Peter,

Sure. Actually, to traverse with TCP you need to do three things:

1. Traverse the NAT
2. Put firewall in proper state CONNECTION-ESTABLISHED
3. Synchronize TCP layers on each peer

To achieve this, we set up an out-of-band control channel to a public peer server. Basically, each peer sets up a client connection to a common public server, forming an end-to-end control channel. The signaling traffic at each node (SYN/SYN-ACK/ACK) is captured and sent from one node and injected into the other node. This way, even if the signaling traffic does not make it through, the TCP stack sees the packets as if they are received.

Putting the firewall in the proper state really depends on the type of firewall and we have a few algorithms to achieve this. But basically, you can put the firewall in the connection established state by sending out various combinations of SYN/SYN-ACK and ACK with small TTLs. It does not matter if they are blocked since they will still be received through the out-of-band control channel.

Traversing the NAT for asymmetric NATs is really not a problem, but for symmetric NATs we use a series of probes to predict the assigned port.

Well, the last question you ask is interesting since it really depends on the firewall pairing. Even if you have a symmetric NAT with port randomization, we will still work if the other firewall is an asymmetric NAT. The only case we theoretically fail is if one firewall does port randomization and the other firewall is a symmetric NAT with/without port randomization.

Let me know if that helps,
Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter K Chan
Sent: Friday, December 15, 2006 1:28 PM
To: theory and practice of decentralized computer networks
Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal

Jeff,

Interesting. Can you elaborate on how the direct TCP connection is formed between the two client nodes? Does your method work on all types of NAT/Firewall?

Thanks,
Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Capone
Sent: Friday, December 15, 2006 2:15 PM
To: [email protected]
Subject: [p2p-hackers] A new approach to NAT/Firewall traversal

Hi,

If anyone is interested, we have developed an alternative approach to firewall/NAT traversal using TCP. If you are interested in how it works, let me know. If you are interested in trying it out you can download it from http://www.leafnetworks.net

Here is a brief overview of what we do...

The Leaf 2006 client software uses "Out-of-Band TCP Signaling" to form a TCP connection between two computers running the Leaf 2006 client software. This out-of-band signaling is achieved by creating a control channel that is set up using the Leaf Peer Server and used to broker all the TCP signaling traffic. Once the TCP connection is formed, the control channel is torn down and there is a direct TCP connection between each computer.

Once this socket connection is formed, it is used to create a virtual private network (VPN) interface that you see as the Leaf Network Adapter on your computer. Most VPN solutions that tunnel traffic over a TCP socket connection suffer from performance degradation - up to 40% loss in bandwidth. However, we have solved this problem and you will achieve full bandwidth connectivity between two computers connected in a Leaf Network. Once the private network is formed, we protect it with a built-in firewall for the Leaf Network Adapter.

_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
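As an added illustration of step 3 in Jeff's reply at the top of this thread (capturing each side's handshake segments and injecting them at the other peer so that both TCP layers end up synchronized), here is a small Python model; it is not Leaf's code. It assumes both peers perform an active open toward each other (the RFC 793 simultaneous open) and models only the relayed handshake, not the NAT port prediction or the firewall state step; the Segment, Peer and relay names are constructed for the example.

```python
from collections import namedtuple
# Constructed model: only the handshake-relevant TCP header fields are kept.
Segment = namedtuple("Segment", "src dst flags seq ack")

class Peer:
    """One endpoint's TCP handshake state machine (RFC 793 simultaneous open)."""

    def __init__(self, name, iss):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt, self.rcv_nxt = iss, None
        self.outbox = []  # segments this stack emitted; the control channel carries them

    def _emit(self, dst, flags, seq, ack=None):
        self.outbox.append(Segment(self.name, dst, flags, seq, ack))

    def connect(self, dst):
        """Active open: send SYN; the SYN consumes one sequence number."""
        self.state = "SYN_SENT"
        self._emit(dst, "SYN", self.snd_nxt)
        self.snd_nxt += 1

    def inject(self, seg):
        """Hand a relayed segment to the stack as if it had arrived on the wire."""
        if self.state == "SYN_SENT" and seg.flags == "SYN":
            # Simultaneous open: answer the peer's SYN with our own SYN-ACK.
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RECEIVED"
            self._emit(seg.src, "SYN-ACK", self.snd_nxt - 1, self.rcv_nxt)
        elif (self.state in ("SYN_SENT", "SYN_RECEIVED") and seg.flags == "SYN-ACK"
              and seg.ack == self.snd_nxt):
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            self._emit(seg.src, "ACK", self.snd_nxt, self.rcv_nxt)
        elif self.state == "SYN_RECEIVED" and seg.flags == "ACK" and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
        # Anything else (stray ACK once ESTABLISHED, wrong ack number) is dropped.

def relay(a, b):
    """The out-of-band control channel: segments captured at one peer are
    injected at the other, whether or not the direct path would drop them."""
    while a.outbox or b.outbox:
        while a.outbox:
            b.inject(a.outbox.pop(0))
        while b.outbox:
            a.inject(b.outbox.pop(0))

def simultaneous_open(iss_a=100, iss_b=300):
    """Both peers actively open toward each other; return the two synchronized stacks."""
    a, b = Peer("A", iss_a), Peer("B", iss_b)
    a.connect("B"); b.connect("A")  # each side's SYN is captured, not delivered directly
    relay(a, b)
    return a, b
```

After relay() drains both outboxes, each peer is ESTABLISHED and its rcv_nxt equals the other side's snd_nxt, which is exactly the state a later direct data segment would be checked against.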
