Hole-Punching

A technique for getting network traffic through NAT routers.

• Peer-to-Peer Communication Across Network Address Translators, the definitive paper on the matter (with good references, too)
• A post on the VNC mailing list that mentions another technique, used by some entity known only as 'Hamachi', which sounds like either (a) a misunderstanding of hole-punching or (b) something that wouldn't work.
• draft-ford-behave-app, an internet draft seeking to formalise NAT traversal techniques, hole-punching in particular.

It would be really useful - and fairly easy, i think - if someone implemented a tool which holepunched through any NATs in the area to a peer somewhere else (behind some other NATs) and then set up a VPN over the hole. Provided the addresses on each end of the link didn't conflict (which would require some control over the DHCP at either end), you could essentially establish a little mini-internet between two disconnected NATted networks, which would be cool. In fact, all you'd need to do is holepunch a TCP connection, then you could run PPP over that to do the IP bit - a bit like a PPP-SSH VPN. In fact, you could probably even run SSH or SSL over the hole to get some security. I bet someone's already done this.

A technically better solution would be to do UDP holepunching, as layering IP over TCP leads to head-of-line blocking and other silliness.

VTun is part of the solution.

Thinking about the protocol stack here:

• The TCP holepuncher takes a network interface and gives you a stream interface.
• The UDP holepuncher takes a network interface and gives you a packet interface.
• PPP takes a stream interface and gives you a packet interface.
• SSH takes a stream interface and gives you a stream interface, but encrypted (and compressed, if you like).
• TCP takes a packet interface and gives you a stream interface, but that's not important right now.
• There's nothing i'm aware of which takes a packet interface and gives you a packet interface with encryption/compression. You could run PPP over SSH over TCP over your packet interface, but that's madness. Some IPSEC protocol? ESP? Would be easy to hand-roll something, but this generally leads to desperately insecure protocols.
• Once you've got a packet interface, i think you can just plug it into your IP subsystem and use it as a route; i don't think you need a layer to turn a packet interface into a proper network interface. Well, not much of a layer - you've just got to serialise the IP packet and put it in your next-layer-down packet's payload field.

Hee!