TCP hole punching
Encyclopedia
TCP hole punching is a commonly-used NAT traversal
technique, for sending 2-way messages between nodes in an Internet
computer network
. The term "NAT traversal" is a general term for techniques that establish and maintain TCP/IP network
and/or TCP
connections traversing network-address-translation
(NAT) gateways.
NAT traversal techniques are typically required for client-to-client networking applications, especially peer-to-peer
and Voice-over-IP (VoIP) deployments.
hosts in private networks using NAT. It does not work with all types of NATs, as their behavior is not standardized.
| Peer A ←→ Gateway A ← .. Network .. → Gateway B ←→ Peer B
|}
When two peers, A and B, instantiate TCP connections by binding to local ports Pa and Pb, respectively, they need to know the remote endpoint NAT port in order to make the connection.
A NAT port allocation can be one of the two:
Connection matrix representing the different cases:
The required state is just like after the three-way-handshake: Each host must have an acknowledge number other sequence number + 1.
This is achieved through Sequence and Acknowledgement Number coordination.
values.
The Low TTL value is used to generate outbound packets that will open up the NAT, but will never reach the other host.
The Low TTL is calculated as follow:
Loop until "ICMP TTL Exceeded" messages are no longer received. The own NAT host has been traversed. The LOW TTL Value = i + 1.
If the NAT host supports "ICMP TTL Exceeded" messages to internal hosts, then the RST reply from buddy can be inspected. The LOW TTL Value = i - 1.
OS Support
NAT traversal
NAT traversal is a general term for techniques that establish and maintain Internet protocol connections traversing network address translation gateways. Network address translation breaks end-to-end connectivity. Intercepting and modifying traffic can only be performed transparently in the...
technique, for sending 2-way messages between nodes in an Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
computer network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
. The term "NAT traversal" is a general term for techniques that establish and maintain TCP/IP network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
and/or TCP
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
connections traversing network-address-translation
Network address translation
In computer networking, network address translation is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device....
(NAT) gateways.
NAT traversal techniques are typically required for client-to-client networking applications, especially peer-to-peer
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
and Voice-over-IP (VoIP) deployments.
Description
NAT traversal, through TCP hole punching, is a method for establishing bidirectional TCP connections between InternetInternet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
hosts in private networks using NAT. It does not work with all types of NATs, as their behavior is not standardized.
Network Drawing
-
- {| style="border: 1px black solid;"
| Peer A ←→ Gateway A ← .. Network .. → Gateway B ←→ Peer B
|}
Types of NAT
The availability of the TCP-hole-punching technique depends on the type of computer port allocation used by the NAT.When two peers, A and B, instantiate TCP connections by binding to local ports Pa and Pb, respectively, they need to know the remote endpoint NAT port in order to make the connection.
A NAT port allocation can be one of the two:
- predictable: the gateway uses a simple algorithm to map the local port to the NAT port. Most of the time a NAT will use port preservation, which is to say that the local port is mapped to the same port on the NAT.
- non predictable: the gateways uses an algorithm that is either random or too impractical to predict.
Connection matrix representing the different cases:
A predictable | A non-predictable | |
---|---|---|
B predictable | YES | YES |
B non-predictable | YES | NO |
- YES: the connection will work all the time
- NO: the connection will almost never work
Methods of port Prediction
- Two sequential internal port-allocation connections, from A to X, are both received sequentially by X. Hence, they are predictable by X.
- Consistent translation is found when 2 connections, from A to X, are sent from the same internal port-A and different ports on X. If X sees same external port-A in both connections, then the translation is considered consistent, and also predictable by X.
Sequence/Acknowledgment numbers negotiation
Because both parties are connecting to each other (e.g., 2x CONNECT, no LISTEN, ACCEPT, etc.), to generate OUTBOUND traffic, there is however a problem with:- TCP Sequence numbers
- Acknowledgment numbers
The required state is just like after the three-way-handshake: Each host must have an acknowledge number other sequence number + 1.
This is achieved through Sequence and Acknowledgement Number coordination.
Low TTL Value determination
Because some packets (syn, rst) MUST not reach the other host, as it would corrupt the connection setup in progress, then there is the need to apply a trick with the TTLTime to live
Time to live is a mechanism that limits the lifespan of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded. In computer networking, TTL prevents a data...
values.
The Low TTL value is used to generate outbound packets that will open up the NAT, but will never reach the other host.
The Low TTL is calculated as follow:
- Send SYN with TTL of i=1
-
-
- Wait for ICMP TTL Exceeded message
- i = i + 1, loop
- Wait for ICMP TTL Exceeded message
-
Loop until "ICMP TTL Exceeded" messages are no longer received. The own NAT host has been traversed. The LOW TTL Value = i + 1.
If the NAT host supports "ICMP TTL Exceeded" messages to internal hosts, then the RST reply from buddy can be inspected. The LOW TTL Value = i - 1.
OS Support
- Setting LOW TTL Value with setsockopt using IP_TTL option.
- Socket options must not be persistent: After successful connection, seq + ack number negotiation, the TTL value must be normalized with setsockopt again.
- Using standard Berkeley socket library.
- Sniffing thread on the wire for SYN sequence numbers.