| 1 |
When implementing NAT traversal we need to consider the following: |
|---|
| 2 |
( all quotes taken from [1] ) |
|---|
| 3 |
|
|---|
| 4 |
- NATs require some kind of periodic message to keep their port mappings |
|---|
| 5 |
current "some NATs have timeouts as short as 20 seconds" |
|---|
| 6 |
|
|---|
| 7 |
"Unfortunately, many NATs associate UDP idle timers with individual UDP |
|---|
| 8 |
sessions defined by a particular pair of endpoints, so sending keep-alives |
|---|
| 9 |
on one session will not keep other sessions active even if all the |
|---|
| 10 |
sessions originate from the same private endpoint. Instead of sending |
|---|
| 11 |
keep-alives on many different P2P sessions, applications can avoid |
|---|
| 12 |
excessive keep-alive traffic by detecting when a UDP session no longer |
|---|
| 13 |
works, and re-running the original hole punching procedure again ``on demand.'' |
|---|
| 14 |
|
|---|
| 15 |
- if UDP traffic is blocked by a firewall we might want to tunnel via TCP to |
|---|
| 16 |
a machine on the open internet. in this case we need to perform STUN protocol |
|---|
| 17 |
properly to analyze which machines are on the open internet (this info could |
|---|
| 18 |
be sent to peers with the status messages). |
|---|
| 19 |
|
|---|
| 20 |
- might be better to transmit hashes of passwords rather than the passwords |
|---|
| 21 |
themselves to keep users who enter semi-important passwords from |
|---|
| 22 |
accidentally transmitting them as plain text. |
|---|
| 23 |
|
|---|
| 24 |
- the udp port used to punch in a hole to communicate with other users |
|---|
| 25 |
could be selected dynamically rather than being fixed by the user |
|---|
| 26 |
"Finally, NAT implementations exist that consistently translate the |
|---|
| 27 |
client's private endpoint as long as only one client behind the NAT |
|---|
| 28 |
is using a particular private port number, but switch to symmetric |
|---|
| 29 |
NAT or even worse behaviors if two or more clients with different IP |
|---|
| 30 |
addresses on the private network try to communicate through the NAT |
|---|
| 31 |
from the same private port number" |
|---|
| 32 |
which means we should at least offer the option of clients manually |
|---|
| 33 |
setting their outbound ports to different values to avoid collissions |
|---|
| 34 |
behind the same NAT which exhibits the above behavior. |
|---|
| 35 |
|
|---|
| 36 |
|
|---|
| 37 |
- skype tries to connect via port80 and https ports if it can't make a |
|---|
| 38 |
connection in other ways. |
|---|
| 39 |
|
|---|
| 40 |
-- |
|---|
| 41 |
"A few poorly behaved NATs are known to scan the body of UDP datagrams |
|---|
| 42 |
for 4-byte fields that look like IP addresses, and translate them as |
|---|
| 43 |
they would the IP address fields in the IP header. To be robust against |
|---|
| 44 |
such behavior, applications may wish to obfuscate IP addresses in |
|---|
| 45 |
messages bodies slightly, for example by transmitting the one's |
|---|
| 46 |
complement of the IP address instead of the IP address itself. Of |
|---|
| 47 |
course, if the application is encrypting its messages, then this |
|---|
| 48 |
behavior is not likely to be a problem." |
|---|
| 49 |
|
|---|
| 50 |
- because sending requests to ports behind a nat can send the wrong request |
|---|
| 51 |
to the wrong machine, we need to make sure to handle this robustly |
|---|
| 52 |
in clients |
|---|
| 53 |
|
|---|
| 54 |
[1] Bryan Ford, Pyda Srisuresh, Dan Kegel, "Peer-to-Peer Communication Across |
|---|
| 55 |
Network Address Translators", http://www.brynosaurus.com/pub/net/p2pnat/ |
|---|
