NAT and Firewall Traversal
In short: the ability for peers to set up connections to other peers located behind NATs and Firewalls.
With the increasing shortage of IP-address space and rising security concerns, more and more users will access the Internet from behind a Network Address Translator (NAT) or firewall. We have investigated various techniques and tricks to be able to interact with these peers as if they were directly connected to the Internet. Implementing these techniques in Tribler will significantly enhance performance, since it will allow the swarm to tap into previously unavailable resources. These traversal techniques will become a feature of IPv8.
Initially this was explored in remko_1035363_Onderzoekstaak_-_Final_Version.pdf. Further research is detailed below.
In order to optimize performance, it is preferable if each peer could setup a direct connection to every other peer in the swarm. However in practice it turns out that it is not always possible. The actual situation depends on the way the peers are connected to the internet. Simplified, there can be 3 situations:
- Both peers are connected directly to the internet. Both peers can setup a direct connection to each other.
| A |-----((Internet))-----| B |
- One peer is located behind a NAT/firewall, the other is connected directly to the internet. Only peer A is able to set up a connection to B, the reverse is not possible.
+---+ | | +---+
| A |-----| |---((Internet))---| B |
+---+ | | +---+
- Both peers are located behind a NAT/firewall. Neither peer can setup a connection to the other peer.
+---+ | | | | +---+
| A |-----| |---((Internet))---| |-----| B |
+---+ | | | | +---+
NOTE: it is possible for a peer to be connected to the internet through a cascade of multiple NAT/fw's.
In order to setup connections to peers located behind a NAT/firewall, various solutions have been implemented in NAT/firewalls:
- The ability to set up static rules to allow for incoming connections to peers located behind the NAT/fw. This requires user intervention in the NAT/fw.
- UPnP Gateway could be implemented. Using UPnP forwarding rules can be set up on a NAT/fw to allow incoming connections towards the peer.
- Using Application Layer Gateways (ALGs) in de NAT/firewall to allow incoming connections to pass through.
However the availability of these solutions our outside the control of the Tribler application. Instead we will explore a different solution which is based on the concept of holepunching. Holepunching manipulates the behavior of NAT/firewall to setup a direct connection. This concept is explored in the next section.
TCP and UDP holepunching
In order to set up connections across NAT/firewalls, TCP and UDP holepunching can be used. The current research is focuses on UDP holepunching.
- Identify peer connectivity to internet
- Connect to other peer using a relay connection
- Exchange connectivity information
- Use a connection setup strategy to setup a connection.
Data from research
The implementation will result in various data points.
- Overview of types of NATs seen by Tribler.
- The effectiveness of port prediction.
- The effectiveness of various connection setup strategies that employ holy punching techniques.
Relay architecture and protocol
To simplify NAT traversal our approach is to first establish a TCP control channel.
This temporary control channel is relayed through a conveyance peer which coordinates
the UDP puncturing and conducts error handling.
We assume each NATed peer to be connected by TCP to a number of conveyance peers.
Key to connecting to a peer is therefore finding one of their active conveyance peers.
It is a feature of IPv8 to discover these.
This first phase in the NAT puncturing process requires a few new messages.
Three peers are involved: Alice, Bob, and Charlie the Conveyance peer.
- Set-up relay connection request (A to C)
- Set-up relay connection indication (C to B)
- Set-up relay connection accept (B to C)
- Set-up relay connection completed (C to A)
- Set-up relay data exchange (From A/B to B/A via C)
- Set-up relay connection auto-termination
Using this relayed TCP control channel peers A and B establish a direct connection.
For simplicity and security the relay is only valid for a limited number of minutes and KBytes
after that it terminates.