feat: stun protocol & stun connection

[lchenut]

Presentation

This PR is a part of the stack to create the nim-libp2p webrtc-direct transport (defined here: https://github.com/libp2p/specs/blob/master/webrtc/webrtc-direct.md)
We implement a small version of the STUN protocol following https://datatracker.ietf.org/doc/html/rfc5389
As the RFC tells us: STUN serves as a tool for other protocols in dealing with NAT traversal, thus we also implement a small version of the ICE Lite protocol following https://datatracker.ietf.org/doc/html/rfc8445.

The STUN protocol reads and writes from the UdpConn. All the received STUN messages are treated as such and answered directly, all the other received messages are queued to be read by the underlying DTLS protocol.

Stun protocol

As said above, this STUN implementation isn't complete. At the moment of writing this PR, we are only interested in implementing the server part of the webrtc-direct transport. We will reconsider and improve the implementation when vacp2p/nim-libp2p#409 is addressed or if the webrtc-direct spec changes, for example. But for now on, there are some part missing.

Non-exhaustive list of what is missing:

• REALM and NONCE attributes (no authentification/security process described in the webrtc-direct spec)
• Retransmissions (client side, we only implement the server)
• Shared secret Request/Response/Error (again nothing described in the spec)

ICE Lite protocol

For the same reasons as to why the STUN protocol isn't fully implemented (and because it's in the webrtc-direct spec), we use the Lite implementation of ICE. And again, only the server (ICE-CONTROLLED) side. As the server in the webrtc-direct transport must be publicly available, the Lite version should be sufficient.

[diegomrsantos]

is this queue unbounded?

[lchenut]

Yes, those two queues are unbounded.

[diegomrsantos]

should they be?

[lchenut]

There's nothing in the RFC saying anything about this. And I'm not confident enough to say There should be a limit and this limit is this number. So I leave things as they are because of my uncertainty.

[diegomrsantos]

I'm not sure this is something always mentioned on specs, but I believe there should always be a limit to avoid memory DoS attacks. See more in https://github.com/libp2p/rust-libp2p/blob/master/docs/coding-guidelines.md#bound-everything.

[lchenut]

done

[diegomrsantos]

What does "might be a false positive" mean? Not a Stun message? Why is it moved to the dataRecv queue?

[lchenut]

Basically, there's a first check with the raw data (without decoding) where we check different things (the size of the message, the presence of the magic stun cookie etc...). When the incoming message is sorted, we can decode it. If something is wrong with the Fingerprint, it can means that it is, in fact, not a Stun Message but a message for another protocol. And the RFC specifies this by saying :

   The FINGERPRINT attribute can aid in distinguishing STUN packets from
   packets of other protocols.  See [Section 7](https://datatracker.ietf.org/doc/html/rfc8489#section-7).``` 

[diegomrsantos]

Can you briefly describe it in the comment and add the link? Why is it moved to the dataRecv queue?

[lchenut]

Why is it moved to the dataRecv queue?

Because StunConn uses two queues for received messages:

• one for Stun Messages stunMsgs which are decoded/answered/etc... in stunMessageHandler
• one for the others protocols dataRecv (in the case of the WebRTC stack, it's DTLS messages), which are popped from the queue when read is called.

And, if the Fingerprint is wrong, it could be a false negative, which mean, it's not a Stun Message, but probably a DTLS message, thus it should be in dataRecv and not in stunMsgs

[diegomrsantos]

It should be new as StunConn is a ref.

[lchenut]

done

[diegomrsantos]

Should we close the underlying UDP conn?

[lchenut]

Udp conn is a really bad name, it should be Udp Transport, I might change this in another PR.
But no, UdpConn is closed only when we close the Stun transport

[diegomrsantos]

should it be the last line?

[diegomrsantos]

Or maybe having a closing and closed, but not sure.

[lchenut]

I changed it, but as the proc is synchronous, it doesn't change anything

[diegomrsantos]

it is supposed to return a seq, but I believe it doesn't return anything, potentially nil.

[lchenut]

What do you mean? I initialize result. It definitely returns a seq.

[diegomrsantos]

I find it confusing. There are 3 different ways of returning in Nim and it's used arbitrarily.

[diegomrsantos]

I'd recommend to avoid result and use explicit returns unless you have a very strong preference for that.

[lchenut]

Hum.... I like result actually, it's a neat tool

[diegomrsantos]

I find it unusual and harder to reason. Another reason is that it is used arbitrarily in the procs. I believe it is better to follow the same pattern.

[diegomrsantos]

Looks great! Amazing job. Thanks for addressing the comments and delivering this.