UDP hole punching
Encyclopedia
UDP hole punching is a commonly used technique employed in network address translator (NAT) applications for maintaining User Datagram Protocol
(UDP) packet streams that traverse the NAT. NAT traversal
techniques are typically required for client-to-client networking applications on the Internet
involving hosts connected in private network
s, especially in peer-to-peer
and Voice over Internet Protocol (VoIP) deployments.
UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, third party hosts on the public transit network are used to establish UDP port states that may be used for direct communications between the communicating hosts. Once port state has been successfully established and the hosts are communicating, port state may be maintained by either normal communications traffic, or in the prolonged absence thereof, by so called keep-alive packets, usually consisting of empty UDP packets or packets with minimal non-intrusive content.
hosts in private networks using network address translators. The technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized.
Hosts with network connectivity inside a private network connected via a NAT to the Internet typically use the STUN
method or Interactive Connectivity Establishment
(ICE) to determine the public address of the NAT that its communications peers require. In this process another host on the public network is used to establish port mapping and other UDP port state that is assumed to be valid for direct communication between the application hosts. Since UDP state usually expires after short periods of time in the range of tens of seconds to a few minutes, and the UDP port is closed in the process, UDP hole punching employs the transmission of periodic keep-alive packets, each renewing the life-time counters in the UDP state machine of the NAT.
UDP hole punching will not work with symmetric NAT devices (also known as bi-directional NAT) which tend to be found in large corporate networks. In symmetric NAT, the NAT's mapping associated with the connection to the well known STUN server is restricted to receiving data from the well-known server, and therefore the NAT mapping the well-known server sees is not useful information to the endpoint.
In a somewhat more elaborate approach both hosts will start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from this IP address and port number through. This technique is widely used in peer-to-peer
software and Voice over Internet Protocol telephony. It can also be used to assist the establishment of virtual private network
s operating over UDP. The same technique is sometimes extended to Transmission Control Protocol
(TCP) connections, albeit with much less success.
User Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
(UDP) packet streams that traverse the NAT. NAT traversal
NAT traversal
NAT traversal is a general term for techniques that establish and maintain Internet protocol connections traversing network address translation gateways. Network address translation breaks end-to-end connectivity. Intercepting and modifying traffic can only be performed transparently in the...
techniques are typically required for client-to-client networking applications on the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
involving hosts connected in private network
Private network
In the Internet addressing architecture, a private network is a network that uses private IP address space, following the standards set by RFC 1918 and RFC 4193. These addresses are commonly used for home, office, and enterprise local area networks , when globally routable addresses are not...
s, especially in peer-to-peer
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
and Voice over Internet Protocol (VoIP) deployments.
UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, third party hosts on the public transit network are used to establish UDP port states that may be used for direct communications between the communicating hosts. Once port state has been successfully established and the hosts are communicating, port state may be maintained by either normal communications traffic, or in the prolonged absence thereof, by so called keep-alive packets, usually consisting of empty UDP packets or packets with minimal non-intrusive content.
Description
UDP hole punching is a method for establishing bidirectional UDP connections between InternetInternet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
hosts in private networks using network address translators. The technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized.
Hosts with network connectivity inside a private network connected via a NAT to the Internet typically use the STUN
STUN
STUN is a standardized set of methods, including a network protocol, used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications....
method or Interactive Connectivity Establishment
Interactive Connectivity Establishment
Interactive Connectivity Establishment is a technique used in computer networking involving network address translators in Internet applications of Voice over Internet Protocol , peer-to-peer communications, video, instant messaging and other interactive media...
(ICE) to determine the public address of the NAT that its communications peers require. In this process another host on the public network is used to establish port mapping and other UDP port state that is assumed to be valid for direct communication between the application hosts. Since UDP state usually expires after short periods of time in the range of tens of seconds to a few minutes, and the UDP port is closed in the process, UDP hole punching employs the transmission of periodic keep-alive packets, each renewing the life-time counters in the UDP state machine of the NAT.
UDP hole punching will not work with symmetric NAT devices (also known as bi-directional NAT) which tend to be found in large corporate networks. In symmetric NAT, the NAT's mapping associated with the connection to the well known STUN server is restricted to receiving data from the well-known server, and therefore the NAT mapping the well-known server sees is not useful information to the endpoint.
In a somewhat more elaborate approach both hosts will start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from this IP address and port number through. This technique is widely used in peer-to-peer
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
software and Voice over Internet Protocol telephony. It can also be used to assist the establishment of virtual private network
Virtual private network
A virtual private network is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network....
s operating over UDP. The same technique is sometimes extended to Transmission Control Protocol
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
(TCP) connections, albeit with much less success.
Algorithm
Let A and B be the two hosts, each in its own private network; N1 and N2 are the two NAT devices; S is a public server with a well-known globally reachable IP address.- A and B each begin a UDP conversation with S; the NAT devices N1 and N2 create UDP translation states and assign temporary external port numbers
- S relays these port numbers back to A and B
- A and B contact each others' NAT devices directly on the translated ports; the NAT devices use the previously created translation states and send the packets to A and B
External links
- Peer-to-Peer Communication Across Network Address Translators, PDF - contains detailed explanation on the hole punching process
- STUNT
- Network Address Translation and Peer-to-Peer Applications (NATP2P)
- How Skype & Co. get round firewalls - simple explanation of how Skype uses UDP hole punching
- Use of UDP to traverse NAT gateways Use of UDP to traverse NAT gateways