As suggested in this thread (http://lists.freedesktop.org/archives/nice/2014-August/000944.html) I'm opening an issue about a bug I encountered.
After a successful ICE setup using libnice, apparently the NiceAgentRecvFunc callback I set is invoked for a specific component even when data is not coming from any remote candidate that was negotiated and authenticated.
To make a practical and reproducible example, I tried setting up a media session and, after a successful ICE setup, I used the nc command to send data to the port my application had selected (so random source port on the nc side). Surprisingly, the callback was notified, and the data was available, while I expected the library to ignore this external data as it was not part of the "connection" established between the two parties.
To the best of my understanding, ICE's security is intended for the short-lived negotiation, and does not extend to the session itself.
To guarantee session security, one would use something like SRTP.
Yes, but we shouldn't be accepting data from an un-authenticated peer. Last draft I checked, this was required by WebRTC, and is actually required by the ICE RFC.
Migrated to Phabricator: http://phabricator.freedesktop.org/T104
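
Added example (not libnice code and not written by anyone in this thread): a C sketch of the source-address check the report asks for, accepting a datagram only when its source matches a remote address that passed ICE connectivity checks. The names `saddr`, `addr_key`, `source_is_validated` and `mk` are hypothetical, the list of validated addresses is assumed to come from the ICE layer, and the example goes slightly beyond the report by also matching IPv4-mapped IPv6 sources as seen on a dual-stack socket.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>

typedef struct sockaddr_storage saddr;
/* Key is (16-byte IP, port); IPv4 is stored in its ::ffff:a.b.c.d form. */
static bool addr_key(const saddr *ss, unsigned char ip[16], in_port_t *port)
{
    const struct sockaddr_in *in = (const struct sockaddr_in *)ss;
    const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)ss;
    if (ss->ss_family == AF_INET6) {
        memcpy(ip, &in6->sin6_addr, 16);
        *port = in6->sin6_port;
    } else if (ss->ss_family == AF_INET) {
        memcpy(ip, "\0\0\0\0\0\0\0\0\0\0\xff\xff", 12);
        memcpy(ip + 12, &in->sin_addr, 4);
        *port = in->sin_port;
    }
    return ss->ss_family == AF_INET || ss->ss_family == AF_INET6;
}

/* True only if src is one of the n addresses validated by connectivity checks. */
static bool source_is_validated(const saddr *src, const saddr *ok, size_t n)
{
    unsigned char a[16], b[16];
    in_port_t pa, pb;
    bool known = addr_key(src, a, &pa);
    for (size_t i = 0; known && i < n; i++)
        if (addr_key(&ok[i], b, &pb) && pa == pb && memcmp(a, b, 16) == 0)
            return true;
    return false;
}

/* Constructed-input helper: literal IPv4/IPv6 text plus port -> sockaddr. */
static saddr mk(const char *ip, unsigned short port)
{
    saddr ss = {0};
    struct sockaddr_in *in = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
    if (inet_pton(AF_INET, ip, &in->sin_addr) == 1) {
        ss.ss_family = AF_INET;
        in->sin_port = htons(port);
    } else if (inet_pton(AF_INET6, ip, &in6->sin6_addr) == 1) {
        ss.ss_family = AF_INET6;
        in6->sin6_port = htons(port);
    }
    return ss;
}
```

A receive path would call `source_is_validated()` on the address returned by `recvfrom()` before handing the payload to the application callback; a sender on the same host but a different source port (the nc case above) is rejected because the port is part of the key.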