[Cryptography] Firewall penetration
Christian Huitema
huitema at huitema.net
Wed Feb 1 22:30:38 EST 2017
On 2/1/2017 11:18 AM, Jehan Tremback wrote:
> You might want to look into how WebRTC does it. There are several
> different strategies and fallbacks.
>
Yes. I would say, look at RTC in general. As Jerry Leichter wrote,
mostly they use third-party "rendezvous" sites. Also, they mostly use
UDP instead of TCP. The general strategy is to have the two stations
predict the UDP port number that will appear outside the firewall/NAT,
then manage to each send packets to the other in order to "open the
NAT". If one packet makes it all the way, the path is open and exchanges
can happen. Check for IETF specs such as ICE, STUN, TURN.
AFAIK, it works reasonably well for consumer-type connections, but still
fails in a few % of the cases. For those cases, you need a relay through
a server.
-- Christian Huitema
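A toy model of the strategy described in the post, added here as an example (it is not code from the post, from any ICE/STUN/TURN implementation, or from a real NAT). Two stations sit behind simulated NATs; a rendezvous server (the STUN role) echoes back the external port each NAT assigned, the stations exchange those addresses, and each sends to the other's predicted address to "open the NAT". The relay fallback (the TURN role) is tried only when no packet gets through. Addresses are constructed from the RFC 5737 documentation ranges, and the two NAT behaviours modelled (endpoint-independent "cone" mapping versus per-destination "symmetric" mapping, both filtering inbound packets by source address and port) are simplifications chosen to show the success and failure cases:

```python
"""Simulation of UDP hole punching through two NATs, then a relay fallback.

Added example, not code from the post or from any real NAT or ICE stack.
Addresses are constructed (RFC 5737 ranges); NAT behaviour is simplified.
"""
from dataclasses import dataclass, field

RENDEZVOUS = ("203.0.113.10", 3478)   # STUN-like server that reports mapped ports
RELAY = ("203.0.113.20", 3478)        # TURN-like relay used only when punching fails


@dataclass
class Nat:
    external_ip: str
    symmetric: bool = False      # True: a fresh external port for every destination
    next_port: int = 40000       # external ports are handed out sequentially
    mappings: dict = field(default_factory=dict)
    allowed: dict = field(default_factory=dict)   # ext_port -> {remote (ip, port)}

    def outbound(self, internal_port, dst):
        """Internal host sends a packet to dst; return the (ip, port) the
        outside world sees, and open the filter for packets back from dst."""
        key = (internal_port, dst) if self.symmetric else internal_port
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.allowed.setdefault(ext_port, set()).add(dst)
        return (self.external_ip, ext_port)

    def inbound(self, ext_port, src):
        """True if a packet from src addressed to ext_port is passed inward."""
        return src in self.allowed.get(ext_port, set())


def reflexive_address(nat, internal_port):
    """Binding request to the rendezvous server: it echoes back the source
    address it saw, which is this flow's mapping on the NAT."""
    return nat.outbound(internal_port, RENDEZVOUS)


def hole_punch(nat_a, port_a, nat_b, port_b, rounds=2):
    """Each side learns its reflexive address, swaps it through the
    rendezvous server, then sends to the other's predicted address.
    Returns True if a packet reaches the far host in either direction."""
    refl_a = reflexive_address(nat_a, port_a)
    refl_b = reflexive_address(nat_b, port_b)
    delivered = False
    for _ in range(rounds):
        # A -> B: A's NAT opens a pinhole for refl_b; B's NAT filters on src,
        # so this first packet is normally dropped (B has not sent to A yet).
        src_a = nat_a.outbound(port_a, refl_b)
        delivered |= nat_b.inbound(refl_b[1], src_a)
        # B -> A: A's NAT now allows refl_b, so this gets through if B's
        # mapping for the A flow really is refl_b (endpoint-independent NAT).
        src_b = nat_b.outbound(port_b, refl_a)
        delivered |= nat_a.inbound(refl_a[1], src_b)
    return delivered


def connect(nat_a, port_a, nat_b, port_b):
    """Try the direct path first; fall back to a relay that both sides have
    already sent to, so both NATs accept packets coming from it."""
    if hole_punch(nat_a, port_a, nat_b, port_b):
        return "direct"
    ext_a = nat_a.outbound(port_a, RELAY)
    ext_b = nat_b.outbound(port_b, RELAY)
    # The relay forwards A's traffic to B from its own address, and vice versa.
    if nat_b.inbound(ext_b[1], RELAY) and nat_a.inbound(ext_a[1], RELAY):
        return "relay"
    return "unreachable"


if __name__ == "__main__":
    for sym_a, sym_b in [(False, False), (False, True), (True, True)]:
        a = Nat("198.51.100.1", symmetric=sym_a)
        b = Nat("198.51.100.2", symmetric=sym_b)
        print(f"A symmetric={sym_a}, B symmetric={sym_b}: {connect(a, 5000, b, 5000)}")
```

With two cone NATs the first packet (A to B) is dropped but it opens A's NAT, and B's packet then arrives, so the path comes up directly. As soon as one side is symmetric, the port it uses toward the peer differs from the port the rendezvous server reported, the predicted address is wrong on both sides, and only the relay works; that is the residual fraction of connections the post says still need a server in the path.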