►
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Hello:
everyone,
I'm
martin
ziemann
working
at
protocol
labs
in
the
on
on
lippy2b,
and
I
want
to
bring
bring
in
this
talk.
I
want
to
talk
about
the
p2p
and
what
options
we
have
there
to
improve
the
connectivity
situation
across
across
the
network,
and
this
is
mostly
mostly
focusing
on
browsers,
because
this
is
where
libido.
B
A
Doesn't
perform
as
well
at
the
moment,
so
in
general.
What
is
the
libi2p
connection?
It's
a
point
point-to-point
connection
between
two
libid2p
nodes
since
there's,
no
one-size-fits-all,
as
we
will
see
later,
each
lippy2p
host
has
offers
different
connection
options.
They
are
encoded
in
multi-addresses.
A
in
general.
The
p2p
connections
are
encrypted.
We
run
a
security
handshake
and
we
have
multiple
options.
There.
We
use
noise
and
tls
1.3
that
bring
that
gives
us
well.
First
of
all,
an
encrypted
connection
and
knowledge
of
the
remote
psid.
A
After
a
connection
is
encrypted
after
a
tcp
connection
is
encrypted,
we
apply
a
stream
multiplexer,
something
like
yamax,
mplex
or
hopefully
soon,
something
something
better
than
that
for
quick.
We
don't
need
to
do
do
all
of
this,
because
quick
connections
are
encrypted
and
and
stream
multiplexed
on
the
transport
level.
A
So
this
this
table
shows
shows
the
connection
options
that
we
have
so
I've
been
talking
about
tcp
and
quick
and.
C
A
A
A
This
is
a
problem
for
us,
because
we
want
to
connect
browsers
to
go,
live,
p2p
nodes.
Imagine
browser
wants
to
go
to
the
dht
and
find
where,
where
a
certain
file
is
a
certain
cid
is
and
then
download
it
from
there.
A
A
A
The
special
websocket
upgrade
http
request,
and
if
the
server
agrees
to
this,
this
basically
means
like
we
are
not
doing
http
anymore.
We
are
now
using
the
raw
tcp
underlying
tcp
connection
from
that
moment
on
and
there's
also
a
way
to
do
this
over
http
2.
So
you
can
have
you
can
have
multiple
streams
on
top
of
or
with
the
same
connection.
A
The
problem
with
this
is,
we
can
use
this
in
in
the
p2p,
but
the
browser
will
enforce
the
enforce
encrypted
connections.
A
So
if
you
loaded
a
website
via
https,
which
is
basically
every
website
that
you
load
nowadays,
the
browser
won't
will
just
not
let
you
establish
a
websocket
connection
you
need
to,
and
this
is
the
error
that
you
get
when
you
do
it.
When
you
try
to
do
it,
you
need
to
do
a
web
socket,
secure
connection.
A
The
problem
for
lippy2p
is
our
nodes,
usually
don't
have
certificates
well,
we
do
have
certificates,
but
we
have
self-signed
certificates
and,
of
course
the
browser
will
not
trust
a
self-signed
certificate.
A
browser
will
require
a
certificate
from
from
a
ca
that
it
trusts.
Let's
say:
let's
encrypt,
you
can
get
those
let's
encrypt
certificates
for
free,
but
you
need
the
domain
name
to
get
them.
Let's
encrypt
doesn't
issue,
it
doesn't
issue
certificates
for
ip
addresses,
so
it's
feasible
for
some
nodes
in
our
networks
to
get
a
domain
name
like.
A
If
you
are
an
operator
like
a
pinning
service
or
something,
then
you
probably
already
have
a
domain
name.
You
probably
also
already
have
a
tls
certificate
and
you
can
use
that
for
your
websocket
connection,
there's
an
option
in
the
p2p
where
you
pass
in
the
dls
config
and
your
node
will
be
reachable
via
secure
web
sockets.
A
A
There's
another
problem
with
this
approach
and
it's
the
number
of
round
trips
it
takes.
So
if
we,
if
we
count
them,
we
do
one
tcp
handshake
takes
a
roundtrip.
We
do
a
tls
handshake
takes
another
round
trip.
We
do
the
websocket
upgrade
http
request
takes
a
round
trip.
We
then
negotiate
the
security
protocol
for
the
lib
p2p
handshake
takes
another
round
trip.
We
do
that.
We
do
that.
Handshake
takes
another
round
trip.
We
then
negotiate.
Amplex
or
yamax
takes
yet
another
round
trip.
So
we
are
at
six
round
trips.
A
We
can
optimize
this
a
little
bit
with
protocol
select.
I
don't
want
to
go
into
detail
details
about
this.
This
might
save
us
two
network
routers,
but
we
are
still
at
four
run
trips,
which
is
quite
a
bit
and
we're
doing
double
encryption
here,
because
the
tier,
the
the
underlying
tcp
connection
is
encrypted,
and
then
we
run
noise,
noise
or
another
tls.
On
top
of
that,
and
double
encryption
obviously
is
not
great
for
for
performance.
A
A
I
haven't
looked
into
this
in
in
detail,
but
this
might
be
a
way
to
a
way
to
move
this
forward.
So
let's
look
at
web
transport.
Web
transport
is
a
new
protocol,
there's
not
even
an
rfc.
Yet
it's
at
the
it's
under
development
at
the
itf
there's
a
there's,
a
web
transport
working
group.
A
It
is
you
get
like
conceptually,
you
can
think
of
it
as
websocket,
but
done
over
quick.
So
you
get
a
lot
of
the
benefits
of
of
quick
right
out
of
the
box.
Yes,
stream
multiplexing,
you
have
a
very
fast
handshake.
You
have
quick
advanced
loss,
recovery
and
and
congestion
control.
A
A
It
does,
however,
have
the
same
same
security
requirements
from
the
browser
side.
The
browser
also
wants
to
see
a
certificate
that
it
can
trust,
at
least
that's
what
we
thought
january
this
year,
which,
which
is
why
we
thought
like
okay.
This
will
be
like
the
same
fringe
use
case
that
we
have
for
websocket,
not
very
interesting
for
the
p2p,
but
then
the
w3c
changed
the
standard
and
they
said
we
we
want
to.
A
And
this
is
exactly
what
we
need
for
lip
p2p
right.
We
have.
These
multi
addresses
that
we
can
encode
stuff
into
so
now
we
can
have
an
a
web
transport
address.
That
doesn't
only
say
like
this.
Is
this
ip
address
and
this
port,
but
we
can
also
say
like
this:
node
has
the
following
hash,
and
here
we
have,
we
can
specify
two
hashes.
A
Well,
actually
you
can
in
the
multi
address
you
can
specify
as
many
hashes
as
you
want,
because
web
transport
does
post
some
some
restrictions
on
the
certificate
that
you
can
use.
As
I
said
earlier,
this
is
intended
for
short
lived
for
short-lived
vms,
so
one
of
the
things
that
the
browser
will
do
when
it
gets
the
certificate,
it
will
not
only
verify
the
hash
of
the
certificate.
It
will
also
verify
that
it's
not
rsa,
okay,
fine,
we
can.
A
We
can
do
that,
but
it
will
also
say,
like
the
certificate
cannot
be
long
valid
for
longer
than
14
days,
which
means
if
we
want
to
build
this
into
lib
p2p,
and
we
have
nodes
that
run
a
lot
longer
than
just
14
days.
We
will
need
to
rotate
the
certificate
while
the
node
is
running
to
keep
us
accessible
via
web
transport.
A
So
the
idea
is
to
to
generate
one
certificate
valid
for
the
first
14
days
and
another
certificate
for
the
next
14
days
and
then
after
14
days,
you
switch
over
the
certificate
and
generate
a
new
one,
and
and
as
long
as
the
browser
got
the
the
addre,
it
got
your
address
less
than
14
days
ago.
It
will
be
able
to
connect
to
you
no
actually
less
than
well
between
14
and
28
days.
A
A
Then
we
have
another
round
trip
for
the
web
transport
request,
and
then
we
have
one
round
trip
for
the
noise
handshake
that
we
run
on
top
of
that
web
transport
stream.
We
need
to
do
this,
this
noise
handshake,
because
we
need
to
make
we
need
to
to
learn
about
the
pspr
id
and
in
this
noise
handshake.
This
is
the
first
time
we
can
actually
control
the
certificate
that
that
we
are
well.
A
A
It
should
be
possible
to
run
step
two
and
three.
At
the
same
time,
the
specification
allows
it
but,
as
I
said
like,
this
is
still
the
itf
is
still
working
on
this
protocol,
and
the
browser
manufacturer
is
also
still
working
on
this
protocol.
So
at
the
moment
it
takes
three
round
trips,
but
in
principle
it
should
be.
It
should
be
possible
to
to
do
a
step
two
and
three
at
the
same
time,
which
would
bring
us
down
to
just
two
network
round
trips
to
have
a
fully
functioning
p2p
connection
set
up.
So
this
is
huge.
A
A
A
A
A
A
It's
basically
just
a
long
description.
Saying
like
these
are
my
addresses.
These
are
my
audio
codecs.
These
are
my
video
codecs
that
I
support
and
the
two
nodes
need
to
exchange
those
sdps
and
once
they've
done
that
they
will
webrtc
will
establish
the
connection
punching
through
through
firewalls,
if
necessary
and
at
the
end
returning
you
a
webrtc
connection,
the
weber.
So
we
we
kind
of
have
a
checking
and
act
problem
here
right.
A
A
A
limited
relay
is,
as
the
name
says,
it's
it's
a
relay
that
is
willing
to
transfer
a
limited
amount
of
data
for
a
limited
amount
of
time,
it's
very
cheap
to
run
a
limited
relay.
So
if
you
start
a
lip
p
to
p
node
and
that
lipitor
p
node
is
detects
that
it's
in
a
public
position
not
behind
a
firewall,
it
will
start
that
relay
service
and
other
nodes
can
use
it
then.
A
A
In
the
browser,
how
do
you?
How
do
you
establish
the
a
webrtc
connection?
You?
You
need
to
generate
your
own
certificate
and
since
webrtc
is
built
as
a
peer-to-peer
protocol
made
for
video
conferencing,
there's
no
certificate
check
like
you,
don't
need
you
don't
need
to
see
a
site
certificate.
Unfortunately,
the
api
is
kind
of
limited.
The
only
thing
that
you
can
pass
into
the
generate
certificate
function
is
a
key
key
generation
algorithm,
so
we
can't
encode
the
peer
id
into
the
certificate.
A
A
So
this
is
also
also
getting
getting
specified
and
worked
on
right.
Now
we
are
expecting
to
to
have
something
to
show
in
the
next
next
couple
of
months.
I'm
pretty
excited
about
this.
All
of
the
work
is
happening
in
in
our
specs
like
to
to
make
any
changes
in
lib
p2p.
We
first
need
to
make
a
spec
change.
Then
we
write
the
code.
So
if
you
want
to
get
involved,
the
specs
repository
is
the
best
way
and
with
that
I
thank
you
for
your
attention.
D
Thank
you
for
the
talk
I'm
wondering
so
with
web
transport.
Do
we
still
have
the
same
problem
as
web
sockets,
namely
double
encryption?
That
is,
the
web
transport
encryption
and
the
noise
encryption?
We.
A
Don't
because
we
can
use
that
certificate
to
make
sure
that
there's
we
can
use
the
certificate
hash
to
make
sure
that
there's
no
man
in
the
middle
in
the
connection.
So,
if
you
think
about
what
would
happen,
if
there
was
a
man
in
the
middle
and
con
in
the
connection,
then
we
would
have
a
different
certificate.
Hash.
B
A
So
we
run
the
noise
handshake,
which
gives
us
first
the
pr
ids,
but
then
on
this
noise
noise
handshake.
We
also
send
the
certificate
hash,
so
the
server
will
see
if
the
certificate
hash
that
the
client
has
got
out
of
this
handshake
matches
the
certificate
that
it
actually
owns,
and
it
will
not
accept
the
connection
if,
if,
if
there's
a
mismatch,
so
we
run
this
handshake
once
on
the
first
stream
and
as
soon
as
this
handshake
completes,
we
know
there's
no
man
in
the
middle.
In
the
connection,
we
know
the
peer
ids.
A
We
can
just
use
the
raw
web
transport
streams
after
that.
D
And
if
it's
okay,
another
question
you
mentioned
so
with
webrtc
that
you
essentially
one
of
the
advantages
that
we
have
is
that
we
have
these
leap,
p2p
hosts
and
they
have
this
kind
of
like
limited
relay
functionality,
which
we
can
now
use
to
exchange
these
sdps
right,
yes,
is
the
limited
relay
functionality.
Is
that
essentially,
what
is
used
for
circuit
relay
v2?
D
Yes,
and
does
that
mean
that
we
can
now
use
all
of
these
lead
p2p
hosts
to
do
the
whole
punching
for
webrtc,
okay
running
in
the
browser,
essentially
so
browser
to
browser?
They
can
just
rely
on
this
whole
swarm
of
leap
to
p
hosts,
yes
to
do
the
hole
punching.
A
Well,
not
to
do
the
hole
punching,
so
this
is
a
little
bit
technical.
We
use
those
nodes
running
the
circuit
v2
protocol,
as
you
said,
to
do
the
hole
punching
between
gold,
b2p
and
rusty
p2p
nodes
for
webrtc.
We
don't
need
to
do
the
whole
punching
ourselves.
In
fact,
we
can't,
because
this
is
all
inside
the
webrtc
stack
webrtc
that
comes
with
hole,
punching
capabilities,
and
we
can't
just
go
to
the
browser
and
say
like
no,
we
do
our
own
hole
punching
disable
your
whole
punching,
there's
no
api
for
that.
A
D
A
E
E
F
Good
stuff,
martin,
a
couple
quick
questions
your
table
earlier
had
web
transport
is
the
red
x,
but
there
are
some.
Can
you
explain
the
browser
implementation
story?
Oh
sorry,.
B
A
At
the
moment,
only
only
chrome,
well,
you
need
to
distinguish
between
web
transport
and
web
transport
with
the
server
certificate.
Hashes
service
certificate
hashes
has
been
implemented
in
chrome
since,
like
april
or
may
this
year,
the
other
browsers
are
still
working
on
their
web
transport
implementation.
At
the
moment,
it's
not
clear
if
they
will
implement
the
server
certificate.
Hashes
function,
at
least
for
safari.
It's
not
clear.
Firefox
has
said
like
we.
We
view
this.
A
This
whole
trend
web
transport
thing
as
like
one
specification,
and
if
we
do
web
transport
we'll
also
do
server
certificate
hashes
and
for
apple.
Well,
you
know
it
after
they
ship.
A
Yes,
so,
as
I
said,
specification
is
the
the
best
way
to
to
to
get
started.
We
also
need
need
help
with
the
implementation
there's
all
for
for
webrtc.
For
web
transport,
there
is
a
pull
request
for
webrt
rtc,
there's
a
pull
request
since
today
for
jsli
p2p.
A
We
also
need
help
with
the
implementation
for
for
for
web
transport
and
for
webrtc.
So
if
you
want
to
get
involved,
now
is
a
good
time.
B
I
heard
that
there
was
this
spec
in
the
works
for
giving
raw
tcp
and
udp
access.
Is
that
something
that
is
on
your
radar?
Slash
actually
happening,
slash
potentially
useful
for
the
p2p.
E
Is
there
a
path
forward
for
like
yeah
like
browser
to
browser
peer-to-peer
stuff
without
an
internet
connection
and
yeah
like
yeah,
I
guess
that's
the
question
and
or
with
maybe
some
hub
in
the
room
that
doesn't
have
a
global
internet
connection.
How
do
you
see
like
putting
these
together
to
make
that
work,
or
is
that
still
down
down
the
line
so.
A
So
browser
to
browser
requires
webrtc,
as
I've
explained,
I'm
not
sure
if
the
if
the
webrtc
protocol
allows
you
to
to
use
something
like
mdns
like
this
is
what
what
we're
using
for.
C
A
E
B
A
Stp,
if
the
question
was,
if
you
can
have
a
business
card
with
your
with
your
sdp,
like
encoded
in
a
qr
code
or
so
so
so
the
the
sdp
contains
your
ip
address.
So
as
long
as
you
have
a
static
ip
address,
it's
possible.
But
if
you
are
in
a
home
network,
you
probably
don't,
but
you
could
configure
your
router.