[Cryptography] Firewall penetration

Christian Huitema huitema at huitema.net
Wed Feb 1 22:30:38 EST 2017



On 2/1/2017 11:18 AM, Jehan Tremback wrote:
> You might want to look into how WebRTC does it. There are several 
> different strategies and fallbacks.
>

Yes. I would say, look at RTC in general. As Jerry Leichter wrote, 
mostly they use third-party "rendezvous" sites. Also, they mostly use 
UDP instead of TCP. The general strategy is to have the two stations 
predict the UDP port number that will appear outside the firewall/NAT, 
then manage to each send packets to the other in order to "open the 
NAT". If one packet makes it all the way, the path is open and exchanges 
can happen. Check for IETF specs such as ICE, STUN, TURN.

AFAIK, it works reasonably well for consumer-type connections, but still 
fails in a few % of the cases. For those cases, you need a relay through 
a server.

-- Christian Huitema
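The STUN step of the ICE procedure described above, as an added example that is not part of the original thread: a Binding Request and the decoding of the XOR-MAPPED-ADDRESS attribute from the response, which is how a station learns the address and port its NAT presents to the outside. The wire format follows RFC 5389; the response bytes and function names are constructed for this illustration.

```python
# Added example, not from the original post: build a STUN Binding Request and
# decode the reflexive (outside-the-NAT) IPv4 address from a Binding Success
# response, per RFC 5389. The response used here is constructed sample data.
import os
import struct
import socket

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Return a 20-byte STUN Binding Request header with no attributes."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    # type, message length (0: no attributes), magic cookie, 96-bit transaction id
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def parse_xor_mapped_address(message, expected_tid):
    """Decode the reflexive IPv4 address/port from a matching Binding Success."""
    if len(message) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", message[:8])
    tid = message[8:20]
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or tid != expected_tid:
        raise ValueError("not a matching Binding Success response")
    body = message[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            # Port and address are XORed with the magic cookie so that NATs which
            # rewrite plain IP addresses found in payloads do not corrupt them.
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return addr, port
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def sample_response(tid, addr="203.0.113.7", port=40001):
    """Constructed Binding Success response carrying the given reflexive address."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(addr))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + tid + attr
```

Against a real server, send the request over UDP and feed the reply to parse_xor_mapped_address with the same transaction id; the transaction-id check is what ties a reply to the request you sent.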

