UDP hole punching
UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer, Direct Client-to-Client (DCC) and Voice over Internet Protocol (VoIP) deployments.

UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, a third-party host on the public network is used to establish the UDP port state that the two hosts then use for direct communication. Once that port state has been established and the hosts are communicating, it is maintained either by the normal traffic or, in the prolonged absence of such traffic, by keep-alive packets, usually empty UDP packets or packets with minimal, non-intrusive content.


Overview

UDP hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks that sit behind network address translators. The technique is not applicable in all scenarios or with all types of NAT, because NAT behaviour is not standardized. A host inside a private network connected to the Internet through a NAT typically uses Session Traversal Utilities for NAT (STUN) or Interactive Connectivity Establishment (ICE) to learn the public address and port of its NAT mapping, which its peers need in order to reach it. In this process another host on the public network is used to establish a port mapping and other UDP state that is assumed to remain valid for direct communication between the application hosts. Because a NAT's UDP mapping usually expires after a short idle period, in the range of tens of seconds to a few minutes, after which the external port is closed, UDP hole punching relies on periodic keep-alive packets, each of which resets the lifetime timer of the mapping in the NAT.

UDP hole punching does not work across symmetric NAT devices (also known as bi-directional NAT), which tend to be found in large corporate networks. A symmetric NAT allocates a separate mapping for each remote endpoint and accepts inbound traffic on that mapping only from that endpoint, so the mapping used toward the STUN server is not the one the NAT will use toward the peer, and the external address and port the server reports is not useful information to the peer.

In a somewhat more elaborate approach both hosts start sending to each other, making multiple attempts. On a restricted cone NAT, the first packet from the other host is blocked if it arrives before the local host has sent anything to that host. Once the NAT has recorded an outbound packet to the other host's address (and, for a port-restricted NAT, its port), it lets packets from that address and port through.

This technique is widely used in peer-to-peer software and VoIP telephony. It can also be used to assist the establishment of virtual private networks operating over UDP. The same technique is sometimes extended to Transmission Control Protocol (TCP) connections, though with less success: TCP connection state is controlled by the host operating system rather than the application, and initial sequence numbers are selected randomly, so a NAT device that performs sequence-number checking will not consider the packets to belong to an existing connection and will drop them.
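The STUN step described above, as an added example that is not taken from the page or from any STUN implementation: the client builds a Binding Request, the server (S in the text) answers with the source address and port it observed in an XOR-MAPPED-ADDRESS attribute, and the client parses that attribute back into its reflexive address. The message layout follows RFC 5389; the mapped address 203.0.113.7:40001 used by demo() is constructed so the exchange runs offline. The parser refuses any reply whose transaction ID does not match the request, so an off-path host that never saw the request cannot plant a bogus public address on the client.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value, also the XOR key
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txn_id=None):
    """Client side: a 20-byte Binding Request with no attributes.
    Returns (message, transaction_id); the caller keeps the ID to match the reply."""
    if txn_id is None:
        txn_id = os.urandom(12)           # 96-bit random transaction ID
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id, txn_id


def build_binding_response(txn_id, addr, port):
    """Server side (S in the text): echo the observed source address:port in an
    XOR-MAPPED-ADDRESS attribute. XOR-ing with the magic cookie keeps NAT
    application-layer gateways from rewriting the address inside the payload."""
    xaddr = struct.unpack("!I", socket.inet_aton(addr))[0] ^ MAGIC_COOKIE
    xport = port ^ (MAGIC_COOKIE >> 16)
    value = struct.pack("!xBHI", FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_binding_response(data, expected_txn_id):
    """Client side: return the reflexive (address, port) from a Binding Success
    Response, or raise ValueError. The cookie and transaction-ID checks reject
    replies that are not answers to our own request."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if data[8:20] != expected_txn_id:
        raise ValueError("transaction ID mismatch: not a reply to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    body = data[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN message")
    mapped, pos = None, 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_len >= 8 and attr_type == ATTR_XOR_MAPPED_ADDRESS and value[1] == FAMILY_IPV4:
            xport, xaddr = struct.unpack("!xxHI", value[:8])
            addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return addr, xport ^ (MAGIC_COOKIE >> 16)      # preferred attribute
        if attr_len >= 8 and attr_type == ATTR_MAPPED_ADDRESS and value[1] == FAMILY_IPV4:
            mapped = (socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0])
        pos += 4 + (attr_len + 3) // 4 * 4                 # values are padded to 32 bits
    if mapped is None:
        raise ValueError("no mapped address in response")
    return mapped


def demo():
    """Offline round trip with a constructed mapping, as S would report it."""
    request, txn = build_binding_request()
    reply = build_binding_response(txn, "203.0.113.7", 40001)
    return len(request), parse_binding_response(reply, txn)
```

A real client sends the request bytes over the same UDP socket it will later use toward the peer; the reflexive address is only meaningful for that socket, because the NAT mapping belongs to it.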


Flow

Let A and B be the two hosts, with internal IP addresses iAddrA and iAddrB respectively, each in its own private network; NA and NB are the two NAT devices, with external IP addresses eAddrA and eAddrB respectively; S is a public server with a known IP address.

1. A and B each begin a UDP conversation with S; the NAT devices NA and NB create UDP translation states and assign temporary external port numbers ePortA and ePortB.
2. S examines the UDP packets to get the source address and port used by NA and NB (the external NAT ports ePortA and ePortB).
3. S informs B of eAddrA:ePortA and informs A of eAddrB:ePortB.
4. A sends a packet to eAddrB:ePortB and B sends a packet to eAddrA:ePortA (not necessarily at the same time nor in any particular order).
   * When those packets leave their private networks, each NAT device adds an entry to its translation table:
     * NA examines A's packet and adds the tuple (iAddrA, ePortA, eAddrB, ePortB) to its translation table.
     * NB examines B's packet and adds the tuple (iAddrB, ePortB, eAddrA, ePortA) to its translation table.
   * What happens to the remote host's packet depends on the state of each NAT's translation table when it arrives:
     * If (iAddrA, ePortA, eAddrB, ePortB) was already in NA's table before B's packet arrived, NA passes B's packet; otherwise it drops it.
     * If (iAddrB, ePortB, eAddrA, ePortA) was already in NB's table before A's packet arrived, NB passes A's packet; otherwise it drops it.
     * This is the behaviour of a restricted cone NAT; a full cone NAT passes the packet as soon as a mapping for the external port exists, whatever its source.
5. Once both NATs have those tuples, "holes" have been "punched" in the NATs and the hosts can communicate directly. A first packet dropped in step 4 is simply resent, which is why the hosts make several attempts.

If either host is behind a symmetric NAT, the external port its NAT uses toward the peer differs from the one S observed, so the address S reported does not reach a usable mapping and the exchange above fails. A restricted cone NAT, by contrast, reuses the same external port for every destination, which is what allows the mapping observed by S to be reused toward the peer. On some routers the external ports are allocated sequentially, making it possible to establish a conversation through a symmetric NAT by guessing ports near the one S observed.
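The numbered steps above run against a toy model of the NAT behaviours named in the Overview, as an added example that is not from the page or from any real NAT or peer-to-peer implementation. All addresses are constructed (the private hosts, the two NATs' public addresses 203.0.113.1 and 203.0.113.2, and S at 198.51.100.1:3478), external ports are allocated sequentially from 40000, and both hosts send only to the address S reported. The model shows why a restricted NAT drops the first inbound packet while the retry gets through, and why the same exchange fails when either NAT is symmetric.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple      # (address, port)
    dst: tuple      # (address, port)
    payload: str


class Nat:
    """Toy NAT using the RFC 3489 behaviour names from the text.
    Mapping: cone NATs reuse one external port per internal socket (endpoint-
    independent); a symmetric NAT allocates a new port per remote endpoint.
    Filtering: full cone admits anything sent to a mapped port; address-restricted
    needs a prior outbound packet to the remote address; port-restricted and
    symmetric need a prior outbound packet to the remote address and port."""

    def __init__(self, ext_addr, behaviour, first_port=40000):
        assert behaviour in ("full_cone", "addr_restricted", "port_restricted", "symmetric")
        self.ext_addr = ext_addr
        self.behaviour = behaviour
        self.ports = itertools.count(first_port)   # sequential allocation, as on some routers
        self.mappings = {}      # mapping key -> external port
        self.rev = {}           # external port -> internal (address, port)
        self.sessions = set()   # (external port, remote address, remote port) seen outbound

    def outbound(self, pkt):
        key = (pkt.src, pkt.dst) if self.behaviour == "symmetric" else pkt.src
        if key not in self.mappings:
            ext_port = next(self.ports)
            self.mappings[key] = ext_port
            self.rev[ext_port] = pkt.src
        ext_port = self.mappings[key]
        self.sessions.add((ext_port, pkt.dst[0], pkt.dst[1]))
        return Packet((self.ext_addr, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Return the packet as delivered to the internal host, or None if dropped."""
        ext_port = pkt.dst[1]
        internal = self.rev.get(ext_port)
        if internal is None:
            return None
        if self.behaviour == "full_cone":
            ok = True
        elif self.behaviour == "addr_restricted":
            ok = any(p == ext_port and a == pkt.src[0] for p, a, _ in self.sessions)
        else:
            ok = (ext_port, pkt.src[0], pkt.src[1]) in self.sessions
        return Packet(pkt.src, internal, pkt.payload) if ok else None


S = ("198.51.100.1", 3478)                              # rendezvous server, constructed
iAddrA, iAddrB = ("10.0.0.2", 5000), ("192.168.1.2", 5000)


def punch(behaviour_a, behaviour_b, rounds=2):
    """Run the numbered steps with hosts that send only to what S reported.
    Returns [(round, direction, delivered), ...]."""
    NA = Nat("203.0.113.1", behaviour_a)
    NB = Nat("203.0.113.2", behaviour_b)
    # Steps 1 and 2: A and B talk to S, which records the external address:port it sees.
    eA = NA.outbound(Packet(iAddrA, S, "register")).src   # eAddrA:ePortA
    eB = NB.outbound(Packet(iAddrB, S, "register")).src   # eAddrB:ePortB
    # Step 3: S tells A about eB and B about eA; here that is just passing the values on.
    results = []
    for rnd in range(1, rounds + 1):
        # Step 4: both hosts send to the peer's reported address. A's packet is delivered
        # first, so in round 1 it reaches NB before B has sent anything toward eA.
        results.append((rnd, "A->B", NB.inbound(NA.outbound(Packet(iAddrA, eB, "punch"))) is not None))
        results.append((rnd, "B->A", NA.inbound(NB.outbound(Packet(iAddrB, eA, "punch"))) is not None))
    return results


def connected(behaviour_a, behaviour_b):
    """Step 5: holes are punched once the last round delivered in both directions."""
    results = punch(behaviour_a, behaviour_b)
    last = results[-1][0]
    return all(ok for rnd, _, ok in results if rnd == last)


if __name__ == "__main__":
    kinds = ("full_cone", "addr_restricted", "port_restricted", "symmetric")
    for a in kinds:
        print(a.ljust(16), " ".join("ok  " if connected(a, b) else "FAIL" for b in kinds))
```

Run as a script it prints the connectivity matrix for the four behaviours. Two details the model makes visible: the sequential port counter is what makes the port-guessing approach in the last paragraph possible, and with a symmetric NAT on one side and an address-restricted NAT on the other, packets still arrive in one direction, so a peer that replies to the source address it actually observes rather than the one S reported can get further than this model's hosts, which deliberately never do that.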


See also

* Hamachi
* Freenet
* ICMP hole punching
* TCP hole punching
* Hole punching (networking)
* WebRTC
* Port Control Protocol (PCP)
* Teredo tunneling


External links


* Peer-to-Peer Communication Across Network Address Translators (PDF), which contains a detailed explanation of the hole punching process
* STUNT: Simple Traversal of UDP Through NATs and TCP too
* Network Address Translation and Peer-to-Peer Applications (NATP2P)