Hi all,
In the current configuration, plain UDP transports use the same port range configuration of WebRTC transports. In some scenario, it will be useful to select a different port range for plain UDP connections that are not using DTLS encryption in order to prevent man-in-the-middle attacks (using ad-hoc firewall configurations and/or other filtering techniques).
I’m digging into the code and the best way I found is modifying RTC::UdpSocket and RTC::PortManager and defining an additional plain property and using two new configuration options (plainMinPort and plainMaxPort).
Any comments/suggestions about this?
Edit:
Here you can find a first experimental implementation: GitHub - vpalmisano/mediasoup at custom_plain_ports
The plainMinPort and plainMaxPort options can be set to 0 to use the same port range defined by rtcMinPort and rtcMaxPort. Instead, in order to use a different port range, plainMinPort and plainMaxPort should be set to a different port range, not overlapping with rtcMinPort and rtcMaxPort.
I don’t like the idea of adding this kind of specific settings just for a specific transport. We may instead pass an optional port-range to createXxxTransport() (instead of passing them to the Worker) but that’s a huge change and honestly we cannot implement it now. It’s a good idea for v4 BTW.
My idea was using one port range for secure connections {secureMinPort, secureMaxPort} and another (optional) for unsecure connections {unsecureMinPort, unsecureMaxPort}, however changing the current configuration naming would be a breaking change for v3.
We may instead pass an optional port-range to createXxxTransport() (instead of passing them to the Worker ) but that’s a huge change and honestly we cannot implement it now.
Using this approach we should track the ports ranges passed to createXxxTransport() for avoiding port collisions between transports created across different workers.
Same happens already when the user creates many Workers. Port range conflicts may happen. Not new. It’s up to the app to properly distribute available ports.