
NAT and Firewall Traversal

With the increasing shortage of IP-address space and rising security concerns, more and more users will access the Internet from behind a Network Address Translator (NAT) or firewall. We have investigated various techniques and tricks to be able to interact with these peers as if they were directly connected to the Internet. Implementing these techniques in Tribler will significantly enhance performance.

See remko_1035363_Onderzoekstaak_-_Final_Version.pdf

To-do list to finish before summer, in collaboration with Lucia, who is working on the general case:

  • Full taxonomy
    • Port mapping
    • Inbound filter
    • Timeout (inbound/outbound)
    • Overloading
    • UDP/TCP differentiation
  • Refined measurements with [source:abc/branches/lucia/release-4.5_r9986/Tribler/Core/NATFirewall Natcheck] for Feb deployment
  • Describe results + problem of NAT box design with CPU/mem restrictions
  • A few advanced puncture tests for port-restricted NATs
  • Set-up relay connection protocol on top of PEX 2.0 in swarms
  • Final report writing

Relay architecture and protocol

To simplify NAT traversal, our approach is to first establish a TCP control channel. This temporary control channel is relayed through a conveyance peer, which coordinates the UDP puncturing and conducts error handling. We assume that each NATed peer is connected by TCP to a number of conveyance peers. Key to connecting to a peer is therefore finding one of its active conveyance peers; discovering them is a feature of IPv8.

This first phase in the NAT puncturing process requires a few new messages. Three peers are involved: Alice, Bob, and Charlie the Conveyance peer.

  • Set-up relay connection request (A to C)
  • Set-up relay connection indication (C to B)
  • Set-up relay connection accept (B to C)
  • Set-up relay connection completed (C to A)
  • Set-up relay data exchange (From A/B to B/A via C)
  • Set-up relay connection auto-termination

Using this relayed TCP control channel, peers A and B establish a direct connection. For simplicity and security, the relay is valid only for a limited number of minutes and KBytes; after that it terminates.
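The following is an added example, not Tribler's code, that models the six relay messages listed above as seen from the conveyance peer Charlie. It shows how C forwards the request/indication and accept/completed pairs, relays data between A and B without inspecting it, and auto-terminates the relay when either the lifetime or the byte budget is exhausted. The message enumeration, the class and function names, and the concrete limits (300 seconds, a small byte budget for the walkthrough) are assumptions for illustration; the page only states that both limits exist.

```python
"""Toy model of the relayed TCP control channel (added example, not Tribler code).
Message names follow the page; limit values and class/function names are assumed."""
from dataclasses import dataclass
from enum import Enum, auto


class Msg(Enum):
    REQUEST = auto()      # Set-up relay connection request (A to C)
    INDICATION = auto()   # Set-up relay connection indication (C to B)
    ACCEPT = auto()       # Set-up relay connection accept (B to C)
    COMPLETED = auto()    # Set-up relay connection completed (C to A)
    DATA = auto()         # Set-up relay data exchange (A/B to B/A via C)
    TERMINATED = auto()   # Set-up relay connection auto-termination (C to both)


@dataclass
class RelaySession:
    """State the conveyance peer keeps for one A<->B relay."""
    initiator: str
    target: str
    opened_at: float
    max_seconds: float
    max_bytes: int
    bytes_relayed: int = 0
    accepted: bool = False
    closed: bool = False

    def expired(self, now: float) -> bool:
        return now - self.opened_at >= self.max_seconds


class ConveyancePeer:
    """Charlie: relays control messages between NATed peers and enforces the limits."""

    def __init__(self, max_seconds: float = 300.0, max_bytes: int = 64 * 1024):
        self.max_seconds = max_seconds   # assumed lifetime limit (5 minutes)
        self.max_bytes = max_bytes       # assumed volume limit (64 KBytes)
        self.sessions: dict[tuple[str, str], RelaySession] = {}
        self.outbox: list[tuple[str, Msg, bytes]] = []   # (recipient, message, payload)

    @staticmethod
    def _key(a: str, b: str) -> tuple[str, str]:
        return tuple(sorted((a, b)))   # one session per unordered pair

    def receive(self, sender: str, msg: Msg, peer: str, payload: bytes = b"", now: float = 0.0) -> None:
        key = self._key(sender, peer)
        if msg is Msg.REQUEST:
            # A asks C for a relay towards B; C forwards an indication to B.
            self.sessions[key] = RelaySession(sender, peer, now, self.max_seconds, self.max_bytes)
            self.outbox.append((peer, Msg.INDICATION, sender.encode()))
            return
        session = self.sessions.get(key)
        if session is None or session.closed:
            return                         # unknown or terminated relay: drop
        if session.expired(now):
            self._terminate(session)       # lifetime exhausted
            return
        if msg is Msg.ACCEPT:
            session.accepted = True
            self.outbox.append((session.initiator, Msg.COMPLETED, peer.encode()))
        elif msg is Msg.DATA:
            if not session.accepted:
                return                     # no data before B has accepted
            if session.bytes_relayed + len(payload) > session.max_bytes:
                self._terminate(session)   # byte budget exhausted
                return
            session.bytes_relayed += len(payload)
            self.outbox.append((peer, Msg.DATA, payload))   # forwarded opaquely

    def _terminate(self, session: RelaySession) -> None:
        session.closed = True
        for p in (session.initiator, session.target):
            self.outbox.append((p, Msg.TERMINATED, b""))


def relay_walkthrough() -> list[tuple[str, str]]:
    """Full message sequence, ending in auto-termination on the byte limit."""
    c = ConveyancePeer(max_seconds=300.0, max_bytes=100)
    c.receive("A", Msg.REQUEST, "B", now=0.0)                # -> indication to B
    c.receive("B", Msg.ACCEPT, "A", now=1.0)                 # -> completed to A
    c.receive("A", Msg.DATA, "B", b"x" * 60, now=2.0)        # puncture coordination data
    c.receive("B", Msg.DATA, "A", b"y" * 30, now=3.0)
    c.receive("A", Msg.DATA, "B", b"z" * 20, now=4.0)        # exceeds 100 bytes -> terminated
    c.receive("B", Msg.DATA, "A", b"late", now=5.0)          # dropped: relay closed
    return [(to, m.name) for to, m, _ in c.outbox]


def timeout_walkthrough() -> list[tuple[str, str]]:
    """Relay that auto-terminates because B accepts after the lifetime expired."""
    c = ConveyancePeer(max_seconds=60.0, max_bytes=1024)
    c.receive("A", Msg.REQUEST, "B", now=0.0)
    c.receive("B", Msg.ACCEPT, "A", now=61.0)
    return [(to, m.name) for to, m, _ in c.outbox]


if __name__ == "__main__":
    for step in relay_walkthrough():
        print(*step)
```

The conveyance peer never parses the relayed payload; its only job is to pair the request with the accept and to count time and bytes. Keeping the limits at C rather than trusting A or B to stop is what makes the relay unattractive as a general-purpose proxy, which is the security point the page makes with its minute and KByte caps.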

[Figure: internal machines]
