Andrew Cooke | Contents | Latest | RSS | Previous | Next

C[omp]ute

Welcome to my blog, which was once a mailing list of the same name and is still generated by mail. Please reply via the "comment" links.

Always interested in offers/projects/new ideas. Eclectic experience in fields like: numerical computing; Python web; Java enterprise; functional languages; GPGPU; SQL databases; etc. Based in Santiago, Chile; telecommute worldwide. CV; email.

Personal Projects

Choochoo Training Diary

Last 100 entries

Surprise Paradox; [Books] Good Author List; [Computing] Efficient queries with grouping in Postgres; [Computing] Automatic Wake (Linux); [Computing] AWS CDK Aspects in Go; [Bike] Adidas Gravel Shoes; [Computing, Horror] Biological Chips; [Books] Weird Lit Recs; [Covid] Extended SIR Models; [Art] York-based Printmaker; [Physics] Quantum Transitions are not Instantaneous; [Computing] AI and Drum Machines; [Computing] Probabilities, Stopping Times, Martingales; bpftrace Intro Article; [Computing] Starlab Systems - Linux Laptops; [Computing] Extended Berkeley Packet Filter; [Green] Mainspring Linear Generator; Better Approach; Rummikub Solver; Chilean Poetry; Felicitations - Empowerment Grant; [Bike] Fixing Spyre Brakes (That Need Constant Adjustment); [Computing, Music] Raspberry Pi Media (Audio) Streamer; [Computing] Amazing Hack To Embed DSL In Python; [Bike] Ruta Del Condor (El Alfalfal); [Bike] Estimating Power On Climbs; [Computing] Applying Azure B2C Authentication To Function Apps; [Bike] Gearing On The Back Of An Envelope; [Computing] Okular and Postscript in OpenSuse; There's a fix!; [Computing] Fail2Ban on OpenSuse Leap 15.3 (NFTables); [Cycling, Computing] Power Calculation and Brakes; [Hardware, Computing] Amazing Pockit Computer; Bullying; How I Am - 3 Years Post Accident, 8+ Years With MS; [USA Politics] In America's Uncivil War Republicans Are The Aggressors; [Programming] Selenium and Python; Better Walking Data; [Bike] How Fast Before Walking More Efficient Than Cycling?; [COVID] Coronavirus And Cycling; [Programming] Docker on OpenSuse; Cadence v Speed; [Bike] Gearing For Real Cyclists; [Programming] React plotting - visx; [Programming] React Leaflet; AliExpress Independent Sellers; Applebaum - Twilight of Democracy; [Politics] Back + US Elections; [Programming,Exercise] Simple Timer Script; [News] 2019: The year revolt went global; [Politics] The world's most-surveilled cities; [Bike] Hope Freehub; [Restaurant] Mama Chau's (Chinese, Providencia); [Politics] Brexit Podcast; [Diary] Pneumonia; [Politics] Britain's Reichstag Fire moment; install cairo; [Programming] GCC Sanitizer Flags; [GPU, Programming] Per-Thread Program Counters; My Bike Accident - Looking Back One Year; [Python] Geographic heights are incredibly easy!; [Cooking] Cookie Recipe; Efficient, Simple, Directed Maximisation of Noisy Function; And for argparse; Bash Completion in Python; [Computing] Configuring Github Jekyll Locally; [Maths, Link] The Napkin Project; You can Masquerade in Firewalld; [Bike] Servicing Budget (Spring) Forks; [Crypto] CIA Internet Comms Failure; [Python] Cute Rate Limiting API; [Causality] Judea Pearl Lecture; [Security, Computing] Chinese Hardware Hack Of Supermicro Boards; SQLAlchemy Joined Table Inheritance and Delete Cascade; [Translation] The Club; [Computing] Super Potato Bruh; [Computing] Extending Jupyter; Further HRM Details; [Computing, Bike] Activities in ch2; [Books, Link] Modern Japanese Lit; What ended up there; [Link, Book] Logic Book; Update - Garmin Express / Connect; Garmin Forerunner 35 v 230; [Link, Politics, Internet] Government Trolls; [Link, Politics] Why identity politics benefits the right more than the left; SSH Forwarding; A Specification For Repeating Events; A Fight for the Soul of Science; [Science, Book, Link] Lost In Math; OpenSuse Leap 15 Network Fixes; Update; [Book] Galileo's Middle Finger; [Bike] Chinese Carbon Rims; [Bike] Servicing Shimano XT Front Hub HB-M8010; [Bike] Aliexpress Cycling Tops; [Computing] Change to ssh handling of multiple identities?; [Bike] Endura Hummvee Lite II; [Computing] Marble Based Logic; [Link, Politics] Sanity Check For Nuclear Launch; [Link, Science] Entropy and Life

© 2006-2017 Andrew Cooke (site) / post authors (content).

What is TCP hole punching?

From: andrew cooke <andrew@...>

Date: Sat, 25 Jun 2011 17:37:52 -0400

It is common (largely because of the restricted number of IPV4 addresses) for
several computers to share the same "external" address.  This is done by NAT
(Network Address Translation) at the point where the internal network meets
the external network.

By default, NAT does not support "incoming" connections.  This is because
there is no simple way for a computer connecting from "outside" to identify a
particular internal computer (since all share the same external address).

The lack of incoming connections means that an application on a computer on an
internal network must initiate all network exchanges and, furthermore, can
only connect to a computer that does have an external address.  This is a
problem for peer-to-peer (P2P) systems, since it requires a separate, public
server to act as the target for connections.

The problem is made worse by the fact that the TCP specification does not
allow for a conversation to be "redirected" to a different machine.  When two
P2P peers have both connected to a central server there is no simple mechanism
for them to address each other directly; all traffic must continue to be
routed through the public server to which the initial connections were made.

This last point is the problem solved by TCP hole punching.  It is a mechanism
that allows two peers to converse directly, even when NAT is in use.

Because a variety of implementations are used, the details that follow are
only a rough sketch.  See the references posted by others for more details [I
am writing this answer not because I am an expert on this, but because I found
neither of the other answers to be very clear].

In general, hole punching requires the following:
 - An external, public server that is the target for initial connections, and
   which helps coordinate the connection process.
 - Two peers behind NAT, who will eventually be connected directly.
 - NAT implementations that are lenient in the traffic that they accept, and
   which are predictable in how they operate.
 - A protocol (like TCP) which is lenient in the traffic it accepts and 
   which, in particular, uses a state machine and messages that are more 
   symmetric than the server / client roles that are assumed at a higher
   level.

The "leniency" I mention above is driven by the need for these components to
function reliably on unreliable networks and to support a wide variety of
traffic (it is not, typically, a result of poor implementation).

The general process (bearing in mind that this is only a rough sketch) for
hole punching is:
 - Peers connect to a central, public server and agree on which pairs will
   connect.
 - The central server identifies, for each NAT, how future outgoing 
   connections are created (when a peer makes a connection that passes 
   through the NAT then a port must be opened on on the NAT to receive the 
   response; typically the port numbers used are sequential).

Peers then open new connections, each aware of the external (NAT) address and
likely port of the other peer.

By manipulating the TCP traffic (eg. by setting TTL values so that some
outgoing packets cannot reach the other peer) and/or by exploiting uncertainty
in timings and leniency in the NAT and TCP implementations, and by exploiting
symmetry in the underlying state machines and messages, it is then possible
for the two new connections, each of which was opened as client, to reach a
state as though they were opened in a normal client / server conversation.
Once the two peer connections are in the desired state no further use is made
of the public server; the peers can communicate directly with each other.

Andrew

Comment on this post