Hi David,

We have done a bit of load testing on the connection and see about 6-8%
reduction in throughput. We have set up networks with as many as 12 members
and have tested across numerous firewall combinations.

Thanks!
Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barrett
Sent: Friday, December 15, 2006 2:58 PM
To: 'theory and practice of decentralized computer networks'
Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal

This is really cool! What kind of peer connectivity are you able to achieve
in the real world? How widespread have you been able to test?

-david

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:p2p-hackers-[EMAIL PROTECTED] On Behalf Of Jeff Capone
> Sent: Friday, December 15, 2006 1:47 PM
> To: 'theory and practice of decentralized computer networks'
> Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
>
> Hi Alex,
>
> We have solved these problems too.
>
> 1. We implement our own TCP stack so we do not have the decreased
> performance due to the double-acking problem - I can elaborate on that
> more if you like? If you try it out, you will see there is only
> about a 6% reduction in throughput due to the increased packet size (1
> extra TCP header).
>
> 2. Since we implement our own TCP stack, these attacks should not
> affect us. We know exactly what we are expecting to receive and
> firewall the rest.
>
> Hope that helps,
> Jeff
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
> Sent: Friday, December 15, 2006 2:30 PM
> To: 'theory and practice of decentralized computer networks'
> Subject: RE: [p2p-hackers] A new approach to NAT/Firewall traversal
>
> Jeff,
>
> Building VPN connections over TCP has two known problems -
>
> * TCP over TCP leading to the problem with retransmissions
>   and resulting in a decreased performance. This is the one
>   you mention below.
>
> * the lack of protection against trivial DoS attacks. TCP
>   based VPN can be brought down by an active attacker with
>   exactly one packet. That's unless peers authenticate all
>   TCP packets similar to how BGP does with MD5 checksums.
>
> Second point is why IMO TCP-based tunneling must be the absolutely
> last fall-back option as far as a choice for the transport medium goes.
>
> Additionally, regarding TCP NAT traversal. In my experience a simple
> symmetrical TCP open works very well for connecting two NATed peers as
> long as the port prediction is accurate.
> I am very curious to know why you opted for carrying initial P2P TCP
> signaling OOB.
>
> Thanks,
> Alex
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Capone
> > Sent: Friday, December 15, 2006 12:15 PM
> > To: [email protected]
> > Subject: [p2p-hackers] A new approach to NAT/Firewall traversal
> >
> > Hi,
> >
> > If anyone is interested, we have developed an alternative approach
> > to firewall/NAT traversal using TCP.
> >
> > If you are interested in how it works, let me know. If you are
> > interested in trying it out you can download it from
> > http://www.leafnetworks.net
> >
> > Here is a brief overview of what we do...
> >
> > The Leaf 2006 client software uses "Out-of-Band TCP Signaling" to
> > form a TCP connection between two computers running the Leaf 2006
> > client software. This out-of-band signaling is achieved by creating
> > a control channel that is set up using the Leaf Peer Server and used
> > to broker all the TCP signaling traffic. Once the TCP connection is
> > formed, the control channel is torn down and there is a direct TCP
> > connection between each computer.
> >
> > Once this socket connection is formed, it is used to create a
> > virtual private network (VPN) interface that you see as the Leaf
> > Network Adapter on your computer. Most VPN solutions that tunnel
> > traffic over a TCP socket connection suffer from performance
> > degradation - up to 40% loss in bandwidth. However, we have solved
> > this problem and you will achieve full bandwidth connectivity
> > between two computers connected in a Leaf Network.
> >
> > Once the private network is formed, we protect it with a built-in
> > firewall for the Leaf Network Adapter.
> >
> > _______________________________________________
> > p2p-hackers mailing list
> > [email protected]
> > http://lists.zooko.com/mailman/listinfo/p2p-hackers
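
The per-segment authentication Alex refers to ("similar to how BGP does with MD5 checksums") is the TCP MD5 signature option of RFC 2385. The sketch below is an added example, not part of the original thread and not Leaf's code: it shows the receiver-side check that makes a tunnel endpoint drop a reset it cannot authenticate. Addresses, ports, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
FLAG_RST = 0x04
# Option kind 19, length 18 (2 + 16-byte digest), padded to 20 bytes.
MD5_OPTION_PADDED = 20

def fixed_header(sport, dport, seq, ack, flags, window=0):
    """20-byte TCP header with the checksum zeroed, as the digest requires."""
    data_offset_words = (20 + MD5_OPTION_PADDED) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset_words << 12) | flags, window, 0, 0)

def segment_digest(src_ip, dst_ip, header, payload, key):
    """MD5 over pseudo-header, fixed header (no options), data, then key."""
    seg_len = len(header) + MD5_OPTION_PADDED + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()

def accept_segment(src_ip, dst_ip, header, payload, received_digest, key):
    """Receiver side: drop the segment unless its digest matches ours."""
    if received_digest is None or len(received_digest) != 16:
        return False
    expected = segment_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, received_digest)

# Constructed sample values (documentation addresses, made-up ports and key).
PEER_A, PEER_B = "192.0.2.10", "198.51.100.20"
SHARED_KEY = b"constructed-tunnel-key"

def demo():
    rst = fixed_header(40000, 443, seq=1000, ack=0, flags=FLAG_RST)
    good = segment_digest(PEER_A, PEER_B, rst, b"", SHARED_KEY)
    wrong = segment_digest(PEER_A, PEER_B, rst, b"", b"not-the-shared-key")
    return {
        "signed_rst": accept_segment(PEER_A, PEER_B, rst, b"", good, SHARED_KEY),
        "unsigned_rst": accept_segment(PEER_A, PEER_B, rst, b"", None, SHARED_KEY),
        "wrong_key_rst": accept_segment(PEER_A, PEER_B, rst, b"", wrong, SHARED_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

RFC 5925 (TCP-AO) obsoletes this option with stronger MACs; the receiver-side rule is the same, and it only helps if resets are subject to it as well as data segments.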
