[libnice] Force an external address (srflx) candidate?

Tue Oct 20 19:29:03 UTC 2020

Hi,
The thing is that the external address might be the same. But on very
new connection, the port will be different. And we have no way what
kind of mapping from internal to external port the router will chose.
>From what I understand, it is even recommended to router manufacturer
that they randomize the external port to try to make it harder for
attackers to guess the next port.
So even if we remebered the external address, it wouldn't help so much.
What can help, is to build libnice with UPnP support. This way, the
external address can be retrieved over the LAN and this is very quick.
We could also implement NAT-PMP, which is what Apple routers use. But I
don't know if this is common anymore.
Olivier
On Tue, 2020-10-20 at 17:42 +0000, Stuart Marshall wrote:
> I like the idea of doing just one STUN request to avoid the many
> semi-duplicate candidates.
> 
>  
> 
> Another interesting thing to think about is that in most cases (99.9%
> ish) the STUN query is going to return the same result as last time.
> In most cases the host computer has not moved networks and the
> external address has not changed.
> 
>  
> 
> What if libnice could remember the previous external address and lead
> with that as a candidate. Libnice could still do one (or more) STUN
> queries to check if the external address has changed. But starting
> with the previously known external
>  address could speed up connection a lot.
> 
>  
> 
> The challenge is “how to remember the previous external address”.
> Libnice lives in somebody’s process and on some random host computer.
> Libnice might be completely shut down in-between uses, even if the
> process keeps running.
> 
>  
> 
> What if libnice remembered the previous external address somewhere in
> process space. If the process shuts down the knowledge is lost. But
> if the process keeps running (e.g. a server or a long running
> browser) then the external address is
>  remembered. Is there a cross-platform place to stash data?
> Environment variables might work. A persistent background thread
> might work.
> 
>  
> 
> The reason I suggest optimizations like this is customer experience.
> I see chrome to gstreamer establish connections in less than a
> second. Gstreamer to gstreamer often takes much more time – easily
> five seconds plus.
> 
>  
> 
> Stuart
> 
>  
> 
> 
> From:
> nice <nice-bounces at lists.freedesktop.org>
> 
> Date: Monday, October 19, 2020 at 11:00 AM
> 
> To: Stuart Marshall <stuart at seelye.net>
> 
> Cc: Juan Navarro <juan.navarro at gmx.es>, nice at lists.freedesktop.org <
> nice at lists.freedesktop.org>
> 
> Subject: Re: [libnice] Force an external address (srflx) candidate?
> 
> 
> 
> Hi Stuart,
> 
> 
> 
> On 10/14/20 at 09:22pm, Stuart Marshall wrote:
> 
> > In contrast, the ICE candidates emitted by Chrome are stunningly
> few and precise. I understand that the ICE protocols and the libnice
> implementation were/are meant to be general case. But they miss
> obvious efficiencies that can be provided by additional external
>  information. STUN servers facilitate some of that additional
> information, but introduce a dependency and more latency.
> 
> > 
> 
> > My knowledge of libnice internals is not great, but I kind of wish
> we could
> 
> > 
> 
> >   1.  Feed some particular IP candidate addresses to it,
> 
> >   2.  Tell it to skip a bunch of other candidate generation and
> testing
> 
> 
> 
> I think of some optimisations, that could help to limit the number of
> 
> candidates, without weakening the versatility of the ice method
> overall
> 
> (except in *rare* cases where the server running libnice uses source
> 
> routing, ie chooses the default route based on the source IP
> address):
> 
> 
> 
> We could use a single server reflexive candidate and relay local
> 
> candidate, per stream/component.
> 
> 
> 
> Generally, there's no gain to send a stun request from each local
> 
> interface, because all packets will reach the same stun server by the
> 
> same default route. 
> 
> 
> 
> The consequence is that we obtain <N> distinct server-reflexive
> 
> candidates from <N> distinct source IP addresses. These
> 
> server-reflexives candidates are distinct because their IP address
> will
> 
> be the same (this is our public IP address), but the port mapping
> will
> 
> be different. The same applies to turn relay candidates too
> (including
> 
> unnecessary resources reservations on the turn servers BTW).
> 
> 
> 
> To avoid that, we could for example:
> 
>   1. discard these redundant candidates when we discover them (when
> 
>   processing the discovery stun response).
> 
>   2. or more radically, just send a single stun and turn discovery
> request.
> 
> 
> 
> In case of 2. the choice of the local interface used as the base
> address
> 
> to send this unique stun/turn discoevry request is normally not
> 
> relevant, because the routing table will hopefully make these packets
> go
> 
> out by the same default route again, whatever source interface they
> come
> 
> from.
> 
> 
> 
> To summarize, I think that sending a single stun request from a
> single
> 
> network interface during gathering phase to obtain our server-
> reflexive
> 
> address is normally a cheap operation (one RTT when the thr stun
> server
> 
> is available), but what is expensive from libnice point of view is to
> 
> deal with many identical reflexive/relay candidates during the
> 
> connecting phase, because it creates many possibilities to be tested.
> 
> And the more possibilities we have to test, the more time it takes to
> 
> complete.
> 
> 
> 
> Best wishes,
> 
> 
> _______________________________________________nice mailing 
> listnice at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/nice
-- 
Olivier Crête
olivier.crete at collabora.com


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/nice/attachments/20201020/0a95cf81/attachment-0001.htm>