[Cryptography] peering through NAT

jamesd at echeque.com jamesd at echeque.com
Sat May 11 05:03:52 EDT 2019

On 2019-05-11 13:06, Christian Huitema wrote:
> But then, having a unique stable address/identifier for each device has some pretty nasty privacy implications. It is not hard to find privacy advocates who believe that Carrier Grade NAT is great, because it lets people hide.

On reflection, the best solution would be a peer to peer system where 
each peer has a public key, some peers have accessible ports and can be 
accessed by any peer, messages percolate from peer to peer, and the 
messages can propose a stun rendezvous - a peer that wants a direct 
connection with another peer behind a NAT nominates a time and an IP 
port, and at the appointed time, both peers fire off UDP packets to each 
other on that port.

This, however, requires a reliability and bandwidth throttling mechanism 
on top of udp, an ssl like layer on top of udp.  A number of libraries 
contain such mechanisms, but the mechanism tends to be connected to lots 
of things, not happy with any of them that I have looked at.  You just 
want a monkey, and get the entire jungle.

By and large, VOIP does go through UDP with a throttling mechanism, but 
libraries that provide this are not small and generic, but rather 
special purpose - they expect you to use the entire library in the 
intended way for the intended purpose, and using it in a different way 
needs a rewrite.  The GameNetworkingSockets library sort of provides a 
udp reliability and throttling layer, though it is a bit broken at the 
moment, and is thinking about providing this with stun.  But integrating 
stun with the GameNetworkingSockets library seems to need a lot of 
inside knowledge of the GameNetworkingSockets library.

More information about the cryptography mailing list