[Nice] Integrity check failed (stun?)

Wed Oct 10 14:53:02 PDT 2012

Hi,

Those are 'normal'. It only means that the STUN request that was received didn't
have the proper 'password' set to it. If your component state goes to READY then
you shouldn't worry about those, even if you see those warnings on the terminal,
just ignore them. If they are the cause for a FAILED state, then it's different,
and a full log might help figure out why it happened.

As for the STUN server, that's irrelevant. A STUN server is just a server
implementing the "Binding request" of the STUN protocol (just like a TURN server
implements the "Allocate requests" using the STUN protocol). ICE itself uses
STUN requests/responses to establish connectivity, so when there's a "stun
error", it probably is coming from connectivity checks, not from the stun server
setting!
My opinion is that, if you are seeing those warnings after the component state
goes to CONNECTED or READY, then it's probably just a STUN binding request or
binding indication that is periodically sent as a keep-alive to keep the NAT
bindings open in the router. Those requests do not have the MESSAGE-INTEGRITY
attribute set (where the password credentials is used to validate authenticity
of the message) since they are not meant to be parsed/acknowledged/replied to,
they are only meant to make the router keep the connection alive, so they'd
arrive to the peer who would discard them (because of the integrity check
failing) and are thus harmless.

Hope it helps,
Youness.

On 10/10/2012 02:08 PM, Federico Kouyoumdjian wrote:
> We are now facing this message "Integrity check failed". We checked the code and
> it seems to be stun the reason.
> 
>   if (valid == STUN_VALIDATION_UNAUTHORIZED) {
>     nice_debug ("Agent %p : Integrity check failed.", agent);
> 
> or
> 
>   if (valid == STUN_VALIDATION_UNAUTHORIZED_BAD_REQUEST) {
>     nice_debug ("Agent %p : Integrity check failed.", agent);
> 
> We are using this pjsip stun server. ¿Is there any better to work with nice?:
> //stun.pjsip.org
> #define STUN_ADDR "208.109.222.137"
> #define STUN_PORT 3478
> 
> In this link it shows that from version 0.0.13 to version 0.1.0 there was a
> change in the headers so we guess that this could be the reason since we
> recently upgraded to the newer versions of libnice (currently trying with
> version 0.1.2 but also have tried with version 0.1.3, and up to the last week we
> were using version 0.0.13
> http://upstream-tracker.org/diffs/libnice/0.0.13_to_0.1.0/diff.html
> 
> This is the log of nice:
> 
> (process:19586): libnice-DEBUG: Agent 0x9c89998 : Packet received on local
> socket 15 from [186.52.163.216]:33646 (28 octets).
> (process:19586): libnice-DEBUG: Agent 0x9c89998: inbound STUN packet for 1/1
> (stream/component) from [186.52.163.216]:33646 (28 octets) :
> STUN demux: OK!
> (process:19586): libnice-DEBUG: Agent 0x9c89998 : Integrity check failed.
> 
> Thanks!
> _______________________________________________
> nice mailing list
> nice at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/nice

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/nice/attachments/20121010/9c0ca86e/attachment.pgp>