NAT and Firewall Traversal

In short: the ability for peers to set up connections to other peers located behind NATs and firewalls.

Overview

With the increasing shortage of IP address space and rising security concerns, more and more users will access the Internet from behind a Network Address Translator (NAT) or firewall. We have investigated various techniques and tricks to be able to interact with these peers as if they were directly connected to the Internet. Implementing these techniques in Tribler will significantly enhance performance, since it will allow the swarm to tap into previously unavailable resources. These traversal techniques will become a feature of IPv8. Initially this was explored in remko_1035363_Onderzoekstaak_-_Final_Version.pdf. Further research is detailed below.

Direct connections

In order to optimize performance, it is preferable if each peer could set up a direct connection to every other peer in the swarm. In practice, however, it turns out that this is not always possible. The actual situation depends on the way the peers are connected to the Internet. Simplified, there can be 3 situations:
NOTE: it is possible for a peer to be connected to the Internet through a cascade of multiple NATs/firewalls. In order to set up connections to peers located behind a NAT/firewall, various solutions have been implemented in NATs/firewalls:
However, the availability of these solutions is outside the control of the Tribler application. Instead we explore a different solution, based on the concept of hole punching. Hole punching manipulates the behavior of the NAT/firewall to set up a direct connection. This concept is explored in the next section.

TCP and UDP hole punching

In order to set up connections across NATs/firewalls, TCP and UDP hole punching can be used. The current research focuses on UDP hole punching.

Connection steps
Data from research

The implementation will result in various data points.
Implementation details

Relay architecture and protocol

To simplify NAT traversal, our approach is to first establish a TCP control channel. This temporary control channel is relayed through a conveyance peer, which coordinates the UDP puncturing and conducts error handling. We assume each NATed peer to be connected by TCP to a number of conveyance peers. The key to connecting to a peer is therefore finding one of its active conveyance peers; discovering these is a feature of IPv8. This first phase in the NAT puncturing process requires a few new messages. Three peers are involved: Alice, Bob, and Charlie the conveyance peer.
Using this relayed TCP control channel, peers A and B establish a direct connection. For simplicity and security the relay is only valid for a limited number of minutes and kilobytes; after that it terminates.
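The relay-coordinated UDP hole punching described in the sections above (the hole punching concept and the conveyance-peer control channel), as an added example that is not Tribler or IPv8 code: a small offline simulation in which Charlie reports each NATed peer its own public endpoint, both peers then send UDP to each other, and the order of the packets decides which ones pass. The NAT model (port-restricted filtering, with an optional endpoint-dependent "symmetric" mapping), the addresses, the message flow and the RelayChannel time/byte budget are all assumptions constructed for this example; the page itself does not specify them.

```python
# Added illustration of coordinated UDP hole punching; not Tribler or IPv8 code.
# NAT model, addresses, message flow and relay budget are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Minimal NAT: an inbound packet passes only if the inside host already sent
    to that exact public address:port (port-restricted filtering). With
    symmetric=True the public port also depends on the destination
    (endpoint-dependent mapping), which is the case that defeats hole punching."""
    public_ip: str
    symmetric: bool = False
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)   # mapping key -> public port
    allowed: set = field(default_factory=set)     # (public port, remote endpoint)

    def translate_out(self, inside, remote):
        """Return the public source endpoint assigned to an outbound packet."""
        key = (inside, remote) if self.symmetric else inside
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.next_port += 1
        public = (self.public_ip, self.mapping[key])
        self.allowed.add((public[1], remote))   # open a pinhole for replies
        return public

    def passes_in(self, public_port, remote):
        return (public_port, remote) in self.allowed


@dataclass
class Peer:
    name: str
    inside: tuple          # private socket address behind the NAT
    nat: Nat
    public: tuple = None   # own public endpoint, as reported by Charlie

    def send_udp(self, remote):
        """Return the packet's source endpoint as seen on the public Internet."""
        return self.nat.translate_out(self.inside, remote)


# Constructed public endpoint of Charlie, the conveyance peer (not behind a NAT).
CHARLIE = ("203.0.113.10", 7000)


def register(peer):
    """Charlie reports, over the control channel, the source address it observed
    on a UDP probe; that is how a NATed peer learns its own public endpoint."""
    peer.public = peer.send_udp(CHARLIE)
    return peer.public


def deliver_udp(src_public, dst):
    """Pass a public-side packet through the destination's NAT, or drop it."""
    return dst.nat.passes_in(dst.public[1], src_public)


def punch(a, b):
    """Charlie has handed each peer the other's public endpoint over the control
    channel; both now send UDP to it. Returns each packet's delivery result."""
    log = []
    # 1: A's packet opens a pinhole in A's NAT for B, but B's NAT has not yet seen
    #    outbound traffic towards A, so it drops the packet.
    log.append(("A->B", deliver_udp(a.send_udp(b.public), b)))
    # 2: B's packet opens B's pinhole for A and is admitted by A's NAT.
    log.append(("B->A", deliver_udp(b.send_udp(a.public), a)))
    # 3: A's retry now passes B's NAT; the direct UDP path is open both ways.
    log.append(("A->B", deliver_udp(a.send_udp(b.public), b)))
    return log


class RelayChannel:
    """Charlie's relayed control channel: valid for a limited time and byte
    budget, and closed for good once either is exhausted."""
    def __init__(self, max_seconds, max_bytes, now):
        self.deadline = now + max_seconds
        self.bytes_left = max_bytes
        self.closed = False

    def relay(self, payload, now):
        if self.closed or now > self.deadline or len(payload) > self.bytes_left:
            self.closed = True
            return False
        self.bytes_left -= len(payload)
        return True


def demo(alice_symmetric=False):
    """One punching attempt between Alice and Bob behind constructed NATs."""
    alice = Peer("Alice", ("10.0.0.5", 5000), Nat("198.51.100.1", alice_symmetric))
    bob = Peer("Bob", ("192.168.1.7", 5000), Nat("192.0.2.1"))
    register(alice)
    register(bob)
    return punch(alice, bob), alice.public, bob.public
```

With two port-restricted NATs, demo() shows the first packet dropped and the two that follow delivered, which is why both sides must send and retry rather than one side simply connecting. With demo(alice_symmetric=True) every packet is dropped: Alice's NAT hands out a different public port for Bob than it did for Charlie, so the endpoint Charlie reported never matches and no pinhole lines up. The RelayChannel shows the limited-minutes-and-kilobytes rule from the text as a check that refuses further traffic once either budget is spent.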