axeda coding computers firewall geek hacks hole hole-punching holepunching howto ip lazysheeptagged nat nat-traversal nets network networking p2p p2s programming protocol punching security skype stun tcp technology traversal udp

My tags:

From Wikipedia, the free encyclopedia

In computing, UDP hole punching refers to a commonly used NAT traversal technique.

Contents 1 Description 2 Algorithm 3 See also 4 External links

[edit] Description

NAT traversal through UDP hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks using NAT. It does not work with all types of NATs as their behavior is not standardized.

The basic idea is to have each host behind the NAT contact a third well-known server (usually a STUN server) in the public address space and then, once the NAT devices have established UDP state information, to switch to direct communication hoping that the NAT devices will keep the states despite the fact that packets are coming from a different host.

UDP hole punching will not work with a Symmetric NAT (also known as bi-directional NAT) which tend to be found inside large corporate networks. With Symmetric NAT, the IP address of the well known server is different from that of the endpoint, and therefore the NAT mapping the well known server sees is different from the mapping that the endpoint would use to send packets through to the client. For details on the different types of NAT, see network address translation.

A somewhat more elaborate approach is where both hosts will start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from these IP address and port number through.

The technique is widely used in P2P software and VoIP telephony. It is one of the methods used in Skype to bypass firewalls and NAT devices. It can also be used to establish VPNs (using, e.g., OpenVPN, strongSwan).

The same technique is sometimes extended to TCP connections, albeit with much less success.

[edit] Algorithm

Let A and B be the two hosts, each in its own private network; N1 and N2 are the two NAT devices; S is a public server with a well-known globally reachable IP address.

1. A and B each begin a UDP conversation with S; the NAT devices N1 and N2 create UDP translation states and assign temporary external port numbers
2. S relays these port numbers back to A and B
3. A and B contact each others' NAT devices directly on the translated ports; the NAT devices use the previously created translation states and send the packets to A and B

[edit] See also

• STUN
• Gbridge
• Hamachi
• Freenet
• NeoRouter
• Hole punching

[edit] External links

• Peer-to-Peer Communication Across Network Address Translators, PDF
• STUNT
• Network Address Translation and Peer-to-Peer Applications (NATP2P)
• How Skype & Co. get round firewalls - simple explanation of how Skype uses UDP hole punching