Comments (14)
The following things need to be validated on each incoming message:
Source byte
Only applicable to signaling nonces
- During server handshake:
- Assert that source byte is
0x00
(server)- During peer handshake:
- Assert that source byte is
0x00
(server), or...- ...as initiator:
- Assert that the source byte is in the range
0x02-0xff
(responder)- ...as responder:
- Assert that the source byte is
0x01
(initiator)
Looking good so far.
- After peer handshake:
- Assert that the source byte is the peer address
I don't understand the difference between during peer handshake and after peer handshake. Could you elaborate?
Receiver byte
Only applicable to signaling nonces
- Before receiving the
server-auth
message:
- Assert that the receiver byte is
0x00
(undefined)- For the
server-auth
message:
- Store the receiver byte as own address
- After an address has been assigned in the
server-auth
message:
- As initiator:
- Assert that the receiver byte is
0x01
(initiator)- As responder:
- Assert that the receiver byte always corresponds to the own address
Correct!
CSN
- The CSN is stored separately per signaling receiver or secure data channel, as per #30 (comment)
Basically per endpoint, yeah.
- On first message:
- The overflow number must be 0
- Store the CSN
Additionally, SN SHALL also be random.
- On each subsequent message:
- The CSN must be higher than the previous CSN
Cookie
- Assert that the server/peer cookie hasn't changed
Yes.
Open issues
- Is it enough to validate that the CSN is higher than before, or should we also check that the increase is within a predefined range?
Incremented by 1. Nothing else is acceptable as this is a reliable and ordered channel. Note, that we're assuming here that there is no message in between a client-to-client message that produces a 'send-error' and a following message. However, 'send-errors' are only recoverable during handover stages anyway.
Close the issue if there are no further questions. :)
from saltyrtc-meta.
I don't understand the difference between during peer handshake and after peer handshake. Could you elaborate?
During the peer handshake, a message can come from any responder in the valid responder range. After the peer handshake, only the "chosen" responder may be the source. Right?
Additionally, SN SHALL also be random.
That's not something we can validate.
Incremented by 1. Nothing else is acceptable as this is a reliable and ordered channel. Note, that we're assuming here that there is no message in between a client-to-client message that produces a 'send-error' and a following message. However, 'send-errors' are only recoverable during handover stages anyway.
So should we handle things differently before and after handover?
from saltyrtc-meta.
During the peer handshake, a message can come from any responder in the valid responder range. After the peer handshake, only the "chosen" responder may be the source. Right?
I think the initiator should always accept messages from other responders. What if the currently authenticated responder's connection dies and it reconnects immediately? It'll be assigned a different identity. And if the initiator would not react to its messages, it would have to wait until it realises the previous connection is dead (e.g. by a send-error
or not at all for a long time if there is nothing to send).
Additionally, SN SHALL also be random.
That's not something we can validate.
Indeed. But from the sender's side. :)
So should we handle things differently before and after handover?
What do you think?
from saltyrtc-meta.
What do you think?
Is there any downside to always checking that a) the counter is higher and b) the increment is < e.g. 16? The important thing is that the CSN is never reused. Package loss should not occur when using reliable transport protocols (unless when we do the handover, but there we have the send-error messages).
from saltyrtc-meta.
Yeah, I think so too. So, no change. Also, the current spec in the task-webrtc
branch states that the same CSN of the original signalling channel will be transferred and reused by the wrapped data channel of the handed over signalling channel.
from saltyrtc-meta.
So, no change.
No, currently the spec says that the CSN must be increased exactly by 1.
from saltyrtc-meta.
Oh, sorry, I thought you meant the behaviour (e.g. handle things of the CSN differently before and after handover - to which we, I think, both agree the answer is no).
Yeah, the spec says +1
and I think that's the way it should be as the channel is reliable and everything else would indicate that the implementation is broken.
from saltyrtc-meta.
Then again, you're right... that's a problem when a wrapped data channel is unordered.
from saltyrtc-meta.
Not just that, but when doing the handover to an ordered data channel, old packets that have still been sent to the websocket may get lost. If 1 packet gets lost, then the first message to the data channel will have a CSN incremented by 2 (as seen by the peer).
from saltyrtc-meta.
Right. That makes the CSN validation rather tricky. So, since we need a sliding window of the CSN for unordered/unreliable wrapped data channels, we might as well apply that sliding window technique to the original signalling channel as soon as the task kicks in. Thoughts?
from saltyrtc-meta.
Thoughts?
Same as before - is there any downside to applying a sliding window from the beginning? If yes, I'm fine with switching logic as soon as the task kicks in. If not, let's just go with a sane default, e.g. sliding window of 16.
from saltyrtc-meta.
Having a sliding window for a reliable signalling channel doesn't make sense to a bright reader that hasn't read the WebRTC task spec yet - then again he needs to implement it anyway to support that task or have a VERY flexible implementation. Personally, I want to have the strict validation as it is a good indicator for bugs in new implementations.
I think we should be a little teasing here and state in the spec that a sliding window technique for the CSN MUST be used but that the window size is 1
until a task decides otherwise 16
and done.
from saltyrtc-meta.
Fair enough :)
from saltyrtc-meta.
The sliding window sounded fairly easy but is an utter pain to implement, not to mention describing it in the specification. So, this is what I have in mind:
- Leave the CSN validation as it is in the protocol spec
- Disable CSN validation for wrapped data channels in the WebRTC task protocol spec
- Add a
handover
message to the WebRTC task. Before this message, no message shall be received on the wrapped data channel for the signalling. After this message, no message shall be received on the original signalling channel. Both clients can close the original signalling channel after both have sent ahandover
message. No lingering needed. - Drop re-sending completely after a
send-error
. Asend-error
is not recoverable and just exists to ensure a reliable communication channel. This way we can completely avoid the headache of unordered messages on the signalling channel.
from saltyrtc-meta.
Related Issues (20)
- Specify recommended exchange message HOT 4
- Post-Release-List HOT 7
- Handover Data Race HOT 1
- End of Candidates HOT 16
- Handover Disable Request HOT 3
- Inconsistency regarding handling of inactive responders HOT 3
- Candidates message example needs update
- Maximum message size can be dropped
- Maximum message size is u64 and may be 0 HOT 1
- ufrag renamed to usernameFragment HOT 1
- onIceCandidatesRemoved HOT 5
- Explain Identity HOT 2
- Accepting message sources other than 0x00 HOT 2
- Msgpack type for binary data HOT 2
- Non-binary websocket messages HOT 1
- Remove send-error message HOT 4
- What is close code 3003 "Handover of the Signalling Channel" being used for? HOT 2
- SaltyRTC and Verifpal HOT 2
- Questions about the protocol HOT 11
- Inconsistency (or unclear text) wrt. closing with an authenticated client. HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from saltyrtc-meta.