UDP hole punching

In computing, UDP hole punching refers to a commonly used NAT traversal technique.

Description

NAT traversal through UDP hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks using NAT. It does not work with all types of NATs as their behavior is not standardized.

The basic idea is to have each host behind the NAT contact a third well-known server (usually a STUN server) in the public address space and then, once the NAT devices have established UDP state information, to switch to direct communication hoping that the NAT devices will keep the states despite the fact that packets are coming from a different host.

UDP hole punching will not work with a Symmetric NAT (also known as bi-directional NAT), which tends to be found inside large corporate networks. With Symmetric NAT, the IP address of the well-known server is different from that of the endpoint, and therefore the NAT mapping the well-known server sees is different from the mapping that the endpoint would use to send packets through to the client. For details on the different types of NAT, see network address translation.

A somewhat more elaborate approach is where both hosts start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from that IP address and port number through.

The technique is widely used in P2P software and VoIP telephony. It is one of the methods used in Skype to bypass firewalls and NAT devices. It can also be used to establish VPNs (using, e.g., OpenVPN, strongSwan).

The same technique is sometimes extended to TCP connections, albeit with much less success.

Algorithm

Let A and B be the two hosts, each in its own private network; N1 and N2 are the two NAT devices; S is a public server with a well-known globally reachable IP address.
# A and B each begin a UDP conversation with S; the NAT devices N1 and N2 create UDP translation states and assign temporary external port numbers
# S relays these port numbers back to A and B
# A and B contact each other's NAT devices directly on the translated ports; the NAT devices use the previously created translation states and send the packets to A and B
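As an added illustration (not part of the original article), the following Python simulation runs the three steps above against two toy NAT models, a restricted cone NAT and a symmetric NAT; the Nat class, the addresses and the port numbers are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT model (constructed for this example). A cone NAT keys its mapping on the
    private source endpoint only; a symmetric NAT keys it on (source, destination), so
    each new peer gets a fresh external port. Inbound packets are forwarded only from a
    (ip, port) that the mapping has already sent to (restricted cone filtering)."""
    public_ip: str
    symmetric: bool
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> external port
    allowed: dict = field(default_factory=dict)   # external port -> {(ip, port), ...}

    def send(self, src, dst):
        """Host behind the NAT sends src -> dst; returns the external (ip, port) used."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def accept(self, dst_port, src):
        """True if an inbound packet from src to our external dst_port reaches the host."""
        return src in self.allowed.get(dst_port, set())

S = ("203.0.113.10", 3478)                                   # constructed rendezvous (STUN) server
A_PRIV, B_PRIV = ("10.0.0.2", 5000), ("192.168.1.2", 6000)  # constructed private endpoints

def hole_punch(symmetric):
    """Run steps 1-3; return (A's first packet blocked?, bidirectional path established?)."""
    n1, n2 = Nat("198.51.100.1", symmetric), Nat("198.51.100.2", symmetric)
    # Step 1: A and B each talk to S, so N1 and N2 create translation states.
    a_ext = n1.send(A_PRIV, S)
    b_ext = n2.send(B_PRIV, S)
    # Step 2: S relays the external endpoints it observed (a_ext to B, b_ext to A).
    # Step 3: A sends to B's translated endpoint. On a restricted cone NAT this first
    # packet is dropped by N2, because B has not yet sent anything towards A's endpoint.
    a_used = n1.send(A_PRIV, b_ext)
    first_blocked = not n2.accept(b_ext[1], a_used)
    # B sends to A's translated endpoint: this opens N2 and, on a cone NAT, reuses the
    # external port S saw, so N1 forwards it. A symmetric N2 picks a new port instead.
    b_used = n2.send(B_PRIV, a_ext)
    b_to_a = n1.accept(a_ext[1], b_used)
    # A retries: on a cone NAT N2 now has a record of B sending to A's endpoint.
    a_to_b = n2.accept(b_ext[1], a_used)
    return first_blocked, a_to_b and b_to_a
```

hole_punch(False) reports the first packet blocked and then success on both directions, while hole_punch(True) shows the symmetric case failing because each NAT allocated a different external port for the peer than the one S observed.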

See also

* STUN
* Gbridge
* Hamachi
* Freenet
* Hole punching

External links

* [http://www.brynosaurus.com/pub/net/p2pnat/ Peer-to-Peer Communication Across Network Address Translators] , [http://www.brynosaurus.com/pub/net/p2pnat.pdf PDF]
* [http://nutss.gforge.cis.cornell.edu/stunt.php STUNT]
* [http://pdos.csail.mit.edu/~baford/nat/draft-ford-natp2p-00.txt Network Address Translation and Peer-to-Peer Applications (NATP2P)]
* [http://www.heise-online.co.uk/security/How-Skype-Co-get-round-firewalls--/features/82481 How Skype & Co. get round firewalls] - simple explanation of how Skype uses UDP hole punching


Wikimedia Foundation. 2010.


