different ICE servers a risk that the connection will be handled by two TURN servers instead of only one? Is there any additional risk?

If the given situation is supposed to be avoided, is there a built-in mechanism for sending ICE servers from client1 to client2?

@mogren mogren added the question Further information is requested label Apr 5, 2022
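
The NAT and permission behaviour described in the paragraphs quoted in the issue, as an added Python model that is not part of the issue or of the project's code. It assumes the NAT filters inbound packets by the same destination-IP rule it uses for mapping, that the relay sends from the TURN server's own IP, and that a permission is keyed by peer IP; all class names, function names and addresses are constructed for illustration, and ICE's own candidate discovery is not modelled.

```python
from dataclasses import dataclass, field

PERMISSION_LIFETIME = 5 * 60  # seconds; "expire after 5 minutes" in the quoted text

@dataclass
class AddressDependentNAT:
    """Hypothetical NAT: mapping and filtering both depend on the destination IP."""
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # (internal addr, dest IP) -> public port

    def send(self, internal, dest_ip):
        """Outbound packet: reuse or create the mapping for this destination IP."""
        key = (internal, dest_ip)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.mappings[key])

    def accepts(self, src_ip, public_port):
        """Inbound packet: pass only if this port was mapped toward src_ip."""
        return any(port == public_port and dest == src_ip
                   for (_, dest), port in self.mappings.items())

@dataclass
class TurnServer:
    """Hypothetical TURN server holding permissions for one allocation."""
    ip: str
    permissions: dict = field(default_factory=dict)  # peer IP -> expiry time

    def create_permission(self, peer_ip, now):
        self.permissions[peer_ip] = now + PERMISSION_LIFETIME

    def relay_to(self, nat, peer_addr, now):
        """Relay to peer_addr: needs a live permission, then must pass the peer's NAT."""
        peer_ip, peer_port = peer_addr
        if self.permissions.get(peer_ip, 0) <= now:
            return "no-permission"
        return "delivered" if nat.accepts(self.ip, peer_port) else "dropped-by-nat"

def scenario(binding_server_ip, turn_ip, send_at=0):
    """Remote host learns its mapped address from binding_server_ip, a permission is
    created for it on the TURN server at turn_ip, then the relay sends to that address."""
    nat = AddressDependentNAT("198.51.100.7")          # constructed public IP
    turn = TurnServer(turn_ip)
    mapped = nat.send(("10.0.0.2", 5000), binding_server_ip)  # STUN Binding Request
    turn.create_permission(mapped[0], now=0)
    return turn.relay_to(nat, mapped, now=send_at)

if __name__ == "__main__":
    print(scenario("203.0.113.10", "203.0.113.10"))   # binding sent to the same TURN server
    print(scenario("192.0.2.20", "203.0.113.10"))     # binding sent to a different server
    print(scenario("203.0.113.10", "203.0.113.10", send_at=301))  # permission not refreshed
```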