RTCIceTransport.getRemoteCandidates() does not return prflx candidates #2124
Comments
|
prflx candidates were not surfaced to JS in the past so this requires some thoughts. WebRTC stats do expose them somehow but it is mandated to not expose https://w3c.github.io/webrtc-stats/#dom-rtcicecandidatestats-address for privacy reasons. getSelectedCandidatePair() might expose prflx candidates. With some work, we could probably return prflx candidates as part of getRemoteCandidates(). What is the motivation/usecase for adding prflx candidates? |
|
Good questions. The most important part of a prflx candidate (the IP address) is readily observable to anyone with access to the network - but JS generally doesn't have that. It seems obvious that seeing a candidate in stats or in the active candidate pair, and then not finding that candidate in getRemoteCandidates, is going to be puzzling to users who expect logical consistency between these candidate sets. So we can either spend resources explaining the inconsistency, or find a consistent way of representing prflx candidates wherever candidates are listed. |
|
We need to be careful to not expose IP addresses that have been hidden via the use of mDNS. Otherwise, one could create two peer connections A and B:
Unless I've missed a mechanism in the mDNS draft (such as an additional STUN attribute). I guess we could just always anonymise/remove IP addresses from prflx candidates before handing them out in stats or any other API surface. |
|
I'm trying to understand the threat model here. This might prevent JS from learning about a prflx, but does this really make a difference if you control the ICE agent, or the STUN/TURN servers, or the web server, or any other network element that the browser sends packets to? Am I missing something here? |
|
With my example, you would not need to control any network element and could learn private IP addresses by just creating two |
|
Ok, so the threat model here is that you have a host candidate leaked to JS by having two PCs created on the same browser, and using mDNS. mDNS allows STUN transactions to succeed on host candidates without any host candidates being trickled, so we want to hide them from JS. I can see the value of hiding this information in this case, but having non-obfuscated prflx candidates available in the stats API for the general case is probably important. |
I'm wondering: Is there a concrete use case that would require this? |
Did we have a concrete use-case in mind when we specified ICE candidate stats? If so, that's the use-case you're looking for. If not, well... shrug |
|
Good question! I pass that on to the stats experts. 🙂 But to be honest, I have a feeling this might just be exposed because humans tend to like metrics. |
|
I wonder; what if we specified that when we learn about our own prflx candidates (ie; we get a STUN response that tells us about them), we trickle them as long as they don't expose any info we want to keep hidden. If we do trickle them, they end up being handled like a srflx. |
|
I can't quite follow that. Can you elaborate? In particular, I don't understand what "trickle them" means. |
|
When the browser receives a response to an ICE check, we treat the XOR-MAPPED-ADDRESS as a newly-discovered local candidate for that component, just like we would do with a response from a STUN server. We check to see whether that IP:port is one we've already discovered, and whether we want to obfuscate it. If neither of those are true, we call the icecandidate event handler with it. |
|
Thanks! How would we determine whether we want to obfuscate a |
|
By looking at the IP address, and comparing it to your local addresses. I wonder if the same checking should be performed for srflx, actually. |
|
getRemoteCandidates definition is only about candidates added through addIceCandidate. Proposal is therefore to close this issue and do the following actions:
|
|
Filed #2134 for getSelectedCandidatePair. |
|
Related PR: #2135 |
|
I don't agree. If we have candidate stats, we should be exposing prflx candidates unless there's some good reason not to. |
|
To be clear, I think it is completely reasonable to expose only the remote candidates that have been passed to addIceCandidate, and it is also reasonable to expose only the local candidates that have been signaled via the icecandidate event handler. The change that makes the most sense to me is to signal prflx via icecandidate exactly like we do srflx. |
I agree that in some cases, a prflx candidate could have been a srflx candidate, should the web app provide a STUN server. We need to do signaling of srflx candidates through the web app. |
|
I would argue that an API that only gives us some of the ICE candidate statistics isn't very useful. In my mind, the question is how we make this API useful in the scenario where there are prflx candidates. |
|
ICE candidate statistics are provided by WebRTC stats.
|
|
I don't think we ought to make exposure of a candidate to JS via stats (or stats-like stuff, eg getRemoteCandidates/getLocalCandidates) contingent on whether that candidate is part of a selected pair. |
|
@alvestrand might know more about the intent of this rule, maybe I am misinterpreting what the minimum stats production requirements are. I would separate this discussion from getRemoteCandidates/getLocalCandidates. |
|
Since |
|
Is it ok to close the issue? |
and others
The spec says getRemoteCandidates() returns the set of remote candidates passed to addIceCandidate, but prflx candidates are never passed to that interface. They are discovered via ICE. It seems that they should make an appearance in getRemoteCandidates() also.
The text was updated successfully, but these errors were encountered: