UDP hole punching

From Wikipedia, the free encyclopedia

UDP hole punching is a commonly used technique employed in network address translation (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer, Direct Client-to-Client (DCC) and Voice over Internet Protocol (VoIP) deployments.[1]

UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, third-party hosts on the public transit network are used to establish UDP port states that may be used for direct communications between the communicating hosts. Once port state has been successfully established and the hosts are communicating, port state may be maintained either by normal communications traffic, or in the prolonged absence thereof, by keep-alive packets, usually consisting of empty UDP packets or packets with minimal, non-intrusive content.

Overview
UDP hole punching is a method for establishing bidirectional UDP connections between Internet hosts in private networks using network address translators. The technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized.

Hosts with network connectivity inside a private network connected via a NAT to the Internet typically use the Session Traversal Utilities for NAT (STUN) method or Interactive Connectivity Establishment (ICE) to determine the public address of the NAT that their communication peers require. In this process another host on the public network is used to establish port mapping and other UDP port state that is assumed to be valid for direct communication between the application hosts. Since UDP state usually expires after short periods of time in the range of tens of seconds to a few minutes,[2] and the UDP port is closed in the process, UDP hole punching employs the transmission of periodic keep-alive packets, each renewing the life-time counters in the UDP state machine of the NAT.

UDP hole punching will not work with symmetric NAT devices (also known as bi-directional NAT) which tend to be found in large corporate networks. In symmetric NAT, the NAT's mapping associated with the connection to the known STUN server is restricted to receiving data from the known server, and therefore the NAT mapping the known server sees is not useful information to the endpoint.

In a somewhat more elaborate approach both hosts will start sending to each other, using multiple attempts. On a Restricted Cone NAT, the first packet from the other host will be blocked. After that the NAT device has a record of having sent a packet to the other machine, and will let any packets coming from this IP address and port number through. This technique is widely used in peer-to-peer software and Voice over Internet Protocol telephony. It can also be used to assist the establishment of virtual private networks operating over UDP. The same technique is sometimes extended to Transmission Control Protocol (TCP) connections, though with less success because TCP connection streams are controlled by the host OS, not the application, and sequence numbers are selected randomly; thus any NAT device that performs sequence-number checking will not consider the packets to be associated with an existing connection and drop them.

[Figure: UDP hole punching message sequence chart with peers A and B, using server S to help establish communication.]

Flow
Let A and B be the two hosts with internal IP addresses iAddr_A and iAddr_B respectively, each in its own private network; N_A and N_B are the two NAT devices with external IP addresses eAddr_A and eAddr_B respectively; S is a public server with a known IP address.

  1. A and B each begin a UDP conversation with S; the NAT devices N_A and N_B create UDP translation states and assign temporary external port numbers ePort_A and ePort_B.
  2. S examines the UDP packets to get the source ports used by N_A and N_B (the external NAT ports ePort_A and ePort_B).
  3. S informs B about the values of eAddr_A:ePort_A and informs A about the values of eAddr_B:ePort_B.
  4. A sends a packet to eAddr_B:ePort_B and B sends a packet to eAddr_A:ePort_A (not necessarily at the same time nor in any particular order).
    • When those packets leave their private network, each NAT device adds an entry to its translation table:
      • N_A examines A's packet and finds an entry already exists (iAddr_A, iPort_A, eAddr_A, ePort_A) but with a different destination (S). N_A will create a new entry with the same translation for traffic sourced from A (iAddr_A) to B (eAddr_B).
      • N_B examines B's packet and finds an entry already exists (iAddr_B, iPort_B, eAddr_B, ePort_B) but with a different destination (S). N_B will create a new entry with the same translation for traffic sourced from B (iAddr_B) to A (eAddr_A).
    • Depending on the state of each NAT's translation table upon arrival of the remote's packet:
      • If the new entry was already added to N_A's translation table before the arrival of B's packet, then N_A passes B's packet, but otherwise drops it.
      • If the new entry was already added to N_B's translation table before the arrival of A's packet, then N_B passes A's packet, but otherwise drops it.
  5. Once both NATs have those tuples added, "holes" have been "punched" in the NATs, allowing both hosts to communicate directly.
  • If both hosts have Restricted cone NATs or Symmetric NATs, the external NAT ports will differ from those used with S. On some routers, the external ports are picked sequentially, making it possible to establish a conversation through guessing nearby ports.
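The flow above, as an added toy simulation that is not part of the article: a minimal model of a NAT translation table (restricted cone by default, optionally symmetric) runs steps 1-5 for peers A and B via server S, and shows why the first inbound packet is dropped on a restricted cone NAT, why a retry then passes, and why the same exchange never succeeds through two symmetric NATs. All addresses and the port-allocation behaviour are constructed for the demo, not taken from any real device.

```python
class ToyNAT:
    """One NAT's UDP translation table (constructed model, not a real NAT).
    Restricted cone: one external port per internal (addr, port); inbound is
    admitted only from remote endpoints that port has already sent to.
    Symmetric: a fresh external port per (internal endpoint, destination)."""

    def __init__(self, ext_addr, symmetric=False, first_port=40000):
        self.ext_addr, self.symmetric, self.next_port = ext_addr, symmetric, first_port
        self.mapping = {}   # key -> external port (the NAT translation entry)
        self.allowed = {}   # external port -> set of remote (addr, port) we sent to

    def outbound(self, iaddr, iport, dst):
        """Internal host sends to dst; returns the public (eAddr, ePort) on the wire."""
        key = (iaddr, iport, dst) if self.symmetric else (iaddr, iport)
        if key not in self.mapping:                 # step 1: allocate a port
            self.mapping[key] = self.next_port
            self.allowed[self.next_port] = set()
            self.next_port += 1
        eport = self.mapping[key]
        self.allowed[eport].add(dst)                # the "hole": eport now accepts dst
        return (self.ext_addr, eport)

    def inbound(self, src, eport):
        """Packet from src hits external port eport; pass only if we sent to src from it."""
        return src in self.allowed.get(eport, set())


def punch(symmetric=False):
    """Steps 1-5 of the flow; returns (first-attempt, retry) pass/drop results per peer."""
    S = ("203.0.113.5", 3478)                       # constructed address of server S
    na, nb = ToyNAT("198.51.100.1", symmetric), ToyNAT("198.51.100.2", symmetric)
    a_int, b_int = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    a_pub, b_pub = na.outbound(*a_int, S), nb.outbound(*b_int, S)   # steps 1-2: S sees these
    # Step 3: S relays a_pub to B and b_pub to A. Step 4: A sends first, then B.
    sides = [("A", na, a_int, b_pub, nb), ("B", nb, b_int, a_pub, na)]
    first, retry = {}, {}
    for name, own, own_int, peer_pub, peer in sides:
        src = own.outbound(*own_int, peer_pub)      # opens own hole toward the peer
        first[name] = peer.inbound(src, peer_pub[1])
    for name, own, own_int, peer_pub, peer in sides:  # step 5: resend once both have sent
        retry[name] = peer.inbound(own.outbound(*own_int, peer_pub), peer_pub[1])
    return first, retry


if __name__ == "__main__":
    print("restricted cone:", punch())
    print("symmetric:", punch(symmetric=True))
```

With restricted cone NATs the first packet (A's) is dropped because N_B has not yet sent to A, B's passes, and the retry passes both ways; with symmetric NATs the ports S learned are never the ones used toward the peer, so every packet is dropped.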

References

  1. Ford, Bryan; Kegel, Dan; Srisuresh, Pyda (2008-03-01). "UDP Hole Punching, State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)". ietf.org. Retrieved 2016-06-22.
  2. "Simple Security in IPv6 Gateway CPE". ietf.org. 2011-01-01. Retrieved 2016-06-22.