UDP hole punching

From Wikipedia, the free encyclopedia


In computing, UDP hole punching is a commonly used NAT traversal technique.


Description

Network address translation (NAT) traversal through User Datagram Protocol (UDP) hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks using NAT. It does not work with all types of NATs as their behavior is not standardized.

Each host behind a NAT contacts a third, well-known server (usually a STUN server) in the public address space and then, once the NAT devices have established UDP state information, switches to direct communication hoping that the NAT devices will keep the states despite the packets coming from a different host.

UDP hole punching will not work with a symmetric NAT (also known as bi-directional NAT), which tends to be found inside large corporate networks. With a symmetric NAT, the IP address of the well-known server is different from that of the peer endpoint, and therefore the NAT mapping that the well-known server sees is different from the mapping the endpoint would use to send packets through to the other client. For details on the different types of NAT, see network address translation.

In a somewhat more elaborate approach, both hosts start sending to each other, using multiple attempts. On a restricted cone NAT, the first packet from the other host will be blocked. After that, the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from that IP address and port number through.

The technique is widely used in peer-to-peer software and Voice over Internet Protocol telephony. It is one of the methods used in Skype to bypass firewalls and NAT devices. It can also be used to assist the establishment of virtual private networks operating over UDP.

The same technique is sometimes extended to Transmission Control Protocol (TCP) connections, albeit with much less success.

Algorithm

Let A and B be the two hosts, each in its own private network; N1 and N2 are the two NAT devices; S is a public server with a well-known globally reachable IP address.

  1. A and B each begin a UDP conversation with S; the NAT devices N1 and N2 create UDP translation states and assign temporary external port numbers.
  2. S relays these port numbers back to A and B.
  3. A and B contact each other's NAT devices directly on the translated ports; the NAT devices use the previously created translation states and send the packets to A and B.
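The three steps above, together with the retry behaviour described for restricted cone NATs, as an added simulation that is not part of this article. The NAT models (a full cone, a restricted cone and a symmetric NAT), the addresses and the `hole_punch` return value are all constructed for the example; it shows why the same exchange succeeds on the first attempt behind full cone NATs, on the second attempt behind restricted cone NATs, and never when one side is symmetric.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT: kind is 'cone' (full cone), 'restricted' or 'symmetric'."""
    public_ip: str
    kind: str
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)  # mapping key -> external port
    allowed: set = field(default_factory=set)    # (ext_port, remote) seen outbound

    def outbound(self, src, dst):
        """Translate a packet from inner endpoint src to dst; return the external endpoint."""
        # A symmetric NAT allocates a new external port per destination, so the
        # port S observes is not the port the peer has to reach.
        key = src if self.kind != "symmetric" else (src, dst)
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.next_port += 1
        port = self.mapping[key]
        self.allowed.add((port, dst))
        return (self.public_ip, port)

    def inbound(self, ext_port, remote):
        """True if a packet from remote to ext_port is forwarded to the inside."""
        if ext_port not in self.mapping.values():
            return False          # no translation state at all
        if self.kind == "cone":
            return True           # full cone: any sender may use the hole
        return (ext_port, remote) in self.allowed  # must have sent to remote first

def hole_punch(kind_a, kind_b, max_attempts=3):
    """Run steps 1-3; return the attempt on which both directions succeeded, or None."""
    a, b, s = ("10.0.0.2", 5000), ("192.168.1.2", 5000), ("203.0.113.1", 3478)
    n1, n2 = Nat("198.51.100.1", kind_a), Nat("198.51.100.2", kind_b)
    ext_a = n1.outbound(a, s)   # step 1: A and B talk to S, creating NAT state
    ext_b = n2.outbound(b, s)
    # step 2: S relays ext_a to B and ext_b to A (both simply know them from here on)
    for attempt in range(1, max_attempts + 1):   # step 3: send directly, retrying
        src_a = n1.outbound(a, ext_b)
        a_reaches_b = n2.inbound(ext_b[1], src_a)
        src_b = n2.outbound(b, ext_a)
        b_reaches_a = n1.inbound(ext_a[1], src_b)
        if a_reaches_b and b_reaches_a:
            return attempt
    return None

if __name__ == "__main__":
    for kinds in [("cone", "cone"), ("restricted", "restricted"), ("symmetric", "restricted")]:
        print(kinds, "->", hole_punch(*kinds))
```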
