| Andrew Cooke | Contents | Latest | RSS | Twitter | Previous | Next


Welcome to my blog, which was once a mailing list of the same name and is still generated by mail. Please reply via the "comment" links.

Always interested in offers/projects/new ideas. Eclectic experience in fields like: numerical computing; Python web; Java enterprise; functional languages; GPGPU; SQL databases; etc. Based in Santiago, Chile; telecommute worldwide. CV; email.

Personal Projects

Lepl parser for Python.

Colorless Green.

Photography around Santiago.

SVG experiment.

Professional Portfolio

Calibration of seismometers.

Data access via web services.

Cache rewrite.

Extending OpenSSH.

C-ORM: docs, API.

Last 100 entries

Small Success With Go!; Re: Quick message - This link is broken; Adding Reverb To The Echo Chamber; Sox Audio Tools; Would This Have Been OK?; Honesty only important economically before institutions develop; Stegangraphy via PS4; OpenCL Mess; More Book Recommendations; Good Explanation of Difference Between Majority + Minority; Musical Chairs - Who's The Privileged White Guy; I can see straight men watching this conversation and laffing; When it's Actually a Source of Indignation and Disgust; Meta Thread Defending POC Causes POC To Close Account; Indigenous People Of Chile; Curry Recipe; Interesting Link On Marginality; A Nuclear Launch Ordered, 1962; More Book Recs (Better Person); It's Nuanced, And I Tried, So Back Off; Marx; The Negative Of Positive; Jenny Holzer Rocks; Huge Article on Cultural Evolution and More; "Ignoring language theory"; Negative Finger Counting; Week 12; Communication Via Telecomm Bids; Finding Suspects Via Relatives' DNA From Non-Crime Databases; Statistics and Information Theory; Ice OK in USA; On The Other Hand; (Current Understanding Of) Chilean Taxes / Contributions; M John Harrison; Playing Games on a Cloud GPU; China Gamifies Real Life; Can't Help Thinking It's Thoughtcrime; Mefi Quotes; Spray Painting Bike Frame; Weeks 10 + 11; Change: No Longer Possible To Merge Metadata; Books on Old Age; Health Tree Maps; MRA - Men's Rights Activists; Writing Good C++14; Risk Assessment - Fukushima; The Future of Advertising and Surveillance; Travelling With Betaferon; I think I know what I dislike so much about Metafilter; Weeks 8 + 9; More; Pastamore - Bad Italian in Vitacura; History Books; Iraq + The (UK) Governing Elite; Answering Some Hard Questions; Pinochet: The Dictator's Shadow; An Outsider's Guide To Julia Packages; Nobody gives a shit; Lepton Decay Irregularity; An Easier Way; Julia's BinDeps (aka How To Install Cairo); Good Example Of Good Police Work (And Anonymity Being Hard); Best Santiago Burgers; Also; Michael Emmerich (Vibrator Translator) Interview (Japanese Books); Clarice Lispector (Brazillian Writer); Books On Evolution; Looks like Ara (Modular Phone) is dead; Index - Translations From Chile; More Emotion in Chilean Wines; Week 7; Aeon Magazine (Science-ish); QM, Deutsch, Constructor Theory; Interesting Talk Transcripts; Interesting Suggestion Of Election Fraud; "Hard" Books; Articles or Papers on depolarizing the US; Textbook for "QM as complex probabilities"; SFO Get Libor Trader (14 years); Why Are There Still So Many Jobs?; Navier Stokes Incomplete; More on Benford; FBI Claimed Vandalism; Architectural Tessellation; Also: Go, Blake's 7; Delusions of Gender (book); Crypto AG DID work with NSA / GCHQ; UNUMS (Universal Number Format); MOOCs (Massive Open Online Courses); Interesting Looking Game; Euler's Theorem for Polynomials; Weeks 3-6; Reddit Comment; Differential Cryptanalysis For Dummies; Japanese Graphic Design; Books To Be Re-Read; And Today I Learned Bugs Need Clear Examples; Factoring a 67 bit prime in your head; Islamic Geometric Art; Useful Julia Backtraces from Tasks; Nothing, however, is lost with less discomfort than that which, when lost, cannot be missed

© 2006-2015 Andrew Cooke (site) / post authors (content).

What is TCP hole punching?

From: andrew cooke <andrew@...>

Date: Tue, 8 Feb 2011 07:19:15 -0300

It is common (largely because of the restricted number of IPV4 addresses) for
several computers to share the same "external" address.  This is done by NAT
(Network Address Translation) at the point where the internal network meets
the external network.

By default, NAT does not support "incoming" connections.  This is because
there is no simple way for a computer connecting from "outside" to identify a
particular internal computer (since all share the same external address).

The lack of incoming connections means that an application on a computer on an
internal network must initiate all network exchanges and, furthermore, can
only connect to a computer that does have an external address.  This is a
problem for peer-to-peer (P2P) systems, since it requires a separate, public
server to act as the target for connections.

The problem is made worse by the fact that the TCP specification does not
allow for a conversation to be "redirected" to a different machine.  When two
P2P peers have both connected to a central server there is no simple mechanism
for them to address each other directly; all traffic must continue to be
routed through the public server to which the initial connections were made.

This last point is the problem solved by TCP hole punching.  It is a mechanism
that allows two peers to converse directly, even when NAT is in use.

Because a variety of implementations are used, the details that follow are
only a rough sketch.  See the references posted by others for more details [I
am writing this answer not because I am an expert on this, but because I found
neither of the other answers to be very clear].

In general, hole punching requires the following:

- An external, public server that is the target for initial connections, 
  and which helps coordinate the connection process.  

- Two peers behind NAT, who will eventually be connected directly.

- NAT implementations that are lenient in the traffic that they accept, 
  and which are predictable in how they operate.  

- A protocol (like TCP) which is lenient in the traffic it accepts and 
  which, in particular, uses a state machine and messages that are more 
  symmetric than the server / client roles that are assumed at a higher 

The "leniency" I mention above is driven by the need for these components to
function reliably on unreliable networks and to support a wide variety of
traffic (it is not, typically, a result of poor implementation).

The general process (bearing in mind that this is only a rough sketch) for
hole punching is:

- Peers connect to a central, public server and agree on which pairs will

- The central server identifies, for each NAT, how future outgoing connections
  are created (when a peer makes a connection that passes through the NAT then
  a port must be opened on on the NAT to receive the response; typically the
  port numbers used are sequential).

- Peers then open new connections, each aware of the external (NAT) address
  and likely port of the other peer.

By manipulating the TCP traffic (eg. by setting TTL values so that some
outgoing packets cannot reach the other peer) and/or by exploiting uncertainty
in timings and leniency in the NAT and TCP implementations, and by exploiting
symmetry in the underlying state machines and messages, it is then possible
for the two new connections, each of which was opened as client, to reach a
state as though they were opened in a normal client / server conversation.
Once the two peer connections are in the desired state no further use is made
of the public server; the peers can communicate directly with each other.

[From an old Quora answer]


Comment on this post