Hole punching (or sometimes punch-through) is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish a direct connection; because the connections use valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side. Hole punching does not require any knowledge of the network topology to function.

ICMP hole punching, UDP hole punching and TCP hole punching respectively use the Internet Control Message, User Datagram and Transmission Control Protocols.


Overview

Networked devices with public or globally accessible IP addresses can create connections between one another easily. Clients with private addresses may also easily connect to public servers, as long as the client behind a router or firewall initiates the connection. However, hole punching (or some other form of NAT traversal) is required to establish a direct connection between two clients that both reside behind different firewalls or routers that use network address translation (NAT). Both clients initiate a connection to an unrestricted server, which notes endpoint and session information including public IP and port along with private IP and port. The firewalls also note the endpoints in order to allow responses from the server to pass back through. The server then sends each client's endpoint and session information to the other client, or peer. Each client tries to connect to its peer through the specified IP address and port that the peer's firewall has opened for the server. The new connection attempt punches a hole in the client's firewall, as the endpoint now becomes open to receive a response from its peer. Depending on network conditions, one or both clients might receive a connection request. Successful exchange of an authentication nonce between both clients indicates the completion of a hole punching procedure (Ford, Srisuresh & Kegel 2005).


Examples

VoIP products, online gaming applications, and P2P networking software all use hole punching.

* Telephony software Skype uses hole punching to allow users to communicate with one or more users audibly (Schmidt 2006).
* Fast-paced online multi-player games may use a hole punching technique or require users to create a permanent firewall pinhole in order to reduce network latency.
* VPN applications such as Hamachi or ZeroTier utilize hole punching to allow users to connect directly to subscribed devices behind firewalls.
* Decentralized peer-to-peer file sharing software relies on hole punching for file distribution.


Requirements

Reliable hole punching requires consistent endpoint translation and, for multiple levels of NATs, hairpin translation. When an outbound connection from a private endpoint passes through a firewall, it receives a public endpoint (public IP address and port number), and the firewall translates traffic between them. Until the connection is closed, the client and server communicate through the public endpoint, and the firewall directs traffic appropriately. Consistent endpoint translation reuses the same public endpoint for a given private endpoint, instead of allocating a new public endpoint for every new connection. With hairpin translation, a NAT creates a loopback connection between two of its own private endpoints when it recognizes that the destination endpoint is one of its own public endpoints. This functionality is necessary for hole punching only when used within a multiple-layered NAT.
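The following Python is an added illustration, not part of the original article: it models the rendezvous exchange from the Overview against two toy NATs and shows why the consistent endpoint translation described above matters. The server address, peer addresses and NAT behaviour (address-dependent filtering, one mapping per private endpoint) are constructed simplifications of real devices.

```python
import itertools
import secrets

SERVER = ("203.0.113.10", 3478)   # constructed address of the rendezvous server

class Nat:
    """Toy NAT with address-dependent filtering: an inbound packet is delivered only
    if the private host already sent to that remote endpoint through that mapping.
    consistent=True reuses one public endpoint per private endpoint; False does not."""
    def __init__(self, public_ip, consistent=True):
        self.public_ip, self.consistent = public_ip, consistent
        self.maps, self.rev = {}, {}   # private -> public and public -> private
        self.allowed = set()           # (public endpoint, remote endpoint) pairs
        self.ports = itertools.count(40000)

    def outbound(self, private, remote):
        """Translate a packet from `private` to `remote`; return the public endpoint used."""
        public = self.maps.get(private) if self.consistent else None
        if public is None:
            public = (self.public_ip, next(self.ports))
            self.maps[private], self.rev[public] = public, private
        self.allowed.add((public, remote))   # note the endpoint so replies can pass back
        return public

    def inbound(self, public, remote):
        """Deliver a packet from `remote` to `public`; return the private endpoint or None."""
        return self.rev.get(public) if (public, remote) in self.allowed else None

def hole_punch(nat_a, nat_b, priv_a=("10.0.0.2", 5000), priv_b=("192.168.1.7", 5000)):
    """Rendezvous through SERVER, then punch; True when each peer receives the other's nonce."""
    # 1. Both peers contact the server, which observes their public endpoints.
    pub_a, pub_b = nat_a.outbound(priv_a, SERVER), nat_b.outbound(priv_b, SERVER)
    # 2. The server relays each peer's endpoint back through the mapping opened in step 1.
    if nat_a.inbound(pub_a, SERVER) != priv_a or nat_b.inbound(pub_b, SERVER) != priv_b:
        return False
    # 3. Each peer sends a nonce straight to the learned endpoint. The outbound packet
    #    adds (own public, peer public) to the filter: this is the "hole".
    nonce_a, nonce_b = secrets.token_hex(8), secrets.token_hex(8)
    src_a = nat_a.outbound(priv_a, pub_b)   # the port A's packet really leaves from
    src_b = nat_b.outbound(priv_b, pub_a)
    # 4. The packets cross. They are delivered only if src_* equals the pub_* the
    #    server reported, i.e. only with consistent endpoint translation.
    received = {nat_b.inbound(pub_b, src_a): nonce_a, nat_a.inbound(pub_a, src_b): nonce_b}
    return received.get(priv_b) == nonce_a and received.get(priv_a) == nonce_b

def demo():
    """(True, False): the punch succeeds only with consistent endpoint translation."""
    return (hole_punch(Nat("198.51.100.1"), Nat("198.51.100.2")),
            hole_punch(Nat("198.51.100.1", False), Nat("198.51.100.2", False)))
```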


See also

* Port knocking
* Session Initiation Protocol
* Universal Plug and Play
* Port Control Protocol
* STUN


External links


* How NAT traversal works


References

Ford, Bryan; Srisuresh, Pyda; Kegel, Dan (2005). Peer-to-Peer Communication Across Network Address Translators.
Schmidt, Jürgen (2006). The hole trick.