
Comments (78)

  • abcd_f
    Claimed elegance is based on a very bold assumption that the NAT device preserves the source port of outbound connection. Hardly the case in even half of typical deployment cases.
  • lxgr
    Does TCP hole punching actually work with common CPEs and CG-NATs? I don’t think I’ve ever seen it done successfully and have often wondered if it’s for a lack of use cases or due to its bad success rate and complexity compared to UDP hole punching. That said, I really wish there was a standardized way to do it. Some sort of explicit (or at least implicit but unambiguous) indicator to all firewalls that a connection from a given host/port pair is desired for the next few seconds. Basically a lightweight, in-band port mapping protocol. It could have well been an official recommendation to facilitate TCP hole punching, but I guess it’s too late now, as firewall behaviors have had decades to evolve into different directions.
  • athrowaway3z
    - you know each other's IPs (or have a way to signal it)
    - can't decide on a port in the same message
    - don't suffer from NAT port randomization
    I'm not saying it will never happen, but the Venn diagram of this being the minimum complexity solution just doesn't seem very large?
  • EnigmaCurry
    > Many home routers try to preserve the source port in external mappings. This is a property called “equal delta mapping” – it won’t work on all routers but for our algorithm we’re sacrificing coverage for simplicity.
    It is precisely this point that has flummoxed me when connecting my p2p wireguard config[1] with a friend that uses a pfsense router; no matter what we tried, pfsense always chooses a random source port. But in the simple case this blog outlines, if both ends use the same source port, this method punches through 2 firewalls effortlessly.
    [1] https://blog.rymcg.tech/blog/linux/wireguard_p2p/
  • sholladay
    This is a great algorithm! In this era where AI is eating away at how deterministic computers are, I really appreciate reading about an elegant solution to a real problem using deterministic logic.
  • jcalvinowens
    If you're asking "where is the listener", you don't need one: https://datatracker.ietf.org/doc/html/rfc9293#simul_connect
  • jder
    I don’t think the bucket-choosing algorithm works? The two hosts can be just on opposite sides of a bucket edge. For example if one host sees t=61 and another sees t=62, they will get different buckets despite being less than 20 seconds apart. You’ve got to check adjacent buckets within your error tolerance, not expand the bucket windows in size based on it.
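    The bucket-edge problem jder describes, as an added illustration that is not part of the thread or the blog post being discussed: it assumes a 60-second bucket width, a 20-second clock tolerance and a hypothetical hash-based port derivation, and shows that naive bucketing splits two clocks that straddle an edge while checking adjacent buckets within the tolerance still yields a shared candidate.

```python
import hashlib

# Assumed parameters (not from the thread): 60-second buckets and a
# 20-second clock-error tolerance between the two hosts.
BUCKET_WIDTH = 60
TOLERANCE = 20


def bucket(t, width=BUCKET_WIDTH):
    """Naive bucket index: the one a host picks from its own clock alone."""
    return t // width


def candidate_buckets(t, width=BUCKET_WIDTH, tol=TOLERANCE):
    """Every bucket a peer whose clock is within +/- tol seconds of ours
    could land in; this is the 'check adjacent buckets' approach."""
    return {tt // width for tt in range(t - tol, t + tol + 1)}


def port_for_bucket(b, secret=b"constructed-shared-secret"):
    """Hypothetical port derivation: hash the bucket index with a shared
    secret into the 10000-59999 range. Only the structure matters here."""
    digest = hashlib.sha256(secret + b.to_bytes(8, "big")).digest()
    return 10000 + int.from_bytes(digest[:2], "big") % 50000


def port_candidates(t):
    """Ports a host should try, one per candidate bucket."""
    return {port_for_bucket(b) for b in candidate_buckets(t)}


def shared_ports(t_a, t_b):
    """Ports both hosts would try: the intersection of their candidate sets."""
    return port_candidates(t_a) & port_candidates(t_b)


if __name__ == "__main__":
    # Clocks 2 seconds apart, but on opposite sides of the 120-second edge.
    print("naive buckets:", bucket(119), bucket(121))
    print("shared ports with adjacent-bucket check:", shared_ports(119, 121))
```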
  • melson
    I made a udp Windows wintun based p2p vpn tunnel https://github.com/mascarenhasmelson/Windows-P2P-UDP
  • ata-sesli
    The timestamp bucket idea for generating shared port candidates is clever. Do you find this works reliably outside routers that preserve source ports? My understanding was that TCP punching tends to depend heavily on NAT behavior.
  • enoint
    Looks like a typo in the degraded timestamp “bucket”. That “window” value should be based on the min threshold.
  • Veserv
    Needing to punch holes in NAT is one of the most idiotic own-goals in the entire field of networking. NAT is effectively your router doing DHCP with a 17-bit suffix (16-bit port + 1 bit for UDP vs TCP) to each of your applications and then not telling you the address it gave you or how long it is good for (which is what a regular DHCP lease does). This is in addition to it, most likely, already doing regular DHCP and allocating you an IP address that it does tell you about, but which is basically worthless since routing to just that prefix without the hidden suffix goes into a black hole. If you could just ask your router for a lease on a chunk of IP+NAT addresses that you could allocate to your applications and rotate them as they expire, you would not need this horrifying mess. The router would just need to maintain the last-leg routing table (what a concept, a router doing routing with routing tables) just like it already does DHCP. The applications would have short-term stable addresses that they could just tell their peers and just directly tell the router/firewall to block anybody except the desired peer short-term address.
  • sylware
    Dudes: IPv6, please, come on, meh.
  • ufocia
    Meh. "It is assumed another process will coordinate the running of this tool." Coordination is the crux of the problem for fast convergence. Otherwise you're stuck with an infinity cubed, hypercubed, or worse problem.