Jump to content

  • Log In with Google      Sign In   
  • Create Account

We're offering banner ads on our site from just $5!

1. Details HERE. 2. GDNet+ Subscriptions HERE. 3. Ad upload HERE.


On a scale from 1 to 10 how bad of an idea would it be to use a JSON like format for game networking?


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • You cannot reply to this topic
25 replies to this topic

#1 BinaryStorm   Members   -  Reputation: 136

Like
0Likes
Like

Posted 10 January 2013 - 02:04 PM

It's actually lua, but there's not much difference there.

 

So I'm making a turned based strategy game and it does a lot of work with lua scripts server side. I created a wrapper class that I really like to use. So far I've been using it to interact with objects in the lua environment and save and load data etc. Then I thought: 'why not just use lua to send data across the network too?'

 

I figure the biggest bottleneck would be interpreting the code at the client and that doesn't worry since each individual client won't be receiving that many messages.

 

I know it's more bulky than binary, but it seems pretty convenient. Do you think it'll have a big impact on how many users the server can support? Sorry if this is a dumb question.



Sponsor:

#2 PaloDeQueso   Members   -  Reputation: 283

Like
4Likes
Like

Posted 10 January 2013 - 02:19 PM

1: If it's truly turn based, this should be completely fine, and will make life a lot easier I'd say. I've even considering using compressed json strings for packets on real time games just because JSON rocks.


Douglas Eugene Reisinger II
Projects/Profile Site

#3 EmployeeNumber8   Crossbones+   -  Reputation: 1103

Like
0Likes
Like

Posted 10 January 2013 - 02:32 PM

I know it's more bulky than binary

 

My friend, you've answered your own question. If you can use binary, then use binary... or maybe you should try both and do some performance testing.



#4 ApochPiQ   Moderators   -  Reputation: 16079

Like
1Likes
Like

Posted 10 January 2013 - 03:31 PM

This is a severely bad idea, unless you really want malicious players to have free run of your game - both client and server.

#5 Kylotan   Moderators   -  Reputation: 3338

Like
2Likes
Like

Posted 10 January 2013 - 04:00 PM

A JSON like format - great. It will make debugging easier, that's for sure.

 

But Lua? Unless you have a Lua parser that will treat it purely as data and not try to execute it, it would be extremely dangerous. Anybody on the internet could craft some malicious Lua code and send it to your server to be executed.



#6 BinaryStorm   Members   -  Reputation: 136

Like
0Likes
Like

Posted 10 January 2013 - 04:13 PM

Didn't think about security. For what it's worth, messages would probably be executed in their own lua states, and I won't even load the standard libraries into those. I use states like that to load data.



#7 ApochPiQ   Moderators   -  Reputation: 16079

Like
3Likes
Like

Posted 10 January 2013 - 04:18 PM

What does that gain you over just transmitting data and using a simple parser to break it back out into the objects you want at each endpoint?

#8 magicstix   Members   -  Reputation: 191

Like
2Likes
Like

Posted 10 January 2013 - 06:46 PM

Why not use google protocol buffers instead? It'll be much faster and it has inter-language communication capabilities. The only drawback is the awkward build process.



#9 Buster2000   Members   -  Reputation: 1737

Like
0Likes
Like

Posted 11 January 2013 - 02:27 AM

I use json all the time for turn based networking for mobile games.  I only use simple dictionaries though.  One thing to watchout for with LUA though is if you are targeting iPhone.  I know somebody who tried sending lua scripts as part of in app purchase downloadable content and his app was rejected.



#10 Ravyne   GDNet+   -  Reputation: 7868

Like
2Likes
Like

Posted 11 January 2013 - 04:47 AM

Agreed on the security angle, however you should have more robust security in place than simple obscurity. What people seem to be worried about is, whatever protection scheme you have, the consequences become really dire, really immediately, if you're sending executable instructions around.

 

However, if you're truly using lua as a data-passing layer only, it probably wouldn't be too difficult to write a parser for that subset of the language (which would allow you continue using it as you are), convert to JSON (at least maintain ease of debugging), or use some other compact format, even binary.



#11 KnolanCross   Members   -  Reputation: 1336

Like
0Likes
Like

Posted 11 January 2013 - 07:35 AM

The points are:

- Worse performance

- Away higher bandwith consuption.

- Easier to hack.

 

You can counter the second one by compressing the packages and the third one by encrypting the protocol (it still will be easier than binary approach, but not THAT easy). Both those counters will make the first point even worst.

 

So, here are your cons, weight then and decide if it is worth it. Personally I wouldn't unless it is something like school project, round based with small player base game.


Currently working on a scene editor for ORX (http://orx-project.org), using kivy (http://kivy.org).


#12 BinaryStorm   Members   -  Reputation: 136

Like
0Likes
Like

Posted 11 January 2013 - 08:01 AM

I guess there isn't that much to gain. I just really love using my Lua wrapper class. It has a lot of cool functionality, but it's probably not the tool for this job. Thanks for all the answers.



#13 samoth   Crossbones+   -  Reputation: 4936

Like
0Likes
Like

Posted 11 January 2013 - 08:23 AM

Existing (and even moderately successful) real-life games do that. I know at least two Facebook MOs that do this, one recently added XOR-encryption (*cough*) for security. I remember one (successful) MMO that I played years ago that would simply send the output of Java's Serialize() over the network (unencrypted). No, it didn't break their neck. They eventually added encryption after 5 or 6 years to thwart proxy botting. They're still in business.

 

How good/bad an idea is it on a scale from 1 to 10? Depends, it can be anything from 1 to 15.

 

If you use a properly encrypted stream, the only disadvantage to using JSON is that you waste a bit if extra bandwidth copared to something binary. If you can afford that extra bandwidth, there's no issue. The huge advantage is that JSON already works, and is dead easy to use.

 

Now if you don't encrypt your traffic and you are already struggling with bandwidth, then 10 is not a high enough number to express the trouble you're getting in.



#14 Ravyne   GDNet+   -  Reputation: 7868

Like
1Likes
Like

Posted 11 January 2013 - 09:27 AM

You can counter the second one by compressing the packages and the third one by encrypting the protocol (it still will be easier than binary approach, but not THAT easy). Both those counters will make the first point even worst.

 

Actually, neither of those counters make the first worse -- the biggest bottleneck here is bandwidth over the wire, compression reduces the amount of info, thereby making better use of bandwidth, and encryption has no real effect. A computer can decompress and decrypt a packet 100 times over and still take Sunday off in the time it took that same packet to traverse the wire.

 

Heck, AAA console games compress data on the disc because its faster to read less data and decompress it than it is to just read the raw data -- and the disc transfer speed is probably an order of magnitude faster than an average internet connection, and the console CPUs less than half as fast as a typical modern computer.

 

I suppose on the server side, if you've got tens of thousands of players sending packets into your data center, decompression and decryption *might* be a noticeable in your profiling data, but if you're running something that large and successful you can afford to throw hardware resources at the problem.

 

There are plenty of valid cons here, but that you'd have to compress and encrypt the packets to make it viable is far from one of them.



#15 hplus0603   Moderators   -  Reputation: 5547

Like
0Likes
Like

Posted 11 January 2013 - 02:45 PM

This is a severely bad idea, unless you really want malicious players to have free run of your game - both client and server.

The format of the packets -- whether JSON, XML, ASN.1-BER, or your custom binary serialization format -- does not change your security model at all.

JSON is fine as long as throughput doesn't matter. I know several turn-based games that use JSON, including some that I've worked on myself.

Once you measure your data rate in "packets per second" rather than "seconds per packet," you may find that JSON is too verbose -- or, more likely, that HTTP is too verbose, if that's your transport. At that point, a direct, persistent connection with binary payloads starts making a lot of sense.
enum Bool { True, False, FileNotFound };

#16 ApochPiQ   Moderators   -  Reputation: 16079

Like
1Likes
Like

Posted 11 January 2013 - 04:36 PM

The format of the packets -- whether JSON, XML, ASN.1-BER, or your custom binary serialization format -- does not change your security model at all.

JSON is fine as long as throughput doesn't matter. I know several turn-based games that use JSON, including some that I've worked on myself.

Once you measure your data rate in "packets per second" rather than "seconds per packet," you may find that JSON is too verbose -- or, more likely, that HTTP is too verbose, if that's your transport. At that point, a direct, persistent connection with binary payloads starts making a lot of sense.


I never said anything to the contrary.

My point is transmitting executable code as a communication mechanism does change your security profile. To make it secure you have to basically strip out all execution potential from your data stream and the interpretation mechanisms, at which point you may as well just use an existing serialization mechanism in the first place.


[Edit] For further clarity: I'm not talking about the subject line (which talks about JSON) but rather about the actual question the OP asked, which was using Lua as a JSON replacement. JSON is not executable by default; Lua is. That's all I'm saying is a bad idea.

Edited by ApochPiQ, 11 January 2013 - 04:37 PM.


#17 hplus0603   Moderators   -  Reputation: 5547

Like
0Likes
Like

Posted 12 January 2013 - 07:30 PM

My point is transmitting executable code as a communication mechanism does change your security profile. To make it secure you have to basically strip out all execution potential from your data stream and the interpretation mechanisms, at which point you may as well just use an existing serialization mechanism in the first place.

Every web browser and web site sends gobs of executable code to your client -- Javascript is the de facto application language of the future. Yet, security holes don't come from Javascript; they come from Java or Flash plug-ins written in native code.
enum Bool { True, False, FileNotFound };

#18 ApochPiQ   Moderators   -  Reputation: 16079

Like
0Likes
Like

Posted 12 January 2013 - 09:38 PM

I really don't understand what that has to do with the present discussion.

JavaScript is heavily sandboxed but still has security implications (were you not on the Internet in the late 1990's?). It's not like someone just says "herp derp have some executable code!" and magically it's safe because we called it JavaScript. I really can't believe that you'd be trying to imply something that disingenuous, either, so I don't follow your point at all.

I also have a hard time believing that you're unaware of the vast differences in security model between web services and client/server games. So I have no idea why you feel that one-way transmission of executable data via the web is a relevant point of comparison for bidirectional communication where a client can submit unverified executable data back to a server.


If you really want to use the web as a comparison, fix your analogy. The OP is suggesting creating a web site where I can upload arbitrary PHP or ASP.Net or JSP code and execute it as a superuser. All I'm saying here is that to ensure security you need to take a lot of precautions - things which you seem to be implying don't exist on the web, when I think you honestly know a lot better.



So yeah. I'm confused now.

#19 hplus0603   Moderators   -  Reputation: 5547

Like
0Likes
Like

Posted 13 January 2013 - 01:13 AM

You're right, this is side tracking. The argument that sending executable code is unsafe isn't particularly strong IMO.

Sending code from the server to the client is done all the time, even for native code: That's what a patcher does!

You can sandbox whatever you execute to the set of instructions that make sense, and not give access to anything that would be dangerous, for code sent from client to server. Many games do this, too -- any game with a mod system, any game with user scripts (like Second Life,) any web site that lets you add javascript to your pages, etc.

Regarding "you have to encrypt to avoid tha haxx OMGWFTBBQ!1!" argument, we've had that so many times. Encrypting data that the client generates is pretty useless, as the potential attacker has full control of the client anyway, and can simply use your own encryption function to send whatever data he wants to. There is a narrow middle ground where some encryption dissuades the most casual of hackers, and your game isn't successful enough that anyone real wants to attack it, where it might help, but I feel that you're better off making your game good enough that you'll exceed that narrow window :-)
enum Bool { True, False, FileNotFound };

#20 stormwarestudios   Members   -  Reputation: 215

Like
0Likes
Like

Posted 16 January 2013 - 09:23 PM

1: If it's truly turn based, this should be completely fine, and will make life a lot easier I'd say. I've even considering using compressed json strings for packets on real time games just because JSON rocks.

 

Seconded. If you're writing abstractly enough, then swapping out portions of your network data-transmission module when your game reaches a point where security and/or performance are under scrutiny shouldn't be a big deal. The up-side is you've got a working game in a shorter amount of time, which lets you focus on more important things -- like finishing the game.






Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.



PARTNERS