[p2p-hackers] traversing NAT and Java
Alex Pankratov
ap at hamachi.cc
Wed Sep 21 19:37:51 UTC 2005
Bernard Traversat wrote:
> Adam Fisk wrote:
>
>> Another interesting piece that I think would be a great addition to
>> JXTA is the TCP-hole-punching techniques described in papers such as
>> the following:
>>
>> http://pdos.csail.mit.edu/papers/p2pnat.pdf
This is a good paper, but it makes a few assumptions that undermine
its practical adoption. For example -
>>> Most NATs will not forward ICMP TTL Exceeded messages
>>> back to an internal host
This might be true for the devices they tested with, but I would
be very careful with saying 'Most NATs'. I can name at least two
major firewall vendors (that also produce consumer grade devices)
that handle _all_ ICMP messages affecting TCP session state.
I am very actively involved with Hamachi, which is a VPN system
based on UDP hole punching, and looking at the stats collected so
far I must say that NAT devices out there sometimes do things
that make no sense at all. Basically, for every assumption one
makes in their paper there is a NAT device that will break it.
Not a big percentage per assumption, but it all adds up.
It takes a lot of effort to take a UDP hole-punching framework
from a prototype with a 4:1 success rate (the canonical 80%) to a
usable system yielding a rate of 20:1 or higher. And you can
safely double the amount of effort needed for TCP/hp. Just a
heads up :)
Alex